CN116938600B - Threat event analysis method, electronic device and storage medium - Google Patents


Info

Publication number
CN116938600B
Authority
CN
China
Prior art keywords
event
event information
dimension
threat
analysis
Prior art date
Legal status
Active
Application number
CN202311184589.0A
Other languages
Chinese (zh)
Other versions
CN116938600A (en
Inventor
徐蕾
肖新光
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Antiy Network Technology Co Ltd
Priority to CN202311184589.0A
Publication of CN116938600A
Application granted
Publication of CN116938600B
Legal status: Active
Anticipated expiration


Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic > H04L 63/1408 ... by monitoring network traffic)
    • H04L 63/1441 Countermeasures against malicious traffic (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 ... for detecting or protecting against malicious traffic)
    • H04L 9/40 Network security protocols (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)

Abstract

The application provides a threat event analysis method, an electronic device and a storage medium, and relates to the field of network security. The method comprises the following steps: constructing an event analysis model based on a plurality of analysis dimensions; aggregating n network alarm logs to form event information of m threat events; the event analysis model analyses the currently acquired event information based on at least part of the plurality of analysis dimensions to obtain sub-analysis results of the event information in each of those analysis dimensions, and obtains a target analysis result of the event information based on the sub-analysis results; ordering at least part of the event information of the m threat events in descending order of target event score; and outputting a specified number of leading event information entries in the ordering together with their corresponding target analysis results. The method can screen effective threat events out of massive threat events, accurately find high-quality threat events, and improve the efficiency of subsequent research, judgement and event handling.

Description

Threat event analysis method, electronic device and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a method for analyzing a threat event, an electronic device, and a storage medium.
Background
As network confrontation intensifies, network attacks show a diversifying trend, and massive numbers of threat events are generated in diverse attack scenarios. Analysing these massive threat events is an important link in improving network security, yet current threat event analysis technology cannot screen effective threat events out of the mass and cannot accurately find high-quality threat events, which restricts further improvement of network security protection capability.
Disclosure of Invention
In view of the above, the application provides a threat event analysis method, an electronic device and a storage medium, so as to solve the technical problems in the prior art that effective threat events cannot be screened from massive threat events and that high-quality threat events cannot be found accurately.
In a first aspect, an embodiment of the present application provides a threat event analysis method, including:
constructing an event analysis model based on a plurality of analysis dimensions; the plurality of analysis dimensions include a hazard dimension, a persistence dimension, an activity dimension, an asset dimension, a detection basis dimension, and a behavioral anomaly dimension;
acquiring n network alarm logs detected by a plurality of detection engines;
According to a preset aggregation strategy, n network alarm logs are aggregated to form event information of m threat events;
the event analysis model acquires event information of each threat event, analyzes the currently acquired event information based on at least part of analysis dimensions in a plurality of analysis dimensions to obtain sub-analysis results of the currently acquired event information in all analysis dimensions in at least part of analysis dimensions, and obtains target analysis results of the currently acquired event information in at least part of analysis dimensions based on the sub-analysis results; the sub-analysis result comprises a sub-event score and a sub-event label, the sub-event score and the sub-event label are jointly used for marking the security service attribute of the currently acquired event information under the corresponding analysis dimension, the target analysis result comprises a target event score and a target event label, and the target event score and the target event label are jointly used for marking the security service attribute of the currently acquired event information under at least part of the analysis dimension;
ordering at least part of the event information of the m threat events in descending order of target event score;
and outputting the leading specified number of event information entries in the ordering together with the target analysis results corresponding to those entries.
Optionally, in the above method for analyzing threat events, each threat event has a unique event identifier.
Optionally, in the above threat event analysis method, analyzing the currently acquired event information based on at least some analysis dimensions of the plurality of analysis dimensions, to obtain sub-analysis results of the currently acquired event information in each analysis dimension of the at least some analysis dimensions, including:
determining the attack times of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the hazard dimension according to the attack type and the attack times in the currently acquired event information;
determining the duration, average propagation degree and duration of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the persistence dimension according to the duration, the average propagation degree and the duration;
determining the activity of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the activity dimension according to the activity;
determining the key asset coverage of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the asset dimension according to the key asset coverage;
Obtaining a sub-analysis result of the currently acquired event information under the dimension of the detection basis according to the detection basis in the currently acquired event information;
determining the occurrence time anomaly degree and the occurrence position anomaly degree of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the abnormal behavior dimension according to the occurrence time, the occurrence time anomaly degree, the occurrence geographic position and the occurrence position anomaly degree of the currently acquired event information.
Optionally, in the above analysis method of threat event, determining the number of attacks of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the hazard dimension according to the attack type and the number of attacks in the currently acquired event information, where the sub-analysis result includes:
S201, matching the threat event information list in the database that has the same attack type as the currently acquired event information, as the target threat event information list, and determining the event identifier corresponding to the currently acquired event information as the target identifier; the database stores a plurality of threat event information lists, each comprising event information of a plurality of threat events of the same attack type; the event information of each threat event in a list comprises the corresponding event identifier and event occurrence time, and the event information in each list is arranged in order of event occurrence time;
S202, setting the quantity flag parameter N = 1;
S203, acquiring the information quantity X; X is the current number of event information entries in the target threat event information list;
S204, acquiring the event information of the X-th threat event in the target threat event information list as candidate event information;
S205, if the event identifier corresponding to the candidate event information is the same as the target identifier, executing step S206, otherwise executing step S210;
S206, if N is equal to the target number, executing step S207, otherwise executing step S209; the target number is equal to a preset attack frequency threshold;
S207, obtaining the event occurrence time T1 corresponding to the candidate event information;
S208, if T2 - T1 < ΔT, executing step S211, otherwise ending the current flow; wherein T2 is the current time and ΔT is a preset time period threshold;
S209, setting N = N + 1, and executing step S210;
S210, setting X = X - 1, and executing step S204;
S211, determining a target dimension index from the plurality of dimension indexes in the hazard dimension according to the attack type in the currently acquired event information;
S212, determining the preset sub-analysis result corresponding to the target dimension index as the sub-analysis result of the currently acquired event information in the hazard dimension.
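The attack-frequency walk of steps S201-S212 as an added worked example (not code from the patent): the per-attack-type list is scanned from newest to oldest, the N-th most recent occurrence of the target identifier is located, and its age is compared with ΔT. The sample database, the attack types and the preset hazard sub-results (score, label) are constructed for illustration; how the flow ends when the list runs out before N reaches the threshold is not stated on the page and is treated here as "threshold not reached".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EventInfo:
    event_id: str          # unique event identifier (the target identifier when analysed)
    attack_type: str
    occurred_at: datetime  # event occurrence time


# Constructed mapping from attack type to the preset hazard-dimension
# sub-analysis result (sub-event score, sub-event label) of steps S211-S212.
HAZARD_PRESETS: Dict[str, Tuple[int, str]] = {
    "brute_force": (60, "general threat"),
    "ransomware": (95, "serious threat"),
}


def attack_count_reached(target_list: List[EventInfo], target_id: str,
                         now: datetime, target_number: int,
                         delta_t: timedelta) -> bool:
    """Steps S202-S210: walk the time-ordered list from newest to oldest,
    counting entries carrying target_id. When the count N reaches the preset
    attack frequency threshold (target_number), step S208 checks whether that
    N-th most recent occurrence T1 lies within delta_t of the current time."""
    n = 1                                        # S202: quantity flag N = 1
    x = len(target_list)                         # S203: X = number of entries
    while x >= 1:                                # index X-1 is the newest entry
        candidate = target_list[x - 1]           # S204
        if candidate.event_id == target_id:      # S205
            if n == target_number:               # S206
                t1 = candidate.occurred_at       # S207
                return (now - t1) < delta_t      # S208
            n += 1                               # S209
        x -= 1                                   # S210
    # Assumption: the page does not say what happens when the list is exhausted
    # before N reaches the threshold; treat it as "threshold not reached".
    return False


def hazard_sub_result(database: Dict[str, List[EventInfo]], event: EventInfo,
                      now: datetime, target_number: int,
                      delta_t: timedelta) -> Optional[Tuple[int, str]]:
    """S201: pick the list for the event's attack type; S211-S212: on a hit,
    return the preset sub-analysis result for that attack type."""
    target_list = database.get(event.attack_type, [])
    if not attack_count_reached(target_list, event.event_id, now,
                                target_number, delta_t):
        return None
    return HAZARD_PRESETS.get(event.attack_type)


def build_demo_database() -> Dict[str, List[EventInfo]]:
    """Constructed sample data: one brute-force list ordered by occurrence
    time, in which event EV-1 recurs four times and EV-2 once."""
    base = datetime(2024, 5, 1, 10, 0)
    brute_force = [
        EventInfo("EV-1", "brute_force", base),
        EventInfo("EV-2", "brute_force", base + timedelta(minutes=5)),
        EventInfo("EV-1", "brute_force", base + timedelta(minutes=30)),
        EventInfo("EV-1", "brute_force", base + timedelta(minutes=50)),
        EventInfo("EV-1", "brute_force", base + timedelta(minutes=58)),
    ]
    return {"brute_force": brute_force}


def demo(target_number: int, delta_minutes: int) -> Optional[Tuple[int, str]]:
    """Analyse the newest EV-1 entry at 11:00 with the given threshold and ΔT."""
    db = build_demo_database()
    now = datetime(2024, 5, 1, 11, 0)
    event = db["brute_force"][-1]
    return hazard_sub_result(db, event, now, target_number,
                             timedelta(minutes=delta_minutes))


if __name__ == "__main__":
    print(demo(3, 60))   # third most recent EV-1 at 10:30 is within 60 min
    print(demo(3, 20))   # same occurrence, but outside a 20 min window
    print(demo(5, 600))  # only four EV-1 occurrences exist
```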
Optionally, in the threat event analysis method, analyzing the currently acquired event information based on at least some analysis dimensions of the multiple analysis dimensions to obtain sub-analysis results of the currently acquired event information in each analysis dimension of the at least some analysis dimensions, and obtaining a target analysis result of the currently acquired event information in the at least some analysis dimensions based on the sub-analysis results, including:
S310, obtaining the total quantity MN of event information that can be processed within the target working time; wherein NUM1 is the number of current security analysts and NUM2 is the number of event information entries that each security analyst can process within the target working time period;
S320, acquiring the event information set A = (A1, A2, ..., Ai, ..., Am) formed by the event information of the m threat events; wherein i = 1, 2, ..., m, and Ai is the event information of the i-th threat event among the m threat events;
S330, analysing each event information in A based on a plurality of first-class dimension indexes to obtain the sub-event score of each event information in A under each first-class dimension index, and obtaining a first event score list B = (B1, B2, ..., Bi, ..., Bm) based on these sub-event scores; wherein Bi is the first event score corresponding to Ai; the first-class dimension indexes are those dimension indexes, among all dimension indexes contained in the plurality of analysis dimensions, whose associated sub-event scores are larger than a preset score threshold and which do not depend on statistical data;
S340, determining the first event scores in B that are larger than the preset score threshold as key event scores;
S350, if the number GNUM of key event scores so determined is greater than or equal to MN, determining each key event score as a specified event score and proceeding to step S360; otherwise, arranging the first event scores in B in descending order to obtain an arranged score list B', determining the leading first event scores in B' as the specified event scores, and proceeding to step S360;
S360, analysing the event information corresponding to each specified event score based on a plurality of second-class dimension indexes to obtain the sub-event scores of that event information under each second-class dimension index, so as to obtain a second event score list C = (C1, C2, ..., Cj, ..., C_ZNUM); wherein j = 1, 2, ..., ZNUM; ZNUM is the number of specified event scores; Cj is the second event score of the event information corresponding to the j-th specified event score; the second-class dimension indexes are the dimension indexes, among all dimension indexes contained in the plurality of analysis dimensions, other than the first-class dimension indexes;
S370, determining the target event score list D = (D1, D2, ..., Dj, ..., D_ZNUM); wherein Dj is the target event score, under the at least part of the analysis dimensions, of the event information corresponding to the j-th specified event score; Dj = GBj + Cj; GBj is the specified event score corresponding to Cj;
the ordering of at least part of the event information of the m threat events in descending order of target event score includes:
ordering the event information corresponding to the ZNUM target event scores in D in descending order of target event score;
the outputting of the leading specified number of event information entries in the ordering and their corresponding target analysis results includes:
selecting the leading MN event information entries from the ordered ZNUM event information entries as the MN pieces of information to be processed, and outputting the MN pieces of information to be processed together with their corresponding target analysis results.
Optionally, the method for analyzing a threat event further includes:
splitting the MN pieces of information to be processed into NUM2 event information subsets; the number of event information entries in each event information subset is equal;
for each security analyst, extracting one piece of not-yet-extracted event information from each of the NUM2 event information subsets, and adding the extracted MN pieces of event information into the to-be-processed list corresponding to that security analyst.
Optionally, in the above threat event analysis method, for the to-be-processed list of each security analyst, extracting one piece of not-yet-extracted event information from each of the NUM2 event information subsets and adding the extracted MN pieces of event information to the to-be-processed list comprises:
acquiring processing efficiency data of each security analyst; the processing efficiency data represents the event processing efficiency of the security analyst;
sorting the NUM1 to-be-processed lists corresponding to the NUM1 security analysts in order of processing efficiency data from high to low; each to-be-processed list is initially empty;
traversing the sorted NUM1 to-be-processed lists, and for the currently traversed list extracting from each of the NUM2 event information subsets the one not-yet-extracted piece of event information with the largest target event score, and adding the extracted event information into that to-be-processed list, thereby obtaining each to-be-processed list.
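The two-stage scoring of steps S310-S370 and the analyst distribution that follows, as an added worked example (not code from the patent): cheap first-class indexes produce B, only the specified events get the second-class pass producing C, Dj = GBj + Cj ranks them, and the MN pending events are split into NUM2 equal subsets from which analysts draw in order of efficiency. Assumptions, all labelled in the code: MN = NUM1 × NUM2; the leading MN scores of B' are the specified scores when GNUM < MN; the subsets are contiguous slices of the ranking; the dimension index names and sub-scores are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption (constructed split): first-class indexes carry large sub-scores
# and need no statistics; second-class indexes are the statistics-dependent rest.
FIRST_CLASS = ("attack_type", "key_asset_coverage")
SECOND_CLASS = ("activity", "duration", "detection_basis")


@dataclass(frozen=True)
class EventInfo:
    event_id: str
    sub_scores: Dict[str, int]   # sub-event score per dimension index (constructed)


def first_event_scores(events: List[EventInfo]) -> List[int]:
    """S330: B_i is the sum of the first-class sub-event scores of A_i."""
    return [sum(e.sub_scores.get(k, 0) for k in FIRST_CLASS) for e in events]


def specified_indices(B: List[int], mn: int, threshold: int) -> List[int]:
    """S340-S350: key scores are B_i > threshold. If GNUM >= MN they are all
    specified; otherwise B is sorted descending and the leading entries are
    taken (assumption: the leading MN, since MN events are output later)."""
    key = [i for i, b in enumerate(B) if b > threshold]
    if len(key) >= mn:
        return key
    ordered = sorted(range(len(B)), key=lambda i: B[i], reverse=True)
    return ordered[:mn]


def target_scores(events: List[EventInfo], B: List[int],
                  spec: List[int]) -> Dict[int, int]:
    """S360-S370: C_j from the second-class indexes, then D_j = GB_j + C_j."""
    D = {}
    for i in spec:
        c = sum(events[i].sub_scores.get(k, 0) for k in SECOND_CLASS)
        D[i] = B[i] + c
    return D


def rank_and_assign(events: List[EventInfo], efficiency: Dict[str, float],
                    num2: int, threshold: int) -> Tuple[Dict[str, List[str]], Dict[str, int]]:
    """Rank by D descending, keep the MN pending events, split them into NUM2
    equal subsets and let analysts draw the best remaining entry of each subset
    in order of processing efficiency. Returns (to-do lists, target scores)."""
    num1 = len(efficiency)
    mn = num1 * num2                      # assumption: MN = NUM1 x NUM2
    B = first_event_scores(events)
    D = target_scores(events, B, specified_indices(B, mn, threshold))
    ranked = sorted(D, key=lambda i: D[i], reverse=True)[:mn]
    # Assumption: contiguous slices of NUM1 entries, one entry per analyst.
    subsets = [ranked[k * num1:(k + 1) * num1] for k in range(num2)]
    taken = set()
    todo_lists: Dict[str, List[str]] = {}
    for analyst in sorted(efficiency, key=efficiency.get, reverse=True):
        todo = []
        for subset in subsets:
            remaining = [i for i in subset if i not in taken]
            if remaining:   # a short final ranking can leave a subset empty
                best = max(remaining, key=lambda i: D[i])
                taken.add(best)
                todo.append(events[best].event_id)
        todo_lists[analyst] = todo
    return todo_lists, {events[i].event_id: D[i] for i in ranked}


def demo() -> Tuple[Dict[str, List[str]], Dict[str, int]]:
    """Constructed input: six events, two analysts, NUM2 = 2, threshold 50."""
    def ev(eid, at, asset, act, dur, det):
        return EventInfo(eid, {"attack_type": at, "key_asset_coverage": asset,
                               "activity": act, "duration": dur,
                               "detection_basis": det})
    events = [
        ev("e1", 40, 30, 10, 5, 5),    # B=70, C=20  -> D=90
        ev("e2", 20, 10, 30, 20, 15),  # B=30, C=65  -> D=95
        ev("e3", 50, 30, 8, 5, 5),     # B=80, C=18  -> D=98
        ev("e4", 10, 5, 5, 5, 5),      # B=15, not specified
        ev("e5", 35, 25, 20, 10, 10),  # B=60, C=40  -> D=100
        ev("e6", 5, 0, 50, 40, 10),    # B=5: dropped in stage one despite high C
    ]
    return rank_and_assign(events, {"ana": 0.9, "ben": 0.6}, num2=2, threshold=50)


if __name__ == "__main__":
    print(demo())
```

Note that e6 never receives a target score: the first-class stage is meant to be cheap and decisive, so an event that scores poorly on those indexes is not re-examined with the statistics-dependent ones.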
In a second aspect, an embodiment of the present application provides an electronic device, including: the system comprises a memory and a processor, wherein the memory stores program codes which are loaded and executed by the processor to realize the method provided by the first aspect of the embodiment of the application.
In a third aspect, embodiments of the present application provide a computer readable storage medium storing program code which, when executed by a processor, implements the method provided by the first aspect of embodiments of the present application.
The technical solution provided by the application can aggregate a large number of network alarm logs detected by a plurality of detection engines into event information of a large number of threat events, and can use the event analysis model to analyse that event information more comprehensively and accurately across a plurality of dimensions, obtaining a target analysis result for each threat event. The target event score and the target event label in the target analysis result jointly represent security service attributes of the threat event such as effectiveness, activity, influence range and event quality. Ranking the event information of the threat events from high to low by target event score therefore orders them from high to low by those security service attributes. Based on this order, effective, active and wide-influence threat events can be screened out, high-quality threat events can be found accurately, false-positive threat events are eliminated, and the ordered threat events are automatically pushed to security analysts, assisting them in improving the efficiency of research, judgement, notification and defensive handling, so that key threats are eliminated quickly, the security service conversion rate is improved, costs are reduced and efficiency enhanced, and the overall protection level of network security is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for analyzing a threat event according to an embodiment of the present application;
fig. 2 is a schematic partial flow chart of another method for analyzing a threat event according to an embodiment of the application.
Detailed Description
Embodiments of the present application will be described in detail below with reference to the accompanying drawings.
It should be noted that, where there is no conflict, the following embodiments and the features in the embodiments may be combined with each other; all other embodiments are within the scope of the present application as defined by the appended claims.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present embodiments, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
First, some terms related to the present application are explained as follows:
threat intelligence: evidence-based knowledge, including context, mechanisms, metrics, implicit and feasible advice, that describes existing or upcoming threats or hazards to an asset and that can provide decision basis for a principal to take some response to the relevant threat or hazard.
Threat event: refers to events occurring in a network system that jeopardize network security, such as network attacks, network crimes, network incidents, etc.
Event analysis model: the method is used for analyzing the security business attribute of the threat event to obtain a corresponding target event score and a corresponding target event label, and different event analysis models have different emphasis points and application ranges.
The application provides a threat event analysis method, as shown in fig. 1, the method may include the following steps S101-S105:
s101, constructing an event analysis model based on a plurality of analysis dimensions.
The plurality of analysis dimensions may include a hazard dimension, a persistence dimension, an activity dimension, an asset dimension, a detection basis dimension, and a behavioral anomaly dimension.
S102, n network alarm logs detected by a plurality of detection engines are obtained.
The multiple detection engines may be different detection engines or the same detection engine; different detection engines can provide a greater number of network alarm logs. In one example, the plurality of detection engines may include a file detection engine, a load detection engine, a snort (network intrusion detection and prevention system) engine, a snort-like engine, a threat intelligence detection engine, and the like. The value of n is usually large, so that a large number of network alarm logs can be obtained. In the embodiments of the present application, "a plurality" means at least two.
S103, according to a preset aggregation strategy, n pieces of network alarm logs are aggregated to form event information of m threat events.
Each threat event has one event information, each event information may include information of a network alarm log aggregated when forming a corresponding threat event, m threat events correspond to m event information, and n network alarm logs are aggregated, so that m event information corresponding to m threat events may be formed.
m is smaller than n, and the value of m is generally larger, so that a large amount of event information of threat events can be aggregated based on a large amount of standardized network alarm logs.
S104, the event analysis model acquires event information of each threat event, analyzes the currently acquired event information based on at least part of analysis dimensions in a plurality of analysis dimensions to obtain sub-analysis results of the currently acquired event information in all analysis dimensions in at least part of analysis dimensions, and obtains target analysis results of the currently acquired event information in at least part of analysis dimensions based on the sub-analysis results.
The sub-analysis results may include sub-event scores and sub-event labels, which together mark the security service attributes of the event information currently acquired by the model under the corresponding analysis dimension. The target analysis result may include a target event score and a target event label, which together mark the security service attributes of the currently acquired event information under the above at least part of the analysis dimensions. Specifically, the sub-event score and the target event score mark the security service attributes of the currently acquired event information in the form of a score (for example, 80 points, 100 points, etc.); the higher the score, the stronger the security service attributes, for example the event is more effective and active, its influence range is wider, and the probability that it is a false alarm is lower. The sub-event label and the target event label mark the security service attributes in the form of text, for example labels such as "serious threat" or "general threat", and the security service attributes can be judged from the content of the text itself.
S105, ordering at least part of event information in the event information of the m threat events according to the order of the target event scores from large to small.
S106, outputting the leading specified number of event information entries in the ordering together with the target analysis results corresponding to those entries.
The specified number may be less than or equal to m; when the specified number is m, the event information of all formed threat events and the corresponding target analysis results are output.
The threat event analysis method provided by the embodiment of the application can aggregate a large number of network alarm logs detected by a plurality of detection engines into event information of a large number of threat events, and can use the event analysis model to analyse that event information more comprehensively and accurately across multiple dimensions, obtaining a target analysis result for each threat event. The target event score and the target event label in the target analysis result jointly characterise security service attributes of the threat event such as effectiveness, activity, influence range and event quality. Ranking the event information of the threat events from high to low by target event score therefore orders them from high to low by those security service attributes. Based on this order, effective, active and wide-influence threat events can be screened out, high-quality threat events can be found accurately, false-positive threat events are eliminated, and the ordered threat events are automatically pushed to security analysts, assisting them in improving the efficiency of research, judgement, notification and defensive handling, so that key threats are eliminated quickly, the security service conversion rate is improved, costs are reduced and efficiency enhanced, and the overall protection level of network security is improved.
The embodiment of the present application does not limit the execution order of step S101: it may be executed before step S102, after step S103 and before step S104, or synchronously with step S102 or step S103. The order shown in fig. 1 is only an example and does not limit the step sequence.
Step S101 may be performed only once across a plurality of analyses, while steps S102 to S106 are performed in each analysis; when step S101 is performed only once, the construction of the event analysis model is carried out only once and the constructed model is called repeatedly thereafter.
In an alternative implementation, in an embodiment of the present application, each threat event has a unique event identification. The unique event identification can establish the association relation between the threat event and the network alarm log before aggregation, and when the original alarm information of a certain threat event needs to be queried, the associated network alarm log can be called and checked through the event identification of the threat event. The event identification may be an event ID (Identity Document), for example, an event ID in encoded form.
In the step S102, the aggregation processing of the n network alarm logs according to the preset aggregation policy may include: and carrying out format standardization processing on the n network alarm logs to obtain n standardized network alarm logs with a unified format, and carrying out aggregation processing on the n standardized network alarm logs according to a preset aggregation strategy, for example, combining the standardized network alarm logs with the same element to form event information of a threat event. The unified format may include a plurality of fields, types and descriptions corresponding to the fields, and other information, the elements may include an attack source, an attack type (or referred to as a threat type), an attack target, a malicious code name, and the like, the event information (i.e., an event information) of one threat event may include a plurality of standardized network alarm logs with the same attack source, the same attack behavior and the same attack target, and the event information of one threat event may include information of a plurality of attack behaviors from one attack source to one attack target, such as an attack source geographic location, an attack target geographic location, an attack type, a detection basis, an event occurrence time, and the like, that is, one threat event may correspond to a plurality of attacks.
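The normalisation and aggregation just described, as an added worked example (not code from the patent): alarms from two engines with different schemas are mapped onto a unified field set, merged by the elements attack source, attack type and attack target into one threat event per combination that keeps every occurrence time and detection basis, and re-cut into the per-attack-type lists of step S201. The raw alarms, the field names of the unified format, the engine schemas and the hashed event-identifier scheme are all constructed for this example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed raw alarms from two hypothetical engines with different schemas.
RAW_LOGS = [
    {"engine": "snort", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20",
     "class": "brute_force", "sid": "1000001", "ts": "2024-05-01T10:00:00"},
    {"engine": "ti", "source": "10.0.0.5", "target": "10.0.1.20",
     "threat": "brute_force", "ioc": "ioc-123", "time": "2024-05-01T10:05:00"},
    {"engine": "snort", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20",
     "class": "brute_force", "sid": "1000001", "ts": "2024-05-01T10:30:00"},
    {"engine": "snort", "src_ip": "10.0.0.9", "dst_ip": "10.0.1.20",
     "class": "port_scan", "sid": "1000002", "ts": "2024-05-01T10:10:00"},
    {"engine": "ti", "source": "10.0.0.5", "target": "10.0.1.30",
     "threat": "brute_force", "ioc": "ioc-123", "time": "2024-05-01T10:40:00"},
]


def normalize(raw: dict) -> dict:
    """Map an engine-specific alarm onto the unified field set (assumed names)."""
    if raw["engine"] == "snort":
        return {"attack_source": raw["src_ip"], "attack_type": raw["class"],
                "attack_target": raw["dst_ip"],
                "detection_basis": f"snort sid {raw['sid']}",
                "occurred_at": raw["ts"]}
    if raw["engine"] == "ti":
        return {"attack_source": raw["source"], "attack_type": raw["threat"],
                "attack_target": raw["target"],
                "detection_basis": f"threat intelligence {raw['ioc']}",
                "occurred_at": raw["time"]}
    raise ValueError(f"unknown engine {raw['engine']!r}")


@dataclass
class ThreatEvent:
    event_id: str
    attack_source: str
    attack_type: str
    attack_target: str
    occurrence_times: List[str] = field(default_factory=list)   # one per attack
    detection_bases: List[str] = field(default_factory=list)

    @property
    def attack_count(self) -> int:
        return len(self.occurrence_times)


def event_identifier(key: Tuple[str, str, str]) -> str:
    """Encoded event ID derived from the aggregation key (constructed scheme),
    so the same source/type/target always maps to the same event."""
    return "EV-" + hashlib.sha256("|".join(key).encode()).hexdigest()[:12]


def aggregate(raw_logs: List[dict]) -> Dict[str, ThreatEvent]:
    """Merge normalised alarms sharing attack source, type and target into one
    threat event; the event keeps every attack's time and detection basis."""
    events: Dict[str, ThreatEvent] = {}
    for raw in raw_logs:
        log = normalize(raw)
        key = (log["attack_source"], log["attack_type"], log["attack_target"])
        eid = event_identifier(key)
        ev = events.setdefault(eid, ThreatEvent(eid, *key))
        ev.occurrence_times.append(log["occurred_at"])
        if log["detection_basis"] not in ev.detection_bases:
            ev.detection_bases.append(log["detection_basis"])
    for ev in events.values():
        ev.occurrence_times.sort()   # ISO timestamps sort chronologically
    return events


def attack_type_lists(events: Dict[str, ThreatEvent]) -> Dict[str, List[Tuple[str, str]]]:
    """Build the per-attack-type lists of step S201: one (event identifier,
    occurrence time) entry per attack, ordered by occurrence time."""
    lists: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for ev in events.values():
        for t in ev.occurrence_times:
            lists[ev.attack_type].append((ev.event_id, t))
    for entries in lists.values():
        entries.sort(key=lambda entry: entry[1])
    return dict(lists)


if __name__ == "__main__":
    for ev in aggregate(RAW_LOGS).values():
        print(ev.event_id, ev.attack_type, ev.attack_count, ev.detection_bases)
```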
In the above step S104, the obtaining of the target analysis result of the currently acquired event information in at least part of the analysis dimensions based on the sub-analysis result may be achieved by: and summarizing sub-event labels in each sub-analysis result to form a target event label of the event information under at least part of analysis dimension for the currently acquired event information, summing sub-event scores in each sub-analysis result, wherein the obtained value can be used as the target event score of the event information under at least part of analysis dimension, and further the target analysis result of the event information can be obtained based on the target event label and the target event score.
TABLE 1
Referring to the example of Table 1, in step S104, analyzing the currently acquired event information in at least some of the plurality of analysis dimensions to obtain a sub-analysis result in each of those dimensions may include: determining the number of attacks of the currently acquired event information, and obtaining its sub-analysis result in the hazard dimension from the attack type in the event information and the determined number of attacks; determining the persistence, average propagation degree and duration of the event information, and obtaining its sub-analysis result in the persistence dimension from these three values; determining the liveness of the event information, and obtaining its sub-analysis result in the liveness dimension from the liveness; determining the key asset coverage of the event information, and obtaining its sub-analysis result in the asset dimension from the key asset coverage; obtaining its sub-analysis result in the detection basis dimension from the detection basis recorded in the event information; and determining the occurrence time anomaly degree and occurrence position anomaly degree of the event information, and obtaining its sub-analysis result in the behavioral anomaly dimension from the event occurrence time, the determined occurrence time anomaly degree, the event occurrence geographic location and the determined occurrence position anomaly degree. The event occurrence time may be the time range from the alarm start time to the alarm end time of the threat event, or a single time point; the event occurrence geographic location may include the attack source geographic location and the attack target geographic location; the analysis steps of the different dimensions may be executed concurrently; and the attack type, detection basis, event occurrence time and event occurrence geographic location are all taken from the currently acquired event information.
The hazard dimension corresponds to a plurality of dimension indexes describing the extent of harm of the threat event. In the example of Table 1 there may be four dimension indexes under the hazard dimension: "related to nationwide network security", "endangering public safety", "serious threat" and "general threat". Which of the four matches is determined from the attack type and the number of attacks of the threat event. For example, if the attack type is APT (Advanced Persistent Threat) and the number of attacks is not less than 10, the dimension index matched in the hazard dimension is "related to nationwide network security", the matched sub-event label is "related to nationwide network security", and the sub-event score associated with that dimension index, 80 points, is the sub-event score of the threat event in the hazard dimension. If the attack type is at least one of remote control, ransomware, botnet and the like, and the number of attacks is not less than 10, the dimension index is "endangering public safety", the sub-event label is "endangering public safety", and the associated sub-event score, 60 points, is the sub-event score in the hazard dimension. If the attack type is at least one of Trojan horse, computer virus, network eavesdropping, backdoor and the like, and the number of attacks is not less than 10, the dimension index is "serious threat", the sub-event label is "serious threat", and the associated sub-event score is 40 points. If the attack type is any other type and the number of attacks is not less than 10, the dimension index is "general threat", the sub-event label is "general threat", and the associated sub-event score is 20 points.
Here, remote control refers to a remote control attack, in which an attacker connects to the computer to be controlled over a computer network (for example by remote dial-up, or when both parties have Internet access), displays the desktop environment of the controlled computer on the attacker's own computer, and performs malicious actions such as controlling the remote computer from the local one; ransomware is a prevalent class of Trojan that harasses or frightens the user, or even holds the user's files hostage, so that the user's data assets or computing resources cannot be used normally, and demands a ransom from the user as the condition for restoring them; a botnet is a network formed between a controller and a large number of infected hosts by spreading bot malware through one or more propagation means; and backdoor refers to a backdoor attack, namely a method of bypassing security controls to obtain access to a program or system.
The persistence dimension corresponds to a plurality of dimension indexes describing the persistence level of the threat event. In the example of Table 1 there may be two dimension indexes under the persistence dimension: "persistent strong propagation" and "persistent propagation". Which of the two matches is determined from the persistence, the average propagation degree and the duration. For example, if the persistence of the threat event is greater than or equal to 80%, the average propagation degree is greater than or equal to 100 times/day and the duration is greater than or equal to 30 days, the dimension index matched in the persistence dimension is "persistent strong propagation", the corresponding sub-event label is "persistent burst", and the sub-event score associated with "persistent strong propagation", 10 points, is the sub-event score of the threat event in the persistence dimension. If the persistence is greater than or equal to 50%, the average propagation degree is greater than or equal to 10 times/day and the duration is greater than or equal to 7 days, the dimension index is "persistent propagation", the corresponding sub-event label is "persistent propagation", and the associated sub-event score, 5 points, is the sub-event score in the persistence dimension.
Here the duration is the total period of the threat event, with days as the time unit; for example, if the network alarm logs merged into a certain event span 100 days, the duration of the threat event is 100 days. The persistence is calculated as: persistence = attack time of the threat event / duration of the threat event, expressed as a percentage. The attack time of the threat event is counted in days: if network attacks occurred on 50 days, the attack time is 50 days. In one example, if the duration of a threat event is 100 days and attacks occurred on 50 of them, the persistence of the threat event is 50%. The average propagation degree is calculated as: number of attacks of the threat event / duration of the threat event. For example, if a threat event corresponds to 200 attacks and its duration is 100 days, its average propagation degree is 2.
The liveness dimension corresponds to a plurality of dimension indexes describing the liveness level of the threat event. In the example of Table 1 there may be three dimension indexes under the liveness dimension: "very active", "generally active" and "inactive". Which matches is determined from the liveness. For example, if the liveness of the threat event is less than or equal to 1 day, the dimension index matched in the liveness dimension is "very active", the corresponding sub-event label is "active within 24 hours", and the associated sub-event score, 5 points, is the sub-event score of the threat event in the liveness dimension; if the liveness is less than or equal to 7 days, the dimension index is "generally active", the sub-event label is "active", and the associated sub-event score is 3 points; if the liveness is greater than or equal to 30 days, the dimension index is "inactive", the sub-event label is "inactive", and the associated sub-event score is -5 points.
The liveness is calculated as the time difference between the time of the last attack in the threat event and the current time. The result may be converted to days and kept to 2 decimal places.
The asset dimension corresponds to a plurality of dimension indexes describing the key asset coverage of the threat event. In the example of Table 1 there may be two dimension indexes under the asset dimension: "key asset as attack objective" and "contains key asset". Which matches is determined from the key asset coverage. For example, if the key asset coverage of the threat event is greater than or equal to 50%, the dimension index matched in the asset dimension is "key asset as attack objective", the corresponding sub-event label is "attack against key asset", and the associated sub-event score, 5 points, is the sub-event score of the threat event in the asset dimension; if the key asset coverage is greater than 0, the dimension index is "contains key asset", the sub-event label is "contains key asset", and the associated sub-event score is 3 points.
Here the key asset coverage is the percentage of key assets among the assets covered by the threat event; "key asset as attack objective" means the attacker targets key assets specifically, while "contains key asset" means the attacker does not target key assets specifically but attacks over a wide range that happens to include key assets.
The detection basis dimension corresponds to a plurality of dimension indexes describing the type of detection basis on which the analysis of the threat event relies. In the example of Table 1 the detection basis dimension may have the following six dimension indexes: "expert intelligence", "precise intelligence", "file type IT" (threat intelligence hash detection), "file type AVL" (antivirus engine file detection), "URL (Uniform Resource Locator) type" and "domain name type". Which matches is determined from the type of threat intelligence the threat event is based on. For example, if the threat event is based on expert intelligence, the dimension index matched in the detection basis dimension is "expert intelligence", the corresponding sub-event label is "expert intelligence", and the associated sub-event score, 5 points, is the sub-event score of the threat event in the detection basis dimension; if it is based on precise intelligence, the dimension index is "precise intelligence", the sub-event label is "precise intelligence", and the associated sub-event score is 3 points; if it is based on HASH intelligence, the dimension index is "file type IT", the sub-event label is "payload detection", and the associated sub-event score is 5 points; if it is based on a file detection result, the dimension index is "file type AVL", the sub-event label is "payload detection", and the associated sub-event score is 5 points; if it is based on URL intelligence, the dimension index is "URL type", the sub-event label is "URL detection", and the associated sub-event score is 4 points; if it is based on domain name intelligence, the dimension index is "domain name type", the sub-event label is "domain name detection", and the associated sub-event score is 2 points.
Expert intelligence is threat intelligence analyzed, extracted and summarized by a security analysis engineer or intelligence analyst, and has the highest credibility and accuracy. Precise intelligence is intelligence extracted by someone who is not a security analysis engineer or intelligence analyst; its credibility and accuracy are relatively good but weaker than those of expert intelligence.
The behavioral anomaly dimension corresponds to a plurality of dimension indexes describing the type and extent of behavioral anomaly of the threat event. In the example of Table 1 there may be four dimension indexes under the behavioral anomaly dimension: "occurrence time abnormal", "occurrence time suspicious", "occurrence position abnormal" and "occurrence position suspicious". Which matches is determined from the communication behavior. For example, if the occurrence time of the threat event falls in a specified time period, for example after 20:00 or before 07:00 Beijing time, and the occurrence time anomaly degree of the event is greater than or equal to 80%, the dimension index matched in the behavioral anomaly dimension is "occurrence time abnormal", the corresponding sub-event label is "abnormal time", and the associated sub-event score, 5 points, is the sub-event score of the threat event in the behavioral anomaly dimension; if the occurrence time falls in the specified time period and the occurrence time anomaly degree is greater than or equal to 10%, the dimension index is "occurrence time suspicious", the sub-event label is "suspicious time", and the associated sub-event score is 2 points; if the country (or region) of the attack source differs from the country (or region) of the attack target and the occurrence position anomaly degree is greater than or equal to 80%, the dimension index is "occurrence position abnormal", the sub-event label is "abnormal position", and the associated sub-event score is 5 points; if the country (or region) of the attack source differs from that of the attack target and the occurrence position anomaly degree is greater than or equal to 10%, the dimension index is "occurrence position suspicious", the sub-event label is "suspicious position", and the associated sub-event score is 2 points.
In Table 1, ts_start denotes the alarm start time of the threat event and ts_end denotes its alarm end time; the specified time period corresponds to the hour of ts_start being greater than or equal to 20 or the hour of ts_end being less than or equal to 7. The division between the area where the attack target is located and the designated areas other than it may be made according to the actual situation: for example, if the attack target is located in country C, the territories of countries other than C may be regarded as designated areas, and if the attack target is located in region D of country C, regions or countries other than D may be regarded as designated areas.
Based on the plurality of analysis dimensions and dimension indexes, the embodiment of the present application can construct a high-precision threat event evaluation system that precisely picks out effective, widespread and active threat events from massive numbers of threat events while ignoring and excluding ineffective and falsely reported ones.
When the event analysis model is constructed, the association between each dimension index and its sub-analysis result is first established with reference to Table 1; once the dimension index matched by the event information of a threat event in a given dimension has been determined from parameters such as attack type, number of attacks, duration, average propagation degree and the like, the sub-analysis result of the threat event in that dimension follows. Taking Table 1 as an example, the dimension index "serious threat", the sub-event score 40 and the sub-event label "serious threat" are associated, so when a threat event is determined to match "serious threat" in the hazard dimension, the associated sub-event score and sub-event label are its sub-analysis result in the hazard dimension, namely "serious threat (sub-event label) and 40 (sub-event score)".
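As an added example (not code from the patent), the following Python sketch implements the Table 1 rules described above as an event analysis model: each dimension function maps one event's information to a sub-event label and score, and `analyse` collects the labels and sums the scores as in step S104. Field names, the explicit `now` argument, the constructed sample event, and the choice to judge the time and position anomalies independently are my assumptions; the thresholds and scores are those stated in the text.

```python
from dataclasses import dataclass
from datetime import datetime

ATTACK_COUNT_THRESHOLD = 10  # every hazard index requires "not less than 10 times"
PUBLIC_SAFETY_TYPES = {"remote control", "ransomware", "botnet"}
SERIOUS_TYPES = {"trojan horse", "computer virus", "network eavesdropping", "backdoor"}
# Detection basis -> (sub-event label, sub-event score), as listed in Table 1
DETECTION_BASIS = {
    "expert intelligence": ("expert intelligence", 5),
    "precise intelligence": ("precise intelligence", 3),
    "hash": ("payload detection", 5),    # dimension index "file type IT"
    "file": ("payload detection", 5),    # dimension index "file type AVL"
    "url": ("URL detection", 4),
    "domain": ("domain name detection", 2),
}
SAMPLE_NOW = datetime(2024, 1, 31, 12, 0)  # constructed "current time"


@dataclass
class EventInfo:  # event information of one threat event; field names are assumptions
    event_id: str
    attack_type: str
    attack_count: int          # number of attacks, as determined in steps S201-S212
    duration_days: int         # total period spanned by the merged alarm logs
    attack_days: int           # number of days on which attacks occurred
    last_attack: datetime      # time of the last attack in the event
    key_asset_coverage: float  # share of key assets among the covered assets, 0..1
    detection_basis: str       # one of the DETECTION_BASIS keys
    hour_start: int            # hour (Beijing time) of ts_start
    hour_end: int              # hour (Beijing time) of ts_end
    time_anomaly: float        # occurrence time anomaly degree, 0..1
    src_country: str
    dst_country: str
    position_anomaly: float    # occurrence position anomaly degree, 0..1


def hazard(e):
    if e.attack_count < ATTACK_COUNT_THRESHOLD:
        return None
    if e.attack_type == "APT":
        return ("related to nationwide network security", 80)
    if e.attack_type in PUBLIC_SAFETY_TYPES:
        return ("endangering public safety", 60)
    if e.attack_type in SERIOUS_TYPES:
        return ("serious threat", 40)
    return ("general threat", 20)


def persistence(e):
    p = e.attack_days / e.duration_days     # persistence = attack time / duration
    avg = e.attack_count / e.duration_days  # average propagation degree, times/day
    if p >= 0.8 and avg >= 100 and e.duration_days >= 30:
        return ("persistent burst", 10)     # index "persistent strong propagation"
    if p >= 0.5 and avg >= 10 and e.duration_days >= 7:
        return ("persistent propagation", 5)
    return None


def liveness(e, now):
    days = round((now - e.last_attack).total_seconds() / 86400, 2)  # 2 decimals
    if days <= 1:
        return ("active within 24 hours", 5)  # index "very active"
    if days <= 7:
        return ("active", 3)                  # index "generally active"
    if days >= 30:
        return ("inactive", -5)
    return None                               # 7 < days < 30: no index in Table 1


def asset(e):
    if e.key_asset_coverage >= 0.5:
        return ("attack against key asset", 5)  # index "key asset as attack objective"
    if e.key_asset_coverage > 0:
        return ("contains key asset", 3)
    return None


def behaviour(e):
    # Assumption: the time and position anomalies are judged independently.
    results = []
    in_window = e.hour_start >= 20 or e.hour_end <= 7  # the specified time period
    if in_window and e.time_anomaly >= 0.8:
        results.append(("abnormal time", 5))
    elif in_window and e.time_anomaly >= 0.1:
        results.append(("suspicious time", 2))
    cross_border = e.src_country != e.dst_country
    if cross_border and e.position_anomaly >= 0.8:
        results.append(("abnormal position", 5))
    elif cross_border and e.position_anomaly >= 0.1:
        results.append(("suspicious position", 2))
    return results


def analyse(e, now):
    """Step S104: gather the sub-analysis results, then collect labels and sum scores."""
    subs = [r for r in (hazard(e), persistence(e), liveness(e, now), asset(e),
                        DETECTION_BASIS.get(e.detection_basis)) if r is not None]
    subs.extend(behaviour(e))
    return [label for label, _ in subs], sum(points for _, points in subs)


def sample_event():
    """Constructed event: an APT variant with 1500 attacks on 50 of 100 days."""
    return EventInfo("evt-001", "APT", 1500, 100, 50, datetime(2024, 1, 31, 0, 0),
                     0.6, "expert intelligence", 21, 3, 0.85, "A", "B", 0.5)
```

Calling `analyse(sample_event(), SAMPLE_NOW)` returns seven labels and a target event score of 107 (80 + 5 + 5 + 5 + 5 + 5 + 2).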
In an alternative embodiment, as shown in fig. 2, determining the number of attacks of the currently acquired event information and obtaining its sub-analysis result in the hazard dimension from the attack type in the event information and the number of attacks may include the following steps S201 to S212:
S201, according to the attack type in the currently acquired event information, the threat event information list with the same attack type is matched in the database as the target threat event information list, and the event identifier corresponding to the currently acquired event information is determined as the target identifier.
The database stores a plurality of threat event information lists; each list contains the event information of a plurality of threat events of the same attack type, the event information of each threat event in the list includes its event identifier and event occurrence time, and the event information in each list is arranged in order of event occurrence time.
An attack type may include a plurality of sub-attack types, so the threat event information list for one attack type may contain threat events of several sub-attack types belonging to that attack type. A sub-attack type may be a variant of the attack type; for example, APT attacks (one attack type) may exist in multiple variants, each of which may act as a sub-attack type. The event identifier corresponding to the currently acquired event information may be determined from the sub-attack type.
S202, a quantity flag parameter N = 1 is set.
S203, the information quantity X is acquired.
X is the current number of event information entries in the target threat event information list, and it also serves as the initial position from which event information with the same event identifier is searched in the target threat event information list.
S204, the event information of the X-th threat event in the target threat event information list is acquired as candidate event information.
S205, if the event identifier corresponding to the candidate event information is the same as the target identifier, step S206 is executed; otherwise step S210 is executed.
S206, if N is equal to the target number, step S207 is executed; otherwise step S209 is executed.
The target number is equal to a preset attack count threshold (for example, 10 times in Table 1), i.e. target number = preset attack count threshold = 10. If N is equal to 10, the target threat event information list contains at least 10 event information entries with the same event identifier as the currently input event information, so it can be determined that at least 10 attacks of the sub-attack type corresponding to the current threat event have occurred, that is, the number of attacks corresponding to the current threat event is not less than 10.
S207, the event occurrence time T1 corresponding to the candidate event information is acquired.
S208, if T2 - T1 < Δt, step S211 is executed; otherwise the current flow ends.
T2 is the current time and Δt is a preset time period threshold.
S209, N = N + 1 is set, and step S210 is executed.
S210, X = X - 1 is set, and step S204 is executed.
S211, a target dimension index is determined from the plurality of dimension indexes in the hazard dimension according to the attack type in the currently acquired event information.
Referring to the example of Table 1, once it is determined that the number of attacks corresponding to the current threat event is not less than 10, if the attack type of the current threat event is APT, the target dimension index determined from the dimension indexes of the hazard dimension is "related to nationwide network security".
S212, the sub-analysis result corresponding to the target dimension index is taken as the sub-analysis result of the currently acquired event information in the hazard dimension.
The sub-analysis result corresponding to each target dimension index may be preset; when the target dimension index is "related to nationwide network security", referring to the example of Table 1, the corresponding sub-analysis result is "related to nationwide network security" (sub-event label) + 80 points (sub-event score).
Based on steps S201 to S212, in the threat event analysis method provided by the embodiment of the present application, event information of the same attack type among the event information of all threat events in the database can be stored in one threat event information list in chronological order, so that different attack types yield different threat event information lists in the database. When the number of attacks is counted for a certain threat event, the corresponding threat event information list can be located quickly by attack type, and the count is carried out within that list rather than by searching and counting all event information in the database, which effectively reduces the calculation amount of the counting process and improves its efficiency. Within the located list, because the event identifier is tied to the sub-attack type, counting event identifiers amounts to counting threat events of the same sub-attack type, which yields the number of attacks of the current threat event. In addition, by setting the time period threshold, the embodiment can determine the time period in which the attacks of the current threat event fall, and can determine the dimension index of the threat event's event information in the hazard dimension more accurately and efficiently by considering both the number of attacks and the time period, thereby determining the sub-analysis result of the event information in the hazard dimension.
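As an added example (not the patent's own code), the following Python function carries out the backward scan of steps S201 to S212 over a time-ordered threat event information list and returns the hazard-dimension sub-analysis result, or None when fewer than the target number of matching attacks fall within Δt of the current time. The list layout, the database as a dictionary keyed by attack type, the value Δt = 30 days, the constructed sample data and the guard for X reaching 0 are my assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_NOW = datetime(2024, 1, 31, 12, 0)  # constructed current time T2


@dataclass(frozen=True)
class ListedEvent:
    """One entry of a threat event information list (constructed layout)."""
    event_id: str          # event identifier, tied to the sub-attack type
    occurred_at: datetime  # event occurrence time; each list is sorted by it


# S211: target dimension index per attack type, per Table 1 ("general threat" otherwise)
HAZARD_INDEX = {
    "APT": ("related to nationwide network security", 80),
    "remote control": ("endangering public safety", 60),
    "ransomware": ("endangering public safety", 60),
    "botnet": ("endangering public safety", 60),
    "trojan horse": ("serious threat", 40),
    "computer virus": ("serious threat", 40),
    "network eavesdropping": ("serious threat", 40),
    "backdoor": ("serious threat", 40),
}


def count_reached_within(target_list, target_id, now, target_number=10,
                         delta_t=timedelta(days=30)):
    """Steps S202-S210: walk from the newest entry backwards counting entries whose
    identifier equals target_id; at the target_number-th match report whether it
    occurred within delta_t of now (S208). delta_t = 30 days is an assumption."""
    n = 1                                  # S202: quantity flag parameter N
    x = len(target_list)                   # S203: X, current size of the list
    while x >= 1:                          # guard: the flow does not state the case X = 0
        candidate = target_list[x - 1]     # S204: X-th entry (1-based)
        if candidate.event_id == target_id:            # S205
            if n == target_number:                     # S206
                t1 = candidate.occurred_at             # S207
                return now - t1 < delta_t              # S208: T2 - T1 < Δt
            n += 1                                     # S209
        x -= 1                                         # S210
    return False


def hazard_sub_result(database, attack_type, event_id, now,
                      target_number=10, delta_t=timedelta(days=30)):
    """S201 + S211/S212: select the list for the attack type, count attacks with the
    same event identifier (sub-attack type), then map to the sub-analysis result."""
    target_list = database.get(attack_type, [])   # S201: lists keyed by attack type
    if not count_reached_within(target_list, event_id, now, target_number, delta_t):
        return None
    return HAZARD_INDEX.get(attack_type, ("general threat", 20))


def sample_database(now):
    """Constructed data: three APT variants in one list, sorted by occurrence time.
    apt-v1: 11 attacks in the last 25 days; apt-v2: only 3 attacks;
    apt-v3: 10 attacks, but the tenth most recent is 40 days old."""
    v1 = [ListedEvent("apt-v1", now - timedelta(days=d))
          for d in (25, 22, 20, 18, 15, 12, 10, 8, 5, 2, 1)]
    v2 = [ListedEvent("apt-v2", now - timedelta(days=d)) for d in (23, 9, 4)]
    v3 = [ListedEvent("apt-v3", now - timedelta(days=d))
          for d in (40, 3, 3, 2, 2, 1, 1, 1, 1, 1)]
    return {"APT": sorted(v1 + v2 + v3, key=lambda ev: ev.occurred_at)}


if __name__ == "__main__":
    db = sample_database(SAMPLE_NOW)
    for variant in ("apt-v1", "apt-v2", "apt-v3"):
        print(variant, hazard_sub_result(db, "APT", variant, SAMPLE_NOW))
```

Only apt-v1 satisfies both conditions (ten matches, the tenth 22 days old); apt-v2 never reaches N = 10, and apt-v3 reaches it only at an entry older than Δt, so both end the flow without a hazard index.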
In an optional embodiment, in the step S103, the analyzing the currently acquired event information based on at least some of the multiple analysis dimensions to obtain sub-analysis results of the currently acquired event information in each of the at least some analysis dimensions, and obtaining, based on the sub-analysis results, a target analysis result of the currently acquired event information in at least some analysis dimensions may include the following steps S310-S370:
s310, obtaining total quantity of event information which can be processed in target working timeThe method comprises the steps of carrying out a first treatment on the surface of the Wherein NUM 1 Number NUM for the current security analyst 1 ,NUM 2 The amount of event information that can be processed within the target operating time for each security analyst.
NUM 1 And NUM 2 Can be entered by a worker via an input device. The target working time length represents a working time length after the current time, can be set according to actual requirements, and can be set as a certain time length within one day after the current time as the target working time length. ""means multiplication.
S320, acquiring an event information set A= (A) formed by event information of m threat events 1 ,A 2 ,...,A i ,...,A m )。
Wherein i=1, 2,..m, a i The event information of the ith threat event in the event information of the m threat events may be event information of m threat events formed by aggregation in the step S103, where the event information of the m threat events is event information to be processed by a security analyst in a target working time.
S330, analyzing each event information in a based on a plurality of first-class dimension indexes to obtain sub-event scores of each event information in a under each first-class dimension index, and obtaining a first event score list b= (B) based on the sub-event scores 1 ,B 2 ,...,B i ,...,B m )。
Wherein B is i Is A i The corresponding first event scores, wherein the first type of dimension indexes are dimension indexes of which the associated sub-event scores are larger than a preset score threshold value and dimension indexes which are independent of statistical data, in all dimension indexes contained in a plurality of analysis dimensions.
Event information A i The sub-event score under a certain first type of dimension index can be determined based on the corresponding judgment condition of the first type of dimension index, if the event information A i The related parameters (such as attack type, attack times, duration, average propagation degree and the like) of the first class dimension index meet the corresponding judging conditions, namely the event information A i When the first type dimension index can be matched, the event information A can be determined i The sub-event score under the first type dimension index is the sub-event score associated with the first type dimension index, if the event information A i The related parameters of the first type dimension index do not meet the corresponding judging conditions, namely event information A i When the first type dimension index cannot be matched with the first type dimension index, the event information A can be determined i The sub-event score under the first class dimension index is 0.
Taking Table 1 as an example, suppose the dimension index "related to nationwide network security" is a first-class dimension index. If the attack type and number of attacks of event information A_i satisfy the condition "the attack type is APT and the number of attacks is not less than 10", then A_i matches the dimension index "related to nationwide network security" and its sub-event score under that index is 80 points; otherwise its sub-event score under that index is 0 points.
The first event score B_i may be the result of summing (directly or with weights) the sub-event scores of A_i under each first-class dimension index.
The preset score threshold may be set according to actual requirements, for example to 50 or 80 points. A dimension index whose associated sub-event score is greater than the preset score threshold is a key index for evaluating a threat event and is treated as a first-class dimension index. For example, if the preset score threshold is 50 points, the sub-event scores associated with the two dimension indexes "related to nationwide network security" and "endangering public security" in Table 1 are both greater than 50 points, so both are first-class dimension indexes that need to be calculated preferentially.
The dimension indexes that do not depend on statistical data are those that can be judged from single-dimension data alone, without complex information retrieval and calculation. Taking Table 1 as an example, the two dimension indexes "serious threat" and "general threat" require event information to be retrieved from the database to calculate the number of attacks, and the two dimension indexes "continuous strong propagation" and "continuous propagation" require event information to be retrieved from the database to calculate the duration, average propagation degree and so on; these depend on statistical data, and when their associated sub-event score is less than or equal to the preset score threshold they are treated as second-class dimension indexes, which reduces the calculation spent on the first-class dimension indexes. The two dimension indexes "expert intelligence" and "precise intelligence", by contrast, can be judged from the detection basis alone without retrieving event information from the database; they are treated as first-class dimension indexes, which enlarges the index range of the first-class dimension indexes without adding much calculation, so that the first-class calculation is more comprehensive and accurate.
S340, determining each first event score in B that is greater than the preset score threshold as a key event score.
S350, if the number GNUM of determined key event scores is greater than or equal to MN, determining each key event score as a designated event score and proceeding to step S360; otherwise, arranging the first event scores in B in descending order to obtain an arranged score list B', determining the first GNUM + 2(MN − GNUM) first event scores in B' (the count given in claim 4) as the designated event scores, and proceeding to step S360.
In step S360, the event information corresponding to each designated event score is analyzed under the second-class dimension indexes to obtain a second event score list C = (C_1, C_2, ..., C_j, ..., C_ZNUM), where ZNUM is the number of designated event scores (see claim 4). The sub-event score, under a given second-class dimension index, of the event information corresponding to the j-th designated event score can be determined from the judging condition corresponding to that index; the principle is the same as for determining the sub-event score of event information A_i under a first-class dimension index and is not repeated here. The second event score C_j may be the result of summing (directly or with weights) the sub-event scores, under each second-class dimension index, of the event information corresponding to the j-th designated event score.
S370, determining a target event score list D = (D_1, D_2, ..., D_j, ..., D_ZNUM); where D_j is the target event score, under the at least partial analysis dimensions, of the event information corresponding to the j-th designated event score; D_j = GB_j + C_j, where GB_j is the designated event score corresponding to C_j.
Correspondingly, in step S105, sorting at least part of the event information of the m threat events in descending order of target event score may include: sorting the event information corresponding to the ZNUM target event scores in D in descending order of target event score. In step S106, outputting the first specified number of pieces of event information in the sorted order together with their corresponding target analysis results may include: selecting the first MN pieces of event information from the ZNUM sorted pieces of event information as the MN pieces of information to be processed, and outputting them together with their corresponding target analysis results; that is, the specified number is MN.
Based on the above, the threat event analysis method provided by the embodiment of the application divides the dimension indexes of the event analysis model into first-class and second-class dimension indexes of different priorities. The first-class dimension indexes are calculated first, the GNUM first event scores greater than the preset score threshold are screened out of the resulting first event score list as key event scores, and so the larger target event scores that satisfy the condition (being greater than the preset score threshold) are found with less calculation. The second-class dimension indexes are calculated after the first-class ones: once the event information with larger scores has been screened out using the first-class dimension indexes, the second-class dimension indexes need not be calculated for all event information but only for the event information corresponding to the screened key event scores, which effectively reduces the amount of calculation.
Taking the dimension indexes in Table 1 as an example, if m is 10000, that is, there are 10000 pieces of event information, then without the above division each piece of event information must be analyzed against all 21 dimension indexes in Table 1, for 210000 calculations in total. With the above embodiment and the preset score threshold set to 50 points, 8 first-class dimension indexes and 13 second-class dimension indexes can be screened out of the 21 dimension indexes in Table 1; the 8 first-class dimension indexes are "related to nationwide network security", "endangering public security", "expert intelligence", "precise intelligence", "file type TI", "file type AVL", "URL type" and "domain name type", and the rest are second-class dimension indexes. Analyzing the 10000 pieces of event information against the 8 first-class dimension indexes takes 80000 calculations and yields 10000 first event scores; if 6000 of those are key event scores, analyzing their 6000 pieces of event information against the 13 second-class dimension indexes takes a further 78000 calculations, so the embodiment needs 158000 calculations in all and saves 52000 compared with the 210000 calculations of the undivided approach.
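The two-phase scoring of steps S330–S370, the first-class/second-class split of the preceding paragraphs and the calculation count just given, as an added Python example that is not code from the patent. The dimension indexes (names, scores, dependence on statistics and judging conditions), the preset score threshold of 50 points and the five sample events are constructed assumptions standing in for Table 1, which is not reproduced on this page; `split_indexes` applies the classification rule, `two_phase_scores` counts judging-condition evaluations as it runs S330–S370 and the S105/S106 selection, and `evaluation_counts` reproduces the 210000 / 158000 / 52000 figures.

```python
# Added example (not the patent's own code): two-phase scoring of steps
# S330-S370 and the calculation-count comparison. The dimension indexes,
# their scores, judging conditions and the sample events below are
# constructed assumptions; Table 1 of the patent is not reproduced here.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class DimensionIndex:
    name: str
    score: int                        # sub-event score awarded on a match
    needs_statistics: bool            # needs database retrieval/aggregation to judge
    matches: Callable[[dict], bool]   # judging condition on the event's parameters


# Constructed index set (assumed names, scores and conditions).
INDEXES: List[DimensionIndex] = [
    DimensionIndex("related to nationwide network security", 80, False,
                   lambda e: e["attack_type"] == "APT" and e["attack_count"] >= 10),
    DimensionIndex("endangering public security", 60, False,
                   lambda e: e["targets_public_service"]),
    DimensionIndex("expert intelligence", 30, False,
                   lambda e: "expert" in e["detection_basis"]),
    DimensionIndex("precise intelligence", 30, False,
                   lambda e: "precise" in e["detection_basis"]),
    DimensionIndex("serious threat", 40, True,
                   lambda e: e["attack_count"] >= 20),
    DimensionIndex("continuous propagation", 20, True,
                   lambda e: e["duration_h"] >= 24),
]

# Constructed sample events (the m = 5 pieces of event information A_1..A_5).
SAMPLE_EVENTS: List[dict] = [
    {"attack_type": "APT", "attack_count": 12, "targets_public_service": False,
     "detection_basis": "expert", "duration_h": 30},
    {"attack_type": "scan", "attack_count": 25, "targets_public_service": True,
     "detection_basis": "", "duration_h": 5},
    {"attack_type": "phishing", "attack_count": 3, "targets_public_service": False,
     "detection_basis": "precise", "duration_h": 1},
    {"attack_type": "malware", "attack_count": 22, "targets_public_service": False,
     "detection_basis": "", "duration_h": 48},
    {"attack_type": "APT", "attack_count": 5, "targets_public_service": False,
     "detection_basis": "expert precise", "duration_h": 2},
]


def split_indexes(indexes: List[DimensionIndex], threshold: int):
    """First class: score above the preset threshold, or judgeable without
    statistics. Second class: everything else (stat-dependent and low-scoring)."""
    first = [d for d in indexes if d.score > threshold or not d.needs_statistics]
    first_names = {d.name for d in first}
    second = [d for d in indexes if d.name not in first_names]
    return first, second


def score_under(event: dict, indexes: List[DimensionIndex], counter: List[int]) -> int:
    """Direct sum of sub-event scores; counter[0] tallies judging-condition evaluations."""
    total = 0
    for d in indexes:
        counter[0] += 1
        if d.matches(event):
            total += d.score
    return total


def two_phase_scores(events: List[dict], indexes: List[DimensionIndex],
                     threshold: int, mn: int) -> Tuple[List[Tuple[int, int]], int]:
    """Return the top-MN (event index, target score D) pairs and the number of
    evaluations spent, following S330-S370 and the selection in S105/S106."""
    first, second = split_indexes(indexes, threshold)
    counter = [0]
    b = [score_under(e, first, counter) for e in events]          # S330: B
    key = [i for i, s in enumerate(b) if s > threshold]           # S340: GNUM key scores
    if len(key) >= mn:                                            # S350
        designated = key
    else:
        b_sorted = sorted(range(len(b)), key=lambda i: b[i], reverse=True)  # B'
        designated = b_sorted[:len(key) + 2 * (mn - len(key))]    # GNUM + 2(MN - GNUM)
    d: Dict[int, int] = {}
    for i in designated:                                          # S360/S370
        d[i] = b[i] + score_under(events[i], second, counter)     # D_j = GB_j + C_j
    ranked = sorted(d, key=d.get, reverse=True)[:mn]              # S105/S106: first MN
    return [(i, d[i]) for i in ranked], counter[0]


def evaluation_counts(m: int, n_first: int, n_second: int, gnum: int) -> Tuple[int, int, int]:
    """(all-index calculations, two-phase calculations, saving) for the worked figures."""
    full = m * (n_first + n_second)
    two_phase = m * n_first + gnum * n_second
    return full, two_phase, full - two_phase


if __name__ == "__main__":
    print(evaluation_counts(10000, 8, 13, 6000))
    print(two_phase_scores(SAMPLE_EVENTS, INDEXES, 50, 2))
```

With MN = 2 the five sample events cost 26 evaluations instead of the 30 a full pass would; with MN = 4 there are only three key scores, so S350 falls through to the B' branch, takes GNUM + 2(MN − GNUM) = 5 designated scores and the saving disappears, which is the case the alternative embodiment below addresses.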
In another alternative embodiment, in steps S310–S370, when GNUM < MN the event information of all threat events may be analyzed using the second-class dimension indexes of the event analysis model.
In an optional implementation, the threat event analysis method provided by the embodiment of the application may further include: splitting the MN pieces of information to be processed into NUM_2 event information subsets; and, for each security analyst, extracting one not-yet-extracted piece of event information from each of the NUM_2 event information subsets and adding the NUM_2 extracted pieces of event information to the to-be-processed list corresponding to that security analyst. The number of pieces of event information in each event information subset is equal, and each to-be-processed list is initially empty.
In one example, the number of security analysts NUM_1 is 50 and the number NUM_2 of pieces of event information that each security analyst can process within one working day (the target working duration) is 100, so the total number of pieces of event information that the 50 security analysts can process in the working day is MN = 5000 and 5000 pieces of information to be processed are finally screened out. After the 5000 pieces are sorted in descending order of target event score they are divided evenly into 100 event information subsets: the 1st to 50th pieces form the 1st subset, the 51st to 100th pieces form the 2nd subset, and so on, every 50 consecutive pieces forming one subset.
When work is assigned to the 1st security analyst, one piece of information to be processed is extracted from each of the 100 event information subsets and the 100 extracted pieces are added to the to-be-processed list of the 1st security analyst, that is, assigned to the 1st security analyst. When work is assigned to the 2nd security analyst, one not-yet-extracted piece of information to be processed (one not assigned to the 1st security analyst) is extracted from each of the 100 subsets and the 100 newly extracted pieces are added to the to-be-processed list of the 2nd security analyst, that is, assigned to the 2nd security analyst; assignment for the subsequent security analysts proceeds in the same way.
Because the 100 event information subsets are cut from the list sorted in descending order of target event score, each subset covers a narrow band of target event scores, and each security analyst receives one piece of event information from every band: event information with large, medium and small target event scores alike. The processing difficulty of the different security analysts is therefore relatively even, which reduces the imbalance in overall processing efficiency that arises when individual analysts receive too difficult or too easy a workload.
In an alternative embodiment, for the to-be-processed list of each security analyst, extracting one not-yet-extracted piece of event information from each of the NUM_2 event information subsets and adding the NUM_2 extracted pieces of event information to the to-be-processed list may include: acquiring the processing efficiency data of each security analyst; sorting the NUM_1 to-be-processed lists corresponding to the NUM_1 security analysts (one per analyst) in descending order of processing efficiency data; and traversing the sorted NUM_1 to-be-processed lists, for the list currently being traversed extracting from each of the NUM_2 event information subsets the not-yet-extracted piece of event information with the largest target event score and adding the extracted pieces to that list, so as to obtain each to-be-processed list.
The processing efficiency data characterizes the processing efficiency of a security analyst: the larger its value, the higher the analyst's processing efficiency and the more difficult the work that analyst can take on. On this basis, the event information with the larger target event scores in each event information subset is assigned to the security analysts with high processing efficiency.
Taking 50 security analysts and 100 event information subsets as an example, the piece of information to be processed with the largest target event score in each subset is extracted and assigned to the security analyst with the largest processing efficiency data, the piece with the second-largest target event score in each subset to the analyst with the second-largest processing efficiency data, and so on, until the piece with the smallest target event score in each subset is assigned to the analyst with the smallest processing efficiency data. Thus, while the processing difficulty of the security analysts is kept relatively balanced, their differing processing efficiency is also taken into account: analysts of different processing efficiency are assigned information of different difficulty, and the overall processing efficiency can be improved.
The processing efficiency data of a security analyst can be calculated from indicators of the analyst's historically processed events. For example, a first processing efficiency value in the time dimension and a second processing efficiency value in the accuracy dimension can be calculated, weights can be assigned to the two values according to actual requirements, and the weighted result used as the analyst's processing efficiency data. The first processing efficiency value can be the number of pieces of event information the security analyst processes per unit time; the second processing efficiency value can be the number of pieces of event information successfully processed per unit time divided by the number actually processed per unit time.
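The subset split, the round-robin extraction and the efficiency-ordered variant described above, as an added Python example that is not the patent's own code. MN = 12, NUM_1 = 3 and NUM_2 = 4, the sorted sample scores, the analysts' historical indicators and the equal weights given to the two processing efficiency values are constructed assumptions.

```python
# Added example (not the patent's own code): dividing the MN sorted pieces
# of information to be processed into NUM_2 subsets and filling each
# analyst's to-be-processed list, with and without the processing-efficiency
# ordering. The sample scores, analyst histories and the weights given to
# the two efficiency values are constructed assumptions.
from typing import Dict, List, Sequence, Tuple

Item = Tuple[str, int]   # (event identifier, target event score)

# Constructed: MN = 12 pieces already sorted by target event score, descending.
SAMPLE_ITEMS: List[Item] = [
    ("e1", 96), ("e2", 90), ("e3", 85), ("e4", 80), ("e5", 75), ("e6", 70),
    ("e7", 66), ("e8", 60), ("e9", 55), ("e10", 50), ("e11", 45), ("e12", 40),
]

# Constructed historical indicators per analyst (NUM_1 = 3).
SAMPLE_HISTORY: Dict[str, dict] = {
    "alice": {"processed": 40, "successful": 36, "hours": 8},
    "bob":   {"processed": 32, "successful": 32, "hours": 8},
    "carol": {"processed": 48, "successful": 36, "hours": 8},
}


def split_into_subsets(sorted_items: Sequence[Item], num_2: int) -> List[List[Item]]:
    """Cut the descending-sorted list into NUM_2 consecutive subsets of equal
    size MN / NUM_2 (= NUM_1); subset k holds the k-th band of scores."""
    mn = len(sorted_items)
    if num_2 <= 0 or mn % num_2 != 0:
        raise ValueError("MN must be a positive multiple of NUM_2")
    size = mn // num_2
    return [list(sorted_items[k * size:(k + 1) * size]) for k in range(num_2)]


def processing_efficiency(history: dict, w_time: float = 0.5, w_accuracy: float = 0.5) -> float:
    """First value: pieces processed per unit time; second value: successfully
    processed / actually processed. The weights are assumed, not from the patent."""
    first = history["processed"] / history["hours"]
    second = history["successful"] / history["processed"]
    return w_time * first + w_accuracy * second


def assign(subsets: List[List[Item]], analysts_in_order: Sequence[str]) -> Dict[str, List[Item]]:
    """Each analyst, in the given order, takes the not-yet-extracted item with
    the largest target event score from every subset (one item per subset)."""
    if any(len(s) != len(analysts_in_order) for s in subsets):
        raise ValueError("each subset must hold exactly NUM_1 items")
    remaining = [sorted(s, key=lambda it: it[1], reverse=True) for s in subsets]
    lists: Dict[str, List[Item]] = {a: [] for a in analysts_in_order}
    for analyst in analysts_in_order:
        for subset in remaining:
            lists[analyst].append(subset.pop(0))
    return lists


def assign_by_efficiency(subsets: List[List[Item]], history: Dict[str, dict]) -> Dict[str, List[Item]]:
    """Order the analysts by descending processing efficiency data, then assign,
    so the most efficient analyst gets the largest score in every subset."""
    efficiency = {name: processing_efficiency(h) for name, h in history.items()}
    order = sorted(efficiency, key=efficiency.get, reverse=True)
    return assign(subsets, order)


def workload_scores(lists: Dict[str, List[Item]]) -> Dict[str, int]:
    """Sum of target event scores per analyst, to inspect how balanced the split is."""
    return {a: sum(score for _, score in items) for a, items in lists.items()}


if __name__ == "__main__":
    subsets = split_into_subsets(SAMPLE_ITEMS, 4)
    lists = assign_by_efficiency(subsets, SAMPLE_HISTORY)
    totals = workload_scores(lists)
    for analyst, items in lists.items():
        print(analyst, [eid for eid, _ in items], totals[analyst])
```

Because every analyst draws exactly one item from each score band, the per-analyst totals differ only by the within-band spread (292, 270 and 250 for the sample), while the efficiency ordering decides who gets the top of each band.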
Although the steps of the methods of the present application are illustrated in the accompanying drawings in a particular order, this does not require or imply that the steps must be performed in the particular order or that all of the illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
Based on the same technical concept, the embodiment of the application also provides an electronic device, which comprises a memory and a processor. The memory stores program code that is loaded and executed by the processor to implement any of the threat event analysis methods provided by the embodiments of the application. There may be one or more memories and one or more processors.
The memory may include at least one of a nonvolatile memory and a volatile memory. The non-volatile memory may include at least one of: Read-Only Memory (ROM), Programmable ROM (PROM), Erasable Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), flash memory, and the like. Volatile memory can include Random Access Memory (RAM), which acts as an external cache; by way of example and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Direct Rambus RAM (DR RAM), etc.
The memory may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. The memory may also be referred to as a storage medium or storage device, as embodiments of the application are not limited in this regard.
The processor may be a central processing unit (Central Processing Unit, CPU), other general purpose processor, digital signal processor (Digital Signal Processing, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. A general purpose processor may be a microprocessor or any conventional processor or the like. It is noted that the processor may be a processor supporting an advanced reduced instruction set machine (Advanced RISC Machines, ARM) architecture.
Alternatively, if the memory and the processor are implemented independently, the memory and the processor may be connected to each other and communicate with each other through a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, among others. The bus may be one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor bus, or a local bus using any of a variety of bus architectures.
Alternatively, in a specific implementation, if the memory and the processor are integrated on a chip, the memory and the processor may communicate with each other through an internal interface.
The electronic device may communicate with one or more external devices (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be via an Input/Output (I/O) interface. The electronic device may also communicate with one or more networks, such as a Local Area Network (LAN), a Wide Area Network (WAN), or a public network (e.g., the Internet), through a network adapter that communicates with the other modules of the electronic device through a bus. It should be appreciated that other hardware and/or software modules may be used in connection with the electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, Redundant Array of Independent Disks (RAID) systems, tape drives, data backup storage systems, and the like.
The electronic device described in this embodiment of the application is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of the present application.
Based on the same technical concept, the embodiment of the present application also provides a computer readable storage medium storing program code, which when executed by a processor, implements any one of the threat event analysis methods provided by the embodiment of the present application.
In an exemplary embodiment of the present application, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the application may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the application as described in the "exemplary methods" section of this specification, when the program code is run on the terminal device.
The program product described above may take the form of any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium.
The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM or flash memory), an optical fiber, a Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the preceding.
The readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present application.
Those skilled in the art will appreciate that the various aspects of the application may be implemented as a system, method, or program product. Accordingly, aspects of the application may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit", "module" or "system".
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present application should be included in the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (8)

1. A method of analyzing a threat event, comprising:
constructing an event analysis model based on a plurality of analysis dimensions; the plurality of analysis dimensions include a hazard dimension, a persistence dimension, an activity dimension, an asset dimension, a detection basis dimension, and a behavioral anomaly dimension;
acquiring n network alarm logs detected by a plurality of detection engines;
according to a preset aggregation strategy, carrying out aggregation processing on the n network alarm logs to form event information of m threat events;
the event analysis model obtains event information of each threat event, analyzes the currently obtained event information based on at least part of analysis dimensions in the plurality of analysis dimensions to obtain sub-analysis results of the currently obtained event information in each analysis dimension in the at least part of analysis dimensions, and obtains target analysis results of the currently obtained event information in the at least part of analysis dimensions based on the sub-analysis results; the sub-analysis results comprise sub-event scores and sub-event labels, the sub-event scores and the sub-event labels are used together for marking the security business attributes of the currently acquired event information under the corresponding analysis dimension, the target analysis results comprise target event scores and target event labels, and the target event scores and the target event labels are used together for marking the security business attributes of the currently acquired event information under the at least partial analysis dimension;
Sequencing at least part of the event information of the m threat events according to the sequence from the big to the small of the target event scores;
outputting a specified number of event information in the front in the sequence and a target analysis result corresponding to the specified number of event information;
analyzing the currently acquired event information based on at least part of the analysis dimensions to obtain sub-analysis results of the currently acquired event information in each of the at least part of the analysis dimensions, including:
S201, matching, according to the attack type in the currently acquired event information, the threat event information list in a database having the same attack type as the target threat event information list, and determining the event identifier corresponding to the currently acquired event information as the target identifier; the database stores a plurality of threat event information lists, each threat event information list comprises the event information of a plurality of threat events of the same attack type, the event information of each threat event in a threat event information list comprises the corresponding event identifier and event occurrence time, and the event information in each threat event information list is arranged in order of event occurrence time;
S202, setting a quantity flag parameter N = 1;
S203, acquiring the information quantity X; X is the current number of pieces of event information in the target threat event information list;
S204, acquiring the event information of the X-th threat event in the target threat event information list as candidate event information;
S205, if the event identifier corresponding to the candidate event information is the same as the target identifier, executing step S206, otherwise executing step S210;
S206, if N is equal to the target number, executing step S207, otherwise executing step S209; the target number is equal to a preset attack frequency threshold;
S207, acquiring the event occurrence time T_1 corresponding to the candidate event information;
S208, if T_2 − T_1 < ΔT, executing step S211, otherwise ending the current flow; where T_2 is the current time and ΔT is a preset time period threshold;
S209, setting N = N + 1 and executing step S210;
S210, setting X = X − 1 and executing step S204;
S211, determining a target dimension index from a plurality of dimension indexes in the hazard dimension according to the attack type in the currently acquired event information;
S212, determining the sub-analysis result corresponding to the target dimension index as the sub-analysis result of the currently acquired event information under the hazard dimension.
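Steps S201–S212 of claim 1 as an added Python example that is not the patent's own code: the same-attack-type list is walked from its newest entry backwards, occurrences of the target event identifier are counted, and when the count reaches the attack-frequency threshold the time of that occurrence is tested against ΔT. The database lists, the attack types, the hazard-dimension index table and the thresholds are constructed assumptions; the claim does not say what happens when the list is exhausted before N reaches the target number, and treating that as "no match" is an assumption of this example.

```python
# Added example (not the patent's own code): steps S201-S212 of claim 1,
# the hazard-dimension check that walks the same-attack-type list from the
# newest entry backwards, counts occurrences of the target event identifier
# and, when the count reaches the attack-frequency threshold, tests whether
# that occurrence lies within the time-period threshold of the current time.
# The database contents, attack types and the hazard-index table are
# constructed assumptions; Table 1 of the patent is not reproduced here.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ThreatEvent:
    event_id: str       # unique event identifier (claim 2)
    attack_type: str
    occurred_at: int    # event occurrence time, seconds


# Constructed database: one threat event information list per attack type,
# each list arranged in order of event occurrence time.
DATABASE: Dict[str, List[ThreatEvent]] = {
    "APT": [
        ThreatEvent("ev-7", "APT", 1000),
        ThreatEvent("ev-3", "APT", 2000),
        ThreatEvent("ev-7", "APT", 2500),
        ThreatEvent("ev-7", "APT", 3900),
        ThreatEvent("ev-3", "APT", 4000),
    ],
    "phishing": [ThreatEvent("ev-9", "phishing", 500)],
}

# Constructed hazard-dimension index table: attack type -> (index name, sub-event score).
HAZARD_INDEXES: Dict[str, Tuple[str, int]] = {
    "APT": ("related to nationwide network security", 80),
    "phishing": ("general threat", 20),
}


def repeated_within_window(target_list: List[ThreatEvent], target_id: str,
                           target_number: int, delta_t: int, now: int) -> bool:
    """S202-S210. N starts at 1; each match of the identifier either triggers
    the time check (N == target number) or increments N. Exhausting the list
    before N reaches the target number ends the flow without a match (the
    claim leaves this case implicit; treating it as 'no match' is an assumption)."""
    n = 1                                    # S202
    x = len(target_list)                     # S203
    while x >= 1:
        candidate = target_list[x - 1]       # S204: X-th entry, 1-based
        if candidate.event_id == target_id:  # S205
            if n == target_number:           # S206
                t1 = candidate.occurred_at   # S207
                return now - t1 < delta_t    # S208: T_2 - T_1 < delta T
            n += 1                           # S209
        x -= 1                               # S210
    return False


def hazard_sub_analysis(event: ThreatEvent, database: Dict[str, List[ThreatEvent]],
                        target_number: int, delta_t: int, now: int) -> Optional[Tuple[str, int]]:
    """S201, then S211-S212: pick the list for the event's attack type, run the
    frequency check, and map the attack type onto its hazard-dimension index.
    Returns (index name, sub-event score), or None when the flow ends early."""
    target_list = database.get(event.attack_type, [])                  # S201
    if not repeated_within_window(target_list, event.event_id, target_number, delta_t, now):
        return None
    return HAZARD_INDEXES.get(event.attack_type)                       # S211-S212


if __name__ == "__main__":
    now = 4100
    current = ThreatEvent("ev-7", "APT", now)
    print(hazard_sub_analysis(current, DATABASE, target_number=3, delta_t=3000, now=now))
    print(hazard_sub_analysis(current, DATABASE, target_number=3, delta_t=5000, now=now))
```

With the constructed list, ev-7 has occurred three times; the third-most-recent occurrence is at 1000, so with ΔT = 3000 the check fails at now = 4100 and the flow ends, while ΔT = 5000 (or a target number of 2) lets it through to S211.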
2. The method of claim 1, wherein each threat event has a unique event identification.
3. The method of claim 1 or 2, wherein analyzing the currently acquired event information based on at least some of the plurality of analysis dimensions results in sub-analysis results of the currently acquired event information in each of the at least some analysis dimensions, further comprising:
determining the duration, average propagation degree and duration of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the persistence dimension according to the duration, the average propagation degree and the duration;
determining the activity of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the activity dimension according to the activity;
determining the key asset coverage of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the asset dimension according to the key asset coverage;
obtaining a sub-analysis result of the currently acquired event information under the dimension of the detection basis according to the detection basis in the currently acquired event information;
Determining the occurrence time anomaly degree and the occurrence position anomaly degree of the currently acquired event information, and obtaining a sub-analysis result of the currently acquired event information under the abnormal behavior dimension according to the occurrence time, the occurrence time anomaly degree, the occurrence geographic position and the occurrence position anomaly degree of the currently acquired event information.
4. The method of claim 1 or 2, wherein analyzing the currently acquired event information based on at least some of the plurality of analysis dimensions to obtain sub-analysis results of the currently acquired event information in each of the at least some analysis dimensions, and obtaining target analysis results of the currently acquired event information in the at least some analysis dimensions based on the sub-analysis results, comprises:
S310, acquiring the total number MN = NUM_1 × NUM_2 of event information that can be processed in the target working duration; wherein NUM_1 is the number of current security analysts, and NUM_2 is the number of event information that each security analyst can process within the target working duration;
S320, acquiring an event information set A = (A_1, A_2, ..., A_i, ..., A_m) formed by the event information of the m threat events; wherein i = 1, 2, ..., m, and A_i is the event information of the i-th threat event among the event information of the m threat events;
S330, analyzing each event information in A based on a plurality of first-type dimension indexes to obtain the sub-event score of each event information in A under each first-type dimension index, and obtaining a first event score list B = (B_1, B_2, ..., B_i, ..., B_m) based on the sub-event scores; wherein B_i is the first event score corresponding to A_i; the first-type dimension indexes are, among all the dimension indexes contained in the plurality of analysis dimensions, those dimension indexes whose associated sub-event scores are larger than a preset score threshold and those dimension indexes that do not depend on statistical data;
S340, determining each first event score in B that is larger than the preset score threshold as a key event score;
S350, if the number GNUM of the determined key event scores is greater than or equal to MN, determining each key event score as a designated event score and proceeding to step S360; otherwise, arranging the first event scores in B in order from large to small to obtain an arranged score list B', determining the first GNUM + 2(MN - GNUM) first event scores in B' as designated event scores, and proceeding to step S360;
S360, analyzing the event information corresponding to each designated event score based on a plurality of second-type dimension indexes to obtain the sub-event score of that event information under each second-type dimension index, so as to obtain a second event score list C = (C_1, C_2, ..., C_j, ..., C_ZNUM); wherein j = 1, 2, ..., ZNUM; ZNUM is the number of designated event scores; C_j is the second event score of the event information corresponding to the j-th designated event score; the second-type dimension indexes are the dimension indexes other than the first-type dimension indexes among all the dimension indexes contained in the plurality of analysis dimensions;
S370, determining a target event score list D = (D_1, D_2, ..., D_j, ..., D_ZNUM); wherein D_j is the target event score, under the at least some analysis dimensions, of the event information corresponding to the j-th designated event score; D_j = GB_j + C_j; and GB_j is the designated event score corresponding to C_j;
the sorting of at least some of the event information of the m threat events in order of the target event score from large to small comprises:
sorting the event information corresponding to the ZNUM target event scores in D in order of the target event score from large to small;
the outputting of the first designated number of event information in the sequence and the target analysis results corresponding to the designated number of event information comprises:
selecting the first MN event information from the sorted ZNUM event information as the MN information to be processed, and outputting the MN information to be processed and the target analysis results corresponding to the MN information to be processed.
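Worked example of the two-stage triage of claim 4 (steps S310 to S370), added here and not part of the patent: the per-dimension sub-event scores, the analyst counts NUM_1 and NUM_2 and the score threshold are constructed inputs, since the page does not state the scoring formulas themselves.

```python
"""Two-stage triage of threat events per claim 4 (S310-S370).
Added example, not the patent's code; sub-event scores are constructed."""
from typing import Dict, List, Tuple

# Constructed event set A: for each event, its sub-event scores under the
# first-type dimension indexes (cheap, independent of statistical data) and
# under the second-type indexes (the remaining, costlier ones).
EVENTS: Dict[str, Dict[str, List[int]]] = {
    "A1": {"first": [2, 1], "second": [4]},
    "A2": {"first": [5, 4], "second": [1]},
    "A3": {"first": [4, 3], "second": [6]},
    "A4": {"first": [1, 1], "second": [9]},
    "A5": {"first": [6, 2], "second": [0]},
    "A6": {"first": [3, 3], "second": [5]},
    "A7": {"first": [1, 0], "second": [9]},
    "A8": {"first": [2, 2], "second": [8]},
}


def first_scores(events: Dict[str, Dict[str, List[int]]]) -> Dict[str, int]:
    """S330: B_i is the sum of A_i's sub-event scores under first-type indexes."""
    return {name: sum(ev["first"]) for name, ev in events.items()}


def select_designated(B: Dict[str, int], mn: int, threshold: int) -> List[str]:
    """S340/S350: scores above the threshold are key event scores; when fewer
    than MN exist, take the first GNUM + 2(MN - GNUM) entries of B' (B sorted
    from large to small) so the second stage has room to re-rank."""
    key = [name for name, score in B.items() if score > threshold]
    gnum = len(key)
    if gnum >= mn:
        return key
    b_sorted = sorted(B, key=B.get, reverse=True)  # B'
    return b_sorted[: gnum + 2 * (mn - gnum)]


def triage(events, num1: int, num2: int, threshold: int) -> List[Tuple[str, int]]:
    """Run S310-S370 and return the first MN events with their D_j scores."""
    mn = num1 * num2                                   # S310: MN = NUM_1 * NUM_2
    B = first_scores(events)                           # S330
    designated = select_designated(B, mn, threshold)   # S340/S350
    # S360/S370: second-type scoring only for designated events; D_j = GB_j + C_j
    D = {name: B[name] + sum(events[name]["second"]) for name in designated}
    ranked = sorted(D.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:mn]                                 # output the first MN


if __name__ == "__main__":
    for name, score in triage(EVENTS, num1=2, num2=2, threshold=7):
        print(name, score)
```

With these constructed inputs A4 and A7 never reach the second stage despite their high second-type scores, which is the trade-off the first-stage filter makes to keep the expensive scoring bounded by the analysts' capacity.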
5. The method of claim 4, further comprising:
splitting the MN pieces of information to be processed into NUM_2 event information subsets; the number of event information in each event information subset is equal;
for each security analyst, extracting one piece of not-yet-extracted event information from each of the NUM_2 event information subsets, and adding the extracted MN pieces of event information into the to-be-processed list corresponding to that security analyst.
6. The method of claim 5, wherein, for each security analyst, extracting one piece of not-yet-extracted event information from each of the NUM_2 event information subsets and adding the extracted MN pieces of event information into the to-be-processed list corresponding to that security analyst comprises:
acquiring processing efficiency data of each security analyst; the processing efficiency data represents the event processing efficiency of the security analyst;
sorting the NUM_1 to-be-processed lists corresponding to the NUM_1 security analysts in order of the processing efficiency data from high to low; each initial to-be-processed list is empty;
traversing the sorted NUM_1 to-be-processed lists, and for the currently traversed to-be-processed list, extracting from each of the NUM_2 event information subsets one piece of event information that has not been extracted and has the largest target event score, and adding the extracted event information into that to-be-processed list, thereby obtaining each to-be-processed list.
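Worked example of the distribution in claims 5 and 6, added here and not part of the patent: the triaged scores and the analyst efficiency figures are constructed, and splitting the MN events into NUM_2 equal subsets is done round-robin, which is an assumption since the page only requires the subsets to be of equal size.

```python
"""Distribution of the MN triaged events to security analysts (claims 5, 6).
Added example, not the patent's code; inputs below are constructed."""
from typing import Dict, List, Tuple

# Constructed output of the triage step: (event id, target event score D_j),
# already sorted from large to small; MN = 6 entries.
TRIAGED: List[Tuple[str, int]] = [
    ("E1", 13), ("E2", 12), ("E3", 11), ("E4", 10), ("E5", 8), ("E6", 7)]

# Constructed processing-efficiency data per analyst (higher = faster).
EFFICIENCY: Dict[str, float] = {"carol": 0.7, "alice": 0.9, "bob": 0.5}


def split_subsets(triaged: List[Tuple[str, int]], num2: int) -> List[List[Tuple[str, int]]]:
    """Claim 5: split the MN pieces into NUM_2 subsets of equal size.
    Round-robin split is an assumption; MN must be divisible by NUM_2."""
    if len(triaged) % num2:
        raise ValueError("MN must be a multiple of NUM_2 for equal subsets")
    return [triaged[k::num2] for k in range(num2)]


def distribute(triaged: List[Tuple[str, int]], efficiency: Dict[str, float],
               num2: int) -> Dict[str, List[str]]:
    """Claim 6: analysts ordered by efficiency (high to low) take turns; each
    takes, from every subset, the not-yet-extracted event with the largest
    target event score, so the fastest analyst gets the top-scored events."""
    subsets = split_subsets(triaged, num2)
    taken = set()
    lists: Dict[str, List[str]] = {}
    for analyst in sorted(efficiency, key=efficiency.get, reverse=True):
        lists[analyst] = []          # initial to-be-processed list is empty
        for subset in subsets:
            remaining = [ev for ev in subset if ev[0] not in taken]
            if not remaining:
                continue             # subset exhausted (more analysts than MN/NUM_2)
            best = max(remaining, key=lambda ev: ev[1])
            taken.add(best[0])
            lists[analyst].append(best[0])
    return lists


if __name__ == "__main__":
    for analyst, events in distribute(TRIAGED, EFFICIENCY, num2=2).items():
        print(analyst, events)
```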
7. An electronic device, comprising: a memory and a processor, the memory having stored therein program code that is loaded and executed by the processor to implement the method of any of claims 1-6.
8. A computer readable storage medium having stored thereon program code which, when executed by a processor, implements the method according to any of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311184589.0A CN116938600B (en) 2023-09-14 2023-09-14 Threat event analysis method, electronic device and storage medium

Publications (2)

Publication Number Publication Date
CN116938600A CN116938600A (en) 2023-10-24
CN116938600B true CN116938600B (en) 2023-11-24

Family

ID=88386345

Country Status (1)

Country Link
CN (1) CN116938600B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant