CN117792715A - Method and device for threat hunting - Google Patents


Info
Publication number: CN117792715A
Authority: CN (China)
Prior art keywords: threat, preset, model, hunting, kernel
Legal status: Pending
Application number: CN202311735209.8A
Other languages: Chinese (zh)
Inventors: 雷小辉, 张渤琦, 郑玮, 赵培源
Current Assignee: Xi'an Clover Cyber Technology Co ltd
Original Assignee: Xi'an Clover Cyber Technology Co ltd
Abstract

The application discloses a threat hunting method and device. The method comprises the following steps: acquiring current network traffic data, inputting the current network traffic data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network traffic data. Because the current network traffic data is calculated directly by the pre-trained preset threat hunting model, a corresponding threat hunting result is obtained directly, which improves the accuracy and efficiency of threat hunting; in addition, the preset threat hunting model replaces hunting by experts, so accuracy is improved while the model has lower cost and a more comprehensive handling capability; furthermore, a mode that combines a microkernel, scenarization and manual judgment is adopted, so that the preset threat hunting model has higher generalization capability and adaptability.

Description

Method and device for threat hunting
Technical Field
The application relates to the technical field of network security, in particular to a threat hunting method and device.
Background
Threat hunting, also known as threat capturing or threat searching, assumes that an attacker is already hidden in the intranet environment; the threat hunter's task is to find attack traces as early as possible so that the harm caused by the attacker is minimized. The significance of threat hunting is that it considers how to actively monitor and prevent threat events before a security incident occurs, rather than passively defending and passively responding.
Conventionally, threat hunting is mostly rule-driven, and threat hunting results are derived from those rules. However, threat hunting performed in this manner suffers from low accuracy and low efficiency.
Disclosure of Invention
The application aims at least to solve the technical problems existing in the prior art, and therefore the first aspect of the application provides a threat hunting method, which comprises the following steps:
acquiring current network traffic data;
inputting the current network traffic data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network traffic data; wherein the preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat intelligence data set, a threat correction pattern data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulated network environment and learned and evaluated by an unsupervised learning mechanism.
In one possible implementation, the construction process of the preset scene kernel model includes:
acquiring a preset threat detection kernel model;
and learning and evaluating the preset threat detection kernel model by means of an unsupervised learning mechanism to generate the preset scene kernel model.
In one possible implementation, the construction process of the preset threat detection kernel model includes:
acquiring a network malicious behavior sample set;
constructing an initial threat detection model using a preset deep learning model, and constructing a first preset evaluation index; training and evaluating the initial threat detection model with the network malicious behavior sample set until the evaluation result meets the first preset evaluation index, thereby generating a preset threat detection model;
and migrating the preset threat detection model into a static simulated network environment to generate the preset threat detection kernel model.
In one possible implementation, learning and evaluating the preset threat detection kernel model by means of an unsupervised learning mechanism to generate the preset scene kernel model includes:
acquiring a second preset evaluation index and the threat detection result corresponding to the preset threat detection kernel model;
clustering the threat detection results to generate a clustering result;
evaluating the clustering result to generate a current evaluation result;
and learning and evaluating the preset threat detection kernel model based on the current evaluation result and the second preset evaluation index to generate the preset scene kernel model.
In one possible implementation, the construction process of the preset scene detection model includes:
constructing a static simulated network environment, the static simulated network environment comprising fixed network traffic data;
acquiring a threat intelligence data set, a threat correction pattern data set and the preset scene kernel model;
and generating the preset scene detection model based on the threat intelligence data set, the threat correction pattern data set and the preset scene kernel model.
In one possible embodiment, the method further comprises:
acquiring a judgment result corresponding to the threat hunting result;
and updating the preset threat hunting model based on the judgment result to generate a new preset threat hunting model.
In one possible implementation, inputting the current network traffic data into the preset threat hunting model for calculation and generating the threat hunting result corresponding to the current network traffic data includes:
inputting the current network traffic data into the new preset threat hunting model for calculation, and generating the threat hunting result corresponding to the current network traffic data.
A second aspect of the present application proposes a threat hunting apparatus, the apparatus comprising:
an acquisition module, configured to acquire current network traffic data;
a generation module, configured to input the current network traffic data into a preset threat hunting model for calculation and generate a threat hunting result corresponding to the current network traffic data; wherein the preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat intelligence data set, a threat correction pattern data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulated network environment and learned and evaluated by an unsupervised learning mechanism.
In one possible implementation, the threat hunting apparatus is further configured to:
acquire a preset threat detection kernel model;
and learn and evaluate the preset threat detection kernel model by means of an unsupervised learning mechanism to generate the preset scene kernel model.
In one possible implementation, the threat hunting apparatus is further configured to:
acquire a network malicious behavior sample set;
construct an initial threat detection model using a preset deep learning model, and construct a first preset evaluation index;
train and evaluate the initial threat detection model with the network malicious behavior sample set until the evaluation result meets the first preset evaluation index, thereby generating a preset threat detection model;
and migrate the preset threat detection model into a static simulated network environment to generate the preset threat detection kernel model.
In one possible implementation, the threat hunting apparatus is further configured to:
acquire a second preset evaluation index and the threat detection result corresponding to the preset threat detection kernel model;
cluster the threat detection results to generate a clustering result;
evaluate the clustering result to generate a current evaluation result;
and learn and evaluate the preset threat detection kernel model based on the current evaluation result and the second preset evaluation index to generate the preset scene kernel model.
In one possible implementation, the threat hunting apparatus is further configured to:
construct a static simulated network environment, the static simulated network environment comprising fixed network traffic data;
acquire a threat intelligence data set, a threat correction pattern data set and the preset scene kernel model;
and generate the preset scene detection model based on the threat intelligence data set, the threat correction pattern data set and the preset scene kernel model.
In one possible implementation, the threat hunting apparatus is further configured to:
acquire a judgment result corresponding to the threat hunting result;
and update the preset threat hunting model based on the judgment result to generate a new preset threat hunting model.
In one possible implementation, the generation module is specifically configured to:
input the current network traffic data into the new preset threat hunting model for calculation, and generate the threat hunting result corresponding to the current network traffic data.
A third aspect of the present application proposes an electronic device, the electronic device comprising a processor and a memory, the memory storing at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the threat hunting method according to the first aspect.
A fourth aspect of the present application proposes a computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, loaded and executed by a processor to implement the threat hunting method according to the first aspect.
The embodiment of the application has the following beneficial effects:
The threat hunting method provided by the embodiments of the application comprises the following steps: obtaining current network traffic data, inputting the current network traffic data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network traffic data, wherein the preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat intelligence data set, a threat correction pattern data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulated network environment and learned and evaluated by an unsupervised learning mechanism. Because the current network traffic data is calculated directly by the pre-trained preset threat hunting model, a corresponding threat hunting result is obtained directly, which improves the accuracy and efficiency of threat hunting; in addition, the preset threat hunting model replaces hunting by experts, so accuracy is improved while the model has lower cost and a more comprehensive handling capability; furthermore, a mode that combines a microkernel, scenarization and manual judgment is adopted, so that the preset threat hunting model has higher generalization capability and adaptability.
Drawings
FIG. 1 is a block diagram of a computer device provided in an embodiment of the present application;
FIG. 2 is a flowchart illustrating the steps of a threat hunting method according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating the steps for constructing a preset scene kernel model according to an embodiment of the present application;
FIG. 4 is a flowchart illustrating the steps for constructing a preset threat detection kernel model according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating the steps for constructing a preset scene detection model according to an embodiment of the present application;
FIG. 6 is a flowchart illustrating the steps for constructing a preset scene kernel model according to an embodiment of the present application;
FIG. 7 is a flowchart illustrating the steps for updating a preset threat hunting model according to an embodiment of the present application;
FIG. 8 is a block diagram of a threat hunting apparatus according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms "first" and "second" are used below for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the embodiments of the present disclosure, unless otherwise indicated, the meaning of "a plurality" is two or more. In addition, the use of "based on" or "according to" is intended to be open and inclusive in that a process, step, calculation, or other action "based on" or "according to" one or more of the stated conditions or values may in practice be based on additional conditions or beyond the stated values.
The threat hunting method provided by the application can be applied to a computer device (electronic device). The computer device may be a server or a terminal; the server may be a single server or a server cluster consisting of a plurality of servers, which the embodiments of the application do not specifically limit; and the terminal may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer or portable wearable device.
Taking a server as the example of a computer device, FIG. 1 illustrates a block diagram of a server. As shown in FIG. 1, the server may include a processor and memory connected by a system bus. The processor of the server is configured to provide computing and control capabilities. The memory of the server includes a nonvolatile storage medium and an internal memory. The nonvolatile storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the nonvolatile storage medium. The computer program, when executed by the processor, implements the threat hunting method.
It will be appreciated by those skilled in the art that the structure shown in FIG. 1 is merely a block diagram of the part of the structure relevant to the present application and does not limit the server to which the present application is applied; alternatively, the server may include more or fewer components than shown, combine some components, or arrange the components differently.
It should be noted that the execution body in the embodiments of the present application may be a computer device or a threat hunting apparatus; in the following method embodiments, the computer device is taken as the execution body.
FIG. 2 is a flowchart illustrating the steps of a threat hunting method according to an embodiment of the present application. As shown in FIG. 2, the method comprises the following steps:
Step 202, obtaining current network traffic data.
Threat hunting, also called threat capturing or threat searching, assumes that an attacker is already hidden in the intranet environment; its goal is to find attack traces as quickly as possible so that the harm caused by the attacker is minimized. The significance of threat hunting is that it considers how to actively monitor and prevent threat events before a security incident occurs, rather than passively defending and passively responding.
When threat hunting is performed, current network traffic data needs to be acquired first, and the acquired current network traffic data may include a plurality of records. The current network traffic data may be obtained by capturing traffic packets with a packet capture tool, by collecting detailed network log information with a network logging tool, or by other means, which the embodiments of the present application do not limit.
Step 204, inputting the current network traffic data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network traffic data.
The preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat intelligence data set, a threat correction pattern data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulated network environment and learned and evaluated by an unsupervised learning mechanism.
After the current network traffic data is obtained, it can be input into the preset threat hunting model for calculation, so that a threat hunting result corresponding to the current network traffic data is generated. The threat hunting result may include the threat subtype, a threat probability value and detailed threat information, which may be the current network traffic data itself corresponding to the threat. Of course, other types of threat hunting results may also be included; the embodiments of the present application are not specifically limited in this respect.
In some optional embodiments, the preset scene detection model and the preset scene kernel model need to be constructed in advance. FIG. 3 is a flowchart of the steps for constructing a preset scene kernel model according to an embodiment of the present application; as shown in FIG. 3, the steps include:
Step 302, acquiring a preset threat detection kernel model.
When the preset threat detection kernel model is constructed, as shown in FIG. 4, which is a flowchart of the steps for constructing a preset threat detection kernel model according to an embodiment of the present application, the steps include:
Step 402, obtaining a network malicious behavior sample set.
Step 404, constructing an initial threat detection model using a preset deep learning model, and constructing a first preset evaluation index.
Step 406, training and evaluating the initial threat detection model with the network malicious behavior sample set until the evaluation result meets the first preset evaluation index, thereby generating a preset threat detection model.
Step 408, migrating the preset threat detection model into a static simulated network environment to generate a preset threat detection kernel model.
The network malicious behavior sample set is a large multi-modal sample data set, collected in advance, of common network threat traffic data, log files, event records and the like. It collects various kinds of malicious behavior and does not include a normal behavior set. To ensure the recognition effect of the model, the malicious behaviors collected should be as comprehensive as possible.
Common types of malicious network threats may include malware, network attacks, identity theft, exploits, Internet of Things threats, malicious advertising, password attacks and the like. Malware may include, but is not limited to, threat subtypes such as viruses, worms and trojans; network attacks may include, but are not limited to, denial of service attacks, DNS attacks and man-in-the-middle attacks; identity theft may include, but is not limited to, phishing attacks and identity spoofing; exploits may include, but are not limited to, zero-day vulnerability attacks and SQL injection attacks; Internet of Things threats may include, but are not limited to, unauthorized access and internal leakage; and password attacks may include, but are not limited to, brute force cracking and credential stuffing (password library collision).
The collected network malicious behavior sample set may then be preprocessed; preprocessing may include, but is not limited to, cleaning, denoising, missing value handling, outlier handling and normalization, which yields a preprocessed network malicious behavior sample set.
Feature engineering can then be performed on the preprocessed network malicious behavior sample set to extract the key features related to network behavior, which may include, but are not limited to, packet size, source and destination IP addresses, port information, communication pattern and protocol type.
Next, data labeling is carried out, specifically by combining an automatic labeling tool with manual labeling. Part of the feature information can be labeled automatically with a common data labeling tool. During manual labeling, data of known normal and malicious behavior is labeled by hand so that the subsequent models learn the correct behavior patterns when they use the data. The main label content may include the attack type and whether the sample is malicious.
After labeling is finished, the labeled network malicious behavior sample set can be encoded, split, desensitized and format-converted. Specifically, the network malicious behavior sample set is usually text data, so the non-numerical labeled sample set is encoded into a numerical form that the model can recognize and process, for example with one-hot encoding. The encoded sample set is then divided into a training set and a test set. If the training set and test set contain class-imbalanced samples, they can be handled by oversampling or undersampling. In addition, data containing sensitive information can be desensitized and protected, for example by encryption, to ensure compliance and privacy security.
An initial threat detection model can then be built with a preset deep learning model, which may be a Gated Recurrent Unit (GRU), a Long Short-Term Memory (LSTM) network or the like. Building the initial threat detection model requires constructing the framework of the model; taking GRU as an example, an input layer, a GRU layer and an output layer are built. In addition, parameters such as a suitable loss function, an optimizer, the first preset evaluation index, an accuracy threshold and a recall threshold need to be set.
The evaluation index of the model can be constructed from the overall accuracy, the overall precision and the recall.
Taking the overall accuracy as an example, the overall accuracy r(acc) can be calculated by formula (1).
Here i denotes the i-th threat subtype among all threat subtypes; w(i) denotes the share of the data volume of the network malicious behavior samples of the i-th threat subtype in the total data volume of the network malicious behavior samples, that is, the weight used when computing the overall accuracy; c(i) denotes the number of samples of the i-th threat subtype that are classified correctly, where whether a sample of the i-th threat subtype is classified correctly is determined by comparing the threat detection result predicted by the model with the labeled data; and T denotes the amount of data in the training set.
The initial threat detection model can then be trained with the training set described above, during which the model learns the various malicious behavior patterns. After training is completed, the model is evaluated with the test set. The first preset evaluation index may comprise the overall accuracy, the overall precision and the recall; the training effect of the model is judged from these metrics and their corresponding thresholds, and a tuning strategy is then chosen according to the training effect until all first preset evaluation indexes reach the standard.
Finally, the model meeting the first preset evaluation index can be parameterized and packaged to produce the preset threat detection model, which is then migrated into the static simulated network environment to produce the preset threat detection kernel model. Through the microkernel and scenarization, the preset threat detection kernel model obtained in this way can be migrated to different simulated environments to complete the tasks of specific scenes, with low migration cost and strong adaptability.
Step 304, learning and evaluating the preset threat detection kernel model by means of an unsupervised learning mechanism to generate a preset scene kernel model.
The preset scene detection model is generated based on a threat intelligence data set, a threat correction pattern data set and the preset scene kernel model. FIG. 5 is a flowchart of the steps for constructing the preset scene detection model; as shown in FIG. 5, the steps include:
Step 502, constructing a static simulated network environment.
Step 504, acquiring a threat intelligence data set, a threat correction pattern data set and a preset scene kernel model.
Step 506, generating a preset scene detection model based on the threat intelligence data set, the threat correction pattern data set and the preset scene kernel model.
The static simulated network environment comprises fixed network traffic data; that is, it is a simulated network environment that is highly reliable and strongly representative over a period of time and contains a variety of network activities and threats. The fixed network traffic data may be historical network traffic data or may be generated dynamically from real network traffic data, so that different types of network events can be simulated. In addition, the static simulated network environment can emulate a sandbox environment in which network defenses exist in their real form, so a model trained in this environment has a higher degree of recognition of the corresponding network threats. The static simulated network environment therefore has a decisive influence on the effect of the scene detection model.
In addition, the network traffic data in the static simulated network environment is formatted according to the input requirements of the preset threat detection kernel model, so that the environment can be used directly by the preset threat detection kernel model. Parameters can be arranged according to the parameter requirements of the preset threat detection kernel model, and threat detection results are received in the output format of the preset threat detection kernel model.
When the preset scene kernel model is constructed, as shown in FIG. 6, which is a flowchart of the steps for constructing a preset scene kernel model according to an embodiment of the present application, the steps include:
Step 602, obtaining a second preset evaluation index and the threat detection result corresponding to the preset threat detection kernel model.
Step 604, clustering the threat detection results to generate a clustering result.
Step 606, evaluating the clustering result to generate a current evaluation result.
Step 608, learning and evaluating the preset threat detection kernel model based on the current evaluation result and the second preset evaluation index to generate a preset scene kernel model.
The second preset evaluation index may be a threshold on the silhouette coefficient, on the variance ratio criterion (the Calinski-Harabasz index), on the Jaccard similarity (Jaccard similarity coefficient), or the like. Taking the silhouette coefficient as an example, its value generally lies in [-1, 1]; the closer it is to 1, the more similar the samples within a cluster are and the more dissimilar the samples across clusters are. The initial value of the threshold can be given by an expert according to the actual scene.
Based on the threat subtype and the detailed threat information in the threat detection results, the network threats can be clustered to obtain a clustering result. The initial number of clusters chosen for clustering can be the number of threat subtypes. The clustering algorithm is not limited in this application; for example, principal component analysis (PCA) can be used for clustering.
The current evaluation result is then calculated with the calculation method corresponding to the second preset evaluation index; for example, if the second preset evaluation index is a threshold on the silhouette coefficient, the clustering result is evaluated with the silhouette coefficient calculation to generate the current evaluation result. The current evaluation result is then compared with the second preset evaluation index; if the second preset evaluation index is not met, the process is repeated, and if it is not met several times, an expert can intervene or modify the second preset evaluation index.
For example, if the second preset evaluation index is a silhouette coefficient threshold of 0.8 and the current evaluation result is less than 0.8, the second preset evaluation index is not met. Finally, after learning and evaluating the preset threat detection kernel model in this way, a preset scene kernel model targeting the static simulated network environment is formed. The model is built by combining supervised learning and reinforcement learning: supervised learning gives the model a higher threat recognition capability, while reinforcement learning avoids the need to label more data sets, keeping the cost of building the model within a certain range and achieving a balance between good effect and controllable cost. In addition, the reinforcement learning mechanism gives the model a stronger self-learning capability.
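The cluster-evaluate-retry loop of steps 602 to 608, as an added example that is not the patent's own code. It assumes k-means with deterministic farthest-first seeding as the clustering step (the text leaves the algorithm open), the silhouette coefficient with the text's threshold of 0.8 as the second preset evaluation index, and constructed feature vectors standing in for the threat detection results; after max_rounds failures it hands the result over for expert review.

```python
"""Cluster-and-evaluate loop of steps 602-608 (added example, not the patent's
own code). Assumptions: k-means with farthest-first seeding is the clustering
step, the silhouette coefficient with threshold 0.8 is the second preset
evaluation index, and the "threat detection results" are constructed vectors."""
import math

# Constructed threat detection results: feature vectors standing in for the
# "detailed threat information" of each detection, four per threat subtype
# (brute force, DNS attack, SQL injection). Separable on purpose.
SEPARABLE_RESULTS = [
    (0.10, 0.90, 0.05), (0.12, 0.88, 0.06), (0.09, 0.92, 0.04), (0.11, 0.91, 0.05),
    (0.85, 0.15, 0.90), (0.87, 0.14, 0.92), (0.84, 0.16, 0.89), (0.86, 0.15, 0.91),
    (0.50, 0.05, 0.10), (0.52, 0.06, 0.12), (0.49, 0.04, 0.09), (0.51, 0.05, 0.11),
]
# Constructed results whose subtypes overlap: no 2-way clustering reaches 0.8.
OVERLAPPING_RESULTS = [(0.50, 0.50), (0.52, 0.48), (0.49, 0.51), (0.51, 0.50)]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def init_centroids(points, k, start):
    """Farthest-first seeding from points[start]; deterministic, and a different
    start index gives a different seeding on each retry round."""
    centroids = [points[start % len(points)]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(euclid(p, c) for c in centroids)))
    return centroids


def kmeans(points, k, start=0, max_iter=50):
    """Plain Lloyd iteration; returns one cluster label per point."""
    centroids = init_centroids(points, k, start)
    labels = [-1] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: euclid(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an emptied cluster keeps its old centroid
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels


def silhouette(points, labels):
    """Mean silhouette coefficient in [-1, 1]; -1 if everything fell into one cluster."""
    used = set(labels)
    if len(used) < 2:
        return -1.0
    scores = []
    for i, p in enumerate(points):
        own = [q for j, q in enumerate(points) if labels[j] == labels[i] and j != i]
        if not own:  # singleton cluster: silhouette is defined as 0
            scores.append(0.0)
            continue
        a = sum(euclid(p, q) for q in own) / len(own)
        b = min(
            sum(euclid(p, q) for j, q in enumerate(points) if labels[j] == other)
            / labels.count(other)
            for other in used if other != labels[i]
        )
        scores.append((b - a) / max(a, b))
    return sum(scores) / len(scores)


def evaluate_kernel_output(results, n_subtypes, threshold=0.8, max_rounds=5):
    """Steps 604-608: cluster, score, compare with the second preset evaluation
    index, retry with a new seeding if unmet, and hand over to an expert after
    max_rounds failures (the text's "expert can intervene")."""
    best_score, best_labels = -1.0, None
    for round_no in range(1, max_rounds + 1):
        labels = kmeans(results, n_subtypes, start=round_no - 1)
        score = silhouette(results, labels)
        if score >= threshold:
            return {"status": "accepted", "rounds": round_no, "score": score, "labels": labels}
        if score > best_score:
            best_score, best_labels = score, labels
    return {"status": "expert_review", "rounds": max_rounds, "score": best_score, "labels": best_labels}


if __name__ == "__main__":
    print(evaluate_kernel_output(SEPARABLE_RESULTS, 3))   # accepted in round 1
    print(evaluate_kernel_output(OVERLAPPING_RESULTS, 2))  # expert_review
```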
After the preset scene kernel model is constructed, a threat correction mode must also be constructed. The threat correction mode is a repair mode whose purpose is to add model repair measures so that a specific model is additionally influenced during operation. In subsequent scene threat detection, if an expert adds a threat correction, the related information is re-checked and normalized, and the result is sent to the scene extension module for processing.
When the scene extension module is constructed, the threat information data set and the threat correction mode data set are acquired first and then fused. Specifically, the threat information data set is first identified, and the weight of the network threats in that data set associated with the current threat subtype is set to 100%. The weight of the data in the threat correction mode data set is set to k2; note that k2 may take different values in different static simulation network environments. Finally, the threat information data set and the threat correction mode data set are converted into the same data format for storage while the two kinds of data remain distinguishable, which yields the scene extension module.
Therefore, when the preset scene detection model is constructed, the scene extension module and the preset scene kernel model are fused. Specifically, the weight of the scene kernel result corresponding to the preset scene kernel model is set to k1, and the scene kernel result and the scene extension result corresponding to the scene extension module are combined in weighted form. The final threat value is r(i) = [threat information result] × 100% + [threat correction result] × k2 + [scene kernel result] × k1, where r(i) is the final threat value of the ith threat subtype and [threat information result] is the correlation of the ith network threat in the threat information data set, usually a percentage; the correlation can be obtained by similarity calculation, i.e. after screening out the network threats related to the current threat subtype from the threat information data set, similarity is calculated between the current threat subtype and each screened network threat. [threat correction result] is the threat probability value in the ith network threat correction result in the threat correction mode data set, which an expert can set when correcting. [scene kernel result] is the ith threat probability value calculated by the preset scene kernel model; if several threat probability values exist, the largest can be selected.
Finally, the above process can be parameterized and packaged into a preset scene detection model. Its input data can comprise the threat information data set, the threat correction mode data set and the network flow data set, and its output data can comprise the threat subtype, the final threat value r(i) and the detailed threat information.
In some alternative embodiments, the preset threat hunting model is implemented based on the preset scene detection model, and the threat hunting result is the threat detection result generated by the preset scene detection model. The preset threat hunting model may be deployed on a bypass of the switch so that network behavior can be detected in real time. During detection, the relevant personnel can manually judge the detection effect and the detection result; the system fuses this judgment result into the preset scene detection model as a correction, and later detection is corrected by the added human judgment, making identification more accurate. By combining machine learning with manual judgment, the model reaches a high degree of automation: only a small amount of manual judgment and correction is needed in the early stage, and as the model's detection capability grows, the degree of hunting automation rises accordingly.
Specifically, as shown in fig. 7, fig. 7 is a flowchart illustrating steps for updating a preset threat hunting model according to an embodiment of the present application, including:
step 702, obtaining a judgment result corresponding to the threat hunting result.
Step 704, updating the preset threat hunting model based on the judgment result, and generating a new preset threat hunting model.
In the threat hunting process, the network switch is connected in real time (bypass traffic is usually enabled on the core switch), the network flow data is monitored in real time by the preset scene detection model, and the threat detection result is displayed and reported to the relevant security specialists in a preset form, for example as a web page.
The security expert can therefore judge the threat detection result produced by the preset scene detection model, specifically by labelling whether it is a threat, the threat type, and the probability that it is of that type, which yields the judgment result.
When the preset threat hunting model is updated based on the judgment result, it is actually the preset scene detection model that is updated: the judgment results are fed into the preset scene detection model in micro-batches for updating, producing a new preset scene detection model for subsequent scene detection. Once the new preset scene detection model is obtained, the preset threat hunting model is updated accordingly, giving a new preset threat hunting model.
Further, when the threat hunting result is generated, the current network traffic data can be input into a new preset threat hunting model for calculation, and the threat hunting result corresponding to the current network traffic data is generated.
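The weighted fusion r(i) described for the preset scene detection model, together with the micro-batch update from expert judgment results in steps 702 and 704, as one added example that is not the applicant's code. The weights k1 and k2, the token-based similarity, taking the best similarity over the screened intelligence entries, and averaging judgments within a micro-batch are all constructed assumptions.

```python
"""Scene detection fusion r(i) and micro-batch update from expert judgments.
Added example on constructed data; not the applicant's code. Weights, token
sets and the use of the best similarity are assumptions."""
from typing import Dict, Iterable, List, Set

# Weights: intelligence related to the current subtype counts at 100 %, expert
# corrections at k2, the scene kernel output at k1. k1 and k2 are environment-
# specific in the application; the values here are constructed.
K1 = 0.6
K2 = 0.3

# Constructed threat information (intelligence) data set: subtype plus descriptive tokens.
THREAT_INTEL = [
    {"subtype": "c2_beacon", "tokens": {"periodic", "small_payload", "tls", "fixed_interval"}},
    {"subtype": "c2_beacon", "tokens": {"periodic", "dns_txt", "fixed_interval"}},
    {"subtype": "port_scan", "tokens": {"many_ports", "syn_only", "short_flows"}},
]
# Constructed threat correction mode data set: expert-set probability per subtype.
THREAT_CORRECTIONS: Dict[str, float] = {"c2_beacon": 0.7, "port_scan": 0.2}
# Constructed scene kernel output: one or more probability values per subtype.
SCENE_KERNEL_OUTPUT: Dict[str, List[float]] = {"c2_beacon": [0.55, 0.81, 0.62],
                                               "port_scan": [0.15]}
SUBTYPES = ("c2_beacon", "port_scan")


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def intel_correlation(subtype: str, observed: Set[str], intel=THREAT_INTEL) -> float:
    """[threat information result]: screen the data set for entries related to the
    subtype, compute similarity to each, and keep the best (max is an assumption)."""
    related = [e["tokens"] for e in intel if e["subtype"] == subtype]
    return max((jaccard(observed, t) for t in related), default=0.0)


def scene_kernel_result(subtype: str, output=SCENE_KERNEL_OUTPUT) -> float:
    """[scene kernel result]: the largest probability the kernel produced for the subtype."""
    return max(output.get(subtype, [0.0]))


def final_threat_value(subtype: str, observed: Set[str], corrections: Dict[str, float],
                       k1: float = K1, k2: float = K2) -> float:
    """r(i) = [threat information result] * 100% + [threat correction result] * k2
             + [scene kernel result] * k1."""
    return (intel_correlation(subtype, observed) * 1.0
            + corrections.get(subtype, 0.0) * k2
            + scene_kernel_result(subtype) * k1)


def scene_detection(observed: Set[str], corrections: Dict[str, float]) -> Dict:
    """Output of the preset scene detection model: subtype, final threat value r(i), detail."""
    scored = {s: final_threat_value(s, observed, corrections) for s in SUBTYPES}
    best = max(scored, key=scored.get)
    return {"subtype": best, "final_threat_value": round(scored[best], 4),
            "detail": {"observed_tokens": sorted(observed), "all_scores": scored}}


def apply_judgments(corrections: Dict[str, float], judgments: Iterable[Dict],
                    batch_size: int = 2) -> Dict[str, float]:
    """Fold expert judgment results (is_threat, type, probability) into the
    correction mode data set in micro-batches and return the updated set."""
    updated = dict(corrections)
    batch: List[Dict] = []
    for j in judgments:
        batch.append(j)
        if len(batch) == batch_size:
            _merge_batch(updated, batch)
            batch = []
    if batch:
        _merge_batch(updated, batch)
    return updated


def _merge_batch(corrections: Dict[str, float], batch: List[Dict]) -> None:
    # Per subtype, the batch's marked probabilities are averaged ("not a threat"
    # counts as 0) and replace the stored expert probability (averaging is an assumption).
    per_type: Dict[str, List[float]] = {}
    for j in batch:
        per_type.setdefault(j["type"], []).append(j["probability"] if j["is_threat"] else 0.0)
    for t, vals in per_type.items():
        corrections[t] = sum(vals) / len(vals)


if __name__ == "__main__":
    observed = {"periodic", "tls", "fixed_interval", "small_payload"}   # constructed flow
    print(scene_detection(observed, THREAT_CORRECTIONS))
```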
The application provides a threat hunting method, which comprises the following steps: the method comprises the steps of obtaining current network flow data, inputting the current network flow data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network flow data, wherein the preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat information data set, a threat correction mode data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulation network environment and is subjected to an unsupervised learning mechanism. According to the method, the current network flow data is directly calculated through the pre-trained preset threat hunting model, so that a corresponding threat hunting result can be obtained, and the accuracy and efficiency of threat hunting are improved; in addition, the preset threat hunting model replaces expert hunting, so that the accuracy is improved, and meanwhile, the model has lower cost and more comprehensive disposal capability; meanwhile, a mode of combining microkernel, scenery and manual judgment is adopted, so that the preset threat hunting model has higher generalization capability and adaptability.
Fig. 8 is a block diagram of a threat hunting device according to an embodiment of the present application.
As shown in fig. 8, the threat hunting apparatus 800 includes:
An obtaining module 802 is configured to obtain current network traffic data.
The generating module 804 is configured to input current network traffic data into a preset threat hunting model for calculation, and generate a threat hunting result corresponding to the current network traffic data; the method comprises the steps that a preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat information data set, a threat correction mode data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulation network environment and is subjected to an unsupervised learning mechanism.
The specific manner in which the various modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the embodiments of the method and will not be repeated here. The various modules in the threat hunting apparatus described above may be implemented in whole or in part in software, hardware, or a combination thereof. The above modules may be embedded in hardware, may be independent of a processor in the computer device, or may be stored as software in a memory of the computer device so that the processor can invoke and perform the operations of the above modules.
In one embodiment of the present application, a computer device is provided, the computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor, when executing the computer program, performing the steps of:
acquiring current network flow data;
inputting the current network flow data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network flow data; the method comprises the steps that a preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat information data set, a threat correction mode data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulation network environment and is subjected to an unsupervised learning mechanism.
In one embodiment of the present application, the processor when executing the computer program further performs the steps of:
acquiring a preset threat detection kernel model;
and learning and evaluating the preset threat detection kernel model by adopting an unsupervised learning mechanism to generate a preset scene kernel model.
In one embodiment of the present application, the processor when executing the computer program further performs the steps of:
Acquiring a network malicious behavior sample set;
constructing an initial threat detection model by adopting a preset deep learning model, and constructing a first preset evaluation index;
training and evaluating the initial threat detection model through the network malicious behavior sample set until the evaluation result meets a first preset evaluation index, and generating a preset threat detection model;
and migrating the preset threat detection model to a static simulation network environment to generate a preset threat detection kernel model.
In one embodiment of the present application, the processor when executing the computer program further performs the steps of:
acquiring a threat detection result corresponding to a second preset evaluation index and a preset threat detection kernel model;
clustering the threat detection results to generate clustering results;
evaluating the clustering result to generate a current evaluation result;
and learning and evaluating the preset threat detection kernel model based on the current evaluation result and a second preset evaluation index to generate a preset scene kernel model.
In one embodiment of the present application, the processor when executing the computer program further performs the steps of:
constructing a static simulation network environment; the static simulation network environment comprises fixed network flow data;
Acquiring a threat information data set, a threat correction mode data set and a preset scene kernel model;
and generating a preset scene detection model based on the threat information data set, the threat correction mode data set and the preset scene kernel model.
In one embodiment of the present application, the processor when executing the computer program further performs the steps of:
acquiring a judging result corresponding to the threat hunting result;
and updating the preset threat hunting model based on the judging result to generate a new preset threat hunting model.
In one embodiment of the present application, the processor when executing the computer program further performs the steps of:
and inputting the current network flow data into a new preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network flow data.
The computer device provided in the embodiments of the present application has similar implementation principles and technical effects to those of the above method embodiments, and will not be described herein.
In one embodiment of the present application, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
acquiring current network flow data;
Inputting the current network flow data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network flow data; the method comprises the steps that a preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat information data set, a threat correction mode data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulation network environment and is subjected to an unsupervised learning mechanism.
In one embodiment of the present application, the computer program when executed by the processor further performs the steps of:
acquiring a preset threat detection kernel model;
and learning and evaluating the preset threat detection kernel model by adopting an unsupervised learning mechanism to generate a preset scene kernel model.
In one embodiment of the present application, the computer program when executed by the processor further performs the steps of:
acquiring a network malicious behavior sample set;
constructing an initial threat detection model by adopting a preset deep learning model, and constructing a first preset evaluation index;
training and evaluating the initial threat detection model through the network malicious behavior sample set until the evaluation result meets a first preset evaluation index, and generating a preset threat detection model;
And migrating the preset threat detection model to a static simulation network environment to generate a preset threat detection kernel model.
In one embodiment of the present application, the computer program when executed by the processor further performs the steps of:
acquiring a threat detection result corresponding to a second preset evaluation index and a preset threat detection kernel model;
clustering the threat detection results to generate clustering results;
evaluating the clustering result to generate a current evaluation result;
and learning and evaluating the preset threat detection kernel model based on the current evaluation result and a second preset evaluation index to generate a preset scene kernel model.
In one embodiment of the present application, the computer program when executed by the processor further performs the steps of:
constructing a static simulation network environment; the static simulation network environment comprises fixed network flow data;
acquiring a threat information data set, a threat correction mode data set and a preset scene kernel model;
and generating a preset scene detection model based on the threat information data set, the threat correction mode data set and the preset scene kernel model.
In one embodiment of the present application, the computer program when executed by the processor further performs the steps of:
Acquiring a judging result corresponding to the threat hunting result;
and updating the preset threat hunting model based on the judging result to generate a new preset threat hunting model.
In one embodiment of the present application, the computer program when executed by the processor further performs the steps of:
and inputting the current network flow data into a new preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network flow data.
The computer readable storage medium provided in this embodiment has similar principles and technical effects to those of the above method embodiment, and will not be described herein.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A threat hunting method, the method comprising:
acquiring current network flow data;
inputting the current network flow data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network flow data; the preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat information data set, a threat correction mode data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulation network environment and is subjected to an unsupervised learning mechanism.
2. The method according to claim 1, wherein the constructing process of the preset scene kernel model includes:
acquiring a preset threat detection kernel model;
and adopting the unsupervised learning mechanism to learn and evaluate the preset threat detection kernel model to generate the preset scene kernel model.
3. The method of claim 2, wherein the constructing the preset threat detection kernel model includes:
acquiring a network malicious behavior sample set;
constructing an initial threat detection model by adopting a preset deep learning model, and constructing a first preset evaluation index;
training and evaluating the initial threat detection model through the network malicious behavior sample set until an evaluation result meets the first preset evaluation index, and generating a preset threat detection model;
and migrating the preset threat detection model to the static simulation network environment to generate the preset threat detection kernel model.
4. The method of claim 3, wherein the learning and evaluating the preset threat detection kernel model using the unsupervised learning mechanism to generate the preset scene kernel model comprises:
Acquiring a second preset evaluation index and a threat detection result corresponding to the preset threat detection kernel model;
clustering the threat detection results to generate clustering results;
evaluating the clustering result to generate a current evaluation result;
and carrying out learning and evaluation processing on the preset threat detection kernel model based on the current evaluation result and the second preset evaluation index to generate the preset scene kernel model.
5. The method according to any one of claims 1-4, wherein the construction process of the preset scene detection model includes:
constructing a static simulation network environment; wherein the static simulation network environment comprises fixed network flow data;
acquiring the threat information data set, the threat correction mode data set and the preset scene kernel model;
and generating the preset scene detection model based on the threat information data set, the threat correction mode data set and the preset scene kernel model.
6. The method according to any one of claims 1-4, further comprising:
acquiring a judgment result corresponding to the threat hunting result;
and updating the preset threat hunting model based on the judgment result to generate a new preset threat hunting model.
7. The method of claim 6 wherein the inputting the current network traffic data into a preset threat hunting model for calculation to generate threat hunting results corresponding to the current network traffic data comprises:
and inputting the current network flow data into the new preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network flow data.
8. A threat hunting apparatus, the apparatus comprising:
the acquisition module is used for acquiring current network flow data;
the generation module is used for inputting the current network flow data into a preset threat hunting model for calculation and generating a threat hunting result corresponding to the current network flow data; the preset threat hunting model is generated based on a preset scene detection model, the preset scene detection model is generated based on a threat information data set, a threat correction mode data set and a preset scene kernel model, and the preset scene kernel model is a model which is built in a static simulation network environment and is subjected to an unsupervised learning mechanism.
9. An electronic device comprising a processor and a memory having stored therein at least one instruction, at least one program, code set, or instruction set that is loaded and executed by the processor to implement the threat hunting method of any of claims 1-7.
10. A computer readable storage medium having stored therein at least one instruction, at least one program, code set, or instruction set, loaded and executed by a processor to implement the threat hunting method of any of claims 1-7.
CN202311735209.8A 2023-12-15 2023-12-15 Method and device for threatening hunting Pending CN117792715A (en)
Publications (1)

Publication Number Publication Date
CN117792715A true CN117792715A (en) 2024-03-29

Family

ID=90386435

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination