CN117914616A - Network threat analysis processing method and system - Google Patents


Info

Publication number: CN117914616A
Authority: CN (China)
Prior art keywords: attack, path, network, sub, equipment
Legal status: Pending
Application number: CN202410128165.0A
Other languages: Chinese (zh)
Inventor: 朱诗翔
Current Assignee: Beijing Act Technology Development Co ltd
Original Assignee: Beijing Act Technology Development Co ltd
Application filed by Beijing Act Technology Development Co ltd
Priority to CN202410128165.0A
Publication of CN117914616A


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/0272 Virtual private networks
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1433 Vulnerability analysis
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network threat analysis processing method and system in the technical field of network security. The method comprises: extracting network attack data from acquired network threat data and analyzing it; dividing attack paths according to the attack types in the network attack information to obtain attack sub-paths, and calculating the complexity of each attack sub-path; configuring entity connection line parameters for each attack sub-path; configuring identification parameters for the attack device, the attacked device and the intermediate devices; and drawing a dynamic attack map according to the entity connection line parameters and the identification parameters. The invention realizes dynamic display of the attack map, makes it convenient for users to observe attack events, the attack strategy corresponding to each attack event and changes in the situation, improves the display effect and greatly helps ensure network security.

Description

Network threat analysis processing method and system
Technical Field
The invention relates to the technical field of network security, in particular to a network threat analysis processing method and system.
Background
With the continuous development of computer networks, network information security is gaining increasing importance. How to perform risk assessment on a network is an important issue.
Some security vendors offer schemes for visualizing the attack links of network attacks. The traditional attack link visualization scheme can analyze network threat data and display attack types, security events, attack path diagrams and similar data as a static picture; however, a picture is only convenient and intuitive to understand. It does not bring users truly useful security analysis, and users cannot quickly locate the problem and take effective security protection measures.
In view of the above, it is important to provide a network threat analysis processing method and system for dynamically displaying an attack path.
Disclosure of Invention
To address the defects in the prior art, the invention provides a network threat analysis processing method and system, which solve the problem that the analysis results of network threat data are poorly displayed in the prior art.
In a first aspect, an embodiment of the present invention provides a method for analyzing and processing a cyber threat, where the method includes:
acquiring network threat data;
extracting network attack data from the acquired network threat data, analyzing the acquired network attack data, and acquiring network attack information, wherein the network attack information comprises: attack time, attack type, attack equipment, intermediate equipment, attacked equipment and attack path;
dividing the attack path according to the attack type to obtain an attack sub-path, and calculating the complexity of the attack sub-path; configuring entity connection line parameters for the attack sub-path according to the complexity; configuring identification parameters for the attack equipment, the attacked equipment and the intermediate equipment according to the attack time;
and drawing a dynamic attack map according to the entity connection line parameters and the identification parameters.
Preferably, the method further comprises: and analyzing the network threat data, determining the type and the number of the network security events, and generating a security event diagram according to the type and the number of the network security events.
Preferably, dividing the attack path according to the attack type to obtain attack sub-paths and determining the complexity of each attack sub-path includes:
constructing an attack sub-path directed graph according to the attack sub-path;
acquiring attribute information of the attack sub-path directed graph, wherein the attribute information comprises the node number and the edge number;
determining a complexity coefficient of the attack sub-path according to the node number and the edge number;
determining a first influence coefficient according to the attack type of the attack sub-path;
determining a second influence coefficient according to the degree of coincidence between the attack sub-path and the service path;
and determining the complexity of the attack sub-path according to the complexity coefficient, the first influence coefficient and the second influence coefficient.
Preferably, the entity connection line parameters include the entity connection line thickness, the entity connection line shape and the entity connection line color; the identification parameters include an identification shape and an identification color.
Preferably, configuring the entity connection line parameters for the attack sub-path according to the complexity includes:
determining the shape of the entity connection line according to the attack type;
determining the thickness of the entity connection line according to the complexity;
and determining the shade of the entity connection line color according to the attack time.
Preferably, the attack time includes a plurality of attack sub-times, and each attack sub-time corresponds to at least one attack task;
configuring identification parameters for the attack equipment and the attacked equipment according to the attack type and the attack time comprises the following steps:
determining the identification shape according to the attack task;
and determining the color shade of the identification according to the attack time.
Preferably, the method further comprises:
acquiring an operation instruction of a user on the dynamic attack map;
determining a situation awareness scope according to the operation instruction, and extracting characteristic information of the network equipment within the situation awareness scope, wherein the characteristic information comprises: attack time, attack type, attack equipment, intermediate equipment, attacked equipment, attack path, attack sub-path and complexity of the attack sub-path;
inputting the characteristic information into a situation awareness model to obtain a situation awareness result;
and performing early warning according to the situation awareness result, wherein during early warning the network equipment within the situation awareness scope and the service lines between that equipment are displayed in red.
In a second aspect, an embodiment of the present invention provides a cyber threat analysis processing system, the system including:
an acquisition module, used for acquiring network threat data;
an analysis module, used for extracting network attack data from the acquired network threat data, analyzing the acquired network attack data and acquiring network attack information, wherein the network attack information comprises: attack time, attack type, attack equipment, intermediate equipment, attacked equipment and attack path;
a configuration module, used for dividing the attack path according to the attack type to obtain an attack sub-path, and calculating the complexity of the attack sub-path; configuring entity connection line parameters for the attack sub-path according to the complexity; configuring identification parameters for the attack equipment, the attacked equipment and the intermediate equipment according to the attack time;
and a map module, used for drawing a dynamic attack map according to the entity connection line parameters and the identification parameters.
In a third aspect, a processing device comprises a memory storing a computer program and a processor implementing the method of any of the above embodiments when executing the computer program.
In a fourth aspect, a computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements a method according to any of the above embodiments.
The beneficial effects of the invention are as follows. The invention provides a network threat analysis processing method and system which acquire network threat data; extract network attack data from the acquired network threat data, analyze it and acquire network attack information, wherein the network attack information comprises attack time, attack type, attack equipment, intermediate equipment, attacked equipment and attack path; divide the attack path according to the attack type to obtain attack sub-paths and calculate the complexity of each attack sub-path; configure entity connection line parameters for each attack sub-path according to its complexity; configure identification parameters for the attack equipment, the attacked equipment and the intermediate equipment according to the attack time; and draw a dynamic attack map according to the entity connection line parameters and the identification parameters. According to the invention, the network threat data is analyzed to obtain the network attack information, the network attack information is analyzed, and visual parameters are configured in a targeted manner for each attack device, attacked device, intermediate device and attack path. This realizes dynamic display of the attack map, lets the user conveniently observe the attack event, the attack strategy corresponding to the attack event and the change in the situation, improves the display effect, and greatly helps ensure network security.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. Like elements or portions are generally identified by like reference numerals throughout the several figures. In the drawings, elements or portions thereof are not necessarily drawn to scale.
FIG. 1 is a flowchart of a network threat analysis processing method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a network threat analysis processing method according to another embodiment of the present invention;
FIG. 3 is a system block diagram of a cyber threat analysis processing system according to an embodiment of the invention;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the technical scheme of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present invention, and thus are merely examples, and are not intended to limit the scope of the present invention.
It is noted that unless otherwise indicated, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs.
FIG. 1 is a flowchart of a method for analyzing and processing a cyber threat according to an embodiment of the invention, the method comprising:
s101, acquiring network threat data, wherein the threat data comprises log information of security equipment;
It is understood that the security device may be a security device in the network environment, where security devices may include traffic layer security devices, terminal security devices, operating systems with a security protection function, and the like, for example: firewalls, IDS (intrusion detection system), IPS (intrusion prevention system), vulnerability scanning devices, security isolation gatekeepers, VPN (Virtual Private Network) devices, traffic monitoring devices, endpoint detection and response (EDR) systems, etc. The log information mainly comprises alarm information of the traffic layer security devices, alarm information of the terminal security devices, security log information of the operating system and the like.
S102, extracting network attack data from the acquired network threat data, analyzing the acquired network attack data, and acquiring network attack information, wherein the network attack information comprises: the attack event, attack time, attack type, attack equipment, intermediate equipment, attacked equipment and attack path corresponding to each attack event;
It should be noted that the attack time includes the attack start time, the attack duration and the attack end time. One attack time corresponds to one attack event, one attack event corresponds to a plurality of attack types and a plurality of attack paths, and each attack path of an event shares the same attack device and attacked device but passes through different intermediate devices.
S103, dividing the attack path according to the attack type to obtain an attack sub-path, and calculating the complexity of the attack sub-path; configuring entity connection parameters for the attack sub-path according to the complexity; configuring identification parameters for the attack equipment, the attacked equipment and the intermediate equipment according to the attack time;
In the embodiment of the present invention, dividing the attack paths according to the attack types to obtain attack sub-paths, and determining the complexity of each attack sub-path includes: constructing an attack sub-path directed graph according to the attack sub-path; acquiring attribute information of the attack sub-path directed graph, wherein the attribute information comprises node numbers and edge numbers; determining a complexity coefficient of the attack sub-path according to the node number and the edge number; determining a first influence coefficient according to the attack type of the attack sub-path; determining a second influence coefficient according to the coincidence degree of the attack sub-path and the service path; and determining the complexity of the attack sub-path according to the complexity coefficient and the first influence coefficient and the second influence coefficient.
Specifically, the formula for determining the complexity coefficient of the attack sub-path according to the node number and the edge number is as follows:
where the first term is the complexity coefficient of the attack sub-path directed graph, the second term is the number of nodes in the attack sub-path directed graph, the third term is the number of edges in the attack sub-path directed graph, A, B, C, D are constants, and Q is the number of paths from the attack device to the attacked device in the attack sub-path.
Specifically, determining the first influence coefficient according to the attack type of the attack sub-path includes: looking up, in the attack type table, a first weight that the attack type carries for the hardware resources or software resources of network equipment; retrieving a second weight corresponding to the hardware or software resources of the attacked device; and calculating the first influence coefficient from the first weight and the second weight.
Different attack types have different emphases, so the degree of damage an attack type does to the different resources of a network device differs; in addition, the relative importance of each resource differs between network devices. Determining the first influence coefficient from both the first weight and the second weight therefore improves its accuracy.
Specifically, determining the second influence coefficient according to the coincidence degree of the attack sub-path and the service path includes: the higher the degree of coincidence, the lower the degree of complexity, and the smaller the second influence coefficient.
The embodiment of the invention accurately evaluates the complexity of the attack sub-path by comprehensively considering the attribute information of the attack sub-path, the influence degree of the attack type on the network equipment resource and the coincidence degree of the attack sub-path and the service path.
In the embodiment of the invention, the entity connection parameters comprise entity connection thickness, entity connection shape and entity connection color; the identification parameters include an identification shape and an identification color.
In the embodiment of the present invention, configuring the entity connection line parameters for the attack sub-path according to the complexity includes: determining the entity connection line shape according to the attack type, including but not limited to a solid line and a dashed line; determining the thickness of the entity connection line according to the complexity, where the higher the complexity the thicker the line, and the lower the complexity the thinner the line; and determining the shade of the entity connection line color according to the attack time, where the earlier the attack start time the darker the color, and the later the attack start time the lighter the color.
In the embodiment of the invention, the attack time comprises a plurality of attack sub-times, and each attack sub-time corresponds to at least one attack task. Configuring identification parameters for the attack equipment and the attacked equipment according to the attack type and the attack time comprises the following steps: determining the identification shape according to the attack task; and determining the color shade of the identification according to the attack time, namely determining which interval of the whole monitoring period the attack time falls in, and determining the shade of that interval's color according to the proportion of the interval occupied by the attack time, where the higher the proportion the darker the color, and the lower the proportion the lighter the color.
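The complexity computation of step S103 and its mapping to the entity connection line and identification parameters, as an added worked example (not the patent's own code). Since the page does not reproduce the complexity formula, the linear combination A·nodes + B·edges + C·Q + D, the constants A..D, the weight tables, the shape assignments and the sample sub-paths below are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Edge = Tuple[str, str]


@dataclass
class AttackSubPath:
    """One attack sub-path of an attack event, split out by attack type."""
    attack_type: str
    hops: List[Edge]        # directed hops (src -> dst) between devices, constructed
    start_time: float       # seconds since the start of the monitoring period
    duration: float         # seconds the attack lasted


# Constructed sample: one event with two attack types. Both sub-paths share the
# attack device 10.0.0.5 and the attacked device 10.0.2.9 but use different
# intermediate devices, as the description states.
ATTACKER, VICTIM = "10.0.0.5", "10.0.2.9"
SUB_PATHS = [
    AttackSubPath("scan", [(ATTACKER, "10.0.1.1"), ("10.0.1.1", VICTIM),
                           (ATTACKER, "10.0.1.2"), ("10.0.1.2", VICTIM)], 0.0, 600.0),
    AttackSubPath("exploit", [(ATTACKER, "10.0.1.1"), ("10.0.1.1", "10.0.1.3"),
                              ("10.0.1.3", VICTIM)], 1200.0, 300.0),
]
# Service (business traffic) path used to measure coincidence; constructed.
SERVICE_PATH: FrozenSet[Edge] = frozenset({(ATTACKER, "10.0.1.1"), ("10.0.1.1", VICTIM)})
# Attack type table (first weight) and attacked-device resource weight (second weight); assumed.
TYPE_WEIGHT = {"scan": 0.3, "exploit": 0.8}
DEVICE_WEIGHT = {VICTIM: 0.9}
# Identification shape per attack task and line shape per attack type; assumed.
TASK_SHAPE = {"scan": "circle", "exploit": "triangle"}
LINE_SHAPE = {"scan": "dashed", "exploit": "solid"}
A, B, C, D = 1.0, 0.5, 0.5, 2.0   # constants of the assumed formula


def build_graph(sub: AttackSubPath) -> Dict[str, List[str]]:
    """Attack sub-path directed graph as an adjacency list (every device is a node)."""
    adj: Dict[str, List[str]] = {}
    for src, dst in sub.hops:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    return adj


def count_paths(adj: Dict[str, List[str]], src: str, dst: str,
                seen: FrozenSet[str] = frozenset()) -> int:
    """Q: number of simple directed paths from the attack device to the attacked device."""
    if src == dst:
        return 1
    return sum(count_paths(adj, nxt, dst, seen | {src})
               for nxt in adj[src] if nxt not in seen)


def complexity_coefficient(adj: Dict[str, List[str]], src: str, dst: str) -> float:
    """Assumed stand-in for the page's formula over node number, edge number and Q."""
    nodes = len(adj)
    edges = sum(len(v) for v in adj.values())
    return A * nodes + B * edges + C * count_paths(adj, src, dst) + D


def first_influence(sub: AttackSubPath, attacked: str) -> float:
    """First influence coefficient from the attack-type weight and the device weight."""
    return TYPE_WEIGHT[sub.attack_type] * DEVICE_WEIGHT[attacked]


def second_influence(sub: AttackSubPath) -> float:
    """Higher coincidence with the service path gives a smaller coefficient."""
    coincidence = len(set(sub.hops) & SERVICE_PATH) / len(sub.hops)
    return 1.0 - coincidence


def complexity(sub: AttackSubPath, src: str, dst: str) -> float:
    adj = build_graph(sub)
    return complexity_coefficient(adj, src, dst) * first_influence(sub, dst) * second_influence(sub)


def line_parameters(sub: AttackSubPath, score: float, period_end: float) -> dict:
    """Entity connection line: shape by type, thicker with complexity, darker when earlier."""
    return {"shape": LINE_SHAPE[sub.attack_type],
            "thickness": 1 + round(score),
            "color_shade": 1.0 - sub.start_time / period_end}   # 1.0 = darkest


def mark_parameters(sub: AttackSubPath, period_end: float, n_intervals: int = 4) -> dict:
    """Identification: shape by task; shade by the share of its interval the attack occupies."""
    width = period_end / n_intervals
    idx = min(int(sub.start_time // width), n_intervals - 1)
    lo, hi = idx * width, (idx + 1) * width
    covered = max(0.0, min(sub.start_time + sub.duration, hi) - max(sub.start_time, lo))
    return {"shape": TASK_SHAPE[sub.attack_type], "interval": idx, "color_shade": covered / width}


if __name__ == "__main__":
    for sub in SUB_PATHS:
        score = complexity(sub, ATTACKER, VICTIM)
        print(sub.attack_type, round(score, 3), line_parameters(sub, score, 3600.0),
              mark_parameters(sub, 3600.0))
```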
S105, drawing a dynamic attack map according to the entity connection parameters and the identification parameters.
Specifically, the longitude and latitude of the attack device, the intermediate devices and the attacked device are determined from their respective IP addresses; the devices are drawn at those coordinates according to the identification parameters; the corresponding attack paths are drawn according to the attack sub-paths and their entity connection line parameters, giving an attack map; and the attack map is updated as the attack time advances, giving a dynamic attack map that describes the development of the attack event over the whole attack time.
According to the network threat analysis processing method of the embodiment, network threat data is analyzed to obtain network attack information, the network attack information is analyzed, and visual parameters are configured in a targeted manner for each attack device, attacked device, intermediate device and attack path, so that the user can conveniently observe attack events and the attack strategies corresponding to them, the display effect is improved, and network security is greatly helped.
As shown in fig. 2, fig. 2 is a flowchart of a network threat analysis processing method according to another embodiment of the present invention, where the method includes: s201, acquiring network threat data; s202, extracting network attack data from the acquired network threat data, analyzing the acquired network attack data, and acquiring network attack information, wherein the network attack information comprises: attack time, attack type, attack equipment, intermediate equipment, attacked equipment and attack path; s203, dividing the attack path according to the attack type to obtain an attack sub-path, and calculating the complexity of the attack sub-path; configuring entity connection parameters for the attack sub-path according to the complexity; configuring identification parameters for the attack equipment, the attacked equipment and the intermediate equipment according to the attack time; s204, drawing a dynamic attack map according to the entity connection parameters and the identification parameters.
In an embodiment of the present invention, the method further includes: s205, analyzing the network threat data, determining the type and the number of the network security events, and generating a security event diagram according to the type and the number of the network security events.
In a specific implementation, log information is collected from the security devices in the network environment; it mainly comprises alarm information of the traffic layer security devices, alarm information of the terminal security devices, security log information of the operating system and the like. The alarm protocols used by the devices to upload include, but are not limited to, syslog and WMI; the log information uploaded over the network through these protocols forms the security event collection. The change in security events is then displayed as a dynamic line graph, dynamic curve graph or the like.
In an embodiment of the present invention, the method further includes: s206, acquiring an operation instruction of a user on the dynamic attack map; determining a situation awareness scope according to the operation instruction, and extracting characteristic information of network equipment in the situation awareness scope, wherein the characteristic information comprises: attack time, attack type, attack equipment, intermediate equipment, attacked equipment, attack path, attack sub-path and complexity of the attack sub-path; inputting a situation awareness model according to the characteristic information to obtain a situation awareness result; and early warning is carried out according to the situation awareness result, and the network equipment and service lines between the network equipment in the situation awareness range are red during early warning.
Specifically, the user performs operations on the dynamic attack map, for example selecting a specific time period or a specific attack type. The situation awareness range, that is, the range of network devices and service lines to be analyzed and perceived, is determined from the user's operation instruction, and the feature information of the related network devices within that range is extracted. Such information may include the time at which the attack occurred, the attack type, the attack device, the intermediate devices, the attacked device, the attack path, the attack sub-paths and their complexity, etc. The extracted feature information is input into a pre-built situation awareness model, which may be built on machine learning, deep learning, a rule engine or similar techniques and is used to analyze and understand the attack situation in the network; the model produces the corresponding situation awareness result by analyzing and processing the feature information. The result may include a recognized local risk level, the attack events, and a visual representation of a local predicted attack map. The local predicted attack map is displayed in a second layer so the display can switch between the attack map and the local predicted attack map, and when the local risk level exceeds a preset value, risk early warning is performed; the early warning may be implemented by displaying the network devices and service lines within the situation awareness range in red, so as to draw the operator's attention.
According to the embodiment of the invention, the situation awareness range is determined from the user's operation instruction and the feature information of the related network devices is extracted, so the network attack situation within a specific range can be accurately perceived and analyzed, and the user can issue operation instructions on the dynamic attack map as needed to flexibly control the situation awareness range and the point of attention. Analyzing the extracted feature information with the situation awareness model lets a large amount of network data be processed automatically and the corresponding situation awareness result generated, which improves analysis efficiency; performing early warning according to the situation awareness result draws the operator's attention in time so that the necessary steps can be taken.
The embodiment of the invention can realize real-time statistics and dynamic visual display of the security event, analyze the security situation according to the user demand, display the early warning information on the attack map and be beneficial to the user to quickly locate the abnormal region.
Fig. 3 is a schematic structural diagram of a network threat analysis processing system according to an embodiment of the present invention, where the system includes: an acquisition module 31, configured to acquire network threat data; the parsing module 32 is configured to extract network attack data from the acquired network threat data, parse the acquired network attack data, and acquire network attack information, where the network attack information includes: attack time, attack type, attack equipment, intermediate equipment, attacked equipment and attack path; the configuration module 33 is configured to divide the attack paths according to the attack types to obtain attack sub-paths, and calculate the complexity of the attack sub-paths; configuring entity connection parameters for the attack sub-path according to the complexity; configuring identification parameters for the attack equipment, the attacked equipment and the intermediate equipment according to the attack time; and the map module 34 is used for drawing a dynamic attack map according to the entity connection line parameters and the identification parameters.
The system of the present embodiment may be used to implement the technical solutions of the method embodiments shown in fig. 1 and fig. 2, and its implementation principle and technical effects are similar, and are not described herein again.
Fig. 4 is a schematic structural diagram of an embodiment of an electronic device according to the present invention, which may implement the flows of the embodiments shown in fig. 1 and fig. 2. As shown in fig. 4, the electronic device may include: a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is arranged in the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to the circuits or devices of the electronic device; the memory 43 stores executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, in order to perform the network security event analysis method of any of the foregoing embodiments.
The specific implementation of the above steps by the processor 42 and the further implementation of the steps by the processor 42 through the execution of the executable program code may be referred to in the embodiments of fig. 1 and 2 of the present invention, and will not be described herein.
The electronic device exists in a variety of forms including, but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones, low-end phones, etc.
(2) Mobile personal computer device: such devices are in the category of personal computers, having computing and processing functions, and generally also having mobile internet access characteristics. Such terminals include: PDA, MID, and UMPC devices, etc., such as iPad.
(3) Portable entertainment devices: such devices can display and play multimedia content. They include audio and video players (e.g., iPod), handheld game consoles, electronic books, smart toys and portable car navigation devices.
(4) Servers: a server comprises a processor, a hard disk, a memory, a system bus, and the like. Its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, it has high requirements in terms of processing capacity, stability, reliability, security, scalability, manageability, and the like.
(5) Other electronic devices with data interaction functions.
It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
In this specification, the embodiments are described in a related manner: the same or similar parts of the embodiments may be referred to one another, and each embodiment mainly describes its differences from the others.
In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
For convenience of description, the above apparatus is described as being functionally divided into various units/modules. Of course, when implementing the present invention, the functions of the various units/modules may be implemented in one or more pieces of software and/or hardware.
Those skilled in the art will appreciate that all or part of the methods of the above embodiments may be implemented by a computer program stored on a computer readable storage medium, which, when executed, may carry out the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (Random Access Memory, RAM), or the like.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A method for analyzing and processing a network threat, comprising:
Acquiring network threat data;
Extracting network attack data from the acquired network threat data, analyzing the acquired network attack data, and acquiring network attack information, wherein the network attack information comprises: attack time, attack type, attack equipment, intermediate equipment, attacked equipment and attack path;
dividing the attack path according to the attack type to obtain an attack sub-path, and calculating the complexity of the attack sub-path; configuring entity connection parameters for the attack sub-path according to the complexity; configuring identification parameters for the attack equipment, the attacked equipment and the intermediate equipment according to the attack time;
and drawing a dynamic attack map according to the entity connection parameters and the identification parameters.
2. The cyber threat analysis processing method of claim 1, further comprising: and analyzing the network threat data, determining the type and the number of the network security events, and generating a security event diagram according to the type and the number of the network security events.
3. The method of claim 1, wherein dividing the attack paths according to the attack types to obtain attack sub-paths, and determining the complexity of each attack sub-path comprises:
Constructing an attack sub-path directed graph according to the attack sub-path;
Acquiring attribute information of the attack sub-path directed graph, wherein the attribute information comprises node numbers and edge numbers;
determining a complexity coefficient of the attack sub-path according to the node number and the edge number;
Determining a first influence coefficient according to the attack type of the attack sub-path;
Determining a second influence coefficient according to the coincidence degree of the attack sub-path and the service path;
And determining the complexity of the attack sub-path according to the complexity coefficient, the first influence coefficient and the second influence coefficient.
4. The network threat analysis processing method of claim 1, wherein the entity connection line parameters include entity connection line thickness, entity connection line shape, and entity connection line color; the identification parameters include an identification shape and an identification color.
5. The method of claim 4, wherein configuring entity connection parameters for the attack sub-path according to the complexity level comprises:
determining the shape of the entity connecting line according to the attack type;
Determining the thickness of an entity connecting line according to the complexity;
And determining the color depth of the entity connection line according to the attack time.
6. The network threat analysis processing method of claim 4, wherein the attack time comprises a plurality of attack sub-times, each attack sub-time corresponding to at least one attack task;
Configuring identification parameters for the attack equipment and the attacked equipment according to the attack type and the attack time comprises the following steps:
Determining the identification shape according to the attack task;
and determining the identification color depth according to the attack time.
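A worked illustration of claims 3, 5 and 6, added here as an example and not code from the patent: it builds the directed graph of a constructed attack sub-path, scores its complexity from node count, edge count, attack type and overlap with a service path, and derives the entity connection line and identification parameters from that score and the attack time. The product-form complexity formula, the coefficient and shape tables, the 24-hour colour fade and the device names are all assumptions, since the patent names the inputs but gives no formulas.

```python
# Added example, not the patent's code: complexity scoring and attack map parameter
# configuration for one attack sub-path (claims 3, 5 and 6). The patent names the inputs
# but gives no formulas; the product rule, lookup tables and colour scale are assumptions.
from dataclasses import dataclass
from datetime import datetime

@dataclass
class AttackSubPath:
    attack_type: str       # first influence coefficient and line shape (claims 3, 5)
    attack_task: str       # identification shape (claim 6)
    attack_time: datetime  # colour depth of lines and identifications (claims 5, 6)
    hops: list             # ordered (source, target) device pairs

TYPE_COEFF = {"scan": 0.8, "exploit": 1.2, "lateral_movement": 1.5}   # assumed values
TYPE_SHAPE = {"scan": "dotted", "exploit": "solid", "lateral_movement": "dashed"}
TASK_SHAPE = {"recon": "circle", "escalation": "triangle", "exfiltration": "square"}

def directed_graph(hops):
    """Node and edge sets of the attack sub-path directed graph (claim 3)."""
    return {dev for hop in hops for dev in hop}, set(hops)

def complexity(sp, service_path):
    """Complexity coefficient x first x second influence coefficient (assumed product)."""
    nodes, edges = directed_graph(sp.hops)
    coeff = len(edges) / len(nodes)                         # assumed: edges per node
    first = TYPE_COEFF.get(sp.attack_type, 1.0)
    overlap = len(nodes & set(service_path)) / len(nodes)   # share of devices on service path
    return round(coeff * first * (1.0 + overlap), 3)        # overlap raises the score

def color_depth(attack_time, now):
    """Assumed scale: full depth when fresh, fading linearly over 24 h, floor 0.2."""
    return round(max(0.2, 1.0 - (now - attack_time).total_seconds() / 3600 / 24), 2)

def line_params(sp, cplx, now):
    """Entity connection line parameters (claim 5)."""
    return {"shape": TYPE_SHAPE.get(sp.attack_type, "solid"),
            "thickness": 1 + round(cplx * 2), "color_depth": color_depth(sp.attack_time, now)}

def id_params(sp, now):
    """Identification parameters (claim 6) keyed by device, with its role on the path."""
    nodes, _ = directed_graph(sp.hops)
    roles = {dev: "intermediate" for dev in nodes}
    roles[sp.hops[0][0]], roles[sp.hops[-1][1]] = "attack", "attacked"
    shape, depth = TASK_SHAPE.get(sp.attack_task, "circle"), color_depth(sp.attack_time, now)
    return {dev: {"role": r, "shape": shape, "color_depth": depth} for dev, r in roles.items()}

# Constructed sample: lateral movement from ws-01 via srv-02 to db-03, observed at 08:00.
SAMPLE = AttackSubPath("lateral_movement", "escalation", datetime(2024, 1, 30, 8, 0),
                       [("ws-01", "srv-02"), ("srv-02", "ws-01"), ("srv-02", "db-03")])
SERVICE_PATH, NOW = ["srv-02", "db-03", "app-04"], datetime(2024, 1, 30, 14, 0)
```

With the sample, the sub-path scores 2.5, so its dashed line is drawn at thickness 6 and three-quarter colour depth six hours after the attack; the identification shapes follow the task and fade on the same scale.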
7. The cyber threat analysis processing method of claim 1, further comprising:
acquiring an operation instruction of a user on the dynamic attack map;
Determining a situation awareness scope according to the operation instruction, and extracting characteristic information of network equipment in the situation awareness scope, wherein the characteristic information comprises: attack time, attack type, attack equipment, intermediate equipment, attacked equipment, attack path, attack sub-path and complexity of the attack sub-path;
inputting a situation awareness model according to the characteristic information to obtain a situation awareness result;
and carrying out early warning according to the situation awareness result, wherein during early warning the network equipment in the situation awareness range and the service lines between that network equipment are displayed in red.
8. A cyber threat analysis processing system, comprising:
the acquisition module is used for acquiring network threat data;
The analysis module is used for extracting network attack data from the acquired network threat data, analyzing the acquired network attack data and acquiring network attack information, wherein the network attack information comprises: attack time, attack type, attack equipment, intermediate equipment, attacked equipment and attack path;
The configuration module is used for dividing the attack path according to the attack type to obtain an attack sub-path, and calculating the complexity of the attack sub-path; configuring entity connection parameters for the attack sub-path according to the complexity; configuring identification parameters for the attack equipment, the attacked equipment and the intermediate equipment according to the attack time;
and the map module is used for drawing a dynamic attack map according to the entity connection line parameters and the identification parameters.
9. A processing device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the method of any of claims 1 to 7 when executing the computer program.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any of claims 1 to 7.
CN202410128165.0A 2024-01-30 2024-01-30 Network threat analysis processing method and system Pending CN117914616A (en)

Publications (1)

Publication Number Publication Date
CN117914616A true CN117914616A (en) 2024-04-19

Family

ID=90683575

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination