CN118174954A - Security event analysis method, device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN118174954A
Authority: CN (China)
Prior art keywords: threat, security event, knowledge graph, entities, same security
Legal status: Pending
Application number: CN202410454893.0A
Other languages: Chinese (zh)
Inventors: 白敏�, 汪列军
Current assignee: Qianxin Technology Group Co Ltd
Original assignee: Qianxin Technology Group Co Ltd
Application filed by: Qianxin Technology Group Co Ltd
Priority to: CN202410454893.0A
Publication of: CN118174954A

Abstract

The application provides a security event analysis method, a security event analysis device, electronic equipment and a storage medium, and relates to the technical field of computers. The security event analysis method comprises: determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph, wherein a connection line between two nodes in the threat knowledge graph represents the relationship between two threat entities; obtaining a threat feature set based on the threat features corresponding to all threat entities initially belonging to the same security event; obtaining a detection result based on the threat feature set and a preset credibility model, the detection result representing the credibility of attributing all threat entities initially belonging to the same security event to that security event; and, when the credibility represented by the detection result is greater than a preset credibility threshold, issuing all threat entities initially belonging to the same security event. The process does not require the participation of analysts, so massive data can be processed and processing efficiency improved.

Description

Security event analysis method, device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and apparatus for analyzing a security event, an electronic device, and a storage medium.
Background
Network security events typically involve multiple entities, and thus threat intelligence needs to be processed to determine the multiple entities involved in the same network security event in order to cope with the network security event.
At present, analysts are often relied on to analyze the association between different threat intelligence to determine entities involved in the same network security event. However, this method is difficult to process mass data and has low processing efficiency.
Disclosure of Invention
The application provides a security event analysis method, a security event analysis device, electronic equipment and a storage medium, which are used for solving the problems that massive threat information is difficult to process and the processing efficiency is low in the prior art.
In a first aspect, the present application provides a security event analysis method, including: determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph, where each node in the threat knowledge graph represents one threat entity and a connection line between two nodes represents a relationship between the two threat entities; obtaining a threat feature set based on the threat features corresponding to all threat entities initially belonging to the same security event; obtaining a detection result based on the threat feature set and a preset credibility model, the detection result representing the credibility of attributing all threat entities initially belonging to the same security event to that security event, where all threat entities initially belonging to the same security event together correspond to one credibility value; and, when the credibility represented by the detection result is greater than a preset credibility threshold, determining that all threat entities initially belonging to the same security event truly belong to the same security event, and issuing all threat entities initially belonging to the same security event.
In the embodiment of the application, the threat entities belonging to the same security event are determined through the threat knowledge graph, the credibility model is used to obtain a detection result representing a credibility value, and when the credibility represented by the detection result is greater than the preset credibility threshold, all threat entities determined from the threat knowledge graph as initially belonging to the same security event can be confirmed as trusted, so that they can be issued. The process does not require the participation of analysts, so massive data can be processed and processing efficiency improved.
With reference to the foregoing technical solution provided by the first aspect, in some possible implementation manners, determining, based on a preset threat knowledge graph, all threat entities that initially belong to the same security event includes: calculating the relevance between any two nodes in the preset threat knowledge graph; determining two nodes with relevance larger than a preset threshold value as threat entities belonging to the same security event; traversing all nodes of the threat knowledge graph, and determining all nodes which are connected with each other and have the relevance of the two connected nodes larger than a preset threshold value as all threat entities which initially belong to the same security event.
In the embodiment of the application, the greater the relevance between two nodes, the more closely the two nodes are connected and the more likely they belong to the same security event. Accordingly, all nodes that are connected to each other, with the relevance of each pair of connected nodes greater than the preset threshold, are highly likely to belong to the same security event.
With reference to the foregoing technical solution provided by the first aspect, in some possible implementation manners, before determining all threat entities that initially belong to the same security event based on a preset threat knowledge graph, the method further includes: acquiring new threat intelligence, the threat intelligence including threat entities; and adding the new threat intelligence to the threat knowledge graph to obtain an updated threat knowledge graph. Correspondingly, determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph comprises: determining all threat entities that initially belong to the same security event based on the updated threat knowledge graph.
In the embodiment of the application, the threat knowledge graph is updated with the acquired threat intelligence, so that it better matches the actual situation and does not lag behind over time, thereby improving the accuracy of the final result.
With reference to the foregoing technical solution provided by the first aspect, in some possible implementation manners, adding the new threat intelligence to the threat knowledge graph includes: determining whether a new threat entity in the new threat intelligence already exists in the threat knowledge graph; if the new threat entity does not exist in the threat knowledge graph, adding a node corresponding to the new threat entity to the threat knowledge graph and updating the relationships between that node and the other nodes in the threat knowledge graph based on the new threat intelligence, to obtain an updated threat knowledge graph; and if the new threat entity already exists in the threat knowledge graph, updating the relationships between the node corresponding to the new threat entity and the other nodes in the threat knowledge graph based on the new threat intelligence, to obtain an updated threat knowledge graph.
In the embodiment of the application, by determining whether the new threat entity in the new threat intelligence already exists in the threat knowledge graph, existing nodes are prevented from being added to the threat knowledge graph again, which would make the graph redundant.
With reference to the foregoing technical solution of the first aspect, in some possible implementation manners, the threat features include at least one type of features among basic features characterizing basic information of an attack behavior, propagation features characterizing propagation features of the attack, hazard features characterizing a hazard degree of the attack behavior, and association features characterizing behavior features having an association relationship with the attack behavior.
In the embodiment of the application, the basic features, propagation features, hazard features and association features reflect the characteristics of the security event from four different dimensions, so a more accurate detection result can be obtained from a threat feature set comprising at least one of these four types of features.
With reference to the foregoing technical solution provided in the first aspect, in some possible implementation manners, the method further includes: updating the threat knowledge graph when the credibility represented by the detection result is smaller than the credibility threshold; and obtaining a detection result again based on the updated threat knowledge graph and the credibility model.
With reference to the foregoing technical solution provided by the first aspect, in some possible implementation manners, before determining all threat entities belonging to the same security event based on a preset threat knowledge graph, the method further includes: acquiring threat intelligence, the threat intelligence including threat entities; constructing a threat knowledge graph based on all the acquired threat intelligence; and determining an embedding matrix between any two nodes in the threat knowledge graph, the embedding matrix characterizing the association relationship between the two nodes.
In the embodiment of the application, the threat knowledge graph is constructed from threat intelligence, and the association relationship between two nodes is characterized by the embedding matrix, so that the constructed threat knowledge graph accurately reflects the association relationships between different nodes, thereby improving the accuracy of the subsequently obtained detection result.
In a second aspect, the present application provides a security event analysis apparatus comprising a determining module and a processing module. The determining module is used for determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph, where each node in the threat knowledge graph represents one threat entity and a connection line between two nodes represents a relationship between the two threat entities. The processing module is used for obtaining a threat feature set based on the threat features corresponding to all threat entities initially belonging to the same security event; the processing module is further used for obtaining a detection result based on the threat feature set and a preset credibility model, the detection result representing the credibility of attributing all threat entities initially belonging to the same security event to that security event, where all threat entities initially belonging to the same security event together correspond to one credibility value; and the processing module is further used for determining that all threat entities initially belonging to the same security event truly belong to the same security event when the credibility represented by the detection result is greater than a preset credibility threshold, and issuing all threat entities initially belonging to the same security event.
In a third aspect, the present application provides an electronic device comprising: the device comprises a memory and a processor, wherein the memory is connected with the processor; the memory is used for storing programs; the processor is configured to invoke a program stored in the memory, so as to perform the method of the first aspect and/or any possible implementation manner of the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium having stored thereon a computer program which, when executed by a computer, performs the method of the first aspect and/or any of the possible implementations of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a security event analysis method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a threat knowledge graph, in accordance with an embodiment of the application;
FIG. 3 is a block diagram illustrating a first security event analysis apparatus according to an embodiment of the present application;
FIG. 4 is a block diagram illustrating a second security event analysis apparatus according to an embodiment of the present application;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, relational terms such as "first," "second," and the like may be used solely to distinguish one entity or action from another entity or action in the description of the application without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The technical scheme of the present application will be described in detail with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a flow chart of a security event analysis method according to an embodiment of the application, and the steps included in the method are described below with reference to fig. 1.
S100: Determine all threat entities initially belonging to the same security event based on a preset threat knowledge graph.
Each node in the threat knowledge graph represents one threat entity, and a connecting line between two nodes in the threat knowledge graph represents a relationship between the two threat entities.
The threat entities may be, for example, domain names, IP addresses, attack types, and so on. The relationship between threat entities may be, for example, an inclusion relationship (entity A includes entity B, that is, entity B is part of entity A), a belonging relationship (entity A belongs to, i.e. is part of, entity B), an attacked-by relationship (entity A is attacked by entity B), and so on. The specific threat entity types and relationships between entities may be determined according to the threat intelligence analyzed for actual needs, and are not limited herein.
The threat knowledge graph can be obtained from a third party device and stored in a local storage medium, and can be directly called when the threat knowledge graph needs to be used. Or threat knowledge graph can be directly constructed when needed.
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice. It describes an existing or emerging threat or hazard to an asset and may be used to inform the subject's response to that threat or hazard. Threat intelligence includes hashes, IP (Internet Protocol) addresses, domain names, URLs (Uniform Resource Locators), email addresses, program run paths, registry keys, and so on.
In one embodiment, a method of constructing a threat knowledge graph may be to first obtain threat intelligence, where the threat intelligence includes threat entities; then construct the threat knowledge graph based on all the acquired threat intelligence, and determine an embedding matrix between any two nodes in the threat knowledge graph. The embedding matrix characterizes the association relationship between the two nodes.
By converting threat intelligence into a threat knowledge graph, the association relationships between different threat entities are represented more intuitively, and indirect relationships between entities that have no direct association can also be represented.
Alternatively, the specific way to obtain threat intelligence may be as follows: security information such as text, web pages and social content is first crawled from the network. After the security information is obtained, it may be format-converted into security information in a preset format. Structured threat intelligence can then be extracted from the security information in the preset format, thereby obtaining the threat intelligence.
Or threat intelligence may be obtained directly from a third party.
The security information crawled from the network may include information such as compromised-host detection data, vulnerability information data, security notification text, DDoS (Distributed Denial of Service) attack information, data leakage monitoring information and honeypot information from across the whole network.
After threat intelligence is obtained, a knowledge database may also be constructed based on the threat intelligence.
The knowledge database may include a plurality of knowledge databases, for example a compromise detection attack library, a vulnerability information library, a data leakage information library, a threat situation attack library, an APT (Advanced Persistent Threat) organization activity attack library, a botnet library, a DDoS information library, and the like.
Alternatively, the same piece of threat intelligence may be stored simultaneously in different knowledge databases.
Optionally, the specific way to construct the threat knowledge graph based on all the acquired threat information may be: firstly, all threat entities existing in all threat information are used as nodes of threat knowledge maps. And then, based on all the obtained threat information, determining the relation between any two nodes in the threat knowledge graph, and connecting the two nodes with the relation to obtain the threat knowledge graph.
For ease of understanding, consider threat intelligence stating that entity A is attacked by entity B and entity C is attacked by entity B. The threat knowledge graph then includes three nodes, entity A, entity B and entity C; a connection line representing that entity A is attacked by entity B exists between entity B and entity A, and a connection line representing that entity C is attacked by entity B exists between entity B and entity C. The examples herein are for ease of understanding only and should not be construed as limiting the application.
Optionally, in the process of creating the threat knowledge graph, a node type may also be marked for each node. For example, the node type may include domain name, attack, vulnerability, device, etc. The type of marked nodes can be set according to actual requirements, and is not limited herein.
Alternatively, the embedding matrix between any two nodes in the threat knowledge graph may be determined according to the TransE (Translating Embedding) graph embedding algorithm.
The specific principles and operation of the TransE graph embedding algorithm are well known to those skilled in the art and are not described here for brevity.
Optionally, in the process of constructing the threat knowledge graph, for each node, threat features corresponding to the node may be extracted from threat information, and the threat features may be associated with the node. Therefore, under the condition that the threat features corresponding to the threat entities are required to be acquired later, the corresponding threat features can be acquired from the threat knowledge graph directly based on the corresponding relation between the nodes and the threat features.
Optionally, the threat features may include at least one type of features among basic features characterizing basic information of the attack behavior, propagation features characterizing propagation features of the attack, hazard features characterizing hazard degrees of the attack behavior, and association features characterizing behavior features having association relation with the attack behavior.
The basic features may include information such as threat type and source; the propagation features may include information such as infection speed and range; the hazard features may include information such as destructiveness and concealment; and the association features may include information such as related attack behaviors. Specific implementations of threat features include, but are not limited to, the above examples.
In one embodiment, the specific manner of determining all threat entities initially belonging to the same security event based on the preset threat knowledge graph may be: firstly, calculating the relevance between any two nodes in a preset threat knowledge graph. And then determining two nodes with the relevance larger than a preset threshold value as threat entities belonging to the same security event. And finally traversing all nodes of the threat knowledge graph, and determining all nodes which are connected with each other and have the relevance of the two connected nodes larger than a preset threshold value as all threat entities initially belonging to the same security event.
Alternatively, the manner of calculating the association between any two nodes in the preset threat knowledge graph may be to calculate the similarity between any two nodes.
Or the mode of calculating the relevance between any two nodes in the preset threat knowledge graph can also be as follows: and calculating the relevance between any two nodes in the preset threat knowledge graph based on a relevance analysis algorithm.
To facilitate understanding of a specific way of calculating the relevance between any two nodes in a preset threat knowledge graph based on a relevance analysis algorithm, let Vi and Vj denote the two nodes; then R[i, j] = 1 / |E_Vi - E_Vj|, where E_Vi and E_Vj are the respective node embedding matrices and R[i, j] is the relevance matrix. The relevance matrix characterizes the relevance between the two nodes.
The node embedding matrix characterizes the corresponding threat entity, for example, the node embedding matrix may be a feature matrix obtained according to the threat feature of each threat entity. Therefore, through the node embedding matrix corresponding to each of the two nodes, the relevance between the threat entities corresponding to each of the two nodes can be obtained.
Optionally, the specific value of the preset threshold may be set according to actual requirements, where the specific value of the preset threshold is not limited.
To facilitate understanding of traversing all nodes of the threat knowledge graph and determining all nodes that are connected to each other, with the relevance of each pair of connected nodes greater than the preset threshold, as all threat entities initially belonging to the same security event, consider the following example. The threat knowledge graph comprises node 1, node 2, node 3, node 4 and node 5, where node 1 is connected to node 2 and node 3, node 2 is connected to node 4 and node 5, and node 5 is connected to node 3, as shown in fig. 2.
Suppose the relevance between node 1 and node 3 is greater than the preset threshold, the relevance between node 2 and node 1 is greater than the preset threshold, the relevance between node 2 and node 4 is less than the preset threshold, and the relevance between node 5 and node 2 is greater than the preset threshold. Then node 1, node 2, node 3 and node 5 are determined to be all the threat entities that initially belong to the same security event.
The examples herein are for ease of understanding only and should not be construed as limiting the application.
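The relevance calculation and the traversal described above, worked through on the fig. 2 graph as an added Python example (not code from the patent). The node embeddings are constructed values standing in for the output of a TransE run, and the threshold value is an assumption.

```python
from collections import deque
from math import sqrt

# Constructed edges matching the fig. 2 example: node 1 is connected to
# nodes 2 and 3, node 2 to nodes 4 and 5, and node 5 to node 3.
EDGES = [(1, 2), (1, 3), (2, 4), (2, 5), (5, 3)]

# Constructed node embeddings standing in for the TransE output (assumption).
# They are chosen so that (1,3), (1,2) and (2,5) score above the threshold
# used below and (2,4) scores below it, as in the example in the text.
EMBEDDINGS = {
    1: (0.0, 0.0),
    2: (0.3, 0.0),
    3: (0.0, 0.4),
    4: (3.0, 0.0),
    5: (0.3, 0.3),
}

RELEVANCE_THRESHOLD = 1.0  # assumed value; the patent leaves it to actual requirements


def relevance(e_i, e_j, eps=1e-9):
    """R[i, j] = 1 / |E_Vi - E_Vj| with the Euclidean norm.

    Two entities with identical embeddings would divide by zero; treat them
    as maximally relevant instead of raising.
    """
    dist = sqrt(sum((a - b) ** 2 for a, b in zip(e_i, e_j)))
    return 1.0 / max(dist, eps)


def relevance_matrix(embeddings):
    """Relevance R[i, j] for every unordered node pair, keyed by (min, max)."""
    nodes = sorted(embeddings)
    return {(i, j): relevance(embeddings[i], embeddings[j])
            for i in nodes for j in nodes if i < j}


def strong_adjacency(edges, rel, threshold):
    """Keep only graph edges whose two endpoints have relevance above the threshold."""
    adj = {}
    for i, j in edges:
        if rel[(min(i, j), max(i, j))] > threshold:
            adj.setdefault(i, set()).add(j)
            adj.setdefault(j, set()).add(i)
    return adj


def initial_security_events(edges, embeddings, threshold=RELEVANCE_THRESHOLD):
    """Traverse the graph and return each group of mutually connected nodes
    whose connecting edges all exceed the threshold, i.e. the threat entities
    initially attributed to the same security event.
    """
    adj = strong_adjacency(edges, relevance_matrix(embeddings), threshold)
    seen, events = set(), []
    for start in sorted(embeddings):
        if start in seen or start not in adj:
            continue  # already assigned, or no strong edge at all
        component, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in component:
                continue
            component.add(node)
            queue.extend(adj[node] - component)
        seen |= component
        events.append(sorted(component))
    return events


if __name__ == "__main__":
    print(initial_security_events(EDGES, EMBEDDINGS))  # [[1, 2, 3, 5]]
```

Node 4 is left out because its only edge, to node 2, falls below the threshold, exactly as in the worked example in the text.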
In one embodiment, before all threat entities initially belonging to the same security event are determined based on a preset threat knowledge graph, new threat information including threat entities may be obtained; and adding the new threat information into the threat knowledge graph to obtain an updated threat knowledge graph. Correspondingly, the specific manner of determining all threat entities initially belonging to the same security event based on the preset threat knowledge graph may be: and determining all threat entities which initially belong to the same security event based on the updated threat knowledge graph.
By updating the threat knowledge graph, the threat knowledge graph can be more in line with the actual situation, and the finally obtained detection result can be more accurate.
In one embodiment, the specific way to obtain new threat intelligence may be: the resulting security information, such as text, web pages, social content, etc., is first crawled from the network. After the security information is obtained, format conversion processing can be performed on the security information, and the security information is converted into security information in a preset format. And then, the structured threat information can be extracted from the security information converted into the preset format, so that the acquisition of the new threat information is completed.
Or the specific way to obtain new threat intelligence may be: threat intelligence is obtained directly from a third party.
Alternatively, new threat intelligence may be acquired periodically, for example, once every hour, or once a day.
Or the method can acquire new threat information immediately after a major threat event occurs and update the threat knowledge graph.
Or the new threat information can be obtained immediately after the threat information source is updated, and the threat knowledge graph is updated.
Alternatively, the new threat intelligence can be obtained immediately and the threat knowledge graph updated when a staff member manually triggers this through an API (Application Programming Interface).
The API may be, for example, a RESTful API (an application programming interface that accesses or manipulates data using HTTP requests), or the like.
Alternatively, when the amount of data of threat information to be acquired is large, threat information may be acquired in an asynchronous processing manner. The specific implementation principle of asynchronous processing is well known to those skilled in the art, and is not described herein for brevity.
Optionally, after the new threat intelligence is acquired, its similarity to previously acquired threat intelligence may be compared; if the similarity is greater than a preset similarity threshold, the newly acquired threat intelligence is determined to be similar intelligence and is not used to update the threat knowledge graph.
If the similarity is less than or equal to the preset similarity threshold, the threat knowledge graph is updated with the newly acquired threat intelligence.
Optionally, after the new threat intelligence is acquired, a prompt message may also be sent to a staff member. After the staff member reviews the threat intelligence, the threat knowledge graph is updated with it if the review result indicates that an update should be made; if the review result indicates that no update should be made, the threat knowledge graph is not updated with it.
Optionally, after acquiring the new threat information, the new threat information may be written into a preset database, and the threat information may be archived.
Alternatively, the specific way to add the new threat intelligence to the threat knowledge graph may be: first, it is determined whether a new threat entity in the new threat intelligence exists in the threat knowledge graph.
If the new threat entity in the new threat information does not exist in the threat knowledge graph, adding a node corresponding to the new threat entity in the threat knowledge graph, and updating the relation between the node corresponding to the new threat entity and other nodes in the threat knowledge graph based on the new threat information to obtain an updated threat knowledge graph.
If a new threat entity in the new threat information exists in the threat knowledge graph, updating the relation between the node corresponding to the new threat entity and other nodes in the threat knowledge graph based on the new threat information, and obtaining an updated threat knowledge graph.
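The ingestion steps above (the similarity check against earlier intelligence, the existence check for each new entity, and the relation update in both branches), as an added Python example that is not code from the patent. The graph structure, the Jaccard similarity over entity/relation sets and the one-relation-per-ordered-pair rule are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class ThreatKnowledgeGraph:
    # node name -> node type (e.g. domain name, IP, attack), marked when the graph is built
    nodes: dict = field(default_factory=dict)
    # (entity A, relation, entity B) triples, e.g. ("A", "attacked_by", "B")
    relations: set = field(default_factory=set)

    def has_entity(self, name):
        return name in self.nodes

    def add_entity(self, name, node_type):
        self.nodes[name] = node_type

    def set_relation(self, a, relation, b):
        """Add or refresh the relation between two existing nodes (assumed: one per ordered pair)."""
        if not (self.has_entity(a) and self.has_entity(b)):
            raise KeyError(f"unknown entity in relation {(a, relation, b)}")
        self.relations = {r for r in self.relations if (r[0], r[2]) != (a, b)}
        self.relations.add((a, relation, b))


def fingerprint(intel):
    """Set of entities and relation triples that describes one piece of intelligence."""
    return set(intel["entities"].items()) | set(intel["relations"])


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0


def ingest(graph, history, intel, similarity_threshold=0.8):
    """Add new threat intelligence to the graph.

    intel = {"entities": {name: type}, "relations": [(a, relation, b), ...]}
    Returns True when the graph was updated, False when the intelligence was
    judged similar to previously acquired intelligence and therefore skipped.
    """
    fp = fingerprint(intel)
    # similarity check against previously acquired intelligence
    if any(jaccard(fp, old) > similarity_threshold for old in history):
        return False
    history.append(fp)
    for name, node_type in intel["entities"].items():
        # only entities not yet in the graph become new nodes (no redundant nodes)
        if not graph.has_entity(name):
            graph.add_entity(name, node_type)
    for a, relation, b in intel["relations"]:
        # whether the entity was new or existing, its relations are updated
        graph.set_relation(a, relation, b)
    return True


def build_example():
    """Constructed data: the graph from the description (A and C attacked by B)."""
    graph, history = ThreatKnowledgeGraph(), []
    base = {"entities": {"A": "domain", "B": "ip", "C": "domain"},
            "relations": [("A", "attacked_by", "B"), ("C", "attacked_by", "B")]}
    ingest(graph, history, base)
    return graph, history


if __name__ == "__main__":
    g, h = build_example()
    new = {"entities": {"D": "domain", "B": "ip"}, "relations": [("D", "attacked_by", "B")]}
    print(ingest(g, h, new), sorted(g.nodes))   # True ['A', 'B', 'C', 'D']
    print(ingest(g, h, new))                    # False: repeat is similar intelligence
```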
S200: Obtain a threat feature set based on the threat features corresponding to all threat entities initially belonging to the same security event.
Under the condition that threat features corresponding to the nodes are stored in the threat knowledge graph, threat features corresponding to each threat entity belonging to the same security event can be directly obtained from the threat knowledge graph. And combining threat features corresponding to each threat entity to obtain a threat feature set.
Or, for each threat entity belonging to the same security event, extracting threat features corresponding to the threat entity from stored threat information, and then merging the threat features corresponding to each threat entity to obtain a threat feature set.
S300: obtaining a detection result based on the threat feature set and a preset credibility model.
The detection result represents the credibility that all threat entities initially belonging to the same security event truly belong to that security event. All threat entities initially belonging to the same security event correspond to a single credibility value.
Alternatively, the threat feature set may be used directly as the input of the credibility model to obtain the detection result.
Or, the detection result may be obtained from the threat feature set and the preset credibility model as follows: first, data preprocessing is performed on the threat feature set to obtain an input feature vector; the input feature vector is then fed into the preset credibility model to obtain the detection result.
Optionally, the data preprocessing includes at least one of data cleaning, format conversion, feature normalization, correlation analysis, feature selection, feature construction, dimension reduction and class imbalance handling.
Data cleaning cleans the threat feature set, handling missing values, outliers, duplicate records and the like.
Format conversion converts feature data of different types into a numerical format that the model can process directly, for example by converting the threat feature set into a uniform encoding.
Feature normalization rescales the different features to the same value range using methods such as scaling normalization, so that differences in scale do not bias the model.
Correlation analysis calculates the correlation between the different features and removes highly correlated, redundant features from the threat feature set to prevent overfitting.
Feature selection selects the feature subset most useful to the model, using filter, wrapper and similar methods, based on the contribution and relevance of the features.
Feature construction builds composite features to capture nonlinear relationships between features and strengthen the representational capacity.
Dimension reduction maps high-dimensional features into a lower-dimensional space using methods such as principal component analysis, to avoid the curse of dimensionality.
Class imbalance handling over-samples or under-samples each risk-level class in the threat feature set to balance the sample ratios of the different classes.
In one embodiment, the preset credibility model may be trained as follows. First, a training sample set is obtained, which comprises a plurality of sample feature sets, each labelled with an identifier indicating whether the entities in that sample feature set belong to the same event. The initial model is then trained on the training sample set until a preset condition is met, obtaining the trained credibility model.
The specific manner of training the model is well known to those skilled in the art and is not described here for brevity.
S400: when the credibility represented by the detection result is greater than a preset credibility threshold, determining that all threat entities initially belonging to the same security event truly belong to the same security event, and publishing all threat entities initially belonging to the same security event.
When the credibility represented by the detection result is less than the credibility threshold, the threat knowledge graph is updated, and the detection result is obtained again based on the updated threat knowledge graph and the credibility model.
The above steps S100 to S400 may be executed each time threat intelligence is acquired.
In one embodiment, publishing all threat entities initially belonging to the same security event may mean disclosing all threat entities initially belonging to the same security event on a network, or displaying all threat entities of the security event on a display panel of the system.
Alternatively, in addition to publishing all threat entities initially belonging to the same security event, the threat intelligence corresponding to all entities belonging to the security event may also be published.
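Steps S200 to S400 carried through end to end on constructed data, as an added Python illustration that is not code from the patent or from Qianxin. Per-entity threat features are merged into one threat feature set, preprocessed (missing first-seen times dropped, every component scaled into [0, 1]) into an input feature vector, scored by a credibility model, and the score is compared with the credibility threshold to decide between publishing the entity set and sending the graph back for an update. The page does not name a model family, so the credibility model here is a stand-in: a logistic regression fitted by plain gradient descent on a constructed, labelled sample set, which matches the training description but is not the patent's model. Three of the four feature families are used (basic features as technique identifiers, association features as shared infrastructure, propagation features as first-seen times); the feature names, the 30-day window, the 0.8 threshold and every sample value are assumptions.

```python
"""S200-S400 on constructed data: merge features, preprocess, score, decide."""
import math

TIME_WINDOW_DAYS = 30        # assumption: first-seen times further apart than this get proximity 0
CREDIBILITY_THRESHOLD = 0.8  # the preset threshold; the value is assumed


# ---- S200: merge per-entity features into one threat feature set ----
def build_feature_set(entities):
    """entities: {entity_id: {"ttps": set, "infra": set, "first_seen": int|None}}.
    The merged set keeps one list per feature family, in entity order."""
    return {
        "ttps": [e.get("ttps", set()) for e in entities.values()],        # basic features
        "infra": [e.get("infra", set()) for e in entities.values()],      # association features
        "first_seen": [e.get("first_seen") for e in entities.values()],   # propagation features
    }


# ---- preprocessing: threat feature set -> input feature vector ----
def _mean_pairwise_jaccard(sets):
    pairs = [(a, b) for i, a in enumerate(sets) for b in sets[i + 1:]]
    if not pairs:
        return 0.0
    def jaccard(a, b):
        union = a | b
        return len(a & b) / len(union) if union else 0.0
    return sum(jaccard(a, b) for a, b in pairs) / len(pairs)


def preprocess(feature_set):
    """Cleaning (missing first-seen values dropped) and normalization (each
    component in [0, 1]) into a fixed-length vector. Unknown timing adds no evidence."""
    days = [d for d in feature_set["first_seen"] if d is not None]
    proximity = max(0.0, 1.0 - (max(days) - min(days)) / TIME_WINDOW_DAYS) if len(days) > 1 else 0.0
    return [_mean_pairwise_jaccard(feature_set["ttps"]),
            _mean_pairwise_jaccard(feature_set["infra"]),
            proximity]


# ---- S300: credibility model (stand-in: logistic regression) ----
def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_credibility_model(samples, labels, lr=1.0, epochs=2000):
    """Fit weights and bias by full-batch gradient descent on the logistic loss."""
    dim = len(samples[0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * dim, 0.0
        for x, y in zip(samples, labels):
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            grad_w = [g + err * xi for g, xi in zip(grad_w, x)]
            grad_b += err
        w = [wi - lr * g / len(samples) for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / len(samples)
    return w, b


def credibility(model, vector):
    w, b = model
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, vector)) + b)


# Constructed training set: vectors of earlier candidate sets, labelled 1 when the
# entities were confirmed to belong to one event and 0 otherwise.
TRAINING_VECTORS = [
    [0.8, 0.9, 0.7], [0.6, 0.7, 0.9], [0.9, 0.6, 0.8], [0.5, 0.6, 0.8], [0.7, 0.8, 0.6],
    [0.1, 0.2, 0.1], [0.2, 0.1, 0.3], [0.0, 0.3, 0.2], [0.3, 0.1, 0.0], [0.1, 0.0, 0.3],
]
TRAINING_LABELS = [1, 1, 1, 1, 1, 0, 0, 0, 0, 0]


# ---- S400: decision ----
def analyze_candidate(entities, model, threshold=CREDIBILITY_THRESHOLD):
    """("publish", score) above the threshold, otherwise ("update_graph", score):
    the caller updates the knowledge graph and re-runs the steps."""
    score = credibility(model, preprocess(build_feature_set(entities)))
    return ("publish" if score > threshold else "update_graph"), score


# Constructed candidate sets; first_seen is a relative day number.
SAME_EVENT_CANDIDATE = {
    "ip:203.0.113.7": {"ttps": {"T1566", "T1059"}, "infra": {"asn64500", "198.51.100.0/24"}, "first_seen": 100},
    "domain:update-cdn.example": {"ttps": {"T1566", "T1059", "T1105"}, "infra": {"asn64500"}, "first_seen": 102},
    "hash:9f3c2a": {"ttps": {"T1059", "T1105"}, "infra": {"198.51.100.0/24", "asn64500"}, "first_seen": 105},
}
UNRELATED_CANDIDATE = {
    "ip:192.0.2.44": {"ttps": {"T1566"}, "infra": {"asn64500"}, "first_seen": 100},
    "hash:51ab77": {"ttps": {"T1486"}, "infra": {"asn64501"}, "first_seen": 160},
    "domain:old-mirror.example": {"ttps": {"T1021"}, "infra": {"asn64502"}, "first_seen": None},  # missing value
}

if __name__ == "__main__":
    model = train_credibility_model(TRAINING_VECTORS, TRAINING_LABELS)
    print(analyze_candidate(SAME_EVENT_CANDIDATE, model))
    print(analyze_candidate(UNRELATED_CANDIDATE, model))
```

The decision function only reports "update_graph" for a low score; closing the loop (updating the graph, regrouping, re-scoring) belongs to the caller, and a practitioner would bound the number of update rounds so a candidate set that never reaches the threshold is routed to an analyst rather than cycling indefinitely.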
Based on the same technical concept, the present application also provides a security event analysis apparatus. As shown in fig. 3, the security event analysis apparatus 100 includes a determining module 110 and a processing module 120.
The determining module 110 is configured to determine all threat entities initially belonging to the same security event based on a preset threat knowledge graph; each node in the threat knowledge graph represents one threat entity, and a connection line between two nodes in the threat knowledge graph represents a relationship between the two threat entities.
The processing module 120 is configured to obtain a threat feature set based on the threat features corresponding to all threat entities initially belonging to the same security event.
The processing module 120 is further configured to obtain a detection result based on the threat feature set and a preset credibility model; the detection result represents the credibility that all threat entities initially belonging to the same security event truly belong to that security event, where all threat entities initially belonging to the same security event correspond to a single credibility value.
The processing module 120 is further configured to determine, when the credibility represented by the detection result is greater than a preset credibility threshold, that all threat entities initially belonging to the same security event truly belong to the same security event, and to publish all threat entities initially belonging to the same security event.
The determining module 110 is specifically configured to calculate the relevance between any two nodes in the preset threat knowledge graph; determine two nodes whose relevance is greater than a preset threshold as threat entities belonging to the same security event; and traverse all nodes of the threat knowledge graph, determining all nodes that are connected to one another, with the relevance of each pair of connected nodes greater than the preset threshold, as all threat entities initially belonging to the same security event.
The security event analysis apparatus 100 further includes an acquiring module 130, as shown in fig. 4, configured to acquire various data sources and threat intelligence.
The acquiring module 130 is configured to acquire new threat intelligence before all threat entities initially belonging to the same security event are determined based on the preset threat knowledge graph, the threat intelligence including threat entities, and to add the new threat intelligence to the threat knowledge graph to obtain an updated threat knowledge graph.
Correspondingly, the determining module 110 is specifically configured to determine all threat entities initially belonging to the same security event based on the updated threat knowledge graph.
The acquiring module 130 is specifically configured to determine whether a new threat entity in the new threat intelligence already exists in the threat knowledge graph; if it does not, to add a node corresponding to the new threat entity to the threat knowledge graph and update the relationships between that node and the other nodes in the graph based on the new threat intelligence, obtaining an updated threat knowledge graph; and if it does, to update the relationships between the node corresponding to the new threat entity and the other nodes in the graph based on the new threat intelligence, obtaining an updated threat knowledge graph.
In one embodiment, the threat features include at least one of: basic features characterizing basic information about an attack behavior, propagation features characterizing how the attack propagates, hazard features characterizing the degree of hazard of the attack behavior, and association features characterizing behavior features associated with the attack behavior.
The processing module 120 is specifically configured to perform data preprocessing on the threat feature set to obtain an input feature vector, and to input the input feature vector into the preset credibility model to obtain the detection result.
In one embodiment, the data preprocessing includes at least one of data cleaning, format conversion, feature normalization, correlation analysis, feature selection, feature construction, dimension reduction and class imbalance handling.
The processing module 120 is further configured to update the threat knowledge graph when the credibility represented by the detection result is less than the credibility threshold, and to obtain the detection result again based on the updated threat knowledge graph and the credibility model.
The processing module 120 is further configured to, before all threat entities belonging to the same security event are determined based on the preset threat knowledge graph, acquire threat intelligence including threat entities; construct the threat knowledge graph based on all acquired threat intelligence; and determine an embedding matrix between any two nodes in the threat knowledge graph, the embedding matrix characterizing the type of association relationship between the two nodes.
The security event analysis apparatus 100 according to the embodiment of the present application has the same implementation principle and technical effects as the embodiment of the security event analysis method; for brevity, reference may be made to the corresponding content of the method embodiment.
Referring to fig. 4, an electronic device 200 according to an embodiment of the present application includes a processor 210 and a memory 220.
The memory 220 and the processor 210 are electrically connected to each other, directly or indirectly, to transmit or exchange data; for example, the components may be connected via one or more communication buses or signal lines. The memory 220 stores a computer program, for example the software functional module shown in fig. 3, namely the security event analysis apparatus 100. The security event analysis apparatus 100 includes at least one software functional module, which may be stored in the memory 220 as software or firmware or built into the operating system (OS) of the electronic device 200. The processor 210 executes the executable modules stored in the memory 220, such as the software functional modules or computer programs included in the security event analysis apparatus 100.
In doing so, the processor 210 is configured to determine all threat entities initially belonging to the same security event based on a preset threat knowledge graph, where each node in the threat knowledge graph represents one threat entity and a connection line between two nodes represents a relationship between the two threat entities; obtain a threat feature set based on the threat features corresponding to all threat entities initially belonging to the same security event; obtain a detection result based on the threat feature set and a preset credibility model, the detection result representing the credibility that all threat entities initially belonging to the same security event truly belong to that security event, where all threat entities initially belonging to the same security event correspond to a single credibility value; and, when the credibility represented by the detection result is greater than a preset credibility threshold, determine that all threat entities initially belonging to the same security event truly belong to the same security event and publish all threat entities initially belonging to the same security event.
The memory 220 may be, but is not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), PROM (Programmable Read-Only Memory), EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), etc.
The processor 210 may be an integrated circuit chip with signal processing capability. The processor may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor), etc.; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 210 may be any conventional processor or the like.
The electronic device 200 includes, but is not limited to, a personal computer, a server, and the like.
An embodiment of the present application further provides a computer-readable storage medium (hereinafter, storage medium) having a computer program stored thereon; when the computer program is executed by a computer such as the electronic device 200 described above, it performs the security event analysis method described above. The computer-readable storage medium includes any medium capable of storing program code, such as a USB flash drive, a portable hard disk, a read-only memory, a random access memory, a magnetic disk or an optical disc.
The above description covers only preferred embodiments of the present application and is not intended to limit it; those skilled in the art can make various modifications and variations to the present application. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application shall fall within its scope of protection.

Claims (10)

1. A method of security event analysis, comprising:
Determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph; each node in the threat knowledge graph represents one threat entity, and a connection line between two nodes in the threat knowledge graph represents a relationship between the two threat entities;
Obtaining a threat feature set based on the threat features corresponding to all threat entities initially belonging to the same security event;
Obtaining a detection result based on the threat feature set and a preset credibility model; the detection result represents the credibility that all threat entities initially belonging to the same security event truly belong to the security event, wherein all threat entities initially belonging to the same security event correspond to one credibility value;
And when the credibility represented by the detection result is greater than a preset credibility threshold, determining that all threat entities initially belonging to the same security event truly belong to the same security event, and publishing all threat entities initially belonging to the same security event.
2. The method of claim 1, wherein determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph comprises:
Calculating the relevance between any two nodes in the preset threat knowledge graph;
determining two nodes whose relevance is greater than a preset threshold as threat entities belonging to the same security event;
traversing all nodes of the threat knowledge graph, and determining all nodes that are connected to one another, with the relevance of each pair of connected nodes greater than the preset threshold, as all threat entities initially belonging to the same security event.
3. The method of claim 1, wherein, before determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph, the method further comprises:
Acquiring new threat intelligence; the threat intelligence includes threat entities;
adding the new threat intelligence to the threat knowledge graph to obtain an updated threat knowledge graph;
Correspondingly, determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph comprises:
Determining all threat entities initially belonging to the same security event based on the updated threat knowledge graph.
4. The method according to claim 3, wherein adding the new threat intelligence to the threat knowledge graph comprises:
determining whether a new threat entity in the new threat intelligence already exists in the threat knowledge graph;
If the new threat entity in the new threat intelligence does not exist in the threat knowledge graph, adding a node corresponding to the new threat entity to the threat knowledge graph, and updating the relationships between the node corresponding to the new threat entity and the other nodes in the threat knowledge graph based on the new threat intelligence, obtaining an updated threat knowledge graph;
If the new threat entity in the new threat intelligence already exists in the threat knowledge graph, updating the relationships between the node corresponding to the new threat entity and the other nodes in the threat knowledge graph based on the new threat intelligence, obtaining an updated threat knowledge graph.
5. The method of claim 1, wherein the threat features comprise at least one of: basic features characterizing basic information about an attack behavior, propagation features characterizing how the attack propagates, hazard features characterizing the degree of hazard of the attack behavior, and association features characterizing behavior features associated with the attack behavior.
6. The method according to claim 1, further comprising:
Updating the threat knowledge graph when the credibility represented by the detection result is less than the credibility threshold;
And obtaining a detection result again based on the updated threat knowledge graph and the credibility model.
7. The method of any of claims 1-6, wherein, before determining all threat entities initially belonging to the same security event based on a preset threat knowledge graph, the method further comprises:
Acquiring threat intelligence; the threat intelligence includes threat entities;
Constructing the threat knowledge graph based on all acquired threat intelligence;
Determining an embedding matrix between any two nodes in the threat knowledge graph; the embedding matrix characterizes the association relationship between the two nodes.
8. A security event analysis apparatus, comprising:
A determining module, configured to determine all threat entities initially belonging to the same security event based on a preset threat knowledge graph; each node in the threat knowledge graph represents one threat entity, and a connection line between two nodes in the threat knowledge graph represents a relationship between the two threat entities;
A processing module, configured to obtain a threat feature set based on the threat features corresponding to all threat entities initially belonging to the same security event;
The processing module is further configured to obtain a detection result based on the threat feature set and a preset credibility model; the detection result represents the credibility that all threat entities initially belonging to the same security event truly belong to the security event, wherein all threat entities initially belonging to the same security event correspond to one credibility value;
And the processing module is further configured to determine, when the credibility represented by the detection result is greater than a preset credibility threshold, that all threat entities initially belonging to the same security event truly belong to the same security event, and to publish all threat entities initially belonging to the same security event.
9. An electronic device, comprising: the device comprises a memory and a processor, wherein the memory is connected with the processor;
The memory is used for storing programs;
The processor is configured to invoke a program stored in the memory to perform the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being run by a computer, performs the method according to any one of claims 1-7.
Application CN202410454893.0A (priority date 2024-04-15, filing date 2024-04-15): Security event analysis method, device, electronic equipment and storage medium. Status: Pending. Publication CN118174954A (en).

Publication: CN118174954A, published 2024-06-11.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination