CN112398849B - Method and device for updating embedded threat information data set - Google Patents


Info

Publication number
CN112398849B
Authority
CN
China
Prior art keywords
threat intelligence
data set
embedded
intelligence data
threat
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011265053.8A
Other languages
Chinese (zh)
Other versions
CN112398849A (en
Inventor
刘彤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd filed Critical Beijing Topsec Technology Co Ltd
Priority to CN202011265053.8A priority Critical patent/CN112398849B/en
Publication of CN112398849A publication Critical patent/CN112398849A/en
Application granted granted Critical
Publication of CN112398849B publication Critical patent/CN112398849B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Alarm Systems (AREA)

Abstract

The application relates to the technical field of network security and provides a method and a device for updating an embedded threat intelligence data set. Based on the idea that frequently used threat intelligence data is more valuable and should be placed in the embedded threat intelligence data set, the method ties the query record parameter of each piece of threat intelligence data to the update action: when a query record parameter exceeds the preset threshold (indicating that the threat intelligence data is queried frequently), that threat intelligence data is updated into the embedded threat intelligence data set.

Description

Method and device for updating embedded threat information data set
Technical Field
The invention relates to the technical field of network security, in particular to an updating method and device of an embedded threat intelligence data set.
Background
The security detection device is deployed in bypass mode on the user network; by monitoring network message data and using known threat intelligence data, it discovers security events in time and raises alarms.
Using threat intelligence data to detect known threats is an efficient way to improve network security. However, the complete threat intelligence data set is huge: it can reach hundreds of millions or even billions of entries, so it can only be deployed on a cloud threat intelligence server and offered externally as a threat intelligence data query service.
The embedded threat intelligence data set is a reduced version of the huge threat intelligence data set. Its size can be cut from hundreds of millions of entries to millions while the high-value threat intelligence data in the complete data set is retained, so the data volume is greatly reduced and the embedded threat intelligence data set can be built into the security detection device.
The security detection device uses its built-in embedded threat intelligence data set for security detection, but that data set is limited in size and cannot cover everything, so it must be updated frequently to keep the threat intelligence data effective and current.
At present, the embedded threat intelligence data set in the security detection device is updated as follows: the embedded threat intelligence data set is placed on a network-accessible server; at regular intervals the large threat intelligence data set is manually reduced to generate a new embedded threat intelligence data set, which is uploaded to the server; and the security detection device periodically downloads the new embedded threat intelligence data set from the server to complete the update. Because the reduction is done manually, the labor cost is high and there is no guarantee that high-value threat intelligence data is selected from the threat intelligence data set, which results in low usability of the embedded threat intelligence data set.
Disclosure of Invention
An object of the embodiments of the present application is to provide an updating method and apparatus for an embedded threat intelligence data set, so as to address the above technical problems.
In order to achieve the above purpose, the present application provides the following technical solutions:
In a first aspect, an embodiment of the present application provides a method for updating an embedded threat intelligence data set, including: when a query request sent by a security detection device is detected, updating the query record parameter of at least one corresponding piece of threat intelligence data according to the query request, wherein the query request is used for querying the at least one piece of threat intelligence data; judging whether the query record parameter of each piece of threat intelligence data exceeds a preset threshold; and if a query record parameter exceeding the preset threshold exists, updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold, so that the security detection device obtains the updated embedded threat intelligence data set.
Based on the idea that frequently used threat intelligence data is more valuable and should be placed in the embedded threat intelligence data set, the method ties the query record parameter of each piece of threat intelligence data to the update action: when a query record parameter exceeds the preset threshold (indicating that the threat intelligence data is queried frequently), that threat intelligence data is updated into the embedded threat intelligence data set.
In an optional implementation, after updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold, the method further comprises: clearing the query record parameter of that threat intelligence data.
After the update is finished, the query record parameter of the corresponding threat intelligence data is cleared. When a security detection device queries that threat intelligence data again, the query record parameter is counted again from its starting value.
In an optional implementation, the embedded threat intelligence data set is deployed on an embedded threat intelligence server, and updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold includes: sending an update notification to the embedded threat intelligence server, wherein the update notification instructs the embedded threat intelligence server to update the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold.
The method separates the query service for threat intelligence data from the download service for the embedded threat intelligence data set: a separate embedded threat intelligence server updates the embedded threat intelligence data set and provides the updated data set to the security detection device, which makes service processing more efficient.
In an optional implementation, the method further comprises: when a download request sent by the security detection device is detected, determining from the download request whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device; and if so, providing the download resource of the current embedded threat intelligence data set to the security detection device, so that the security detection device obtains the updated embedded threat intelligence data set.
The download resource is provided only when the current embedded threat intelligence data set has been updated compared with the one last downloaded by the security detection device. When there is no update, the security detection device does not need to download the embedded threat intelligence data set again, which saves download time and network resources.
In a second aspect, an embodiment of the present application provides a method for updating an embedded threat intelligence data set, including: receiving an update notification sent by a cloud threat intelligence server, wherein the update notification is sent by the cloud threat intelligence server after it detects that a query record parameter exceeding a preset threshold exists, each query record parameter corresponds to one piece of threat intelligence data, and the query record parameter of a piece of threat intelligence data is updated after that threat intelligence data is queried by a security detection device; updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold; and when a download request sent by the security detection device is detected, providing the download resource of the embedded threat intelligence data set to the security detection device.
In an optional implementation, providing the download resource of the embedded threat intelligence data set to the security detection device when a download request sent by the security detection device is detected includes: when a download request sent by the security detection device is detected, determining from the download request whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device; and if so, providing the download resource of the current embedded threat intelligence data set to the security detection device, so that the security detection device obtains the updated embedded threat intelligence data set.
In an optional implementation, determining from the download request whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device comprises: judging whether the version number of the last downloaded embedded threat intelligence data set, carried in the download request, is consistent with the current version number of the embedded threat intelligence data set; and if they are inconsistent, determining that the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device.
The version number can be generated from the update date or in other ways. It identifies the version of the embedded threat intelligence data set last downloaded by the security detection device, so whether the embedded threat intelligence data set has been updated can be judged quickly.
In an optional implementation, updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold includes: updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold and, when the data volume of the threat intelligence data in the embedded threat intelligence data set exceeds a preset range, deleting the threat intelligence data with the earliest date from the embedded threat intelligence data set until the data volume is within the preset range.
The embedded threat intelligence data set has a limited data volume. If the data volume exceeds the specified range, old threat intelligence data is deleted, so that high-value and recently active threat intelligence data is kept as far as possible.
In a third aspect, an embodiment of the present application provides an apparatus for updating an embedded threat intelligence data set, including: a parameter updating module, configured to update, when a query request sent by a security detection device is detected, the query record parameter of at least one corresponding piece of threat intelligence data according to the query request, wherein the query request is used for querying the at least one piece of threat intelligence data; a parameter judging module, configured to judge whether the query record parameter of each piece of threat intelligence data exceeds a preset threshold; and a first updating module, configured to update, when a query record parameter exceeding the preset threshold exists, the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold, so that the security detection device obtains the updated embedded threat intelligence data set.
In a fourth aspect, an embodiment of the present application provides an apparatus for updating an embedded threat intelligence data set, including: an update indicating module, configured to receive an update notification sent by a cloud threat intelligence server, wherein the update notification is sent by the cloud threat intelligence server after it detects that a query record parameter exceeding a preset threshold exists, each query record parameter corresponds to one piece of threat intelligence data, and the query record parameter of a piece of threat intelligence data is updated after that threat intelligence data is queried by a security detection device; a second updating module, configured to update the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold; and a downloading module, configured to provide the download resource of the embedded threat intelligence data set to the security detection device when a download request sent by the security detection device is detected.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
FIG. 1 is a schematic diagram of an embedded threat intelligence data set update system provided in a first embodiment of the present application;
FIG. 2 is a flow chart illustrating a method for updating an embedded threat intelligence data set according to a first embodiment of the present application;
FIG. 3 is a flow chart showing the downloading of an embedded threat intelligence data set by a security detection apparatus in a first embodiment of the present application;
FIG. 4 is a flow chart of one embodiment of a method for updating embedded threat intelligence data sets provided in a first embodiment of the present application;
FIG. 5 is a schematic diagram of an embedded threat intelligence data set update system provided in a second embodiment of the present application;
FIG. 6 is a flow chart of one embodiment of a method for updating an embedded threat intelligence data set provided by a second embodiment of the present application;
FIG. 7 is a schematic diagram of an embedded threat intelligence data set updating apparatus according to a third embodiment of the present application;
FIG. 8 is a schematic diagram of another embedded threat intelligence data set update apparatus provided in a third embodiment of the present application;
FIG. 9 shows a schematic diagram of a server provided in a third embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined or explained in subsequent figures. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element. The terms "first," "second," "third," and the like are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
