CN110489611B - Intelligent clue analysis method and system - Google Patents


Info

Publication number: CN110489611B
Application number: CN201910787650.8A
Authority: CN (China)
Prior art keywords: case, clue, preliminary, preset, library
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN110489611A (en)
Inventors: 罗琪, 范渊
Current Assignee: DBAPPSecurity Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: DBAPPSecurity Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Events
    • Application filed by DBAPPSecurity Co Ltd
    • Priority to CN201910787650.8A
    • Publication of CN110489611A
    • Application granted
    • Publication of CN110489611B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

    • G06F16/901 (Physics; Computing; Electric digital data processing; Information retrieval and database structures; Details of database functions independent of the retrieved data types): Indexing; Data structures therefor; Storage structures
    • G06F16/90335 (Physics; Computing; Electric digital data processing; Information retrieval and database structures; Querying): Query processing
    • G06Q50/26 (Physics; Computing; ICT specially adapted for administrative, commercial, financial, managerial or supervisory purposes; ICT for business processes of specific sectors; Services): Government or public services
    • H04L63/20 (Electricity; Electric communication technique; Transmission of digital information; Network architectures or protocols for network security): managing network security; network security policies in general

Abstract

The invention provides an intelligent clue analysis method and system in the technical field of cyberspace security. The method comprises the following steps: extracting alarm data provided by a third-party platform from an alarm library; extracting at least one preset rule from a rule base; matching the alarm data against the at least one preset rule to obtain target alarm data; processing the target alarm data to obtain a preliminary clue; judging, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in a preset case library; if so, checking the case state of that case; and if the case state is in progress, extending the preliminary clue into the case clue library of the case to obtain the updated case clue of the case. The target alarm data, preliminary clues and case clues of the invention improve the richness of clues and greatly reduce the manpower and time required, thereby reducing the difficulty of detecting, investigating and analysing clues.

Description

Intelligent clue analysis method and system
Technical Field
The invention relates to the technical field of cyberspace security, and in particular to an intelligent clue analysis method and system.
Background
With the continuous improvement of the degree of informatisation in China, crimes involving computer information systems are becoming more frequent and their impact on people is growing. In mass alarm data it is difficult to find common points quickly by hand, and it is difficult to solve a case under investigation in a short time.
Existing collection tools such as APT and SOC platforms can collect a large amount of alarm data and provide analysis models such as DGA analysis, webshell analysis and targeted web attack detection analysis; using the rules of these models, the alarm data are aggregated into associated attack relations (referred to here as preliminary clues). However, these preliminary clues are too scattered to be applied directly to cases, and manual analysis is still needed to verify whether they belong to the same case.
In the prior art, a large amount of data is compared and analysed manually, which wastes time and labour and makes the investigation period relatively long; during that period the attacker may strike again, causing economic loss or inconvenience to others.
Disclosure of Invention
The invention aims to provide an intelligent clue analysis method and system that improve the richness of clues and greatly reduce the manpower and time required, thereby reducing the difficulty of detecting, investigating and analysing clues.
The invention provides an intelligent clue analysis method comprising the following steps: extracting alarm data provided by a third-party platform from an alarm library; extracting at least one preset rule from a rule base; matching the alarm data against the at least one preset rule to obtain target alarm data; processing the target alarm data to obtain a preliminary clue; judging, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in a preset case library; if so, checking the case state of that case; and if the case state is in progress, extending the preliminary clue into the case clue library of the case to obtain the updated case clue of the case.
Further, the method further comprises: if no such case exists, generating a case corresponding to the preliminary clue in the preset case library and extending the preliminary clue, as a case clue, into the case clue library of that case; or, if the case state is detected or abandoned, generating a case corresponding to the preliminary clue in the preset case library and extending the preliminary clue, as a case clue, into the case clue library of that case.
Further, the preliminary clue is composed of at least one attack chain, where each attack chain is determined by at least one item of target alarm data.
Further, the third-party platform comprises one or more of SOC, APT and G01.
The invention provides an intelligent clue analysis system comprising a first extraction module, a second extraction module, a preliminary clue module and a case clue module. The first extraction module is used to extract the alarm data provided by the third-party platform from the alarm library; the second extraction module is used to extract at least one preset rule from the rule base; the preliminary clue module is connected to the first extraction module and the second extraction module respectively and is used to match the alarm data against the at least one preset rule to obtain target alarm data, and further to process the target alarm data to obtain a preliminary clue; the case clue module is used to judge, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in a preset case library, if so to check the case state of that case, and, if the case state is in progress, to extend the preliminary clue into the case clue library of the case to obtain the updated case clue of the case.
Further, the preset rules comprise fixed rules and custom rules, and the rule base comprises a fixed rule base and a custom rule base; the fixed rule base stores the fixed rules and the custom rule base stores the custom rules.
Further, the fixed rules include: DGA analysis, WEBSHELL analysis, C&C remote connection analysis, targeted web attack detection analysis, SMB remote overflow attack event, one-sentence web backdoor brute forcing, SSH brute force cracking, RDP brute force cracking and FTP brute force cracking.
Further, a custom rule comprises one or more of the following fields: rule name, effective start and end time, device type, threat type, data source, usage scenario, attack source configuration and attack target configuration.
Further, the attack source configuration includes: attack source, whether intelligence is matched, whether feature similarity is judged, attack threshold and attack features.
Further, the attack target configuration includes one or more of: attack target, whether intelligence is matched, attack target domain name, attack frequency threshold and attack target industry.
The invention provides an intelligent clue analysis method and system comprising the following steps: extracting alarm data provided by a third-party platform from an alarm library; extracting at least one preset rule from a rule base; matching the alarm data against the at least one preset rule to obtain target alarm data; processing the target alarm data to obtain a preliminary clue; judging, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in a preset case library; if so, checking the case state of that case; and if the case state is in progress, extending the preliminary clue into the case clue library of the case to obtain the updated case clue of the case. The target alarm data, preliminary clues and case clues of the invention improve the richness of clues: the existing alarm data is analysed into preliminary clues, and the preliminary clues are then automatically converted into high-grade, usable case clues, which greatly reduces the manpower and time required and further reduces the difficulty of detecting, investigating and analysing clues.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of an intelligent clue analysis method according to an embodiment of the present invention;
Fig. 2 is a diagram of preliminary clues provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of a case clue according to an embodiment of the present invention;
Fig. 4 is a flowchart of another intelligent clue analysis method according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an intelligent clue analysis system according to an embodiment of the present invention.
Icons:
11 - first extraction module; 12 - second extraction module; 13 - preliminary clue module; 14 - case clue module.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be apparent that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, comparison and analysis of a large amount of data is performed manually, which wastes time and labour and makes the investigation period relatively long; during that period the attacker may strike again, causing economic loss or inconvenience to others. Based on this, the intelligent clue analysis method and system provided by the embodiments of the invention improve the richness of clues through target alarm data, preliminary clues and case clues: the existing alarm data is analysed into preliminary clues, and the preliminary clues are then automatically converted into high-level, usable case clues, which greatly reduces the manpower and time required and reduces the difficulty of detecting, investigating and analysing clues.
To aid understanding of the present embodiment, the intelligent clue analysis method disclosed in the embodiment of the present invention is first described in detail.
The first embodiment is as follows:
Referring to Fig. 1, an embodiment of the present invention provides an intelligent clue analysis method comprising the following steps:
Step S101, extracting alarm data provided by a third-party platform from an alarm library.
In an embodiment of the invention, the third-party platform comprises one or more of SOC, APT and G01. APT here refers to an advanced persistent threat, which is in essence a targeted attack. An APT uses advanced attack means to carry out a long-term, persistent network attack on a target; compared with other forms of attack it is more advanced, and that advancement lies mainly in the fact that the attacker needs to accurately collect the target's business processes and target systems before launching the attack. The alarm data provided by the third-party platform may correspond to different cases, for example: the 1st to 10th alarm records correspond to case A, the 11th to 15th to case B, and the 16th to 100th to case C.
Step S102, extracting at least one preset rule from a rule base.
In the embodiment of the present invention, the preset rules include fixed rules and custom rules, where the fixed rules include but are not limited to: DGA analysis, WEBSHELL analysis, C&C remote connection analysis, targeted web attack detection analysis, SMB remote overflow attack event, one-sentence web backdoor brute forcing, SSH brute force cracking, RDP brute force cracking and FTP brute force cracking. Custom rules can be added by the user; a custom rule has multiple fields, including but not limited to: rule name, effective start and end time, device type, threat type, data source, usage scenario, attack source configuration and attack target configuration.
Step S103, matching the alarm data against at least one preset rule to obtain target alarm data.
In the embodiment of the invention, the alarm data comprises target alarm data, which can be matched by a preset rule, and invalid alarm data, which is irrelevant to the preset rules. Note that the target alarm data is the successfully matched, valid alarm data. The alarm data matched by at least one preset rule can be screened manually, or matching can be implemented through third-party service software or a platform with Python-based analysis, which is not described further here.
Step S104, processing the target alarm data to obtain a preliminary clue.
The processing in this embodiment includes cluster analysis; that is, after cluster analysis the target alarm data is automatically converted into a preliminary clue of a case. Cluster analysis means classifying the target alarm data so that the preliminary clues become concrete and the preliminary clues associated with the same case are obtained; the number of preliminary clues may be 0. Referring to Fig. 2, the embodiment provides a preliminary clue graph corresponding to a preliminary clue. The graph shows 3 attack targets and 1 attack source; the information between the attack source and any one of the attack targets is an attack chain, and each attack chain is composed of multiple alarm records. The preliminary clue therefore consists of at least one attack chain, where each attack chain is determined by at least one item of target alarm data. The target alarm data on a given attack chain has the same or similar characteristics.
Step S105, judging, based on the preset clue matching rule, whether a case corresponding to the preliminary clue exists in the preset case library.
In the embodiment of the present invention, the preset clue matching rules include, but are not limited to: the IP addresses of the unit's assets, website information and unit information. The cases in the preset case library are established by the clue analysis method of this embodiment; see steps S107 and S109 of this embodiment for details. The preset case library may be an empty set: before the clue analysis method of the embodiment is run for the first time no case has been filed, so the preset case library contains no cases. As the steps of this embodiment are executed in sequence, cases are filed continuously, so the preset case library may also contain a plurality of cases. The embodiment does not limit the number of cases the preset case library can store. In addition, the present embodiment may display the cases in the preset case library on the client so that the relevant personnel can process them, where the processing includes but is not limited to: modifying the case state, deleting a case and grading a case.
Step S106, if the case exists, checking the case state of the case.
In the embodiment of the invention, every case in the preset case library has its own case state, including but not limited to in progress, detected and abandoned. The in-progress state is also referred to as case filed.
Step S108, if the case state is in progress, extending the preliminary clue into the case clue library of the case to obtain the updated case clue of the case.
In the embodiment of the invention, a preliminary clue whose IP address belongs to the same unit asset is associated with the case, and the case clue already in the case clue library together with the preliminary clue form the updated case clue of the case. In practice, whether preliminary clues belong to the same case is confirmed by matching the IP address of the attack target and the IP address of the attack source, and website attacks belonging to the same case within the same unit are merged into case clues. A case clue takes a company or a department as its unit; each website under the same unit can involve a plurality of preliminary clues, and one preliminary clue can involve a plurality of websites. Referring to Fig. 3, the case clues correspond to the case clue graph, and compared with the preliminary clues the case clues are more real and effective.
The embodiment of the invention provides an intelligent clue analysis method comprising the following steps: extracting alarm data provided by a third-party platform from an alarm library; extracting at least one preset rule from a rule base; matching the alarm data against the at least one preset rule to obtain target alarm data; processing the target alarm data to obtain a preliminary clue; judging, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in a preset case library; if so, checking the case state of that case; and if the case state is in progress, extending the preliminary clue into the case clue library of the case to obtain the updated case clue of the case. The target alarm data, preliminary clues and case clues of the embodiment improve the richness of clues: the existing alarm data is analysed into preliminary clues, and the preliminary clues are then automatically converted into high-grade, usable case clues, which greatly reduces the manpower and time required and reduces the difficulty of detecting, investigating and analysing clues.
In an embodiment of the present invention, referring to fig. 4, the method further includes the steps of:
Step S107, if the case does not exist, generating a case corresponding to the preliminary clue in the preset case library and extending the preliminary clue, as a case clue, into the case clue library of that case.
In the embodiment of the invention, if no case corresponding to the preliminary clue exists in the preset case library, a case corresponding to the preliminary clue is automatically generated in the preset case library as a newly added case. In addition, the preliminary clue may be displayed on the client as a case clue of that case, so that the relevant personnel can decide whether to file the case and perform operations such as confirming its case state.
Step S109, if the case state is detected or abandoned, generating a case corresponding to the preliminary clue in the preset case library and extending the preliminary clue, as a case clue, into the case clue library of that case.
In the embodiment of the invention, each case has a case state, and whether a matching case exists, and its state if it does, determine what is done with the preliminary clue matched to it. For example, if a case exists and its state is in progress (case filed), the preliminary clue is automatically extended into the existing clue of the case to form a new clue, which is displayed on the client so that the relevant personnel can reconfirm the case state; if a case exists but its state is detected or abandoned, the preliminary clue can play no role in that case, so a new case is automatically generated and displayed on the client so that the relevant personnel can confirm whether the new case is filed and what its state is.
For example, several FTP alarm records may match the FTP brute force cracking rule and produce an FTP brute force cracking preliminary clue; through the preset clue matching rules this becomes an FTP brute force cracking attack case clue for a given website. That website belongs to a given unit; if the unit already has an FTP brute force cracking attack case clue for this or another website, the preliminary clue is automatically expanded into that unit's brute force cracking case clue. The FTP brute force cracking attack case clue is displayed on the client so that the relevant personnel can confirm the operation and confirm whether the event is real and effective.
During clue expansion, if the preliminary clue associated with the existing case clue of a case has 5 attack chains and an attack related to that case occurs again, the newly generated attack chain is added to the existing case clue by way of a new preliminary clue rather than by creating a new case clue; that is, as long as the case is not closed, the case clue keeps accumulating attack chains and becomes more accurate. This real-time expansion greatly improves the timeliness and effectiveness of case clues and reduces the difficulty of detecting, investigating and analysing clues.
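The procedure of steps S101 to S109, as one added illustration that is not the patent's own code. It assumes a constructed set of alarm records, a hypothetical encoding of a fixed rule as an alarm type plus the minimum number of alarms an attack chain needs, and a constructed unit-asset table as the preset clue matching rule; attack chains are grouped by (rule, source, target) as in the Fig. 2 description, and the case library is handled exactly as steps S105 to S109 describe (extend a case in progress, open a new case when none exists or the existing one is detected or abandoned).

```python
"""Worked example for steps S101-S109 of the clue analysis method.
Added illustration, not the patent's own code; rule format, sample alarm
data and the unit-asset table are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Tuple

# S101: constructed alarm data as a third-party platform (SOC/APT) might supply it.
ALARMS = [
    {"id": 1, "src": "203.0.113.5", "dst": "192.0.2.10", "type": "ssh_login_failed"},
    {"id": 2, "src": "203.0.113.5", "dst": "192.0.2.10", "type": "ssh_login_failed"},
    {"id": 3, "src": "203.0.113.5", "dst": "192.0.2.11", "type": "ssh_login_failed"},
    {"id": 4, "src": "203.0.113.5", "dst": "192.0.2.11", "type": "ssh_login_failed"},
    {"id": 5, "src": "198.51.100.7", "dst": "192.0.2.10", "type": "http_get"},
    {"id": 6, "src": "203.0.113.5", "dst": "192.0.2.12", "type": "ssh_login_failed"},
]

# S102: a fixed rule from the rule base (hypothetical encoding: alarm type plus the
# minimum number of alarms an attack chain needs before it counts as a clue).
FIXED_RULES = {"SSH brute force cracking": {"type": "ssh_login_failed", "min_count": 2}}

# Preset clue matching rule (constructed): IP addresses of unit assets -> owning unit.
UNIT_ASSETS = {"192.0.2.10": "unit-A", "192.0.2.11": "unit-A", "192.0.2.12": "unit-B"}

Chain = Tuple[str, str, Tuple[int, ...]]  # (attack source, attack target, alarm ids)


@dataclass
class Case:
    unit: str
    rule: str
    state: str = "in progress"            # in progress / detected / abandoned
    clue_library: List[Chain] = field(default_factory=list)


def match_rules(alarms, rules):
    """S103: keep only alarms matched by some preset rule (the target alarm data)."""
    return [(name, a) for a in alarms
            for name, r in rules.items() if a["type"] == r["type"]]


def cluster(target_alarms, rules):
    """S104: group target alarms by (rule, source, target) into attack chains;
    chains with enough alarms make up the preliminary clue for that rule."""
    chains = defaultdict(list)
    for name, a in target_alarms:
        chains[(name, a["src"], a["dst"])].append(a["id"])
    clues = defaultdict(list)
    for (name, src, dst), ids in chains.items():
        if len(ids) >= rules[name]["min_count"]:
            clues[name].append((src, dst, tuple(ids)))
    return clues


def find_case(case_library, unit, rule):
    """S105: the newest case for the same unit and rule, or None."""
    for case in reversed(case_library):
        if case.unit == unit and case.rule == rule:
            return case
    return None


def analyse(alarms, rules, case_library):
    """S105-S109: file each attack chain of a preliminary clue into the case library."""
    for rule, chains in cluster(match_rules(alarms, rules), rules).items():
        for src, dst, ids in chains:
            unit = UNIT_ASSETS.get(dst)
            if unit is None:
                continue                      # target is not a unit asset: no case match
            case = find_case(case_library, unit, rule)
            if case is None or case.state in ("detected", "abandoned"):
                # S107 / S109: open a new case; the clue becomes its first case clue
                case = Case(unit=unit, rule=rule)
                case_library.append(case)
            elif (src, dst, ids) in case.clue_library:
                continue                      # already filed on an earlier run
            # S108: the case is in progress, so the chain extends its clue library
            case.clue_library.append((src, dst, ids))
    return case_library


if __name__ == "__main__":
    for c in analyse(ALARMS, FIXED_RULES, []):
        print(c.unit, c.rule, c.state, c.clue_library)
```

On the sample data, alarm 5 is invalid alarm data (no rule matches it) and the single alarm against 192.0.2.12 is below the chain threshold, so one case for unit-A is opened with two attack chains; re-running on the same alarms adds nothing, and once the case is marked detected a fresh chain opens a second case, as step S109 requires.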
The embodiment of the invention improves the accuracy and richness of clues, obtains clues faster, reduces the manpower required and shortens the analysis time. It can therefore help a unit or website learn of an attack as early as possible and avoid loss, or help the police detect and investigate a case.
The second embodiment:
Referring to Fig. 5, an embodiment of the present invention provides an intelligent clue analysis system comprising a first extraction module 11, a second extraction module 12, a preliminary clue module 13 and a case clue module 14;
the first extraction module 11 is configured to extract alarm data provided by a third-party platform from an alarm library;
the second extraction module 12 is configured to extract at least one preset rule from the rule base;
the preliminary clue module 13 is connected to the first extraction module 11 and the second extraction module 12 respectively, and is configured to match the alarm data against at least one preset rule to obtain target alarm data, and further to process the target alarm data to obtain a preliminary clue;
the case clue module 14 is configured to judge, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in the preset case library; if so, to check the case state of that case; and if the case state is in progress, to extend the preliminary clue into the case clue library of the case to obtain the updated case clue of the case.
In the embodiment of the present invention, the intelligent clue analysis system matches the alarm data obtained from platforms such as APT against the preset rules in the rule base and finally derives case clues from it. The embodiment automatically aggregates and analyses a plurality of target alarm records into preliminary clues, and the preliminary clues then form the case clues of a case, which facilitates the investigation work.
The invention provides an intelligent clue analysis system comprising a first extraction module 11, a second extraction module 12, a preliminary clue module 13 and a case clue module 14. The first extraction module 11 is configured to extract alarm data provided by a third-party platform from an alarm library; the second extraction module 12 is configured to extract at least one preset rule from the rule base; the preliminary clue module 13 is connected to the first extraction module 11 and the second extraction module 12 respectively, and is configured to match the alarm data against at least one preset rule to obtain target alarm data, and further to process the target alarm data to obtain a preliminary clue; the case clue module 14 is configured to judge, based on a preset clue matching rule, whether a case corresponding to the preliminary clue exists in the preset case library, if so to check the case state of that case, and, if the case state is in progress, to extend the preliminary clue into the case clue library of the case to obtain the updated case clue of the case. The target alarm data, preliminary clues and case clues of the embodiment improve the richness of clues: the existing alarm data is analysed into preliminary clues, and the preliminary clues are then automatically converted into high-grade, usable case clues, which greatly reduces the manpower and time required and reduces the difficulty of detecting, investigating and analysing clues.
Further, the intelligent clue analysis system further comprises:
a first generation module, configured to generate a case corresponding to the preliminary clue in the preset case library if no such case exists, and to extend the preliminary clue, as a case clue, into the case clue library of that case;
or,
a second generation module, configured to generate a case corresponding to the preliminary clue in the preset case library if the case state is detected or abandoned, and to extend the preliminary clue, as a case clue, into the case clue library of that case.
Further, the preset rules comprise fixed rules and custom rules, and the rule base comprises a fixed rule base and a custom rule base;
in the embodiment of the invention, the fixed rule base stores the fixed rules and the custom rule base stores the custom rules.
Further, the fixed rules include: DGA analysis, WEBSHELL analysis, C&C remote connection analysis, targeted web attack detection analysis, SMB remote overflow attack event, one-sentence web backdoor brute forcing, SSH brute force cracking, RDP brute force cracking and FTP brute force cracking.
Further, a custom rule includes one or more of the following fields: rule name, effective start and end time, device type, threat type, data source, usage scenario, attack source configuration and attack target configuration.
Further, the attack source configuration comprises: attack source, whether intelligence is matched, whether feature similarity is judged, attack threshold and attack features.
Further, the attack target configuration comprises one or more of: attack target, whether intelligence is matched, attack target domain name, attack frequency threshold and attack target industry.
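A custom rule carrying the fields listed above, together with a matcher that applies it to alarm data to produce target alarm data (step S103 with a custom rule). This is an added illustration, not code from the patent or from DBAPPSecurity: the field encodings, the threat-intelligence list, the use of Jaccard similarity for "whether feature similarity is judged" and its 0.5 cut-off, and the sample alarm records are all constructed assumptions.

```python
"""Worked example of a custom rule and its matcher. Added illustration, not the
patent's code; field encodings, intelligence list, similarity measure and the
sample alarms are assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set


@dataclass
class AttackSourceConfig:
    attack_source: Optional[str] = None        # restrict to one source IP, if set
    match_intelligence: bool = False           # source must appear in threat intelligence
    judge_feature_similarity: bool = False     # compare alarm features with rule features
    attack_threshold: int = 1                  # minimum alarms from the same source
    attack_features: Set[str] = field(default_factory=set)


@dataclass
class AttackTargetConfig:
    attack_target: Optional[str] = None        # restrict to one target IP, if set
    match_intelligence: bool = False           # target must appear in threat intelligence
    target_domain: Optional[str] = None
    frequency_threshold: int = 1               # minimum alarms against the same target
    target_industry: Optional[str] = None


@dataclass
class CustomRule:
    rule_name: str
    effective_start: datetime
    effective_end: datetime
    device_type: Optional[str]
    threat_type: Optional[str]
    data_source: Optional[str]
    usage_scenario: Optional[str]
    source_cfg: AttackSourceConfig
    target_cfg: AttackTargetConfig


THREAT_INTEL = {"203.0.113.5"}   # constructed intelligence list
SIMILARITY_MIN = 0.5             # assumed Jaccard cut-off for feature similarity


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def alarm_matches(rule: CustomRule, alarm: dict) -> bool:
    """Per-alarm field checks; a field set to None in the rule is not constrained."""
    if not rule.effective_start <= alarm["time"] <= rule.effective_end:
        return False
    for key in ("device_type", "threat_type", "data_source", "usage_scenario"):
        want = getattr(rule, key)
        if want is not None and alarm.get(key) != want:
            return False
    s, t = rule.source_cfg, rule.target_cfg
    if s.attack_source is not None and alarm["src"] != s.attack_source:
        return False
    if s.match_intelligence and alarm["src"] not in THREAT_INTEL:
        return False
    if s.judge_feature_similarity and jaccard(alarm["features"], s.attack_features) < SIMILARITY_MIN:
        return False
    if t.attack_target is not None and alarm["dst"] != t.attack_target:
        return False
    if t.match_intelligence and alarm["dst"] not in THREAT_INTEL:
        return False
    if t.target_domain is not None and alarm.get("domain") != t.target_domain:
        return False
    if t.target_industry is not None and alarm.get("industry") != t.target_industry:
        return False
    return True


def apply_rule(rule: CustomRule, alarms: List[dict]) -> List[dict]:
    """Target alarm data: alarms passing the field checks whose source also reaches the
    attack threshold and whose target reaches the attack frequency threshold."""
    passed = [a for a in alarms if alarm_matches(rule, a)]
    by_src = Counter(a["src"] for a in passed)
    by_dst = Counter(a["dst"] for a in passed)
    return [a for a in passed
            if by_src[a["src"]] >= rule.source_cfg.attack_threshold
            and by_dst[a["dst"]] >= rule.target_cfg.frequency_threshold]


# Constructed rule: targeted web attacks on one finance portal seen by a WAF via the SOC.
WEB_RULE = CustomRule(
    rule_name="targeted SQL injection on finance portal",
    effective_start=datetime(2024, 5, 1), effective_end=datetime(2024, 5, 31),
    device_type="WAF", threat_type="web_attack", data_source="SOC", usage_scenario=None,
    source_cfg=AttackSourceConfig(match_intelligence=True, judge_feature_similarity=True,
                                  attack_threshold=2,
                                  attack_features={"sqli", "union", "select", "or"}),
    target_cfg=AttackTargetConfig(target_domain="portal.unit-a.test", frequency_threshold=2,
                                  target_industry="finance"),
)


def _alarm(t, src, dst, domain, feats):
    """Constructed alarm record in the shape the matcher expects."""
    return {"time": t, "device_type": "WAF", "threat_type": "web_attack", "data_source": "SOC",
            "src": src, "dst": dst, "domain": domain, "industry": "finance", "features": feats}


SAMPLE_ALARMS = [
    _alarm(datetime(2024, 5, 3, 9, 0), "203.0.113.5", "192.0.2.10", "portal.unit-a.test", {"sqli", "union", "select"}),
    _alarm(datetime(2024, 5, 3, 9, 5), "203.0.113.5", "192.0.2.10", "portal.unit-a.test", {"sqli", "select"}),
    _alarm(datetime(2024, 5, 3, 9, 7), "198.51.100.7", "192.0.2.10", "portal.unit-a.test", {"sqli", "union"}),  # not in intelligence
    _alarm(datetime(2024, 4, 20, 9, 0), "203.0.113.5", "192.0.2.10", "portal.unit-a.test", {"sqli", "union"}),  # outside effective time
    _alarm(datetime(2024, 5, 3, 9, 9), "203.0.113.5", "192.0.2.20", "shop.unit-b.test", {"sqli", "union"}),     # other domain
]

if __name__ == "__main__":
    for a in apply_rule(WEB_RULE, SAMPLE_ALARMS):
        print(a["time"], a["src"], "->", a["domain"], sorted(a["features"]))
```

Only the two alarms from the intelligence-listed source, inside the effective window and against the configured domain, survive the field checks; since that source then meets the attack threshold of 2 and the target meets the frequency threshold of 2, both are returned as target alarm data, while the other three are invalid alarm data for this rule.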
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
In addition, in the description of the embodiments of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as being fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in a specific case to those of ordinary skill in the art.
The functions may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The computer program product of the intelligent clue analysis method provided in the embodiment of the present invention includes a computer-readable storage medium storing a program code, where instructions included in the program code may be used to execute the method described in the foregoing method embodiment, and specific implementation may refer to the method embodiment, which is not described herein again.
In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, and are only for convenience of description and simplicity of description, but do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. An intelligent clue analysis method, comprising:
extracting alarm data provided by a third-party platform from an alarm library;
extracting at least one preset rule from a rule base;
matching the alarm data with the at least one preset rule to obtain target alarm data; the target alarm data is alarm data successfully matched with the at least one preset rule;
processing the target alarm data to obtain a preliminary clue; the preliminary clue consists of at least one attack chain, wherein each attack chain is determined by at least one target alarm data; the information between the attack source and any attack target is an attack chain;
judging whether a case corresponding to the preliminary clue exists in a preset case library or not based on a preset clue matching rule; the preset clue matching rule comprises: the IP address, website information and unit information of the unit assets;
if the case exists, the preliminary clue is used as a case clue of the case and is displayed on a client, so that related personnel can view the case state of the case through the client and carry out a confirmation operation on the case state of the case;
if the case state is in progress, the preliminary clues are expanded to a case clue library of the case to obtain case clues updated by the case;
the step of expanding the preliminary clue to a case clue library of the case to obtain the case clue of the case update comprises the following steps: associating the preliminary clue with the case, and then combining the existing case clue of the case in the case clue library with the preliminary clue to form a case clue for updating the case;
the method further comprises the following steps:
displaying the cases in the preset case library on the client, so that the related personnel can process the cases in the preset case library through the client; wherein, processing the case in the preset case library at least comprises: modifying the case state and/or deleting the case and/or grading the case.
2. The method of claim 1, further comprising:
if not, generating a case corresponding to the preliminary clue in the preset case library, and extending the preliminary clue serving as a case clue to a case clue library of the case;
or,
and if the case state is detected or abandoned, generating a case corresponding to the preliminary clue in the preset case library, and using the preliminary clue as a case clue to expand the case clue to the case clue library of the case.
3. The clue analysis method of claim 1, wherein the third-party platform comprises one or more of SOC, APT, G01.
4. An intelligent clue analysis system, comprising: a first extraction module, a second extraction module, a preliminary clue module and a case clue module;
the first extraction module is used for extracting the alarm data provided by the third-party platform from the alarm library;
the second extraction module is used for extracting at least one preset rule from the rule base;
the preliminary clue module is respectively connected with the first extraction module and the second extraction module and is used for matching the alarm data with the at least one preset rule to obtain target alarm data; the target alarm data is alarm data successfully matched with the at least one preset rule; the preliminary clue module is also used for processing the target alarm data to obtain a preliminary clue; the preliminary clue consists of at least one attack chain, wherein each attack chain is determined by at least one target alarm data; the information between the attack source and any attack target is an attack chain;
the case clue module is used for judging whether a case corresponding to the preliminary clue exists in a preset case library or not based on a preset clue matching rule; if the case exists, the preliminary clue is used as a case clue of the case and is displayed on a client, so that related personnel can view the case state of the case through the client and carry out a confirmation operation on the case state of the case; if the case state is in progress, the preliminary clue is expanded to a case clue library of the case to obtain a case clue of the case update; the preset clue matching rule comprises: the IP address, website information and unit information of the unit assets;
the case clue module is further configured to: associate the preliminary clue with the case, and then combine the existing case clue of the case in the case clue library with the preliminary clue to form a case clue for updating the case;
the case clue module is further configured to: display the cases in the preset case library on the client, so that related personnel can process the cases in the preset case library through the client; wherein processing the cases in the preset case library at least comprises: modifying the case state and/or deleting the case and/or grading the case.
5. The clue analysis system of claim 4, wherein the preset rules comprise fixed rules and custom rules, and wherein the rule base comprises a fixed rule base and a custom rule base;
the fixed rule base is used for storing the fixed rules;
and the custom rule base is used for storing the custom rule.
6. The clue analysis system of claim 5, wherein the fixed rules comprise: DGA analysis, WEBSHELL analysis, C&C remote loop analysis, targeted WEB attack detection analysis, SMB remote overflow attack event, one-sentence WEB backdoor blasting, SSH brute force cracking, RDP brute force cracking and FTP brute force cracking.
7. The clue analysis system of claim 5, wherein the custom rule comprises one or more of the following fields: rule name, effective start-stop time, device type, threat type, data source, usage scenario, attack source configuration, and attack target configuration.
8. The clue analysis system of claim 7, wherein the attack source configuration comprises: attack source, whether intelligence is matched, whether feature similarity is judged, attack threshold and attack features.
9. The clue analysis system of claim 8, wherein the attack target configuration comprises one or more of: attack target, whether intelligence is matched, attack target domain name, attack frequency threshold and attack target industry.
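The pipeline of claims 1, 2 and 4 (alarm data → preset-rule match → preliminary clue of attack chains → case matching and case-clue expansion) as an added, self-contained Python sketch; it is not code from the patent or its assignee, and the rule set, asset model, alarm records and IP addresses below are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Alarm:
    src: str       # attack source (e.g. attacker IP)
    dst: str       # attack target (IP or website of a unit asset)
    threat: str    # threat type reported by the third-party platform
    platform: str  # e.g. "SOC"


# Constructed stand-in for the fixed rule base: an alarm matches when its threat type is listed.
FIXED_RULES = {"SSH brute force cracking", "RDP brute force cracking", "WEBSHELL analysis"}


def match_alarms(alarms, rules=FIXED_RULES):
    """Claim 1: target alarm data = alarms successfully matched with at least one preset rule."""
    return [a for a in alarms if a.threat in rules]


def build_preliminary_clue(target_alarms):
    """Claim 1: the preliminary clue is a set of attack chains, one per
    (attack source, attack target) pair, each determined by one or more target alarms."""
    chains = {}
    for a in target_alarms:
        chains.setdefault((a.src, a.dst), []).append(a.threat)
    return chains


@dataclass
class Case:
    case_id: str
    state: str                                 # "in progress", "detected" or "abandoned"
    assets: set                                # IPs / websites / unit info of the unit assets
    clues: dict = field(default_factory=dict)  # the case clue library (chain -> threats)


def find_case(clue, case_library):
    """Preset clue matching rule (simplified here to one field): a chain's attack
    target is recorded as an asset of the case."""
    for case in case_library:
        if any(dst in case.assets for (_, dst) in clue):
            return case
    return None


def process_clue(clue, case_library, new_case_id):
    """Claims 1-2: expand an in-progress case; otherwise open a new case for the clue."""
    case = find_case(clue, case_library)
    if case is None or case.state in ("detected", "abandoned"):
        case = Case(new_case_id, "in progress", assets={dst for (_, dst) in clue})
        case_library.append(case)
    # "in progress": merge the existing case clues with the preliminary clue
    for chain, threats in clue.items():
        case.clues.setdefault(chain, []).extend(threats)
    return case
```

Running two identical clues against an empty library opens one case and then extends it; marking that case "detected" makes the next clue open a fresh case, as claim 2 requires.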
CN201910787650.8A 2019-08-23 2019-08-23 Intelligent clue analysis method and system Active CN110489611B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910787650.8A CN110489611B (en) 2019-08-23 2019-08-23 Intelligent clue analysis method and system

Publications (2)

Publication Number Publication Date
CN110489611A CN110489611A (en) 2019-11-22
CN110489611B true CN110489611B (en) 2022-12-30

Family

ID=68553909

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910787650.8A Active CN110489611B (en) 2019-08-23 2019-08-23 Intelligent clue analysis method and system

Country Status (1)

Country Link
CN (1) CN110489611B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111369417A (en) * 2020-03-05 2020-07-03 青岛海信网络科技股份有限公司 Case clue obtaining method and device based on technical and tactical model

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2882159A1 (en) * 2013-12-06 2015-06-10 Cyberlytic Limited Profiling cyber threats detected in a target environment and automatically generating one or more rule bases for an expert system usable to profile cyber threats detected in a target environment
CN105376245A (en) * 2015-11-27 2016-03-02 杭州安恒信息技术有限公司 Rule-based detection method of ATP attack behavior
CN105681286A (en) * 2015-12-31 2016-06-15 中电长城网际***应用有限公司 Association analysis method and association analysis system
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on attack scenario association rule mining based on alarm attribute clustering; Chen Xingshu et al.; Advanced Engineering Sciences (工程科学与技术); 2019-05-31; Vol. 51 (No. 03); full text *

Also Published As

Publication number Publication date
CN110489611A (en) 2019-11-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant