CN117614643A - Threat information analysis method, threat information analysis system, computer equipment and storage medium


Info

Publication number
CN117614643A
Authority
CN
China
Prior art keywords
threat information
threat
weight
analyzed
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311368200.8A
Other languages
Chinese (zh)
Inventor
王文辉
韩啸
葛广凯
韩龙玺
赵奇
钱珂翔
杨征浩
张道娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Smart Grid Research Institute Co ltd
Original Assignee
State Grid Smart Grid Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Smart Grid Research Institute Co ltd
Priority to CN202311368200.8A
Publication of CN117614643A
Legal status: Pending


Abstract

The invention relates to the technical field of network security and discloses a threat intelligence analysis method, a threat intelligence analysis system, computer equipment and a storage medium. The method comprises the following steps: acquiring threat intelligence data updated in real time and log data to be analyzed; calculating the multidimensional weight of the threat intelligence occurrence probability from the threat intelligence data updated in real time; calculating a weight change value from that multidimensional weight, again using the threat intelligence data updated in real time; summing the multidimensional weight and the weight change value to obtain the total weight of the threat intelligence occurrence probability; and judging, from the total weight and the multidimensional weight to be analyzed, whether the log data to be analyzed is threat intelligence, where the multidimensional weight to be analyzed is the multidimensional weight corresponding to the log data to be analyzed. The invention can predict the occurrence probability of known threat intelligence in the current environment, reduces false alarms and missed alarms on the threat intelligence platform, and thereby improves the security of the threat intelligence platform.

Description

Threat information analysis method, threat information analysis system, computer equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a threat information analysis method, a threat information analysis system, computer equipment and a storage medium.
Background
The rapid development of new technologies such as cloud computing, big data, the Internet of Things and the mobile Internet poses great challenges to the business architecture and network environment security of enterprises. Attackers' tools and methods are complex, constantly changing and hard to detect, and whether traditional protection and detection means such as antivirus software, firewalls and WAFs (Web Application Firewalls, website application-level intrusion prevention systems) can still effectively detect new threat intelligence has become a key concern of the security industry. Existing threat intelligence analysis methods based on machine learning and intelligent algorithms cannot update the existing model or algorithm in real time with new threat intelligence data, so false alarms and missed alarms are unavoidable. The prior art therefore suffers from low threat intelligence analysis accuracy.
Disclosure of Invention
In view of the above, the present invention provides a threat intelligence analysis method, system, computer device and storage medium to solve the problem of low threat intelligence analysis accuracy.
In a first aspect, the present invention provides a threat intelligence analysis method, including: acquiring threat intelligence data updated in real time and log data to be analyzed; calculating the multidimensional weight of the threat intelligence occurrence probability from the threat intelligence data updated in real time; calculating a weight change value from that multidimensional weight using the threat intelligence data updated in real time; summing the multidimensional weight and the weight change value to obtain the total weight of the threat intelligence occurrence probability; and judging, from the total weight and the multidimensional weight to be analyzed, whether the log data to be analyzed is threat intelligence, where the multidimensional weight to be analyzed is the multidimensional weight corresponding to the log data to be analyzed.
In the embodiment of the invention, the multidimensional weight of the threat intelligence occurrence probability is calculated from the threat intelligence data updated in real time; that is, the occurrence probability of known threat intelligence is analyzed and calculated comprehensively from multiple dimensions. A weight change value is then calculated from the multidimensional weight, so that the effect on the occurrence probability of a change in the multidimensional factors is captured, and whether the log data is threat intelligence is decided from the total weight. This realizes situation awareness of threat intelligence, that is, prediction of the occurrence probability of known threat intelligence in the current environment. Because the analysis is based on threat intelligence data updated in real time, the total occurrence probability is refreshed in a timely manner, false alarms and missed alarms are reduced, the analysis accuracy of threat intelligence is improved, and the problem of low threat intelligence analysis accuracy in the related art is solved.
In an alternative embodiment, the method further comprises: if the log data to be analyzed is threat intelligence, performing text processing on the log data to be analyzed; and displaying the text-processed log data to be analyzed together with the multidimensional weight to be analyzed in the form of a knowledge graph.
In the embodiment of the invention, the analysis result is displayed in the form of a knowledge graph, which improves the understandability of the analysis result.
In an alternative embodiment, calculating the multidimensional weight of the threat intelligence occurrence probability from the threat intelligence data updated in real time includes: calculating influence parameters of multiple dimensions from the threat intelligence data updated in real time; and calculating the multidimensional weight of the threat intelligence occurrence probability from the influence parameters of the multiple dimensions.
In the embodiment of the invention, the multidimensional weight of the threat intelligence occurrence probability is calculated from several dimensions, which improves the calculation accuracy of the occurrence probability and thereby the accuracy of threat intelligence situation awareness.
In an alternative embodiment, each dimension contains multiple layers, the threat intelligence data updated in real time includes the intelligence generation time and the current time, and calculating the influence parameters of the multiple dimensions from the threat intelligence data updated in real time includes: randomly selecting a preset number of threat intelligence records from the threat intelligence data updated in real time; calculating, from the selected records, the weight corresponding to each layer of a dimension; determining the time parameter corresponding to each layer of the dimension from the intelligence generation time and the current time in the selected records; and calculating the influence parameter of the dimension from the product of the layer weights and the corresponding layer time parameters, thereby obtaining the influence parameters of the multiple dimensions.
In the embodiment of the invention, each dimension is further divided into several layers, and both the timeliness of the threat intelligence and the layers are taken into account when the influence parameter of a dimension is calculated, which improves the reliability and accuracy of the influence parameter and hence of the multidimensional weight.
In an alternative embodiment, calculating the weight change value from the multidimensional weight of the threat intelligence occurrence probability using the threat intelligence data updated in real time includes: randomly selecting a preset number of threat intelligence records again from the threat intelligence data updated in real time; calculating the influence parameters of the multiple dimensions corresponding to the newly selected records; and calculating the weight change value from the multidimensional weight of the threat intelligence occurrence probability and the influence parameters of the multiple dimensions corresponding to the newly selected records, using the base of the natural logarithm (e) and a logistic function.
In the embodiment of the invention, a preset number of threat intelligence records is randomly re-selected from the threat intelligence data updated in real time and used to calculate the influence parameters of the multiple dimensions; these influence parameters and the multidimensional weight jointly determine the weight change value, which captures the effect on the threat intelligence occurrence probability of a change in the multidimensional factors, and using the weight change value to calculate the total weight improves the accuracy of threat intelligence situation awareness.
In an alternative embodiment, the method further comprises: repeating, several times, the steps of randomly re-selecting the preset number of threat intelligence records and calculating the influence parameters of the multiple dimensions corresponding to the re-selected records, and iteratively updating the weight change value.
In the embodiment of the invention, the weight change value can be iteratively updated several times according to the specific situation, so that the total weight is refreshed in time from new threat intelligence data and the reliability and accuracy of the total weight calculation are improved.
In an alternative embodiment, judging whether the log data to be analyzed is threat intelligence from the total weight and the multidimensional weight to be analyzed, where the multidimensional weight to be analyzed is the multidimensional weight corresponding to the log data to be analyzed, includes: when the multidimensional weight to be analyzed is greater than the total weight, judging that the log data to be analyzed is threat intelligence; and when the multidimensional weight to be analyzed is less than or equal to the total weight, judging that the log data to be analyzed is not threat intelligence.
In the embodiment of the invention, threat intelligence is perceived by comparing the multidimensional weight to be analyzed with the total weight, which realizes monitoring and early warning of network security.
In a second aspect, the present invention provides a threat intelligence analysis system comprising: an acquisition module for acquiring threat intelligence data updated in real time and log data to be analyzed; a multidimensional weight calculation module for calculating the multidimensional weight of the threat intelligence occurrence probability from the threat intelligence data updated in real time; a weight change value calculation module for calculating a weight change value from the multidimensional weight using the threat intelligence data updated in real time; a total weight calculation module for summing the multidimensional weight and the weight change value to obtain the total weight of the threat intelligence occurrence probability; and a threat intelligence prediction module for judging, from the total weight and the multidimensional weight to be analyzed, whether the log data to be analyzed is threat intelligence, where the multidimensional weight to be analyzed is the multidimensional weight corresponding to the log data to be analyzed.
In an alternative embodiment, the system further comprises: a text processing module for performing text processing on the log data to be analyzed if it is threat intelligence; and a knowledge graph construction module for displaying the text-processed log data to be analyzed together with the multidimensional weight to be analyzed in the form of a knowledge graph.
In an alternative embodiment, the multidimensional weight calculation module includes: an influence parameter calculation unit for calculating the influence parameters of multiple dimensions from the threat intelligence data updated in real time; and a multidimensional weight calculation unit for calculating the multidimensional weight of the threat intelligence occurrence probability from the influence parameters of the multiple dimensions.
In an alternative embodiment, each dimension contains multiple layers, the threat intelligence data updated in real time includes the intelligence generation time and the current time, and the influence parameter calculation unit includes: an intelligence selection subunit for randomly selecting a preset number of threat intelligence records from the threat intelligence data updated in real time; a weight calculation subunit for calculating the weight corresponding to each layer of a dimension from the selected records; a time parameter determination subunit for determining the time parameter corresponding to each layer of the dimension from the intelligence generation time and the current time in the selected records; and a multidimensional parameter calculation subunit for calculating the influence parameter of the dimension from the product of the layer weights and the corresponding layer time parameters, thereby obtaining the influence parameters of the multiple dimensions.
In an alternative embodiment, the weight change value calculation module includes: an intelligence selection unit for randomly selecting a preset number of threat intelligence records again from the threat intelligence data updated in real time; a parameter calculation unit for calculating the influence parameters of the multiple dimensions corresponding to the newly selected records; and a weight change value calculation unit for calculating the weight change value from the multidimensional weight of the threat intelligence occurrence probability and the influence parameters of the multiple dimensions corresponding to the newly selected records, using the base of the natural logarithm (e) and a logistic function.
In an alternative embodiment, the system further comprises: an iteration module for repeatedly executing the steps of randomly re-selecting the preset number of threat intelligence records and calculating the influence parameters of the multiple dimensions corresponding to the re-selected records, and iteratively updating the weight change value.
In an alternative embodiment, the threat intelligence prediction module comprises: a first judging unit for judging that the log data to be analyzed is threat intelligence when the multidimensional weight to be analyzed is greater than the total weight; and a second judging unit for judging that the log data to be analyzed is not threat intelligence when the multidimensional weight to be analyzed is less than or equal to the total weight.
In a third aspect, the present invention provides a computer device comprising a memory and a processor in communication with each other, where the memory stores computer instructions and the processor executes them so as to perform the threat intelligence analysis method of the first aspect or any of its corresponding embodiments.
In a fourth aspect, the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to perform the threat intelligence analysis method of the first aspect or any of its corresponding embodiments.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a threat intelligence analysis method in accordance with an embodiment of the invention;
FIG. 2 is a flow chart of another threat intelligence analysis method in accordance with an embodiment of the invention;
FIG. 3 is a schematic overall framework of a threat intelligence analysis method in accordance with an embodiment of the invention;
FIG. 4 is a feature weight table generation schematic diagram in accordance with an embodiment of the invention;
FIG. 5 is a diagram illustrating analysis of log intelligence according to an embodiment of the present invention;
FIG. 6 is a block diagram of a threat intelligence analysis system in accordance with an embodiment of the invention;
FIG. 7 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that in the description of the present invention, the terms "first," "second," and the like are used to distinguish between similar objects and not necessarily to describe a particular sequential or chronological order. It is to be understood that the terms so used may be interchanged where appropriate, so that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "mounted," "connected," and "coupled" are to be construed broadly: the connection may be fixed, detachable, or integral; mechanical or electrical; direct, or indirect through an intermediate medium, or internal to the two components; wireless or wired. The specific meaning of the above terms in the present invention will be understood in the specific case by those of ordinary skill in the art.
Technological innovation has become one of the important drivers of industrial transformation, and the digital transformation of enterprises has become an important path of economic development. The rapid development of new technologies such as cloud computing, big data, the Internet of Things and the mobile Internet brings great challenges to the business architecture and network environment security of enterprises. The network security threats faced by enterprises keep changing, attackers' tools and techniques are increasingly complex, changeable and hard to detect, and traditional protection and detection means are also becoming more and more important. Thinking on security threat detection and defense has changed greatly across the industry: whether novel threat intelligence can be effectively detected has become one of the industry's main concerns, threat intelligence capability is one of the core capabilities of network threat monitoring and early warning, and a reliable and accurate threat intelligence analysis method is urgently needed to give users foreknowledge and realize situation awareness of threat intelligence.
According to an embodiment of the present invention, an embodiment of a threat intelligence analysis method is provided. It should be noted that the steps shown in the flowcharts of the figures may be executed in a computer system, such as a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one shown or described herein.
In this embodiment, a threat intelligence analysis method is provided that may be used in the above-mentioned mobile terminal, such as a central processing unit or a server. FIG. 1 is a schematic flowchart of the threat intelligence analysis method according to an embodiment of the invention; as shown in FIG. 1, the flow includes the following steps:
Step S101: threat intelligence data updated in real time and log data to be analyzed are obtained. Optionally, threat intelligence data is evidence-based knowledge about a threat or hazard, including context, mechanisms, indicators, implications and actionable recommendations, which can be used to respond to the threat or hazard or to support decisions about it. The threat intelligence data in this embodiment is the same as most threat intelligence described in the industry: its main content is indicators of compromise (IoCs) used to identify and detect a threat, such as hashes, addresses, domain names, program execution paths, registry entries and the associated attribution labels of a file. Threat intelligence data is typically obtained from several intelligence websites, also called intelligence sources; only the threat intelligence data itself is needed from them, no other data is needed, and the threat intelligence data does not need to be re-extracted.
In this embodiment, the data obtained from multiple intelligence sources is processed, integrated and aggregated into a threat intelligence database, which is a comprehensive database and may be a graph database, a relational database or any other database suitable for storing threat intelligence data. As an example, a relational database (RDB) corresponding to a local knowledge graph is built, and this local knowledge-graph database is the threat intelligence database used to store the threat intelligence data. Specifically, the threat intelligence database is connected to the intelligence sources through the Internet, and each intelligence source periodically pushes threat intelligence data to the database according to a preset communication protocol, so that threat intelligence data updated in real time is obtained. Similarly, the log source consists of log data obtained from several websites; log data is commonly used to track security events and analyze security vulnerabilities. The threat intelligence database can also store the log data to be analyzed, and by analyzing that log data it can be predicted whether it is threat intelligence, which improves the security of the network.
Step S102: the multidimensional weight of the threat intelligence occurrence probability is calculated from the threat intelligence data updated in real time. Optionally, the multidimensional weight is derived by considering the threat intelligence occurrence probability comprehensively from several dimensions. The dimensions may be, for example, a city dimension, a network protection level dimension and a network equipment protection level dimension; they represent the angles from which environmental factors, equipment security factors, protection capability factors and time factors influence the occurrence probability.
Step S103: a weight change value is calculated from the multidimensional weight of the threat intelligence occurrence probability using the threat intelligence data updated in real time. Optionally, because the threat intelligence data is updated in real time, the threat intelligence occurrence probability also has to be updated from the new data; specifically, this embodiment calculates the weight change value from the existing multidimensional weight, which reduces false alarms and missed alarms and improves the analysis accuracy of threat intelligence.
Step S104: the multidimensional weight of the threat intelligence occurrence probability and the weight change value are summed to obtain the total weight of the threat intelligence occurrence probability. Optionally, the multidimensional weight calculated in step S102 is added to the weight change value calculated in step S103 to obtain the total weight; because the influence of the updated threat intelligence data in multiple dimensions is taken into account, the total weight has higher reliability and accuracy.
Step S105: whether the log data to be analyzed is threat intelligence is judged from the total weight and the multidimensional weight to be analyzed, where the multidimensional weight to be analyzed is the multidimensional weight corresponding to the log data to be analyzed. Optionally, the multidimensional weight corresponding to the log data to be analyzed is calculated in the same way as the multidimensional weight of the threat intelligence occurrence probability in step S102, and is then compared with the total weight obtained in step S104 to decide whether the log data to be analyzed is threat intelligence.
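As an added illustration, not code from the patent or its assignee, the following Python script runs steps S101 to S105 end to end on a constructed sample of intelligence records. It uses the three dimensions the description names in step S202 (city, network protection level, network equipment protection level) and follows the alternative embodiments above: the influence parameter of a layer is its weight times its time parameter, the weight change value passes through a base-e logistic function and is iterated over repeated random re-selection, the total weight is the sum, and a log entry is flagged when its own multidimensional weight is greater than the total weight. The patent gives no formulas, so the exponential time decay, the expected-influence baseline, the logistic gate, the sample data and every identifier in the script (IntelRecord, layer_stats, gated_delta, analyze, ...) are assumptions chosen to make the pipeline concrete.

```python
# Added example, not the patent's own code. The patent names the ingredients
# (layer weight x time parameter, natural-log base and logistic function, sum,
# "greater than total weight") but gives no formulas; every formula, constant
# and identifier below is an assumption chosen to make the pipeline concrete.
import math
import random
from dataclasses import dataclass

# The three dimensions named in step S202 of the description.
DIMENSIONS = ("city", "net_level", "device_level")


@dataclass(frozen=True)
class IntelRecord:
    ioc: str             # indicator label (constructed, not a real IoC)
    city: str            # layer of the city dimension
    net_level: int       # layer of the network protection level dimension (1-5)
    device_level: int    # layer of the network equipment protection level dimension (1-5)
    generated_at: float  # intelligence generation time, epoch seconds


def layer_stats(sample, now, half_life):
    """For every dimension and every layer seen in the sample, return
    (layer weight, time parameter). Layer weight = share of the sample in that
    layer; time parameter = mean exponential decay of record age (assumption)."""
    stats = {}
    for dim in DIMENSIONS:
        decays = {}
        for rec in sample:
            age = max(0.0, now - rec.generated_at)
            decays.setdefault(getattr(rec, dim), []).append(
                math.exp(-math.log(2) * age / half_life))
        stats[dim] = {layer: (len(d) / len(sample), sum(d) / len(d))
                      for layer, d in decays.items()}
    return stats


def influence(stats, dim, layer):
    """Influence parameter of one layer: weight times time parameter (the
    product the patent describes). A layer never seen in the sample scores 0."""
    weight, time_param = stats[dim].get(layer, (0.0, 0.0))
    return weight * time_param


def multidimensional_weight(stats):
    """Scalar baseline (step S102): expected influence of a sampled record,
    summed over the dimensions (assumption)."""
    return sum(weight * influence(stats, dim, layer)
               for dim in stats for layer, (weight, _) in stats[dim].items())


def log_weight(stats, entry):
    """Multidimensional weight 'to be analyzed' of one log entry (step S105)."""
    return sum(influence(stats, dim, getattr(entry, dim)) for dim in DIMENSIONS)


def gated_delta(delta, gain=4.0):
    """Weight change from one re-sampled baseline (step S103), passed through a
    base-e logistic gate (assumption): small shifts, typically sampling noise,
    are damped to about half; large shifts pass almost unchanged; sign is kept."""
    return delta / (1.0 + math.exp(-gain * abs(delta)))


def analyze(records, logs, now, sample_size, rounds, seed, half_life=7 * 86400.0):
    """Run steps S101-S105; `rounds` re-selections iterate the weight change."""
    rng = random.Random(seed)
    base_stats = layer_stats(rng.sample(records, sample_size), now, half_life)
    base = multidimensional_weight(base_stats)
    change = 0.0
    for i in range(1, rounds + 1):  # running mean of the gated deltas
        new_stats = layer_stats(rng.sample(records, sample_size), now, half_life)
        change += (gated_delta(multidimensional_weight(new_stats) - base) - change) / i
    total = base + change  # step S104
    verdicts = []
    for entry in logs:
        w = log_weight(base_stats, entry)
        verdicts.append((entry.ioc, w, w > total))  # "greater than total weight"
    return {"base_weight": base, "change": change, "total": total, "verdicts": verdicts}


NOW = 1_700_000_000.0
DAY = 86400.0
# Constructed intelligence feed: city A dominates and is fresh, city B is rare and stale.
INTEL = [
    IntelRecord("ioc-1", "A", 3, 2, NOW - 1 * DAY),
    IntelRecord("ioc-2", "A", 3, 2, NOW - 2 * DAY),
    IntelRecord("ioc-3", "A", 3, 3, NOW - 1 * DAY),
    IntelRecord("ioc-4", "A", 4, 2, NOW - 3 * DAY),
    IntelRecord("ioc-5", "B", 4, 3, NOW - 30 * DAY),
    IntelRecord("ioc-6", "A", 3, 2, NOW - 0.5 * DAY),
]
# Constructed log entries carrying the same dimension fields.
LOGS = [
    IntelRecord("log-1", "A", 3, 2, NOW),
    IntelRecord("log-2", "B", 4, 3, NOW),
    IntelRecord("log-3", "Z", 4, 3, NOW),  # city never seen in the intelligence
]

if __name__ == "__main__":
    result = analyze(INTEL, LOGS, NOW, sample_size=4, rounds=5, seed=7)
    print(f"base={result['base_weight']:.4f} change={result['change']:+.4f} "
          f"total={result['total']:.4f}")
    for ioc, weight, is_threat in result["verdicts"]:
        print(f"{ioc}: weight={weight:.4f} -> {'threat' if is_threat else 'not threat'}")
```

With the whole feed as the sample the weight change value is zero and the baseline is about 1.48; log-1 (the dominant, fresh combination) scores about 1.89 and is flagged, while log-2 and the unseen city in log-3 stay well below the total weight. With a smaller sample size the re-selection produces a non-zero, seed-dependent change value, which is the behaviour the iteration in the patent is meant to smooth.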
In the embodiment of the invention, the multidimensional weight of the threat intelligence occurrence probability is calculated from the threat intelligence data updated in real time; that is, the occurrence probability of known threat intelligence is analyzed and calculated comprehensively from multiple dimensions. A weight change value is then calculated from the multidimensional weight, so that the effect on the occurrence probability of a change in the multidimensional factors is captured, and whether the log data is threat intelligence is decided from the total weight. This realizes situation awareness of threat intelligence, that is, prediction of the occurrence probability of known threat intelligence in the current environment. Because the analysis is based on threat intelligence data updated in real time, the total occurrence probability is refreshed in a timely manner, false alarms and missed alarms are reduced, the analysis accuracy of threat intelligence is improved, and the problem of low threat intelligence analysis accuracy in the related art is solved.
In this embodiment, a threat intelligence analysis method is provided that may be used in the above-mentioned mobile terminal, such as a central processing unit or a server. FIG. 2 is a schematic flowchart of another threat intelligence analysis method according to an embodiment of the invention; as shown in FIG. 2, the flow includes the following steps:
Step S201: threat intelligence data updated in real time and log data to be analyzed are obtained. See step S101 in the embodiment shown in FIG. 1 for details, which are not repeated here.
Step S202: the multidimensional weight of the threat intelligence occurrence probability is calculated from the threat intelligence data updated in real time. Specifically, this embodiment calculates the occurrence probability of threat intelligence from three dimensions: city, network protection level and network equipment protection level. The city is the city in which the threat intelligence actually occurred; the cities are denoted c1 to cn, where n is a positive integer.
The network protection level includes five levels, the primary network protection is suitable for basic protection of information systems and networks, and mainly focuses on the following aspects: network communication control, intrusion monitoring and alarming, basic vulnerability scanning and repairing, and preliminary filtering and detecting of external threats; the secondary network protection enhances the monitoring and response capability to network security threats, and mainly comprises the following steps: deploying advanced intrusion detection systems (intrusion detection system, IDS) and intrusion prevention systems (Intrusion Prevention System, IPS) to enhance the detection, analysis and response capabilities to internal and external attacks; three-level network protection focuses on the real-time monitoring and emergency response capability to network threats, and is mainly characterized in that: the security event monitoring and analyzing capability including log audit, abnormal behavior detection and the like is further enhanced, and the protection capability against malicious software and attack propagation is improved; the four-level network protection requirement realizes advanced network security management and threat information analysis, and is mainly characterized in that: enhancing the response, traceability and evidence obtaining capability of the security event, and implementing advanced control measures such as vulnerability management, security policy and rule management; five-level network protection is the highest protection level, and is oriented to key information infrastructure and important information systems, and is characterized in that: advanced security protection technology and measures, such as centralized security management, data encryption, intrusion prevention, an antivirus system and the like are implemented, and advanced threat information sharing, security event response and handling are realized.
Network equipment protection likewise comprises five levels. First-level network equipment protection is suitable for basic security protection of information system infrastructure and mainly comprises basic access control and identity authentication mechanisms, simple vulnerability repair and configuration management, and the most basic network threat defence capabilities. Second-level network equipment protection strengthens the management and control of network equipment security: the requirements on access control, identity authentication and password policy are raised, vulnerability repair and configuration management are further strengthened, and reliability and usability are improved. Third-level network equipment protection requires higher-level equipment security management and protection capability: the audit and logging capability of the equipment is emphasized, security configuration and operation and maintenance are further strengthened, and network threats are defended against and detected more comprehensively. Fourth-level network equipment protection requires advanced security control and management measures: the configuration management and vulnerability repair capability of the equipment is strengthened, the intrusion detection and distributed denial of service (DDoS) defence capability of the equipment is improved, and a higher-level audit and logging mechanism is provided. Fifth-level network equipment protection is the highest protection level and is oriented to critical information infrastructure and important information systems: it applies advanced equipment security management and protection technologies such as centralized management and automated operation and maintenance, has advanced threat detection and response capability and security event management capability, and can resist advanced network attacks and persistent threats.
The step S202 includes:
in step S2021, the influence parameters of the multiple dimensions are calculated using the threat intelligence data updated in real time. Specifically, any dimension contains a plurality of layers, the threat intelligence data updated in real time includes the intelligence generation time and the current time, and the step S2021 includes:
step a1, randomly selecting a preset number of threat information data from threat information data updated in real time. Specifically, taking city dimension as an example, threat information data updated in real time is obtained from a threat information library, and a preset number of threat information data, such as N threat information data (N is a positive integer), are selected by means of random selection.
Step a2, calculating the weights corresponding to the layers of any dimension using the preset number of threat intelligence records. Specifically, the weights corresponding to the layers (c1 to cn) of the city dimension are calculated from the city recorded in each piece of threat intelligence as $C_Q = [C_{Q1}, C_{Q2}, \ldots, C_{Qi}, \ldots, C_{Qn}]$, where $C_{Qi} = v_{ci}/N$ and $v_{ci}$ is the number of occurrences of city ci among the N collected records.
Step a3, determining the time parameters corresponding to the layers of any dimension according to the intelligence generation time and the current time in the preset number of threat intelligence records. Specifically, the longest validity period of threat intelligence data is 365 days, and intelligence older than 365 days becomes expired intelligence, so the time parameter is also an important threat intelligence index. Denoting the intelligence generation time and the current time in the real-time updated threat intelligence data by T and DATA respectively, the time parameter $T_Q$ can be expressed as:
It will be appreciated that the time parameter $T_Q$, like the weights $C_Q$ corresponding to the layers (c1 to cn) of the city dimension, is a matrix (vector); for example, $T_{Q1}$ corresponds to $C_{Q1}$. If city c1 appears multiple times among the N threat intelligence records, the time parameter can be calculated once per occurrence and the average of these time parameters taken as the final time parameter.
Step a4, calculating the influence parameter of any dimension as the product of the weights corresponding to the layers of that dimension and the time parameters corresponding to the layers of that dimension, so as to obtain the influence parameters of the multiple dimensions. Specifically, according to steps a2 and a3, the influence parameter $C_{Qz}$ of the city dimension can be calculated with the following formula:
$C_{Qz} = C_Q \cdot T_Q$
Optionally, when the time parameter $T_Q$ and the weights $C_Q$ corresponding to the layers (c1 to cn) of the city dimension are a row vector and a column vector respectively, the influence parameter $C_{Qz}$ of the city dimension is a scalar.
In addition to the city dimension, the influence parameters of the network protection level dimension and of the network equipment protection level dimension can be calculated in the same manner. The weights corresponding to the layers (first-level to fifth-level network protection) of the network protection level dimension are denoted $F_Q = [F_{Q1}, F_{Q2}, \ldots, F_{Qi}, \ldots, F_{Qn}]$, where $F_{Qi} = v_{fi}/N$ and $v_{fi}$ is the number of occurrences of network protection level i among the N collected records; n is 5 in this embodiment. $T_{Q1}$ is calculated in the same way as $T_Q$. The influence parameter $F_{Qz}$ of the network protection level dimension can be calculated with the following formula:
$F_{Qz} = F_Q \cdot T_{Q1}$
Likewise, the weights corresponding to the layers (first-level to fifth-level network equipment protection) of the network equipment protection level dimension are denoted $S_Q = [S_{Q1}, S_{Q2}, \ldots, S_{Qi}, \ldots, S_{Qn}]$, where $S_{Qi} = v_{si}/N$ and $v_{si}$ is the number of occurrences of network equipment protection level i among the N collected records; n is 5 in this embodiment. $T_{Q2}$ is calculated in the same way as $T_Q$. The influence parameter $S_{Qz}$ of the network equipment protection level dimension can be calculated with the following formula:
$S_{Qz} = S_Q \cdot T_{Q2}$
Step S2022, calculating the multidimensional weight of the threat intelligence occurrence probability according to the influence parameters of the multiple dimensions. Optionally, the multidimensional weight Z of the threat intelligence occurrence probability may be calculated using the following formula F(Z):
where e is the base of the natural logarithm, and $C_{Qz}$, $F_{Qz}$ and $S_{Qz}$ are the influence parameter of the city dimension, the influence parameter of the network protection level dimension and the influence parameter of the network equipment protection level dimension respectively.
Step S203, calculating weight change value according to the multidimensional weight of threat information occurrence probability by using the threat information data updated in real time. Specifically, the step S203 includes:
step S2031, re-randomly selecting a preset number of threat intelligence data from the threat intelligence data updated in real time. Specifically, a preset number of threat intelligence data is selected again in a random selection manner, for example, N1 threat intelligence data (N1 is a positive integer) is selected.
Step S2032, calculating the influence parameters of the multiple dimensions corresponding to the re-selected preset number of threat intelligence records. The influence parameters of the multiple dimensions (city, network protection level and network equipment protection level) corresponding to the randomly re-selected preset number of threat intelligence records are calculated according to steps a2 to a4 and denoted $C'_{Qz}$, $F'_{Qz}$ and $S'_{Qz}$ respectively.
Step S2033, calculating the weight change value from the multidimensional weight of the threat intelligence occurrence probability and the influence parameters of the multiple dimensions corresponding to the randomly re-selected preset number of threat intelligence records, using the base of the natural logarithm and the logistic function. Optionally, the weight change value ΔZ is calculated using the following formula:
In an alternative embodiment, after step S203 the method further includes step b: executing the steps of randomly re-selecting the preset number of threat intelligence records and calculating the influence parameters of the multiple dimensions corresponding to them several times, and iteratively updating the weight change value. Optionally, because the preset number of threat intelligence records is randomly re-selected from the real-time updated threat intelligence data in step S2031, the latest data may or may not be selected; therefore step S203 is repeated multiple times in this embodiment in order to iteratively update the weight change value ΔZ. That is, ΔZ adjusts the weights corresponding to the multiple dimensions of the threat intelligence according to the multiple influence parameters of those dimensions. The number of repetitions or iterative updates may be set according to the specific situation; for example, the number of iterations M for updating the weight change value ΔZ may be a positive integer greater than 1000.
Step S204, summing the multidimensional weight of the threat intelligence occurrence probability and the weight change value to obtain the total weight of the threat intelligence occurrence probability. Specifically, using the weight change value ΔZ obtained after the repeated iterative updates in step b, the total weight Zn of the threat intelligence occurrence probability is calculated as Zn = Z + ΔZ, so that the total weight is updated in time according to new threat intelligence data and the reliability and accuracy of the total weight calculation are improved. The calculated Zn can be stored in the threat intelligence library, for example by creating a table named t_cs_info to hold Zn, from which it can be looked up directly when needed.
Step S205, judging whether the log data to be analyzed is threat intelligence using the total weight and the multidimensional weight to be analyzed, where the multidimensional weight to be analyzed is the multidimensional weight corresponding to the log data to be analyzed. Specifically, step S205 includes: when the multidimensional weight to be analyzed is greater than the total weight, judging that the log data to be analyzed is threat intelligence; when the multidimensional weight to be analyzed is less than or equal to the total weight, judging that the log data to be analyzed is not threat intelligence. Optionally, the multidimensional weight Zx corresponding to the log data to be analyzed is calculated as in step S202, which is not repeated in this embodiment. If Zx is greater than Zn, the log data to be analyzed is more likely to be threat intelligence and is judged to be threat intelligence, so that corresponding precautions and handling can be carried out in advance.
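The following Python model is an added example, not code from the patent or from its assignee, and it covers steps a1 to a4 (S202) as well as S203 to S205 end to end. It follows the relations the page states: per-layer weights $C_{Qi} = v_{ci}/N$, the influence parameter as the row-vector-times-column-vector product $C_{Qz} = C_Q \cdot T_Q$ (and the same for F and S), the mean over repeated occurrences of a layer, Zn = Z + ΔZ, and the decision Zx > Zn. The page does not reproduce the formulas for the time parameter $T_Q$, for F(Z) or for ΔZ, so the versions used here (a linear decay to zero at 365 days, a logistic combination of the three influence parameters, and a running mean of the resampled difference Z' - Z) are assumptions, marked as such in the code, and the intelligence records and the log record are constructed sample data.

```python
import math
import random
from collections import Counter
from datetime import date

VALIDITY_DAYS = 365  # page: intelligence older than 365 days is expired

# Constructed sample of "real-time updated" threat intelligence records:
# (city, network protection level, network equipment protection level, generation date)
TODAY = date(2024, 1, 1)
INTEL = [
    ("c1", 3, 2, date(2023, 12, 20)),
    ("c1", 3, 3, date(2023, 11, 1)),
    ("c2", 2, 2, date(2023, 6, 15)),
    ("c3", 4, 4, date(2022, 12, 1)),   # older than 365 days: expired
    ("c2", 3, 2, date(2023, 12, 30)),
]
CITIES = ["c1", "c2", "c3"]     # layers c1..cn of the city dimension
LEVELS = [1, 2, 3, 4, 5]        # layers of the two protection-level dimensions


def sample_intelligence(intel, n, seed=0):
    """Step a1: randomly select a preset number N of records."""
    return random.Random(seed).sample(intel, n)


def layer_weights(records, field, layers):
    """Step a2: weight of layer i is v_i / N (occurrences of the layer over N records)."""
    counts = Counter(r[field] for r in records)
    n = len(records)
    return [counts[layer] / n for layer in layers]


def time_parameter(records, field, layers, today=TODAY):
    """Step a3. The page gives no formula for T_Q, so this is an assumed stand-in:
    linear decay from 1 at generation time to 0 at 365 days; expired records count 0.
    As the page states, a layer seen several times gets the mean of its values."""
    per_layer = {layer: [] for layer in layers}   # keeps the order of `layers`
    for r in records:
        age_days = (today - r[3]).days
        per_layer[r[field]].append(max(0.0, 1.0 - age_days / VALIDITY_DAYS))
    return [sum(v) / len(v) if v else 0.0 for v in per_layer.values()]


def influence_parameter(records, field, layers, today=TODAY):
    """Step a4: C_Qz = C_Q * T_Q; a row vector times a column vector gives a scalar."""
    w = layer_weights(records, field, layers)
    t = time_parameter(records, field, layers, today)
    return sum(wi * ti for wi, ti in zip(w, t))


def multidimensional_weight(records, today=TODAY):
    """Step S2022: Z = F(C_Qz, F_Qz, S_Qz). The page only says F is built on e;
    the logistic combination used here is an assumed stand-in."""
    c = influence_parameter(records, 0, CITIES, today)
    f = influence_parameter(records, 1, LEVELS, today)
    s = influence_parameter(records, 2, LEVELS, today)
    return 1.0 / (1.0 + math.exp(-(c + f + s)))


def weight_change(z, intel, n1, iterations, seed=0, today=TODAY):
    """Steps S2031-S2033 and step b: resample N1 records M times and iteratively
    update dZ. The page withholds the dZ formula; the running mean of (Z' - Z)
    over the resamples is an assumed stand-in."""
    rng = random.Random(seed)
    dz = 0.0
    for k in range(1, iterations + 1):
        z_prime = multidimensional_weight(rng.sample(intel, n1), today)
        dz += (z_prime - z - dz) / k
    return dz


def total_weight(z, dz):
    """Step S204: Zn = Z + dZ (the value the page stores in t_cs_info)."""
    return z + dz


def is_threat(zx, zn):
    """Step S205: the log is threat intelligence iff its weight Zx exceeds Zn."""
    return zx > zn


if __name__ == "__main__":
    z = multidimensional_weight(sample_intelligence(INTEL, 4))
    zn = total_weight(z, weight_change(z, INTEL, 3, 1000))
    log = ("c1", 3, 2, TODAY)          # constructed log record to be analysed
    zx = multidimensional_weight([log])
    print(f"Z={z:.4f} Zn={zn:.4f} Zx={zx:.4f} threat={is_threat(zx, zn)}")
```

Because the decision compares a single log record against a population statistic, a log whose city and protection levels all fall into one layer each gets weights of 1 in every dimension, so under the assumed combiner a fresh log will sit near the top of the range; in a deployment the combiner F(Z) and the update ΔZ from the patent would replace the stand-ins, and the thresholds would need calibration on the operator's own intelligence library.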
In an alternative embodiment, after the step S205, the method further includes: c, if the log data to be analyzed is threat information, performing text processing on the log data to be analyzed; and displaying the log data to be analyzed after text processing and the multidimensional weights to be analyzed in a knowledge graph form. Optionally, after calculating Zx and Zn in step S205, if the log data to be analyzed is threat information, performing text processing on the log data to be analyzed, for example, extracting knowledge related to threat or hazard therein, and then storing the extracted knowledge and the multidimensional weight Zx to be analyzed together into a knowledge graph as basic data to display a knowledge graph style, which is equivalent to updating threat information data, and meanwhile displaying known threat information data by the knowledge graph, so that the association relationship between the threat information data and the log data can be clearly displayed.
In an alternative implementation, fig. 3 is a schematic diagram of the overall framework of a threat intelligence analysis method according to an embodiment of the invention. As shown in fig. 3, the knowledge graph database RDB is the threat intelligence database; it stores the threat intelligence data and can display it visually, for example by displaying the real-time updated threat intelligence data in the form of a knowledge graph. The system performs the first query, that is, it calculates the multidimensional weight of the threat intelligence occurrence probability using the real-time updated threat intelligence data; see step S202 of the embodiment shown in fig. 2 for details, which are not repeated here. The data proportion is adjusted in a multidimensional manner according to the user's selection, that is, the weight change value is calculated from the multidimensional weight of the threat intelligence occurrence probability using the real-time updated threat intelligence data; see step S203 of the embodiment shown in fig. 2 for details, which are not repeated here. After the multidimensional data is integrated, the total weight is updated with the weight change value, and log data to be analyzed that is judged to be threat intelligence is integrated into the database and the knowledge graph for display; see step S204, step b and step c of the embodiment shown in fig. 2 for details, which are not repeated here. The system uses the integrated data to perform the second query, the multidimensional data proportions are integrated again for subsequent queries, and the data with the integrated proportions is fed into the knowledge graph; that is, the above steps are repeated many times, and finally a more accurate display of the knowledge graph can be obtained.
Optionally, fig. 4 is a schematic diagram of generating a feature weight table according to an embodiment of the present invention. As shown in fig. 4, the threat intelligence is the real-time updated threat intelligence data, which is used to calculate the city parameter C, the network protection level F and the network equipment protection level S, that is, the influence parameter $C_{Qz}$ of the city dimension, the influence parameter $F_{Qz}$ of the network protection level dimension and the influence parameter $S_{Qz}$ of the network equipment protection level dimension. The weight (the total weight of the threat intelligence occurrence probability) is then evaluated by comparing the features in the calculation results. The features comprise environmental features, the influence caused by those environmental features, time and other objective environmental factors; in the process of comparing features and evaluating weights, functions meeting the calculation requirements, such as F(Z) and ΔZ, are used. A feature weight table, such as the t_cs_info table, is generated from the calculated total weight Zn of the threat intelligence occurrence probability.
Optionally, fig. 5 is a diagram illustrating the analysis of log intelligence according to an embodiment of the present invention. As shown in fig. 5, the log intelligence is the log data to be analyzed, and the city parameter C, the network protection level F and the network equipment protection level S in the log are calculated. "Threat intelligence" is predicted from the features and the weights, that is, the multidimensional weight to be analyzed, Zx, corresponding to the log data is calculated from the influence parameters of the multiple dimensions and compared with the total weight Zn of the threat intelligence occurrence probability stored in the feature weight table t_cs_info; if Zx is greater than Zn, threat intelligence is judged to have been found.
In this embodiment, the knowledge graph is used to comprehensively analyze the known threat intelligence and the multidimensional parameters, so that the influence weight of environmental factors on information security events occurring later in the system is found. Through the calculation result obtained from this analysis, the embodiment can predict the probability of occurrence of known threat intelligence in the existing environment, provide a foreknowledge function for the user, achieve situation awareness of threat intelligence, reduce false and missed intelligence on the threat intelligence platform, and thereby improve the security of the threat intelligence platform. By analyzing the overall architecture of the business system and the degree of association between its modules, and by combining that analysis with the integration of the knowledge graph, the system builds its queries on an accurate display of knowledge graph data, so that the knowledge graph displays accurate data, the data better matches the needs of the person querying, and the desired result is displayed more intelligently. Compared with traditional solutions, the method has the advantages of low investment, low dependence on the personal skills of engineers and comprehensive risk detection. It can effectively improve the accuracy and security of the business system, make the system's data more intelligent and better matched to user habits, and display the wanted data accurately.
The embodiment also provides a threat information analysis system, which is used for implementing the above embodiment and the preferred implementation, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the system described in the following embodiments is preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a threat intelligence analysis system, as shown in fig. 6, including: the acquisition module 601 is configured to acquire threat information data updated in real time and log data to be analyzed; the multidimensional weight calculating module 602 is configured to calculate multidimensional weights of threat intelligence occurrence probabilities using threat intelligence data updated in real time; a weight change value calculation module 603 for calculating a weight change value according to the multidimensional weight of the threat intelligence occurrence probability using the threat intelligence data updated in real time; the total weight calculation module 604 is configured to sum the multidimensional weight of the threat information occurrence probability and the weight change value to obtain a total weight of the threat information occurrence probability; the threat intelligence prediction module 605 is configured to determine whether the log data to be analyzed is threat intelligence by using the total weight and the multi-dimensional weight to be analyzed, where the multi-dimensional weight to be analyzed is a multi-dimensional weight corresponding to the log data to be analyzed.
In an alternative embodiment, the system further comprises: the text processing module is used for performing text processing on the log data to be analyzed if the log data to be analyzed is threat information; the knowledge graph construction module is used for displaying the log data to be analyzed after text processing and the multidimensional weight to be analyzed in a knowledge graph mode.
In an alternative embodiment, the multi-dimensional weight calculation module includes: an influence parameter calculation unit for calculating influence parameters of a plurality of dimensions by using threat intelligence data updated in real time; and the multidimensional weight calculating unit is used for calculating multidimensional weights of threat information occurrence probability according to the influence parameters of the plurality of dimensions.
In an alternative embodiment, any dimension contains multiple layers, the threat intelligence data updated in real time includes intelligence generation time and current time, and the influence parameter calculation unit includes: the information selecting subunit is used for randomly selecting a preset number of threat information data from the threat information data updated in real time; the weight calculation subunit is used for calculating weights corresponding to a plurality of layers of any dimension by using the threat intelligence data of a preset quantity; the time parameter determining subunit is used for determining time parameters corresponding to a plurality of layers of any dimension according to the information generating time and the current time in the threat information data of the preset quantity; the multidimensional parameter calculation subunit is used for calculating the influence parameters of any dimension according to the product of the weights corresponding to the multiple layers of any dimension and the time parameters corresponding to the multiple layers of any dimension to obtain the influence parameters of the multiple dimensions.
In an alternative embodiment, the weight change value calculation module includes: an intelligence selecting unit for randomly selecting a preset number of threat intelligence records again from the real-time updated threat intelligence data; a parameter calculation unit for calculating the influence parameters of the multiple dimensions corresponding to the randomly re-selected preset number of threat intelligence records; and a weight change value calculating unit for calculating the weight change value from the multidimensional weight of the threat intelligence occurrence probability and the influence parameters of the multiple dimensions corresponding to the randomly re-selected preset number of threat intelligence records, using the base of the natural logarithm and the logistic function.
In an alternative embodiment, the system further comprises: the iteration module is used for repeatedly executing the steps of randomly selecting the threat information data of the preset quantity again and calculating the influence parameters of the multiple dimensions corresponding to the threat information data of the preset quantity again, and carrying out iterative updating on the weight change value.
In an alternative embodiment, the threat intelligence prediction module comprises: the first judging unit is used for judging that the log data to be analyzed is threat information when the multi-dimensional weight to be analyzed is greater than the total weight; and the second judging unit is used for judging that the log data to be analyzed is not threat information when the multidimensional weight to be analyzed is smaller than or equal to the total weight.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The threat intelligence analysis system in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory executing one or more software or fixed programs, and/or another device that can provide the functionality described above.
The embodiment of the invention also provides computer equipment, which is provided with the threat information analysis system shown in the figure 6.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention. As shown in fig. 7, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory, to display graphical information of a GUI on an external input/output device such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Likewise, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 7.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
Wherein the memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform a method for implementing the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer readable storage medium. The method according to the embodiments described above may be implemented in hardware, in firmware, or as computer code that is recorded on a storage medium, or that is originally stored on a remote storage medium or a non-transitory machine readable storage medium, downloaded through a network and stored in a local storage medium, so that the method described herein can be carried out by such software stored on a storage medium using a general purpose computer, a special purpose processor, or programmable or special purpose hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of the kinds of memory described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (16)

1. A threat intelligence prediction method, the method comprising:
acquiring threat information data updated in real time and log data to be analyzed;
calculating the multidimensional weight of threat information occurrence probability by using the threat information data updated in real time;
calculating a weight change value according to the multidimensional weight of the threat information occurrence probability by utilizing the threat information data updated in real time;
summing the multidimensional weights of the threat information occurrence probabilities and the weight change values to obtain the total weight of the threat information occurrence probabilities;
judging whether the log data to be analyzed is threat information or not by using the total weight and the multidimensional weight to be analyzed, wherein the multidimensional weight to be analyzed is the multidimensional weight corresponding to the log data to be analyzed.
2. The threat intelligence prediction method of claim 1, wherein the method further comprises:
if the log data to be analyzed is threat information, performing text processing on the log data to be analyzed;
And displaying the log data to be analyzed after text processing and the multidimensional weights to be analyzed in a knowledge graph form.
3. The threat intelligence prediction method of claim 1, wherein calculating a multidimensional weight of threat intelligence occurrence probability using the real-time updated threat intelligence data comprises:
calculating influence parameters of multiple dimensions by using the threat intelligence data updated in real time;
and calculating the multidimensional weight of the threat information occurrence probability according to the influence parameters of the multiple dimensions.
4. A threat intelligence prediction method in accordance with claim 3, wherein any dimension comprises a plurality of layers, the real-time updated threat intelligence data comprises an intelligence generation time and a current time, the calculating an influence parameter of the plurality of dimensions using the real-time updated threat intelligence data comprises:
randomly selecting a preset number of threat information data from the threat information data updated in real time;
calculating weights corresponding to a plurality of layers of any dimension by using the threat intelligence data of the preset quantity;
determining time parameters corresponding to a plurality of layers of any dimension according to information generation time and current time in the threat information data of the preset quantity;
And calculating the influence parameters of any dimension according to the product of the weights corresponding to the layers of any dimension and the time parameters corresponding to the layers of any dimension to obtain the influence parameters of the plurality of dimensions.
5. The threat intelligence prediction method of claim 3, wherein calculating the weight change value from the multidimensional weight of the threat intelligence occurrence probability using the real-time updated threat intelligence data comprises:
randomly selecting a preset number of threat intelligence data entries again from the real-time updated threat intelligence data;
calculating the influence parameters of the plurality of dimensions corresponding to the re-selected preset number of threat intelligence data entries;
and calculating the weight change value from the multidimensional weight of the threat intelligence occurrence probability and the influence parameters of the plurality of dimensions corresponding to the re-selected entries, using the base of the natural logarithm (e) and the logistic function.
6. The threat intelligence prediction method of claim 5, further comprising:
executing the steps of randomly re-selecting the preset number of threat intelligence data entries and calculating the influence parameters of the plurality of dimensions corresponding to them a plurality of times, and iteratively updating the weight change value.
7. The threat intelligence prediction method of claim 1, wherein determining whether the log data to be analyzed is threat intelligence using the total weight and the multidimensional weight to be analyzed, the multidimensional weight to be analyzed being the multidimensional weight corresponding to the log data to be analyzed, comprises:
when the multidimensional weight to be analyzed is greater than the total weight, judging that the log data to be analyzed is threat intelligence;
and when the multidimensional weight to be analyzed is less than or equal to the total weight, judging that the log data to be analyzed is not threat intelligence.
8. A threat intelligence prediction system, the system comprising:
an acquisition module for acquiring real-time updated threat intelligence data and log data to be analyzed;
a multidimensional weight calculation module for calculating the multidimensional weight of the threat intelligence occurrence probability using the real-time updated threat intelligence data;
a weight change value calculation module for calculating a weight change value from the multidimensional weight of the threat intelligence occurrence probability using the real-time updated threat intelligence data;
a total weight calculation module for summing the multidimensional weight of the threat intelligence occurrence probability and the weight change value to obtain the total weight of the threat intelligence occurrence probability;
and a threat intelligence prediction module for determining whether the log data to be analyzed is threat intelligence using the total weight and the multidimensional weight to be analyzed, wherein the multidimensional weight to be analyzed is the multidimensional weight corresponding to the log data to be analyzed.
9. The threat intelligence prediction system of claim 8, further comprising:
a text processing module for performing text processing on the log data to be analyzed if the log data to be analyzed is threat intelligence;
and a knowledge graph construction module for displaying the text-processed log data to be analyzed together with the multidimensional weight to be analyzed in the form of a knowledge graph.
10. The threat intelligence prediction system of claim 8, wherein the multidimensional weight calculation module comprises:
an influence parameter calculation unit for calculating influence parameters of a plurality of dimensions using the real-time updated threat intelligence data;
and a multidimensional weight calculation unit for calculating the multidimensional weight of the threat intelligence occurrence probability from the influence parameters of the plurality of dimensions.
11. The threat intelligence prediction system of claim 10, wherein each dimension comprises a plurality of layers, the real-time updated threat intelligence data comprises an intelligence generation time and a current time, and the influence parameter calculation unit comprises:
an intelligence selection subunit for randomly selecting a preset number of threat intelligence data entries from the real-time updated threat intelligence data;
a weight calculation subunit for calculating, for each dimension, the weights corresponding to its plurality of layers using the preset number of threat intelligence data entries;
a time parameter determination subunit for determining, for each dimension, the time parameters corresponding to its plurality of layers from the intelligence generation time and the current time in the preset number of threat intelligence data entries;
and a multidimensional parameter calculation subunit for calculating the influence parameter of each dimension from the product of the weights corresponding to its layers and the time parameters corresponding to those layers, thereby obtaining the influence parameters of the plurality of dimensions.
12. The threat intelligence prediction system of claim 10, wherein the weight change value calculation module comprises:
an intelligence selection unit for randomly selecting a preset number of threat intelligence data entries again from the real-time updated threat intelligence data;
a parameter calculation unit for calculating the influence parameters of the plurality of dimensions corresponding to the re-selected preset number of threat intelligence data entries;
and a weight change value calculation unit for calculating the weight change value from the multidimensional weight of the threat intelligence occurrence probability and the influence parameters of the plurality of dimensions corresponding to the re-selected entries, using the base of the natural logarithm (e) and the logistic function.
13. The threat intelligence prediction system of claim 12, further comprising:
an iteration module for repeatedly executing the steps of randomly re-selecting the preset number of threat intelligence data entries and calculating the influence parameters of the plurality of dimensions corresponding to them, and iteratively updating the weight change value.
14. The threat intelligence prediction system of claim 8, wherein the threat intelligence prediction module comprises:
a first judging unit for judging that the log data to be analyzed is threat intelligence when the multidimensional weight to be analyzed is greater than the total weight;
and a second judging unit for judging that the log data to be analyzed is not threat intelligence when the multidimensional weight to be analyzed is less than or equal to the total weight.
15. A computer device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the threat intelligence prediction method of any of claims 1 to 7.
16. A computer-readable storage medium having stored thereon computer instructions for causing a computer to perform the threat intelligence prediction method of any of claims 1 to 7.
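The pipeline of claims 3 to 7 (influence parameters from layer weights and time parameters, a logistic-based weight change value iterated over repeated random samples, the total weight, and the threshold decision) as an added worked example in Python. This is not code from the patent or its applicant. The claims do not say how the layer weights, the time parameters, the mapping from influence parameters to the multidimensional weight, or the e/logistic-based change value are formed, so the following are assumptions made here: freshness decays exponentially with a 30-day constant; a layer's weight is the confidence-weighted share of sampled entries in that layer; the multidimensional weight is the influence-parameter vector itself; the change value is logistic(resampled influence minus current weight) minus 0.5, averaged over rounds; a log entry's own weight is its per-dimension score times its freshness; and the claim 7 comparison is made on the sum over dimensions. The dimension names, layer names, intelligence entries and log entries are all constructed.

```python
import math
import random
from datetime import datetime, timedelta

# Hypothetical dimensions and layers (the patent names neither).
DIMENSIONS = {
    "source": ["vendor", "community"],
    "stage": ["recon", "exploit"],
}
DECAY_DAYS = 30.0                 # assumed freshness decay constant
NOW = datetime(2024, 1, 1)        # fixed "current time" so runs are reproducible


def logistic(x):
    """Logistic function built on e, as claim 5 prescribes."""
    return 1.0 / (1.0 + math.exp(-x))


def time_parameter(generated, now=NOW):
    """Assumed freshness: 1.0 for brand-new intelligence, decaying toward 0 with age."""
    age_days = max(0.0, (now - generated).total_seconds() / 86400.0)
    return math.exp(-age_days / DECAY_DAYS)


def influence_parameters(sample, now=NOW):
    """Claim 4: per dimension, sum over layers of (layer weight x layer time parameter).
    Assumed layer weight = confidence-weighted share of sampled entries in that layer;
    assumed layer time parameter = mean freshness of those entries."""
    params = {}
    for dim, layers in DIMENSIONS.items():
        value = 0.0
        for layer in layers:
            members = [e for e in sample if e[dim] == layer]
            if not members:
                continue                     # an empty layer contributes nothing
            weight = sum(e["confidence"] for e in members) / len(sample)
            t = sum(time_parameter(e["generated"], now) for e in members) / len(members)
            value += weight * t
        params[dim] = value
    return params


def multidimensional_weight(params):
    """Claim 3: assumed to take the influence parameters directly as the weight vector."""
    return dict(params)


def weight_change(weight, resample_params):
    """Claim 5: logistic of (resampled influence - current weight), centred so that
    an unchanged picture yields 0 and the value stays within (-0.5, 0.5)."""
    return {d: logistic(resample_params[d] - weight[d]) - 0.5 for d in weight}


def iterate_weight_change(weight, intel, preset_n, rounds, rng):
    """Claims 5-6: re-select preset_n entries each round and average the change values (assumed)."""
    acc = {d: 0.0 for d in weight}
    for _ in range(rounds):
        delta = weight_change(weight, influence_parameters(rng.sample(intel, preset_n)))
        for d in acc:
            acc[d] += delta[d] / rounds
    return acc


def total_weight(weight, change):
    """Claim 1: total weight = multidimensional weight + weight change value."""
    return {d: weight[d] + change[d] for d in weight}


def log_weight(log, now=NOW):
    """Assumed weight of the log entry under analysis: its per-dimension score times its freshness."""
    t = time_parameter(log["generated"], now)
    return {d: log["scores"][d] * t for d in DIMENSIONS}


def is_threat(log_w, total):
    """Claim 7: strictly greater than the total -> threat intelligence. Assumed aggregation: sums."""
    return sum(log_w.values()) > sum(total.values())


def analyze(intel, log, preset_n, rounds=20, seed=7):
    rng = random.Random(seed)
    w = multidimensional_weight(influence_parameters(rng.sample(intel, preset_n)))
    dw = iterate_weight_change(w, intel, preset_n, rounds, rng)
    total = total_weight(w, dw)
    lw = log_weight(log)
    return {"weight": w, "change": dw, "total": total, "log_weight": lw,
            "threat": is_threat(lw, total)}


def sample_intel():
    """Constructed feed (not real intelligence): four entries aged 0 to 60 days."""
    return [
        {"source": "vendor", "stage": "exploit", "confidence": 1.0, "generated": NOW},
        {"source": "vendor", "stage": "recon", "confidence": 0.5, "generated": NOW - timedelta(days=30)},
        {"source": "community", "stage": "exploit", "confidence": 0.5, "generated": NOW - timedelta(days=60)},
        {"source": "community", "stage": "recon", "confidence": 0.6, "generated": NOW - timedelta(days=30)},
    ]


def sample_logs():
    """Constructed log entries: one fresh and high-scoring, one stale and low-scoring."""
    return {
        "fresh": {"scores": {"source": 0.9, "stage": 0.9}, "generated": NOW},
        "stale": {"scores": {"source": 0.2, "stage": 0.2}, "generated": NOW - timedelta(days=90)},
    }


if __name__ == "__main__":
    for name, log in sample_logs().items():
        print(name, analyze(sample_intel(), log, preset_n=3))
```

With preset_n equal to the feed size every re-selection sees the same entries, the change value collapses to zero and the total weight equals the multidimensional weight; a smaller preset_n lets sampling noise move the total, which is what the iteration in claim 6 is there to average out. The decision in is_threat is deliberately strict, matching the "greater than" / "less than or equal" split of claim 7.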
Bibliographic data

Application number: CN202311368200.8A
Title: Threat information analysis method, threat information analysis system, computer equipment and storage medium
Priority date / filing date: 2023-10-20
Publication: CN117614643A (en), published 2024-02-27
Family ID: 89943197
Legal status: Pending
Country status: CN, CN117614643A (en)

Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination