WO2021017614A1 - Threat intelligence data collection and processing method and system, apparatus, and storage medium - Google Patents


Info

Publication number
WO2021017614A1
Authority
WO
WIPO (PCT)
Prior art keywords
intelligence
threat
data
threat intelligence
enterprise
Application number
PCT/CN2020/093620
Other languages
French (fr)
Chinese (zh)
Inventor
李洋
周亚军
Original Assignee
平安科技(深圳)有限公司

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication-related information
    • H04L63/302: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication-related information, gathering intelligence information for situation awareness or reconnaissance

Definitions

  • This application relates to the field of data security technology, and more specifically, to a method, system, device, and storage medium for collecting and processing threat intelligence data.
  • Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable recommendations, about existing or emerging threats or hazards to an asset; it can be used by the parties responsible for the asset to support their decisions on responding to or handling those threats. Enterprises and organizations use threat intelligence to address the security threats relevant to them and to defend more effectively.
  • The purpose of this application is to provide a threat intelligence data collection and processing method that can be used to establish an "intelligence community" for large group companies, so that enterprises and users become "producers" of intelligence.
  • The "intelligence community" provides intelligence in real time, shares it within the industry in a timely manner, and uses cloud intelligence capabilities together with evaluation and screening to screen and merge this intelligence into effective industry intelligence.
  • A threat intelligence data collection and processing method includes the following steps:
  • S110: the threat intelligence operation platform collects the intelligence production data of the enterprise; the intelligence production data includes at least the enterprise's event analysis reports, the enterprise's IDC export security equipment log data, and the samples and intelligence data submitted by the enterprise;
  • S120: the threat intelligence operation platform determines the threat intelligence data to be screened according to the source of the intelligence production data;
  • S130: the threat intelligence operation platform screens the threat intelligence data to be screened using a local sandbox, and merges the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database according to the screening result;
  • S140: the threat intelligence operation platform pushes the threat intelligence confirmed in S130 to the enterprise, generates alarm information based on the threat intelligence, and distributes the alarm information to the enterprise.
  • A threat intelligence data collection and processing system includes:
  • an intelligence production data collection module, used to collect the enterprise's intelligence production data;
  • a module for generating threat intelligence data to be screened, used to determine the threat intelligence data to be screened according to the source of the intelligence production data;
  • a threat intelligence screening and merging module, used to screen the threat intelligence data to be screened using a local sandbox, and to merge the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database according to the screening results;
  • a threat intelligence and alarm information issuing module, used to push the confirmed threat intelligence to the enterprise, generate alarm information based on the threat intelligence, and distribute the alarm information to the enterprise;
  • the intelligence production data includes at least the company's event analysis reports, the company's IDC export security equipment log data, and the samples and intelligence data submitted by the company.
  • The present application also provides an electronic device, including a memory and a processor, with a computer program stored in the memory; when the computer program is executed by the processor, the following steps are implemented:
  • collect the enterprise's intelligence production data, which includes at least the enterprise's event analysis reports, the enterprise's IDC export security equipment log data, and the samples and intelligence data submitted by the enterprise;
  • push the confirmed threat intelligence to the enterprise, generate alarm information based on the threat intelligence, and distribute the alarm information to the enterprise.
  • This application also provides a computer-readable storage medium that contains a threat intelligence data collection and processing program; when the program is executed by a processor, the following steps are implemented:
  • collect the enterprise's intelligence production data, which includes at least the enterprise's event analysis reports, the enterprise's IDC export security equipment log data, and the samples and intelligence data submitted by the enterprise;
  • push the confirmed threat intelligence to the enterprise, generate alarm information based on the threat intelligence, and distribute the alarm information to the enterprise.
  • The threat intelligence data collection and processing method and system provided in this application have the following beneficial effects:
  • intelligence can be shared within the industry in a timely manner; threat intelligence sharing of a certain scale is formed within the industry to which the company belongs, so that the threats faced by the industry as a whole can be shared without harming the business interests of the individual participants, and the common threats of the industry can be countered jointly.
  • FIG. 1 is a flowchart of a threat intelligence data collection and processing method according to Embodiment 1 of the present application;
  • FIG. 2 is a schematic diagram of the logical structure of a threat intelligence data collection and processing system according to Embodiment 2 of the present application;
  • FIG. 3 is a schematic diagram of a logical structure of an electronic device according to Embodiment 3 of the present application.
  • Figure 2 has the following tags: 501 intelligence production data collection module; 502 threat intelligence data generation module to be screened; 503 threat intelligence screening and merging module; 504 threat intelligence and alarm information issuing module.
  • Figure 3 has the following marks: 1 electronic device; 2 processor; 3 memory; 4 computer program.
  • Fig. 1 shows the flow of the threat intelligence data collection and processing method according to Embodiment 1 of the present application.
  • the threat intelligence data collection and processing method provided by this embodiment includes the following steps:
  • the threat intelligence operation platform collects the intelligence production data of the enterprise.
  • The intelligence production data includes at least the enterprise's event analysis reports, the enterprise's IDC (Internet Data Center) export security equipment log data, and the samples and intelligence data submitted by the enterprise.
  • The enterprises may be large group customers; there are at least two of them, and together they form an intelligence community.
  • The threat intelligence operation platform can collect intelligence data from at least three sources: the event analysis reports of each company in the intelligence community, the companies' IDC export security equipment log data, and the samples and intelligence data submitted by the companies, forming a comprehensive collection of intelligence.
  • the threat intelligence operation platform determines the threat intelligence data to be screened according to the source of the intelligence production data
  • the threat intelligence operation platform uses a local sandbox to screen the threat intelligence data to be screened, and merges the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database according to the screening results;
  • the threat intelligence operation platform pushes the threat intelligence confirmed in S130 to the enterprise, generates alarm information based on the threat intelligence, and distributes the alarm information to the enterprise.
  • In step S110, the threat intelligence operation platform collects the intelligence production data of the enterprise, choosing a different collection method according to the source of the data being collected.
  • For event analysis reports, the threat intelligence operation platform can connect its API (Application Program Interface) to the event recording system that stores the event analysis reports and can be used for enterprise emergency response, so that the platform obtains the event analysis reports in real time.
  • The event recording systems of at least two companies connect to the API of the threat intelligence operation platform.
  • An incident analysis report is the report that security personnel produce after completing the analysis and handling of a past incident; the report itself already contains intelligence context and IoC (indicator of compromise) information.
  • This application starts from the information contained in the incident analysis report itself and sets, at the group enterprise level, the format of the incident analysis report submitted by each enterprise (the format is shown in the table below), so that the threat intelligence operation platform can comprehensively collect intelligence data from each enterprise's terminals.
  • The following is the event analysis report of a specific embodiment of this application; the report uses a table format:
      Event source:      XX alarm
      Event process:     description of the event process
      Affected company:  Affected party: multiple companies | Impact level: None (business is not affected) | Loss: None
  • For IDC export security equipment log data, the threat intelligence operation platform connects to the security equipment deployed by the enterprise at the IDC exit and collects log data based on the full-traffic analysis capabilities and results of that equipment.
  • The log data of the enterprise's IDC export security equipment mainly consists of the security alarm logs and event logs of NTA (network traffic analysis), NGFW (next-generation firewall), WAF (Web Application Firewall), IPS (Intrusion Prevention System), anti-virus and other devices.
  • The process of collecting intelligence data from enterprise terminals and collecting full-traffic intelligence data at the IDC exit can combine NTA, a local sandbox, traditional security devices, terminal applications and other technologies.
  • Traditional security devices include NGFW, WAF, IPS, anti-virus software, etc.
  • Terminal applications include mailboxes, IM (instant messaging tools), etc.
  • The samples and intelligence data submitted by companies include confirmed or suspicious IP and domain name information and malicious sample information. Each company can submit confirmed or suspicious IP and domain name information to the threat intelligence operation platform, and can also submit malicious sample information to it.
  • The threat intelligence operation platform stores the confirmed or suspicious IP and domain name information, the malicious sample information, and similar data.
  • In step S120, the threat intelligence operation platform determines the threat intelligence data to be screened according to the source of the intelligence production data.
  • NLP: natural language processing (natural language analysis)
  • IoC: intrusion threat indicator (indicator of compromise)
  • TTP: Tactics, Techniques & Procedures (means, techniques, processes) intelligence
  • For event analysis reports, natural language processing (NLP) is used to extract the information in the incident analysis report; the "event summary" field is analyzed at the same time, and the intelligence type (such as compromise information, file reputation information, IP reputation information, etc.) is identified automatically from the content of that field.
  • the threat intelligence operation platform saves intelligence information in the intelligence database according to its type.
  • ELK: Elasticsearch, Logstash, Kibana, a popular log collection and analysis platform
  • For IDC export security equipment log data, the ELK system mainly uses the SPL (Splunk Search Language, a log search syntax) language; for example, NGFW alarm logs are retrieved, the IPs whose attack parameters reached a preset threshold within a preset past period are counted, and these are saved in the intelligence database as threat intelligence data to be screened.
  • This embodiment counts attack source IPs that, in the past week, used more than 20 attack types against more than 10 attack target IPs; such an IP can be preliminarily considered to be performing a scanning attack, and an item of IP reputation intelligence can be output.
  • For the samples and intelligence data submitted by enterprises, the threat intelligence operation platform calculates a credit value for the suspicious IP and domain name information based on that information and on user comments from the intelligence community, and at the same time calculates each enterprise's credit rating based on the enterprise's positive review ratio, audit pass rate, audit rejection rate and complaints. The credit value and credit rating are combined to determine the threat intelligence information to be screened, which is stored in the intelligence database. Malicious samples are pushed to the local sandbox, which analyzes the identifiable files in these samples; when the analysis is complete, the threat intelligence information to be screened (including file hash values, file network behavior, local behavior and other intelligence data) is output and stored in the intelligence database.
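As an added illustration (not code from the patent) of the step-S120 scanning rule above, the following Python script applies the stated thresholds (more than 20 attack types against more than 10 target IPs in the past week) to constructed NGFW alarm log lines and emits IP reputation records to be screened; the log line layout, field names and sample IPs are assumptions.

```python
"""Screen NGFW alarm logs for scanning sources, mirroring step S120 of the patent."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds stated in the patent: more than 20 attack types and more than 10
# target IPs within the past week mark the source as a probable scanner.
WINDOW = timedelta(days=7)
MIN_ATTACK_TYPES = 20
MIN_TARGET_IPS = 10

# Log line layout is an assumption constructed for this example, not a real NGFW format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) type=(?P<type>\S+)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, attack_type), or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["type"])


def count_by_source(lines, now):
    """Per source IP: (distinct attack types, distinct target IPs) seen inside the window."""
    cutoff = now - WINDOW
    types = defaultdict(set)
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole batch
        ts, src, dst, atype = rec
        if ts < cutoff or ts > now:
            continue  # outside the past-week window
        types[src].add(atype)
        targets[src].add(dst)
    return {src: (len(types[src]), len(targets[src])) for src in types}


def scanning_sources(lines, now):
    """IP reputation intelligence to be screened: sources exceeding both thresholds."""
    out = []
    for src, (n_types, n_targets) in sorted(count_by_source(lines, now).items()):
        if n_types > MIN_ATTACK_TYPES and n_targets > MIN_TARGET_IPS:
            out.append({
                "intel_type": "ip_reputation",
                "ip": src,
                "attack_types": n_types,
                "target_ips": n_targets,
                "verdict": "suspected_scanning",
                "status": "to_be_screened",  # still goes through the S130 screening
            })
    return out


def make_sample_logs(now):
    """Constructed sample: one scanner, one low-volume source, one stale scanner."""
    lines = []
    base = now - timedelta(days=1)
    # 203.0.113.7: 25 attack types against 12 targets inside the window -> flagged
    for i in range(25):
        for j in range(12):
            ts = base + timedelta(minutes=i * 12 + j)
            lines.append(f"{ts.isoformat()} src=203.0.113.7 dst=10.0.0.{j + 1} type=attack_{i}")
    # 203.0.113.9: only 3 types against 2 targets -> below both thresholds
    for i in range(3):
        for j in range(2):
            ts = base + timedelta(minutes=i + j)
            lines.append(f"{ts.isoformat()} src=203.0.113.9 dst=10.0.1.{j + 1} type=attack_{i}")
    # 198.51.100.4: would qualify, but every event is 30 days old -> outside the window
    old = now - timedelta(days=30)
    for i in range(25):
        for j in range(12):
            lines.append(f"{old.isoformat()} src=198.51.100.4 dst=10.0.2.{j + 1} type=attack_{i}")
    lines.append("garbage line that does not parse")  # exercised the malformed-line path
    return lines


# Fixed "now" so the constructed sample is reproducible.
DEMO_NOW = datetime(2020, 5, 30, 12, 0, 0)

if __name__ == "__main__":
    for rec in scanning_sources(make_sample_logs(DEMO_NOW), DEMO_NOW):
        print(rec)
```

An equivalent SPL query over an index of NGFW alarms would be `stats dc(attack_type) AS types, dc(dst_ip) AS targets BY src_ip | where types > 20 AND targets > 10` with `earliest=-7d`, which is the shape of the rule the embodiment describes.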
  • the files that can be recognized by the sandbox are generally binary executable files, emails, etc., and unrecognizable samples need to be manually analyzed before being submitted.
  • the positive and negative comment ratio of user reviews can be described as the like/dislike ratio.
  • IP and domain name reporting functions enable users to provide community information in real time.
  • In step S130, the threat intelligence operation platform screens the threat intelligence data to be screened, and merges the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database according to the screening result.
  • The process by which the threat intelligence operation platform screens the threat intelligence data to be screened provided by each enterprise includes using local sandboxes to identify that data.
  • Threat intelligence data to be screened that the local sandbox can identify is confirmed as threat intelligence; for data that the local sandbox cannot identify, the threat intelligence operation platform automatically distributes the unidentified data to the security enterprise intelligence analysis platform, where the event analysis report is rewritten in the uniform format (as in the table above) so that it can be collected again by the threat intelligence operation platform.
  • The security enterprise intelligence analysis platform provides intelligence analysis and sharing for the cooperative enterprises and is made up of several cooperative enterprises in the intelligence community; these are the enterprises that have connected their event recording systems to the API of the threat intelligence operation platform. The threat intelligence operation platform has established communication channels with these cooperative enterprises, and through those channels it automatically distributes the threat data to be screened that the local sandbox cannot identify.
  • The distribution principle is intra-industry distribution: unidentified threat intelligence data to be screened provided by a company in a certain industry is distributed to all other cooperative companies in the same industry, and those companies analyze it and return an event analysis report written strictly in the format set in the table above; the returned event analysis report then goes to step S120.
  • When the threat intelligence operation platform automatically distributes unidentified threat intelligence data to be screened to the cooperative enterprises through the channels, it filters out sensitive information concerning the enterprise and the attack targets.
  • the written data includes threat intelligence hash (algorithm), host characteristics, event characteristics, and TTP information.
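The intra-industry distribution and sensitive-information filtering described above, as an added Python example that is not part of the patent: it selects the other connected enterprises in the same industry as recipients, keeps only the four shareable fields listed, and scrubs enterprise names, attack targets and internal IP addresses from them. The enterprise registry, record field names and sample values are constructed assumptions.

```python
"""Sanitize and distribute an unidentified record to same-industry cooperative enterprises."""
import copy
import re

# Fields the patent lists as the written (shareable) content of a rewritten report.
SHARED_FIELDS = ("intel_hash", "host_characteristics", "event_characteristics", "ttp")

# Constructed registry: the patent only says cooperative enterprises are those whose
# event recording systems are connected to the platform API.
REGISTRY = [
    {"name": "Alpha Bank", "industry": "finance", "connected": True},
    {"name": "Beta Insurance", "industry": "finance", "connected": True},
    {"name": "Gamma Securities", "industry": "finance", "connected": False},
    {"name": "Delta Logistics", "industry": "logistics", "connected": True},
]

# RFC 1918 ranges: internal addresses reveal the attack target's network layout.
PRIVATE_IPV4 = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)


def recipients(source, registry):
    """Other connected enterprises in the same industry as the source (intra-industry rule)."""
    src = next((e for e in registry if e["name"] == source), None)
    if src is None:
        return []
    return [e["name"] for e in registry
            if e["connected"] and e["industry"] == src["industry"] and e["name"] != source]


def redact_text(text, enterprise_names, target_hosts):
    """Remove enterprise names, attack-target identifiers and internal IPs from free text."""
    for name in enterprise_names:
        text = text.replace(name, "[ENTERPRISE]")
    for host in target_hosts:
        text = text.replace(host, "[TARGET]")
    return PRIVATE_IPV4.sub("[INTERNAL-IP]", text)


def sanitize(record, registry):
    """Keep only the shareable fields and scrub sensitive values inside them."""
    names = [e["name"] for e in registry]
    targets = record.get("attack_targets", [])
    out = {}
    for field in SHARED_FIELDS:
        value = copy.deepcopy(record.get(field))
        if isinstance(value, str):
            value = redact_text(value, names, targets)
        elif isinstance(value, dict):
            value = {k: redact_text(v, names, targets) if isinstance(v, str) else v
                     for k, v in value.items()}
        elif isinstance(value, list):
            value = [redact_text(v, names, targets) if isinstance(v, str) else v for v in value]
        out[field] = value
    return out


def distribute(record, registry):
    """Map each recipient to the sanitized copy it receives; source-only fields never leave."""
    clean = sanitize(record, registry)
    return {name: copy.deepcopy(clean) for name in recipients(record["source_enterprise"], registry)}


# Constructed sample record for an item the local sandbox could not identify.
SAMPLE_RECORD = {
    "source_enterprise": "Alpha Bank",
    "affected_company": "Alpha Bank",
    "attack_targets": ["mail.alphabank.example", "10.20.30.40"],
    "intel_hash": "sha256:PLACEHOLDER",  # placeholder, not a real sample hash
    "host_characteristics": {"process": "svchost.exe", "persistence": "registry run key"},
    "event_characteristics": ("Phishing mail to Alpha Bank staff; beacon from 10.20.30.40 "
                              "to mail.alphabank.example; lateral movement to 192.168.5.9"),
    "ttp": ["spear phishing", "registry run key persistence"],
}

if __name__ == "__main__":
    for recipient, payload in distribute(SAMPLE_RECORD, REGISTRY).items():
        print(recipient, payload)
```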
  • When the threat intelligence operation platform merges the data identified as threat intelligence with the existing threat intelligence in the intelligence database, it automatically compares the host characteristics of the newly identified threat intelligence with the host characteristics of the existing threat intelligence, and automatically associates and classifies threat intelligence with similar host characteristics before entering it into the intelligence database.
  • After step S130, the method may also include the following: establishing a machine learning model and, based on the model and the threat intelligence confirmed in step S130, outputting the TTP information of the malicious sample families to be updated, including activity status, activity time, targets, etc.
  • In step S140, the threat intelligence operation platform pushes the threat intelligence confirmed in S130 to the enterprise, generates warning information based on the threat intelligence, and distributes the warning information to the enterprise.
  • The process of pushing threat intelligence includes: the threat intelligence operation platform pushes the confirmed threat intelligence, according to its category, to the enterprises that have subscribed to that category, so that users obtain the intelligence in time.
  • The process of generating alarm information from threat intelligence and distributing it to the enterprise includes: connecting the threat intelligence operation platform to the enterprise's NGSOC (security operation platform) and/or SIEM (security information and event management) system, and correlating the confirmed threat intelligence with assets and events to form richer and easier-to-understand event alarm information.
  • a query API function can be set on the threat intelligence operation platform.
  • The threat intelligence data collection and processing method provided in this application also includes updating the credit rating of each company; the update is based on the positive review ratio of the company being reviewed, its review pass rate, its review rejection rate, complaints, etc., which together determine the user's credit value.
  • the intelligence community should be an information sharing platform for the industry to jointly fight the same threats.
  • There are mainly the following constraint rules for each enterprise:
  • the platform encourages the sharing of detailed threat intelligence without disclosing confidential corporate information;
  • the threat intelligence operation platform detects corporate violations by monitoring whether comment content is positive (relying on NLP natural language analysis technology) and whether it contains sensitive vocabulary, etc.; it provides a mechanism for complaints against companies, and downgrades the credit rating of companies that do not comply with the rules.
  • a threat intelligence data collection and processing system includes: an intelligence production data collection module 501, a threat intelligence data generation module 502 to be screened, a threat intelligence screening and merging module 503, and a threat intelligence and alarm information issuing module 504.
  • The intelligence production data collection module 501 is used to collect the intelligence production data of the enterprise; the module 502 for generating threat intelligence data to be screened is used to determine the threat intelligence data to be screened according to the source of the intelligence production data; the threat intelligence screening and merging module 503 is used to screen the threat intelligence data to be screened using a local sandbox and to merge the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database according to the screening results; the threat intelligence and alarm information issuing module 504 is used to push the confirmed threat intelligence to the enterprise, generate alarm information based on the threat intelligence, and distribute the alarm information to the enterprise.
  • The intelligence production data includes at least the company's event analysis reports, the company's IDC export security equipment log data, and the samples and intelligence data submitted by the company; the number of companies is at least two.
  • The intelligence production data collection module 501 may include a corporate event analysis report collection module, a corporate IDC export security equipment log data collection module, and a module for collecting the samples and intelligence data submitted by the company.
  • the threat intelligence data generating module 502 to be screened may include an event analysis report processing module, an IDC export security device log data processing module, and a sample and intelligence data processing module submitted by the enterprise.
  • the threat intelligence screening and merging module 503 may include a screening and identifying module of threat intelligence data to be screened and a threat intelligence merging module.
  • the threat intelligence and alarm information distribution module 504 may include a threat information push module and an alarm information distribution module.
  • the threat intelligence data collection and processing system may also include a module for generating family information of malicious samples to be updated and a module for establishing corporate credit ratings.
  • an electronic device 1 includes a memory 3 and a processor 2.
  • The memory 3 stores a computer program 4, and when the computer program 4 is executed by the processor 2 it implements the threat intelligence data collection and processing method of Embodiment 1.
  • A computer-readable storage medium, which may be non-volatile or volatile, contains a threat intelligence data collection and processing program; when the program is executed by a processor, the steps of the threat intelligence data collection and processing method of Embodiment 1 are realized.


Abstract

The present application relates to the technical field of data security. Disclosed are a threat intelligence data collection and processing method and system, an apparatus, and a storage medium. The method comprises: S110, a threat intelligence operation platform collects intelligence production data of an enterprise; S120, the threat intelligence operation platform determines threat intelligence data to be screened according to the intelligence production data source; S130, the threat intelligence operation platform screens the threat intelligence data to be screened by using a local sandbox, and merges data confirmed as threat intelligence with existing threat intelligence in an intelligence library according to a screening result; and S140, the threat intelligence operation platform pushes the confirmed threat intelligence to the enterprise, generates alarm information according to the threat intelligence, and distributes the alarm information to the enterprise. According to the present application, the large-scale group enterprise-oriented "intelligence community" is established, so that the enterprise becomes a "producer" of intelligence, the intelligence can be provided in the intelligence community in real time, and the intelligence can be shared in the industry in time.

Description

威胁情报数据采集处理方法、系统、装置及存储介质Threat intelligence data collection and processing method, system, device and storage medium
本申请要求于2019年7月31日提交中国专利局、申请号为CN201910700841.6,发明名称为“威胁情报数据采集处理方法、装置及存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on July 31, 2019, the application number is CN201910700841.6, and the invention title is "Threat intelligence data collection and processing methods, devices, and storage media". The entire content is approved The reference is incorporated in this application.
技术领域Technical field
本申请涉及数据安全技术领域,更为具体地,涉及一种威胁情报数据采集处理方法、系统、装置及存储介质。This application relates to the field of data security technology, and more specifically, to a method, system, device, and storage medium for collecting and processing threat intelligence data.
背景技术Background technique
所谓威胁情报,是某种基于一定证据的知识,包括上下文、机制、标示、含义和能够执行的建议,这些知识与资产所面临已有的或酝酿中的威胁或危害相关,可用于资产相关主体对威胁或危害的响应或处理决策提供信息支持。企业和机构使用威胁情报,以达到更好的满足其应对自身相关的安全威胁和进行更有效的安全防御为目的。The so-called threat intelligence is knowledge based on certain evidence, including context, mechanism, labeling, meaning, and recommendations that can be implemented. This knowledge is related to existing or brewing threats or hazards faced by the asset, and can be used by asset-related entities. Provide information support in response to threats or hazards or handling decisions. Enterprises and organizations use threat intelligence to better meet their own related security threats and conduct more effective security defenses.
发明人意识到市面上现有的威胁情报系统,类似于360、绿盟、微步等等,都是基于推送和集中式情报提供模式,大型企业都是情报的“消费者”,不能及时地提供某行业的“自生产”情报,在企业威胁情报使用上存在一定的缺陷。The inventor realized that the existing threat intelligence systems on the market, similar to 360, NSFOCUS, Weibu, etc., are based on push and centralized intelligence provision models. Large enterprises are all intelligence "consumers" and cannot be timely Providing "self-produced" intelligence in a certain industry has certain flaws in the use of corporate threat intelligence.
现阶段各安全厂商推出的威胁情报,由于厂商之间的商业和技术壁垒、以及缺乏统一交流标准等因素,威胁情报数据交换仍然非常少,导致情报的使用价值难以充分发挥。At this stage, the threat intelligence introduced by various security vendors, due to the commercial and technical barriers between vendors, and the lack of unified communication standards, still has very little threat intelligence data exchange, which makes it difficult to give full play to the value of intelligence.
在情报采集环节,现有安全厂商的数据采集一般通过反恶意软件实现,采集数据的规模和行业依赖于反恶意软件的部署情况,存在数据采集覆盖面不全、采集环境不一致等情况。对于流量层面的采集,安全厂商往往依赖与电信运营商的合作来进行,这中间存在客户隐私层面的隔阂,从而导致不能采集全量的情报数据。In the intelligence collection link, the data collection of existing security vendors is generally realized through anti-malware software. The scale and industry of the collected data depend on the deployment of anti-malware software. There are situations such as incomplete data collection coverage and inconsistent collection environments. For the collection of traffic level, security vendors often rely on cooperation with telecom operators. There is a gap in customer privacy, which leads to the inability to collect full amounts of intelligence data.
在情报处理环节,由于安全厂商采集数据环境不一致、覆盖不全等问题,从样本(原始数据)到生成情报要投入大量的人力。In the intelligence processing link, due to the inconsistency and incomplete coverage of the data collection environment of security vendors, a lot of manpower has to be invested from samples (raw data) to generating intelligence.
技术问题technical problem
鉴于上述问题,本申请的目的是提供一种威胁情报数据采集处理方法,采用这种方法能够建立面向大型集团企业的“情报社区”,使企业、用户成为情报的“生产者”,可以在“情报社区”实时地提供情报、及时地在行业分享情报,并借助云端的情报能力和评估筛选,对这些情报进行筛选、合并等,形成有效的行业情报。In view of the above-mentioned problems, the purpose of this application is to provide a method for collecting and processing threat intelligence data, which can be used to establish an "intelligence community" for large group companies, so that enterprises and users can become intelligence "producers". "Intelligence community" provides information in real time, shares information in the industry in a timely manner, and uses cloud intelligence capabilities and evaluation screening to screen and merge this information to form effective industry intelligence.
Technical solution
According to one aspect of this application, a threat intelligence data collection and processing method is provided, comprising the following steps:
S110: the threat intelligence operation platform collects the enterprise's intelligence production data, the intelligence production data comprising at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise;
S120: the threat intelligence operation platform determines the threat intelligence data to be screened according to the source of the intelligence production data;
S130: the threat intelligence operation platform screens the threat intelligence data to be screened using a local sandbox and, according to the screening result, merges the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database;
S140: the threat intelligence operation platform pushes the threat intelligence confirmed in S130 to the enterprise, generates alarm information from the threat intelligence, and distributes the alarm information to the enterprise.
According to another aspect of this application, a threat intelligence data collection and processing system is provided, comprising:
an intelligence production data collection module, used to collect the enterprise's intelligence production data;
a to-be-screened threat intelligence data generation module, used to determine the threat intelligence data to be screened according to the source of the intelligence production data;
a threat intelligence screening and merging module, used to screen the threat intelligence data to be screened using a local sandbox and, according to the screening result, merge the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database;
a threat intelligence and alarm information issuing module, used to push the confirmed threat intelligence to the enterprise, generate alarm information from the threat intelligence, and distribute the alarm information to the enterprise;
the intelligence production data comprising at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise.
This application also provides an electronic device comprising a memory and a processor, a computer program being stored in the memory; when the computer program is executed by the processor, the following steps are implemented:
collecting the enterprise's intelligence production data, the intelligence production data comprising at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise;
determining the threat intelligence data to be screened according to the source of the intelligence production data;
screening the threat intelligence data to be screened using a local sandbox and, according to the screening result, merging the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database;
pushing the confirmed threat intelligence to the enterprise, generating alarm information from the threat intelligence, and distributing the alarm information to the enterprise.
This application also provides a computer-readable storage medium containing a threat intelligence data collection and processing program; when the threat intelligence data collection and processing program is executed by a processor, the following steps are implemented:
collecting the enterprise's intelligence production data, the intelligence production data comprising at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise;
determining the threat intelligence data to be screened according to the source of the intelligence production data;
screening the threat intelligence data to be screened using a local sandbox and, according to the screening result, merging the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database;
pushing the confirmed threat intelligence to the enterprise, generating alarm information from the threat intelligence, and distributing the alarm information to the enterprise.
Beneficial effects
Compared with the prior art, the threat intelligence data collection and processing method and system provided by this application have the following beneficial effects:
1. The enterprise's intelligence production data can be collected comprehensively; enterprises and users become intelligence "producers" and can supply intelligence in real time;
2. Through the "intelligence community", intelligence can be shared promptly within the industry; threat intelligence sharing of a certain scale is formed within the industry to which the enterprise belongs, and, without harming the respective commercial interests of the participants, the participants share the overall threats the industry faces and their intelligence, and jointly counter the threats common to the industry;
3. With the help of cloud intelligence capabilities and evaluation and screening, this intelligence can be merged and screened to form effective industry intelligence.
In order to achieve the above and related objects, one or more aspects of this application comprise the features that are described in detail below and particularly pointed out in the claims. The following description and the accompanying drawings set out certain exemplary aspects of this application in detail. These aspects, however, indicate only some of the various ways in which the principles of this application may be used. Moreover, this application is intended to cover all such aspects and their equivalents.
Description of the drawings
By referring to the following description taken in conjunction with the accompanying drawings and the content of the claims, and with a fuller understanding of this application, other objects and results of this application will become clearer and easier to understand. In the drawings:
Figure 1 is a flowchart of the threat intelligence data collection and processing method according to Embodiment 1 of this application;
Figure 2 is a schematic diagram of the logical structure of the threat intelligence data collection and processing system according to Embodiment 2 of this application;
Figure 3 is a schematic diagram of the logical structure of the electronic device according to Embodiment 3 of this application.
Figure 2 carries the following reference numerals: 501 intelligence production data collection module; 502 to-be-screened threat intelligence data generation module; 503 threat intelligence screening and merging module; 504 threat intelligence and alarm information issuing module.
Figure 3 carries the following reference numerals: 1 electronic device; 2 processor; 3 memory; 4 computer program.
The same reference numerals in all drawings indicate similar or corresponding features or functions.
Embodiments of the invention
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more embodiments. It will be evident, however, that these embodiments may also be practised without these specific details. In other instances, well-known structures and devices are shown in block diagram form to facilitate the description of one or more embodiments.
Specific embodiments of this application are described in detail below with reference to the accompanying drawings.
Embodiment 1
Figure 1 shows the flow of the threat intelligence data collection and processing method according to Embodiment 1 of this application.
As shown in Figure 1, the threat intelligence data collection and processing method provided by this embodiment comprises the following steps:
S110: the threat intelligence operation platform collects the enterprise's intelligence production data, the intelligence production data comprising at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC (Internet Data Center) egress, and samples and intelligence data submitted by the enterprise;
The enterprises may be large group customers; there are at least two of them, and all the enterprises together form an intelligence community. For each enterprise in the intelligence community, the threat intelligence operation platform can collect intelligence data from at least three sources: incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise, which gives comprehensive collection of intelligence.
S120: the threat intelligence operation platform determines the threat intelligence data to be screened according to the source of the intelligence production data;
S130: the threat intelligence operation platform screens the threat intelligence data to be screened using a local sandbox and, according to the screening result, merges the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database;
S140: the threat intelligence operation platform pushes the threat intelligence confirmed in S130 to the enterprise, generates alarm information from the threat intelligence, and distributes the alarm information to the enterprise.
In step S110, the threat intelligence operation platform collects the enterprise's intelligence production data, choosing a different collection method according to the source of the collected intelligence production data.
1. When collecting an enterprise's incident analysis reports, the API (Application Programming Interface) of the threat intelligence operation platform can be connected to the incident recording system in which the incident analysis reports are stored; when the enterprise's emergency response personnel submit an incident analysis report to the incident recording system, the threat intelligence operation platform obtains the report in real time. The incident recording systems of at least two enterprises are connected to the API of the threat intelligence operation platform.
An incident analysis report is the report that security personnel produce after completing the analysis and handling of a past incident; it already contains the intelligence context and IoC (indicator of compromise) information. This application starts from the information contained in the incident analysis report itself and sets a unified format, at the group enterprise level, for the incident analysis reports submitted by every enterprise (the format is shown in the table below), so that the threat intelligence operation platform can comprehensively collect intelligence data from every enterprise endpoint.
The following is an incident analysis report from one specific embodiment of this application, in the table format used for such reports:
Incident analysis report
Incident name*: Minerd mining Trojan activity incident
Incident number: EYDM20180001
Incident source: XX alarm
Incident occurrence time*: 2018-03-15 11:39:11
Incident discovery time: 2018.5.30 16:34
Incident resolution time: 2018.6.7 16:57
Incident discoverer: XXX
Incident type*: malicious code, mining virus, C2
Incident severity: low
Incident overview*: one Minerd mining virus incident detected at XX, spread via the MS17-010 vulnerability
Detailed description:
    Incident cause: description of the cause of the incident
    Affected business/services: the affected business and services
    Incident process: description of the course of the incident
    Incident outcome: description of the handling result
Affected companies: Affected parties: multiple companies; Impact level: none (business not affected); Loss: none
Affected industries*: banking, finance
Emergency mitigation measures: mitigation measures
Corrective/preventive measures:
Long-term remediation plan:
Lessons learned from the incident:
IoC*: rer.njaavfxcgk3.club:4433
    2cc80b81edb2133206d29ec44ed8aaa1
    018dcbf3d26eafaad1b2cca3608af9faf38fa8281b2e3c8d5ad4c89bc2d7e1b8
Related links*: https://www.xxxx.com/articles/network/164869.html
Form completion time: 2018.6.8 10:34
Completed by: XXX
2. When collecting log data from the security devices at an enterprise's IDC egress, the threat intelligence operation platform connects to the security devices the enterprise has deployed at the IDC egress and collects log data based on those devices' full-traffic analysis capability and results.
The log data from the security devices at the enterprise's IDC egress mainly comprises the security alarm logs and event logs of devices such as NTA (network traffic analysis), NGFW (next-generation firewall), WAF (web application firewall), IPS (intrusion prevention system) and anti-virus software.
The collection of intelligence data from enterprise endpoints and the full-traffic collection of intelligence data at the IDC egress can combine technologies such as NTA, the local sandbox, traditional security devices and endpoint applications. Traditional security devices include NGFW, WAF, IPS and anti-virus software; endpoint applications include e-mail clients and IM (instant messaging) tools.
3. When collecting the samples and intelligence data submitted by enterprises: the samples and intelligence data submitted by an enterprise comprise confirmed or suspicious IP addresses and domain names and malicious sample information. Each enterprise can submit confirmed or suspicious IP addresses and domain names to the threat intelligence operation platform, and can also submit malicious sample information to it; the threat intelligence operation platform stores this intelligence data (the confirmed or suspicious IP addresses, domain names, malicious sample information and so on).
In step S120, the threat intelligence operation platform determines the threat intelligence data to be screened according to the source of the intelligence production data.
1. Natural language processing (NLP) is used to extract the IoC (indicator of compromise) and TTP (Tactics, Techniques and Procedures) information from the incident analysis report, that is, the information in the fields marked with * in the incident analysis report above, and to identify the intelligence type; the IoC and TTP information is saved to the intelligence database by intelligence type, generating the threat intelligence data to be screened.
When NLP is used to extract intelligence from the incident analysis report, the "Incident overview" field is analysed at the same time, and the intelligence type (such as compromise intelligence, file reputation intelligence or IP reputation intelligence) is identified automatically from its content; the threat intelligence operation platform saves the intelligence in the intelligence database by type.
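The extraction step described above, as an added example that is not the patent's own code: it parses a report in the unified "Field*: value" layout, takes the starred fields, types each IoC by its shape and derives the intelligence type from the "Incident overview" field. The report text, the keyword rules standing in for the NLP classifier, and the IoC values are all constructed.

```python
"""Added example (not the patent's own code): turn an incident analysis report in the
unified "Field*: value" format into to-be-screened intelligence records. The report,
field names, keyword rules and IoC values are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed report in the unified layout; IoC values are placeholders, not real indicators.
SAMPLE_REPORT = """Incident name*: Minerd mining Trojan activity incident
Incident number: EYDM20180001
Incident occurrence time*: 2018-03-15 11:39:11
Incident type*: malicious code, mining virus, C2
Incident overview*: one Minerd mining virus incident detected at XX, spread via the MS17-010 vulnerability
Affected industries*: banking, finance
IoC*: c2.example.invalid:4433
    0123456789abcdef0123456789abcdef
    00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff,
Related links*: https://www.example.invalid/articles/164869.html
Completed by: XXX
"""

FIELD_RE = re.compile(r"^(?P<name>[^:\n]+?)(?P<star>\*)?\s*:\s*(?P<value>.*)$")

@dataclass
class Field:
    starred: bool   # fields marked * are the ones the platform extracts as IoC/TTP intelligence
    value: str

def parse_report(text: str) -> Dict[str, Field]:
    """Parse 'Name[*]: value' lines; indented lines continue the previous field (multi-line IoC list)."""
    fields: Dict[str, Field] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            fields[current].value += "\n" + raw.strip()
            continue
        m = FIELD_RE.match(raw)
        if m is None:
            continue  # free text that is not a field: ignored rather than aborting the report
        current = m.group("name").strip()
        fields[current] = Field(starred=m.group("star") is not None, value=m.group("value").strip())
    return fields

# Indicator shapes; the order matters so that a hex hash is never mistaken for a host name.
IOC_PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("md5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("ipv4", re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{1,5})?$", re.I)),
]

def classify_ioc(token: str) -> str:
    for kind, pattern in IOC_PATTERNS:
        if pattern.match(token):
            return kind
    return "unknown"

# Assumed keyword rules: the patent says the type comes from the overview but gives no rule set.
TYPE_RULES = [
    ("compromise", ("c2", "trojan", "backdoor", "beacon", "spread")),
    ("ip_reputation", ("scan", "brute force")),
    ("file_reputation", ("virus", "malware", "sample")),
]

def infer_intel_type(overview: str) -> str:
    text = overview.lower()
    for intel_type, words in TYPE_RULES:
        if any(w in text for w in words):
            return intel_type
    return "unknown"

def build_candidates(report_text: str) -> List[dict]:
    """One to-be-screened record per recognised IoC, tagged with the report-level type and TTP context."""
    fields = parse_report(report_text)
    starred = {name: f.value for name, f in fields.items() if f.starred}
    intel_type = infer_intel_type(starred.get("Incident overview", ""))
    ttp = {
        "incident_type": starred.get("Incident type", ""),
        "industries": starred.get("Affected industries", ""),
        "reference": starred.get("Related links", ""),
    }
    records = []
    for token in starred.get("IoC", "").split():
        token = token.strip(",;")
        kind = classify_ioc(token)
        if kind == "unknown":
            continue  # leave unparseable tokens for manual analysis instead of polluting the database
        records.append({
            "intel_type": intel_type,
            "ioc_kind": kind,
            "indicator": token,
            "occurred_at": starred.get("Incident occurrence time", ""),
            "ttp": ttp,
        })
    return records
```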
2. An ELK (Elasticsearch, Logstash, Kibana, a popular log collection and analysis platform) system analyses and processes the log data from the enterprise's IDC egress security devices to form threat intelligence to be screened.
In this processing the ELK system mainly uses the SPL (Splunk Search Language, a log search syntax) language; for example, it retrieves the NGFW alarm logs, counts the IP addresses whose attack parameters reach a preset threshold within a preset past period, and saves them to the intelligence database as reputation-damaged IP addresses, forming the threat intelligence data to be screened. This embodiment counts the attack source IP addresses that, in the past week, used more than 20 attack types against more than 10 target IP addresses; such an IP address can be preliminarily considered to be carrying out a scanning attack, and one item of IP reputation intelligence can be output.
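The one-week scanning rule above, as an added example that is not the patent's own code, written in Python over NGFW alarm lines instead of SPL. The log line layout, the IP addresses, the "current" time and every event are constructed; the thresholds are parameters set to the patent's values (more than 20 attack types, more than 10 targets, one week), and events outside the window or lines that do not parse are skipped rather than counted.

```python
"""Added example (not the patent's own code): the NGFW scan rule as Python instead of SPL.
Line format, addresses, clock and events below are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Constructed NGFW alarm line shape: ISO timestamp, source, destination, signature (attack type).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) dst=(?P<dst>\S+) type=(?P<type>\S+)"
)
NOW = datetime(2018, 3, 22, 12, 0, 0, tzinfo=timezone.utc)  # constructed "current" time

def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if m is None:
        return None  # malformed line: skip it rather than abort the whole batch
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"), "type": m.group("type")}

def scan_reputation_candidates(lines: Iterable[str], now: datetime,
                               window: timedelta = timedelta(days=7),
                               min_types: int = 20, min_targets: int = 10) -> List[dict]:
    """Source IPs that, inside the window, used more than min_types attack types against
    more than min_targets distinct destinations (the patent's 20 / 10 / one-week rule)."""
    cutoff = now - window
    types: Dict[str, set] = defaultdict(set)
    targets: Dict[str, set] = defaultdict(set)
    first_seen: Dict[str, datetime] = {}
    last_seen: Dict[str, datetime] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not (cutoff <= ev["ts"] <= now):
            continue  # outside the statistical window (or future-dated by clock skew): not counted
        src = ev["src"]
        types[src].add(ev["type"])
        targets[src].add(ev["dst"])
        first_seen[src] = min(first_seen.get(src, ev["ts"]), ev["ts"])
        last_seen[src] = max(last_seen.get(src, ev["ts"]), ev["ts"])
    out = []
    for src in types:
        if len(types[src]) > min_types and len(targets[src]) > min_targets:
            out.append({
                "intel_type": "ip_reputation",
                "indicator": src,
                "attack_types": len(types[src]),
                "targets": len(targets[src]),
                "first_seen": first_seen[src].isoformat(),
                "last_seen": last_seen[src].isoformat(),
                "reason": "suspected scanning; preliminary, still to be screened",
            })
    return sorted(out, key=lambda r: r["indicator"])

def constructed_ngfw_log() -> List[str]:
    """Constructed sample: one real scanner, one low-volume host, one stale scanner, one bad line."""
    def line(ts: datetime, src: str, dst: str, sig: str) -> str:
        return f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} type={sig} action=alert"
    lines = []
    for i in range(25):   # 25 signatures against 12 targets over the last two days: qualifies
        lines.append(line(NOW - timedelta(hours=2 * i), "198.51.100.7", f"10.0.0.{i % 12 + 1}", f"sig-{i:03d}"))
    for i in range(5):    # 5 signatures, 3 targets: below both thresholds
        lines.append(line(NOW - timedelta(hours=i), "203.0.113.9", f"10.0.0.{i % 3 + 1}", f"sig-{i:03d}"))
    for i in range(30):   # would qualify on counts, but every event is ten days old
        lines.append(line(NOW - timedelta(days=10, minutes=i), "192.0.2.44", f"10.0.0.{i % 15 + 1}", f"sig-{i:03d}"))
    lines.append("this line is not an NGFW alarm and must be skipped")
    return lines
```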
3. After storing the suspicious IP addresses, domain names and malicious sample information submitted by enterprises, the threat intelligence operation platform calculates a credit value for each item of suspicious IP or domain name intelligence from data such as the ratio of positive to negative user comments the item receives in the intelligence community, and at the same time calculates the enterprise's credit rating from the enterprise's positive comment ratio, audit pass rate, audit rejection rate and complaints received; the credit value and the credit rating are combined to determine the threat intelligence information to be screened, which is stored in the intelligence database. Malicious samples are pushed to the local sandbox, which analyses the files it can recognise among them; when the analysis completes, it outputs threat intelligence information to be screened, including the file hash, the file's network behaviour and local behaviour and other intelligence data, which is stored in the intelligence database. The files the sandbox can recognise are generally binary executables, e-mails and the like; unrecognisable samples need manual analysis before they are submitted. The ratio of positive to negative user comments can be understood as the like/dislike ratio.
The IP address and domain name reporting function lets community users supply intelligence in real time.
In step S130, the threat intelligence operation platform screens the threat intelligence data to be screened and, according to the screening result, merges the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database.
The process by which the threat intelligence operation platform screens the threat intelligence data to be screened supplied by each enterprise includes using the local sandbox to identify that data.
Threat intelligence data to be screened that the local sandbox can identify is confirmed as threat intelligence. Threat intelligence data to be screened that the local sandbox cannot identify is automatically distributed by the threat intelligence operation platform to the security enterprise intelligence analysis platform, where an incident analysis report is written anew in the unified format (the table above) so that it can be collected by the threat intelligence operation platform again.
The security enterprise intelligence analysis platform provides intelligence analysis and sharing for partner enterprises and is made up of several partner enterprises within the intelligence community, a partner enterprise being one that has connected its incident recording system to the API of the threat intelligence operation platform. The threat intelligence operation platform establishes a separate channel with each partner enterprise and automatically distributes, through these channels, the threat data to be screened that the local sandbox cannot identify to the partner enterprises.
Distribution follows the principle of distribution within an industry: unidentifiable threat intelligence data to be screened supplied by an enterprise in a given industry is distributed to all other partner enterprises in the same industry, each of which analyses it and returns an incident analysis report written strictly in the format set in the table above; the returned incident analysis report then goes through step S120.
When the threat intelligence operation platform automatically distributes unidentifiable threat intelligence data to be screened to the partner enterprises through the channels, it filters out sensitive information such as the enterprise concerned and the attack target.
Data confirmed as threat intelligence is written into the threat intelligence operation platform; the written data includes the threat intelligence's hash (algorithm), host characteristics, incident characteristics and TTP information.
When merging the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database, the threat intelligence operation platform automatically compares the host characteristics of the confirmed threat intelligence with the host characteristics of the threat intelligence already in the database, automatically associates and classifies threat intelligence with similar host characteristics, and enters it into the intelligence database.
After step S130, the method may further include the following step: a machine learning model is built, and from the machine learning model and the threat intelligence confirmed in step S130 the TTP information of malicious sample families to be updated is output, that TTP information including activity status, activity time, targets and so on.
In step S140, the threat intelligence operation platform pushes the threat intelligence confirmed in S130 to the enterprises, generates alarm information from the threat intelligence, and distributes the alarm information to the enterprises.
The process of pushing threat intelligence includes: the threat intelligence operation platform pushes the confirmed threat intelligence, according to its category, to the enterprises that have subscribed to threat intelligence of that category, so that users obtain the intelligence promptly.
The process of generating alarm information from the threat intelligence and distributing it to the enterprises includes: the threat intelligence operation platform connects to the enterprise's NGSOC (security operations platform) and/or SIEM (security information and event management) system, correlates the confirmed threat intelligence with assets and events to form richer and more understandable incident alarm information, and distributes the alarm information, according to the category of the confirmed threat intelligence, to the enterprises that have subscribed to intelligence of that category, where the corresponding emergency response personnel handle it.
In addition, to make enterprise queries easier, a query API function can also be provided on the threat intelligence operation platform.
The threat intelligence data collection and processing method provided by this application further includes updating each enterprise's credit rating; the update is based on the enterprise's positive comment ratio, audit pass rate, audit rejection rate, complaints received and so on, from which the user's credit value is determined.
The intelligence community should be an information sharing platform on which the industry jointly confronts the same threats. To preserve this ultimate goal, the following main constraint rules apply to each enterprise:
a) All enterprises are prohibited from submitting false intelligence;
b) All enterprises are prohibited from using the threat intelligence operation platform for commercial promotion, competition and similar conduct;
c) All enterprises are prohibited from using the threat intelligence operation platform to mislead users or the platform;
d) The platform encourages the sharing of detailed threat intelligence provided no confidential enterprise information is disclosed.
The threat intelligence operation platform detects enterprise violations by monitoring whether comment content is positive (implemented with NLP) and whether it contains sensitive words, and also provides a channel for complaints against enterprises; an enterprise found not to follow the rules has its credit rating downgraded.
Embodiment 2
As shown in Figure 2, a threat intelligence data collection and processing system comprises an intelligence production data collection module 501, a to-be-screened threat intelligence data generation module 502, a threat intelligence screening and merging module 503, and a threat intelligence and alarm information issuing module 504.
The intelligence production data collection module 501 is used to collect the enterprise's intelligence production data; the to-be-screened threat intelligence data generation module 502 is used to determine the threat intelligence data to be screened according to the source of the intelligence production data; the threat intelligence screening and merging module 503 is used to screen the threat intelligence data to be screened using a local sandbox and, according to the screening result, merge the data confirmed as threat intelligence with the existing threat intelligence in the intelligence database; the threat intelligence and alarm information issuing module 504 is used to push the confirmed threat intelligence to the enterprises, generate alarm information from the threat intelligence, and distribute the alarm information to the enterprises.
The intelligence production data comprises at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise; the number of enterprises is two or more.
The intelligence production data collection module 501 may include an enterprise incident analysis report collection module, an enterprise IDC egress security device log data collection module, and an enterprise-submitted sample and intelligence data collection module.
The to-be-screened threat intelligence data generation module 502 may include an incident analysis report processing module, an IDC egress security device log data processing module, and an enterprise-submitted sample and intelligence data processing module.
The threat intelligence screening and merging module 503 may include a to-be-screened threat intelligence data screening and identification module and a threat intelligence merging module.
The threat intelligence and alarm information issuing module 504 may include a threat intelligence push module and an alarm information distribution module.
The threat intelligence data collection and processing system may further include a module for generating information on malicious sample families to be updated and a module for establishing enterprise credit ratings.
实施例3Example 3
如图3 所示,一种电子装置1,包括存储器3和处理器2,存储器3中存储有计算机程序4,计算机程序4被处理器2执行时实现实施例1中的威胁情报数据采集处理方法。As shown in FIG. 3, an electronic device 1 includes a memory 3 and a processor 2. The memory 3 stores a computer program 4, and the computer program 4 is executed by the processor 2 to implement the threat intelligence data collection and processing method in Embodiment 1. .
实施例4Example 4
一种计算机可读存储介质,所述计算机可读存储介质可以是非易失性,也可以是易失性,所述计算机可读存储介质中包括威胁情报数据采集处理程序,威胁情报数据采集处理程序被处理器执行时,实现实施例1中的威胁情报数据采集处理方法的步骤。A computer-readable storage medium, the computer-readable storage medium may be non-volatile or volatile, and the computer-readable storage medium includes a threat intelligence data collection and processing program, and a threat intelligence data collection and processing program When executed by the processor, the steps of the threat intelligence data collection and processing method in Embodiment 1 are realized.
对于本申请提供的威胁情报数据采集处理系统实施例而言,由于其基本相似于威胁情报数据采集处理方法的实施例,相关之处参见方法实施例的部分说明,此处不再赘述。Regarding the embodiment of the threat intelligence data collection and processing system provided in this application, since it is basically similar to the embodiment of the threat intelligence data collection and processing method, for related parts, please refer to the part of the description of the method embodiment, which will not be repeated here.
如上附图以示例的方式描述根据本申请的威胁情报数据采集处理方法及系统。但是,本领域技术人员应当理解,对于上述本申请所提出的威胁情报数据采集处理方法及系统,还可以在不脱离本申请内容的基础上做出各种改进。因此,本申请的保护范围应当由所附的权利要求书的内容确定。The above figures describe the threat intelligence data collection and processing method and system according to the present application by way of example. However, those skilled in the art should understand that various improvements can be made to the threat intelligence data collection and processing method and system proposed in this application without departing from the content of this application. Therefore, the protection scope of this application should be determined by the content of the appended claims.

Claims (20)

  1. A threat intelligence data collection and processing method, comprising the following steps:
    S110: a threat intelligence operation platform collects an enterprise's intelligence production data, the intelligence production data including at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise;
    S120: the threat intelligence operation platform determines the threat intelligence data to be screened according to the source of the intelligence production data;
    S130: the threat intelligence operation platform screens the to-be-screened threat intelligence data using a local sandbox and, according to the screening result, merges the data confirmed as threat intelligence with the threat intelligence already in the intelligence library;
    S140: the threat intelligence operation platform pushes the threat intelligence confirmed in S130 to the enterprise, generates alert information from the threat intelligence, and distributes the alert information to the enterprise.
  2. The threat intelligence data collection and processing method of claim 1, wherein the process by which the threat intelligence operation platform collects the enterprise's intelligence production data comprises:
    the threat intelligence operation platform collecting the enterprise's incident analysis reports, including connecting the API of the threat intelligence operation platform to the incident recording system in which the incident analysis reports are stored, the threat intelligence operation platform obtaining the incident analysis reports in real time;
    the threat intelligence operation platform collecting log data from the security devices at the enterprise's IDC egress, including the threat intelligence operation platform connecting to the security devices the enterprise has deployed at the IDC egress and collecting log data based on the full-traffic analysis capability and results of those security devices;
    the process by which the threat intelligence operation platform collects the samples and intelligence data submitted by the enterprise comprising: the enterprise submitting the confirmed or suspicious IP addresses, domain name information and malicious sample information contained in the samples and intelligence data to the threat intelligence operation platform, and the threat intelligence operation platform storing the IP addresses, domain name information and malicious sample information.
  3. The threat intelligence data collection and processing method of claim 1, wherein the process by which the threat intelligence operation platform determines the threat intelligence data to be screened according to the source of the intelligence production data comprises:
    using natural language analysis to extract the indicators of compromise and TTP information from the incident analysis reports, identifying the intelligence type, saving the indicators of compromise and TTP information to the intelligence library by intelligence type, and generating the threat intelligence data to be screened;
    using an ELK system to analyze and process the log data from the security devices at the enterprise's IDC egress, the ELK system using the SPL language to retrieve NGFW alert logs and count, as bad-reputation IP addresses, those IP addresses whose attack parameters reached a preset threshold within a preset past period, and saving them to the intelligence library to form the threat intelligence data to be screened.
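The two candidate-generation paths of claim 3, as an added example in Python that is not the patent's own code. Regular expressions stand in for the claim's natural-language extraction of IOCs and TTP identifiers, and an in-process counter stands in for the log query; note that SPL is Splunk's query language, while an ELK stack is normally queried through Elasticsearch Query DSL or KQL, so the claim's wording mixes two products and the counting logic is what matters. The report text, the NGFW alert lines and their field names, the 24-hour window and the 3-alert threshold are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed incident analysis report (not from the patent). The sha256, the
# domain and the IP are documentation/test values, not real indicators.
REPORT = """Incident 2024-03 summary: the intrusion began with a phishing document
(T1566.001) that dropped a loader, sha256
3b5d5c3712955042212316173ccf37be5c1fc43f28b1e6f5ab6aa3f4ff0a7e67.
The loader beaconed to update-cdn.example-bad.test (203.0.113.45) over HTTPS
and used scheduled tasks (T1053.005) for persistence."""

# Each pattern doubles as the "intelligence type" label the claim asks for.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:test|com|net|org|io)\b", re.I),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "ttp": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),   # MITRE ATT&CK technique IDs
}


def extract_report_candidates(report_text):
    """First source: pull IOCs and TTP identifiers out of free-text report and
    tag each with its intelligence type (regex stands in for NLP extraction)."""
    found = []
    for intel_type, pat in IOC_PATTERNS.items():
        for value in sorted(set(pat.findall(report_text))):
            found.append({"type": intel_type, "value": value, "source": "incident_report"})
    return found


# Constructed NGFW alert lines in a key=value style; not real device output.
NGFW_ALERTS = """\
2024-03-10T09:00:01Z src=198.51.100.7 dst=10.0.0.5 action=block sig=sql_injection
2024-03-10T09:00:09Z src=198.51.100.7 dst=10.0.0.5 action=block sig=sql_injection
2024-03-10T09:01:15Z src=198.51.100.7 dst=10.0.0.8 action=block sig=path_traversal
2024-03-10T09:02:30Z src=192.0.2.10 dst=10.0.0.5 action=block sig=port_scan
2024-03-09T08:00:00Z src=203.0.113.99 dst=10.0.0.5 action=block sig=sql_injection
2024-03-09T08:00:01Z src=203.0.113.99 dst=10.0.0.5 action=block sig=sql_injection
2024-03-09T08:00:02Z src=203.0.113.99 dst=10.0.0.5 action=block sig=sql_injection
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) .*?action=(?P<action>\S+) sig=(?P<sig>\S+)$")
DEMO_NOW = datetime(2024, 3, 10, 10, 0, 0)   # fixed "now" so the example is reproducible


def bad_reputation_ips(alert_text, now, window=timedelta(hours=24), threshold=3):
    """Second source: count blocked alerts per source IP inside the look-back
    window; IPs at or above the threshold become bad-reputation candidates.
    Alerts older than the window are ignored, which is the point of the window:
    203.0.113.99 has three hits but they fall outside it."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue                      # malformed line: skip, never count
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if now - ts > window or m["action"] != "block":
            continue
        counts[m["src"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def build_candidates(report_text, alert_text, now):
    """Combine both sources into one to-be-screened list, keeping provenance."""
    candidates = extract_report_candidates(report_text)
    for ip in bad_reputation_ips(alert_text, now):
        candidates.append({"type": "ipv4", "value": ip, "source": "ngfw_threshold"})
    return candidates


if __name__ == "__main__":
    for c in build_candidates(REPORT, NGFW_ALERTS, DEMO_NOW):
        print(c)
```

Keeping the `source` field on every candidate matters downstream: the sandbox screening and the credit-weighted acceptance in claim 4 treat a regex hit in a report differently from an IP that tripped a firewall threshold, and an analyst reviewing a false positive needs to know which path produced it.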
  4. The threat intelligence data collection and processing method of claim 2, wherein, after storing the IP addresses, domain name information and malicious sample information, the threat intelligence operation platform calculates a credit value for the IP addresses and domain name information from the ratio of positive to negative user comments, determines the threat intelligence data to be screened according to the credit value and the enterprise's credit rating, and saves it to the intelligence library;
    pushes the malicious samples to a local sandbox and analyzes the identifiable files in the malicious samples to determine the threat intelligence data to be screened, saving it to the intelligence library;
    wherein the enterprise's credit rating is determined according to the ratio of positive comments the enterprise has received, its review pass rate, its review rejection rate and the complaints made against it.
  5. The threat intelligence data collection and processing method of claim 1, wherein the process by which the threat intelligence operation platform screens the to-be-screened threat intelligence data using a local sandbox and, according to the screening result, merges the data confirmed as threat intelligence with the threat intelligence already in the intelligence library comprises:
    identifying the to-be-screened threat intelligence data with a local sandbox, wherein to-be-screened threat intelligence data recognized by the local sandbox is confirmed as threat intelligence;
    distributing to-be-screened threat intelligence data that the local sandbox cannot recognize to a security vendor's intelligence analysis platform, and rewriting the incident analysis report in a set format so that it can be collected again by the threat intelligence operation platform;
    wherein the data confirmed as threat intelligence is written into the threat intelligence operation platform, the written data including the threat intelligence's algorithm, host characteristics, event characteristics and TTP information;
    the threat intelligence operation platform comparing the host characteristics of the confirmed threat intelligence with the host characteristics of the threat intelligence already in the intelligence library, and associating and classifying threat intelligence with similar host characteristics and entering it into the intelligence library.
  6. The threat intelligence data collection and processing method of claim 1, wherein the process by which the threat intelligence operation platform pushes the threat intelligence confirmed in S130 to the enterprise, generates alert information from the threat intelligence and distributes the alert information to the enterprise comprises:
    the threat intelligence operation platform pushing the confirmed threat intelligence, according to its category, to the enterprises that have subscribed to threat intelligence of that category;
    the threat intelligence operation platform connecting to the enterprise's security operations platform and/or security information and event management system, correlating the confirmed threat intelligence with assets and events to produce alert information, and distributing the alert information, according to the category of the confirmed threat intelligence, to the enterprises that have subscribed to intelligence of that category.
  7. The threat intelligence data collection and processing method of claim 1, further comprising, after step S130: establishing a machine learning model and, according to the machine learning model and the threat intelligence confirmed in step S130, outputting the TTP information of the malicious sample family to be updated, the TTP information of the malicious sample family to be updated including activity status, activity time and targets.
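The merge step of claim 5 and the push and alert steps of claim 6, as an added Python example that is not the patent's own code. The patent says only that intelligence with "similar host characteristics" is associated and classified; comparing a set of host traits with Jaccard similarity against a threshold is an assumption made here, as are the trait names (JA3 fingerprint, ASN, server banner), the subscription and asset tables, the enterprise names and the SIEM events.

```python
from dataclasses import dataclass


@dataclass
class Intel:
    value: str                 # IOC value (IP address or domain)
    category: str              # intelligence category used for subscriptions, e.g. "c2"
    host_features: frozenset   # assumed host characteristics, e.g. {"ja3:...", "asn:..."}
    cluster: str = ""          # association label assigned when merged into the library


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty feature sets are treated as dissimilar."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def merge_into_library(library, incoming, threshold=0.5):
    """Claim 5: compare each confirmed item's host characteristics with the
    existing entries; link it to the closest cluster at or above the threshold,
    otherwise open a new cluster. Mutates and returns the library."""
    for item in incoming:
        best, best_score = None, 0.0
        for existing in library:
            score = jaccard(item.host_features, existing.host_features)
            if score > best_score:
                best, best_score = existing, score
        if best is not None and best_score >= threshold:
            item.cluster = best.cluster
        else:
            item.cluster = f"cluster-{len({e.cluster for e in library}) + 1}"
        library.append(item)
    return library


# Constructed tables: who subscribed to which categories, and each enterprise's
# asset inventory keyed by internal IP (the SIEM join key).
SUBSCRIPTIONS = {"acme": {"c2", "phishing"}, "globex": {"scanner"}}
ASSETS = {"acme": {"10.0.0.5": "web-prod-01"}, "globex": {"10.0.1.9": "vpn-gw"}}

# Constructed SIEM events: internal source talking to an external destination.
EVENTS = [
    {"enterprise": "acme", "src": "10.0.0.5", "dst": "update-cdn.example-bad.test"},
    {"enterprise": "globex", "src": "10.0.1.9", "dst": "198.51.100.7"},
    {"enterprise": "acme", "src": "10.0.0.7", "dst": "198.51.100.7"},  # acme has no "scanner" subscription
]


def push_by_category(library, subscriptions):
    """Claim 6, first part: each enterprise receives only the categories it subscribed to."""
    return {ent: [i.value for i in library if i.category in cats]
            for ent, cats in subscriptions.items()}


def generate_alerts(library, events, assets, subscriptions):
    """Claim 6, second part: correlate confirmed intel with an enterprise's own
    events and assets, and emit an alert only to a subscriber of that category."""
    by_value = {i.value: i for i in library}
    alerts = []
    for ev in events:
        intel = by_value.get(ev["dst"])
        if intel is None:
            continue                                   # destination not in the library
        ent = ev["enterprise"]
        if intel.category not in subscriptions.get(ent, set()):
            continue                                   # not subscribed: no alert, no leak of intel
        asset = assets.get(ent, {}).get(ev["src"], ev["src"])
        alerts.append({"enterprise": ent, "asset": asset, "ioc": intel.value,
                       "category": intel.category, "cluster": intel.cluster})
    return alerts


def run_demo():
    """Build a fresh library, merge two confirmed items, then push and alert."""
    library = [Intel("203.0.113.7", "c2",
                     frozenset({"ja3:abc", "asn:64500", "banner:nginx"}), "cluster-1")]
    confirmed = [
        # shares JA3 and ASN with the existing C2 entry: 2 of 4 traits -> 0.5 -> same cluster
        Intel("update-cdn.example-bad.test", "c2",
              frozenset({"ja3:abc", "asn:64500", "banner:apache"})),
        # nothing in common: new cluster
        Intel("198.51.100.7", "scanner", frozenset({"asn:64496", "banner:masscan"})),
    ]
    merge_into_library(library, confirmed)
    return library, push_by_category(library, SUBSCRIPTIONS), \
        generate_alerts(library, EVENTS, ASSETS, SUBSCRIPTIONS)


if __name__ == "__main__":
    lib, pushes, alerts = run_demo()
    print([(i.value, i.cluster) for i in lib], pushes, alerts, sep="\n")
```

The subscription check sits inside alert generation as well as in the push, so that an enterprise which never subscribed to a category cannot learn its indicators through the alert channel; the third constructed event exercises that path and produces no alert.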
  8. A threat intelligence data collection and processing system, comprising:
    an intelligence production data collection module for collecting an enterprise's intelligence production data;
    a to-be-screened threat intelligence data generation module for determining the threat intelligence data to be screened according to the source of the intelligence production data;
    a threat intelligence screening and merging module for screening the to-be-screened threat intelligence data using a local sandbox and, according to the screening result, merging the data confirmed as threat intelligence with the threat intelligence already in the intelligence library;
    a threat intelligence and alert information issuing module for pushing the confirmed threat intelligence to the enterprise, generating alert information from the threat intelligence, and distributing the alert information to the enterprise;
    the intelligence production data including at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise.
  9. An electronic device, comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the following steps:
    collecting an enterprise's intelligence production data, the intelligence production data including at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise;
    determining the threat intelligence data to be screened according to the source of the intelligence production data;
    screening the to-be-screened threat intelligence data using a local sandbox and, according to the screening result, merging the data confirmed as threat intelligence with the threat intelligence already in the intelligence library;
    pushing the confirmed threat intelligence to the enterprise, generating alert information from the threat intelligence, and distributing the alert information to the enterprise.
  10. The electronic device of claim 9, wherein the process of collecting the enterprise's intelligence production data comprises:
    collecting the enterprise's incident analysis reports, including connecting to the incident recording system in which the incident analysis reports are stored and obtaining the incident analysis reports in real time;
    collecting log data from the security devices at the enterprise's IDC egress, including connecting to the security devices the enterprise has deployed at the IDC egress and collecting log data based on the full-traffic analysis capability and results of those security devices;
    the process of collecting the samples and intelligence data submitted by the enterprise comprising: receiving the confirmed or suspicious IP addresses, domain name information and malicious sample information contained in the samples and intelligence data submitted by the enterprise, and storing the IP addresses, domain name information and malicious sample information.
  11. The electronic device of claim 9, wherein the process of determining the threat intelligence data to be screened according to the source of the intelligence production data comprises:
    using natural language analysis to extract the indicators of compromise and TTP information from the incident analysis reports, identifying the intelligence type, saving the indicators of compromise and TTP information to the intelligence library by intelligence type, and generating the threat intelligence data to be screened;
    using an ELK system to analyze and process the log data from the security devices at the enterprise's IDC egress, the ELK system using the SPL language to retrieve NGFW alert logs and count, as bad-reputation IP addresses, those IP addresses whose attack parameters reached a preset threshold within a preset past period, and saving them to the intelligence library to form the threat intelligence data to be screened.
  12. The electronic device of claim 10, wherein, when the computer program is executed by the processor, the following steps are further implemented after storing the IP addresses, domain name information and malicious sample information:
    calculating a credit value for the IP addresses and domain name information from the ratio of positive to negative user comments, determining the threat intelligence data to be screened according to the credit value and the enterprise's credit rating, and saving it to the intelligence library;
    pushing the malicious samples to a local sandbox and analyzing the identifiable files in the malicious samples to determine the threat intelligence data to be screened, saving it to the intelligence library;
    wherein the enterprise's credit rating is determined according to the ratio of positive comments the enterprise has received, its review pass rate, its review rejection rate and the complaints made against it.
  13. The electronic device of claim 9, wherein the process of pushing the confirmed threat intelligence to the enterprise, generating alert information from the threat intelligence and distributing the alert information to the enterprise comprises:
    pushing the confirmed threat intelligence, according to its category, to the enterprises that have subscribed to threat intelligence of that category;
    connecting to the enterprise's security operations platform and/or security information and event management system, correlating the confirmed threat intelligence with assets and events to produce alert information, and distributing the alert information, according to the category of the confirmed threat intelligence, to the enterprises that have subscribed to intelligence of that category.
  14. The electronic device of claim 9, wherein, when the computer program is executed by the processor, the following step is further implemented after merging, according to the screening result, the data confirmed as threat intelligence with the threat intelligence already in the intelligence library:
    establishing a machine learning model and, according to the machine learning model and the confirmed threat intelligence, outputting the TTP information of the malicious sample family to be updated, the TTP information of the malicious sample family to be updated including activity status, activity time and targets.
  15. A computer-readable storage medium containing a threat intelligence data collection and processing program which, when executed by a processor, implements the following steps:
    collecting an enterprise's intelligence production data, the intelligence production data including at least the enterprise's incident analysis reports, log data from the security devices at the enterprise's IDC egress, and samples and intelligence data submitted by the enterprise;
    determining the threat intelligence data to be screened according to the source of the intelligence production data;
    screening the to-be-screened threat intelligence data using a local sandbox and, according to the screening result, merging the data confirmed as threat intelligence with the threat intelligence already in the intelligence library;
    pushing the confirmed threat intelligence to the enterprise, generating alert information from the threat intelligence, and distributing the alert information to the enterprise.
  16. The computer-readable storage medium of claim 15, wherein the process of collecting the enterprise's intelligence production data comprises:
    collecting the enterprise's incident analysis reports, including connecting to the incident recording system in which the incident analysis reports are stored and obtaining the incident analysis reports in real time;
    collecting log data from the security devices at the enterprise's IDC egress, including connecting to the security devices the enterprise has deployed at the IDC egress and collecting log data based on the full-traffic analysis capability and results of those security devices;
    the process of collecting the samples and intelligence data submitted by the enterprise comprising: receiving the confirmed or suspicious IP addresses, domain name information and malicious sample information contained in the samples and intelligence data submitted by the enterprise, and storing the IP addresses, domain name information and malicious sample information.
  17. The computer-readable storage medium of claim 15, wherein the process of determining the threat intelligence data to be screened according to the source of the intelligence production data comprises:
    using natural language analysis to extract the indicators of compromise and TTP information from the incident analysis reports, identifying the intelligence type, saving the indicators of compromise and TTP information to the intelligence library by intelligence type, and generating the threat intelligence data to be screened;
    using an ELK system to analyze and process the log data from the security devices at the enterprise's IDC egress, the ELK system using the SPL language to retrieve NGFW alert logs and count, as bad-reputation IP addresses, those IP addresses whose attack parameters reached a preset threshold within a preset past period, and saving them to the intelligence library to form the threat intelligence data to be screened.
  18. The computer-readable storage medium of claim 16, wherein, when the threat intelligence data collection and processing program is executed by the processor, the following steps are further implemented after storing the IP addresses, domain name information and malicious sample information:
    calculating a credit value for the IP addresses and domain name information from the ratio of positive to negative user comments, determining the threat intelligence data to be screened according to the credit value and the enterprise's credit rating, and saving it to the intelligence library;
    pushing the malicious samples to a local sandbox and analyzing the identifiable files in the malicious samples to determine the threat intelligence data to be screened, saving it to the intelligence library;
    wherein the enterprise's credit rating is determined according to the ratio of positive comments the enterprise has received, its review pass rate, its review rejection rate and the complaints made against it.
  19. The computer-readable storage medium of claim 15, wherein the process of pushing the confirmed threat intelligence to the enterprise, generating alert information from the threat intelligence and distributing the alert information to the enterprise comprises:
    pushing the confirmed threat intelligence, according to its category, to the enterprises that have subscribed to threat intelligence of that category;
    connecting to the enterprise's security operations platform and/or security information and event management system, correlating the confirmed threat intelligence with assets and events to produce alert information, and distributing the alert information, according to the category of the confirmed threat intelligence, to the enterprises that have subscribed to intelligence of that category.
  20. The computer-readable storage medium of claim 15, wherein, when the threat intelligence data collection and processing program is executed by the processor, the following step is further implemented after merging, according to the screening result, the data confirmed as threat intelligence with the threat intelligence already in the intelligence library:
    establishing a machine learning model and, according to the machine learning model and the confirmed threat intelligence, outputting the TTP information of the malicious sample family to be updated, the TTP information of the malicious sample family to be updated including activity status, activity time and targets.
PCT/CN2020/093620 2019-07-31 2020-05-30 Threat intelligence data collection and processing method and system, apparatus, and storage medium WO2021017614A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910700841.6A CN110460594B (en) 2019-07-31 2019-07-31 Threat information data acquisition processing method, device and storage medium
CN201910700841.6 2019-07-31

Publications (1)

Publication Number Publication Date
WO2021017614A1 true WO2021017614A1 (en) 2021-02-04

Family

ID=68484191

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/093620 WO2021017614A1 (en) 2019-07-31 2020-05-30 Threat intelligence data collection and processing method and system, apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN110460594B (en)
WO (1) WO2021017614A1 (en)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259356A (en) * 2021-05-21 2021-08-13 北京国联天成信息技术有限公司 Threat intelligence and terminal detection response method and system under big data environment
CN113420127A (en) * 2021-07-06 2021-09-21 北京信安天途科技有限公司 Threat information processing method, device, computing equipment and storage medium
CN113420150A (en) * 2021-07-06 2021-09-21 北京信安天途科技有限公司 Threat intelligence knowledge detection method, device, computing equipment and storage medium
CN113468384A (en) * 2021-07-20 2021-10-01 山石网科通信技术股份有限公司 Network information source information processing method, device, storage medium and processor
CN113610427A (en) * 2021-08-19 2021-11-05 深圳市德信软件有限公司 Event early warning index obtaining method and device, terminal equipment and storage medium
CN113645232A (en) * 2021-08-10 2021-11-12 克拉玛依和中云网技术发展有限公司 Intelligent flow monitoring method and system for industrial internet and storage medium
CN113691518A (en) * 2021-08-17 2021-11-23 北京鸿腾智能科技有限公司 Information analysis method, device, equipment and storage medium
CN113691525A (en) * 2021-08-23 2021-11-23 杭州安恒信息技术股份有限公司 Traffic data processing method, device, equipment and storage medium
CN113691524A (en) * 2021-08-23 2021-11-23 杭州安恒信息技术股份有限公司 Alarm information processing method, system, electronic equipment and storage medium
CN113872950A (en) * 2021-09-18 2021-12-31 恒安嘉新(北京)科技股份公司 Automobile safety analysis method and device, electronic equipment and storage medium
CN114065767A (en) * 2021-11-29 2022-02-18 北京航空航天大学 Method for analyzing classification and evolution relation of threat information
CN114301709A (en) * 2021-12-30 2022-04-08 山石网科通信技术股份有限公司 Message processing method and device, storage medium and processor
CN114500048A (en) * 2022-01-26 2022-05-13 南方电网数字电网研究院有限公司 External threat information analysis method and system based on network security
CN114553558A (en) * 2022-02-24 2022-05-27 新华三信息安全技术有限公司 Data processing method and device
CN114584366A (en) * 2022-03-01 2022-06-03 南方电网数字电网研究院有限公司 Power monitoring network safety detection system and method
CN115134131A (en) * 2022-06-20 2022-09-30 中能融合智慧科技有限公司 Situation awareness-based Internet of things communication transmission system
CN115514529A (en) * 2022-08-22 2022-12-23 智网安云(武汉)信息技术有限公司 Threat information data processing method, equipment and storage equipment
CN115622805A (en) * 2022-12-06 2023-01-17 南宁重望电子商务有限公司 Artificial intelligence-based safety payment protection method and AI system
CN116527323A (en) * 2023-04-04 2023-08-01 中国华能集团有限公司北京招标分公司 Dynamic threat analysis method
CN117113340A (en) * 2023-10-20 2023-11-24 杭州美创科技股份有限公司 Host computer sag detection method, device, computer equipment and storage medium

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110460594B (en) * 2019-07-31 2022-02-25 平安科技(深圳)有限公司 Threat information data acquisition processing method, device and storage medium
CN110868418A (en) * 2019-11-18 2020-03-06 杭州安恒信息技术股份有限公司 Threat information generation method and device
CN110955893A (en) * 2019-11-22 2020-04-03 杭州安恒信息技术股份有限公司 Malicious file threat analysis platform and malicious file threat analysis method
CN110912889B (en) * 2019-11-22 2021-08-20 上海交通大学 Network attack detection system and method based on intelligent threat intelligence
CN111160749B (en) * 2019-12-23 2023-07-21 绿盟科技集团股份有限公司 Information quality assessment and information fusion method and device
CN111800395A (en) * 2020-06-18 2020-10-20 云南电网有限责任公司信息中心 Threat information defense method and system
CN111782967B (en) * 2020-07-02 2024-05-28 奇安信科技集团股份有限公司 Information processing method, apparatus, electronic device, and computer-readable storage medium
CN112256785A (en) * 2020-11-26 2021-01-22 奇安信科技集团股份有限公司 Information data processing method, device, electronic equipment, medium and program product
CN112765366A (en) * 2021-01-24 2021-05-07 中国电子科技集团公司第十五研究所 APT (android Package) organization portrait construction method based on knowledge map
CN113489716A (en) * 2021-07-02 2021-10-08 南京联成科技发展股份有限公司 Threat information data correlation analysis system based on centralized management and control
CN113890758B (en) * 2021-09-27 2024-04-12 深信服科技股份有限公司 Threat information method, threat information device, threat information equipment and computer storage medium
CN113919514B (en) * 2021-12-09 2022-03-22 北京微步在线科技有限公司 Sample data acquisition method and device based on threat intelligence
CN113992436B (en) * 2021-12-27 2022-03-01 北京微步在线科技有限公司 Local information generating method, device, equipment and storage medium
CN114003904B (en) * 2021-12-31 2022-03-08 北京微步在线科技有限公司 Information sharing method, device, computer equipment and storage medium
CN114218578A (en) * 2021-12-31 2022-03-22 奇安信科技集团股份有限公司 Method and device for generating threat information
CN115314304A (en) * 2022-08-10 2022-11-08 重庆电子工程职业学院 Network security event analysis device and method
CN115842685B (en) * 2023-02-21 2023-05-05 北京微步在线科技有限公司 Threat information generation method and device, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180068119A1 (en) * 2016-09-07 2018-03-08 Hewlett Packard Enterprise Development Lp Enhanced intelligence for a security information sharing platform
WO2018125854A1 (en) * 2016-12-30 2018-07-05 Microsoft Technology Licensing, Llc Threat intelligence management in security and compliance environment
CN109299174A (en) * 2018-09-11 2019-02-01 北京奇安信科技有限公司 A kind of multi-source information data aggregation processing method and device
CN109547479A (en) * 2018-12-27 2019-03-29 国网浙江省电力有限公司电力科学研究院 Information integration system and method are threatened in a kind of industrial environment
CN109614553A (en) * 2018-12-21 2019-04-12 北京博明信德科技有限公司 PaaS platform for log collection
CN109981627A (en) * 2019-03-18 2019-07-05 武汉思普崚技术有限公司 The update method and system of Cyberthreat information
CN110460594A (en) * 2019-07-31 2019-11-15 平安科技(深圳)有限公司 Threaten information data acquiring and processing method, device and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105743877A (en) * 2015-11-02 2016-07-06 哈尔滨安天科技股份有限公司 Network security threat information processing method and system
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
CN107547526A (en) * 2017-08-17 2018-01-05 北京奇安信科技有限公司 The data processing method and device combined a kind of cloud
CN108460278B (en) * 2018-02-13 2020-07-14 奇安信科技集团股份有限公司 Threat information processing method and device

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259356A (en) * 2021-05-21 2021-08-13 北京国联天成信息技术有限公司 Threat intelligence and terminal detection response method and system under big data environment
CN113420127A (en) * 2021-07-06 2021-09-21 北京信安天途科技有限公司 Threat information processing method, device, computing equipment and storage medium
CN113420150A (en) * 2021-07-06 2021-09-21 北京信安天途科技有限公司 Threat intelligence knowledge detection method, device, computing equipment and storage medium
CN113468384A (en) * 2021-07-20 2021-10-01 山石网科通信技术股份有限公司 Network information source information processing method, device, storage medium and processor
CN113468384B (en) * 2021-07-20 2023-11-03 山石网科通信技术股份有限公司 Processing method, device, storage medium and processor for network information source information
CN113645232B (en) * 2021-08-10 2023-04-28 克拉玛依和中云网技术发展有限公司 Intelligent flow monitoring method, system and storage medium for industrial Internet
CN113645232A (en) * 2021-08-10 2021-11-12 克拉玛依和中云网技术发展有限公司 Intelligent flow monitoring method and system for industrial internet and storage medium
CN113691518A (en) * 2021-08-17 2021-11-23 北京鸿腾智能科技有限公司 Information analysis method, device, equipment and storage medium
CN113691518B (en) * 2021-08-17 2023-12-05 三六零数字安全科技集团有限公司 Information analysis method, device, equipment and storage medium
CN113610427A (en) * 2021-08-19 2021-11-05 深圳市德信软件有限公司 Event early warning index obtaining method and device, terminal equipment and storage medium
CN113610427B (en) * 2021-08-19 2023-08-18 深圳市德信软件有限公司 Event early warning index obtaining method, device, terminal equipment and storage medium
CN113691525A (en) * 2021-08-23 2021-11-23 杭州安恒信息技术股份有限公司 Traffic data processing method, device, equipment and storage medium
CN113691524A (en) * 2021-08-23 2021-11-23 杭州安恒信息技术股份有限公司 Alarm information processing method, system, electronic equipment and storage medium
CN113872950B (en) * 2021-09-18 2024-06-07 恒安嘉新(北京)科技股份公司 Automobile safety analysis method and device, electronic equipment and storage medium
CN113872950A (en) * 2021-09-18 2021-12-31 恒安嘉新(北京)科技股份公司 Automobile safety analysis method and device, electronic equipment and storage medium
CN114065767B (en) * 2021-11-29 2024-05-14 北京航空航天大学 Threat information classification and evolution relation analysis method
CN114065767A (en) * 2021-11-29 2022-02-18 北京航空航天大学 Method for analyzing classification and evolution relation of threat information
CN114301709B (en) * 2021-12-30 2024-04-02 山石网科通信技术股份有限公司 Message processing method and device, storage medium and computing equipment
CN114301709A (en) * 2021-12-30 2022-04-08 山石网科通信技术股份有限公司 Message processing method and device, storage medium and processor
CN114500048A (en) * 2022-01-26 2022-05-13 南方电网数字电网研究院有限公司 External threat information analysis method and system based on network security
CN114500048B (en) * 2022-01-26 2023-10-03 南方电网数字电网研究院有限公司 External threat information analysis method and system based on network security
CN114553558A (en) * 2022-02-24 2022-05-27 新华三信息安全技术有限公司 Data processing method and device
CN114553558B (en) * 2022-02-24 2024-03-08 新华三信息安全技术有限公司 Data processing method and device
CN114584366A (en) * 2022-03-01 2022-06-03 南方电网数字电网研究院有限公司 Power monitoring network safety detection system and method
CN114584366B (en) * 2022-03-01 2024-05-07 南方电网数字电网研究院有限公司 Power monitoring network safety detection system and method
CN115134131B (en) * 2022-06-20 2023-10-20 中能融合智慧科技有限公司 Internet of things communication transmission system based on situation awareness
CN115134131A (en) * 2022-06-20 2022-09-30 中能融合智慧科技有限公司 Situation awareness-based Internet of things communication transmission system
CN115514529B (en) * 2022-08-22 2023-09-22 智网安云(武汉)信息技术有限公司 Threat information data processing method, threat information data processing equipment and storage equipment
CN115514529A (en) * 2022-08-22 2022-12-23 智网安云(武汉)信息技术有限公司 Threat information data processing method, equipment and storage equipment
CN115622805B (en) * 2022-12-06 2023-08-25 深圳慧卡科技有限公司 Safety payment protection method and AI system based on artificial intelligence
CN115622805A (en) * 2022-12-06 2023-01-17 南宁重望电子商务有限公司 Artificial intelligence-based safety payment protection method and AI system
CN116527323B (en) * 2023-04-04 2024-01-30 中国华能集团有限公司北京招标分公司 Dynamic threat analysis method
CN116527323A (en) * 2023-04-04 2023-08-01 中国华能集团有限公司北京招标分公司 Dynamic threat analysis method
CN117113340A (en) * 2023-10-20 2023-11-24 杭州美创科技股份有限公司 Host computer sag detection method, device, computer equipment and storage medium
CN117113340B (en) * 2023-10-20 2024-01-23 杭州美创科技股份有限公司 Host computer sag detection method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN110460594A (en) 2019-11-15
CN110460594B (en) 2022-02-25

Similar Documents

Publication Publication Date Title
WO2021017614A1 (en) Threat intelligence data collection and processing method and system, apparatus, and storage medium
US11706247B2 (en) Detection and prevention of external fraud
US10438001B1 (en) Identification, prediction, and assessment of cyber security risk
CN106411578B (en) A kind of web publishing system and method being adapted to power industry
CN103026345B (en) For the dynamic multidimensional pattern of event monitoring priority
US10929345B2 (en) System and method of performing similarity search queries in a network
CN113486351A (en) Civil aviation air traffic control network safety detection early warning platform
CN108833514A (en) Audit log processing method, device and Log Audit System based on block chain
CN112417477A (en) Data security monitoring method, device, equipment and storage medium
WO2019136282A1 (en) Control maturity assessment in security operations environments
Bryant et al. Improving SIEM alert metadata aggregation with a novel kill-chain based classification model
CN1705938A (en) Integrated emergency response system in information infrastructure and operating method therefor
CN111598574A (en) Intelligent service transaction oriented supervision method and supervision interface
Curti et al. Cyber risk definition and classification for financial risk management
CN117769706A (en) Network risk management system and method for automatically detecting and analyzing network security in network
US10917422B2 (en) Digital auditing system and method for detecting unauthorized activities on websites
US20230396640A1 (en) Security event management system and associated method
CN113709170A (en) Asset safe operation system, method and device
US20160188676A1 (en) Collaboration system for network management
Hajamydeen et al. A refined filter for UHAD to improve anomaly detection
CN105763555A (en) Website risk control server and method and client
CN110460558B (en) Method and system for discovering attack model based on visualization
Alharbi A qualitative study on security operations centers in saudi arabia: challenges and research directions
US12015647B2 (en) System and method for securing computer infrastructure and devices that depend on cloud platforms
CN116015925A (en) Data transmission method, device, equipment and medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20847538; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 20847538; Country of ref document: EP; Kind code of ref document: A1