Threat intelligence is defined as evidence-based knowledge that includes context, mechanism, metrics, impact, and operational recommendations. Threat intelligence describes an existing or imminent threat or danger to an asset and may be used to notify a subject to take some response to the relevant threat or danger. In short, threat intelligence is a collection of information on potential and non-potential hazards to a user or business. Thus, the security detection device can use known threat intelligence data for security detection.
First embodiment
In the present embodiment, as shown in fig. 1, the updating system of an embedded threat intelligence data set includes a security detection device 110, a cloud threat intelligence server 120, and an embedded threat intelligence server 130. Security detection device 110 is respectively network connected to cloud threat intelligence server 120 and embedded threat intelligence server 130, and cloud threat intelligence server 120 is network connected to embedded threat intelligence server 130.
The security detection device 110 is deployed in bypass mode on the user network and has an embedded threat intelligence data set built in. A complete threat intelligence data set is deployed on the cloud threat intelligence server 120 and is offered externally as a threat intelligence data query service; the security detection device 110 can send a query for threat intelligence data to the cloud threat intelligence server 120 over the network and obtain the query result. An embedded threat intelligence data set is deployed on the embedded threat intelligence server 130. It is a subset of the huge threat intelligence data set that retains the high-value and recently active threat intelligence data of the complete data set, and its data volume is smaller than that of the complete threat intelligence data set, so that it can be downloaded by the security detection device 110.
Security detection device 110 periodically downloads new embedded threat intelligence data sets from embedded threat intelligence server 130 to improve the effectiveness of the security detection.
Cloud threat intelligence server 120 and embedded threat intelligence server 130 may be a cluster of servers or may be individual servers.
As shown in fig. 2, based on the above updating system, the flow of the method for updating an embedded threat intelligence data set provided by the embodiment of the present application is as follows:
Step 210: when a query request sent by the security detection device is detected, the cloud threat intelligence server updates the query record parameter of at least one corresponding piece of threat intelligence data according to the query request.
In some scenarios, if the security detection device does not find the required threat intelligence data in its built-in embedded threat intelligence data set, it may send a query request to the cloud threat intelligence server. The query request carries one or more requested identifiers, which include, but are not limited to, a file hash, an IP address, a domain name, and the like. The cloud threat intelligence server looks up the corresponding threat intelligence data according to the identifiers carried in the query request and returns the threat intelligence data it finds to the security detection device.
For example, the security detection device may carry one IP address in the query request, and the cloud threat intelligence server looks up the corresponding piece of threat intelligence data according to the IP address and returns it to the security detection device. The security detection device may also carry several IP addresses, or a combination of file hashes, IP addresses and domain names, in one query request; for example, if five IP addresses are carried at once, the cloud threat intelligence server looks up the corresponding five pieces of threat intelligence data according to the five IP addresses and returns them to the security detection device.
When it detects a query request from the security detection device, the cloud threat intelligence server on the one hand completes the query service as usual and returns the threat intelligence data found to the security detection device, and on the other hand updates the query record parameter of each piece of threat intelligence data obtained by this query.
The query record parameter may be a query count value: for example, each time a security detection device queries a certain piece of threat intelligence data, the query count value of that threat intelligence data is incremented by one. The query record parameter may also be a query frequency within a predetermined time range (e.g., the last month): for example, whenever a security detection device queries a certain piece of threat intelligence data, the frequency with which that threat intelligence data was queried in the last month is recalculated and its query frequency is updated.
The query record parameter represents how often the corresponding threat intelligence data is queried, which indirectly reflects the value of that threat intelligence data: the more frequently a piece of threat intelligence data is queried, the higher its value. This embodiment therefore uses the query record parameter of the threat intelligence data as the trigger condition for updating the embedded threat intelligence data set.
Step 220: the cloud threat intelligence server judges whether the query record parameter of each piece of threat intelligence data exceeds a preset threshold.
After updating the query record parameter of the at least one piece of threat intelligence data obtained by the query, the cloud threat intelligence server judges whether the updated query record parameter of each of those pieces of threat intelligence data exceeds the preset threshold. The specific value of the preset threshold can be set flexibly and is related to the number of security detection devices: if there are many security detection devices, the preset threshold can be set somewhat higher, to avoid the query record parameter exceeding the threshold too easily and the embedded threat intelligence data set being updated too frequently.
If the query record parameter is a query count value, the preset threshold is a threshold on the count value; if the query record parameter is a query frequency, the preset threshold is a threshold on the frequency.
Step 230: if a query record parameter exceeding the preset threshold exists, the cloud threat intelligence server updates the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold, so that the security detection device obtains the updated embedded threat intelligence data set.
If a query record parameter exceeds the preset threshold, the corresponding threat intelligence data is considered to have been queried frequently in the recent period and to be of high value, so it can be added to the embedded threat intelligence data set. The embedded threat intelligence data set is then updated based on that threat intelligence data.
In one particular embodiment, the step of updating the embedded threat intelligence data set comprises: the cloud threat intelligence server sends an update notification to the embedded threat intelligence server, wherein the update notification instructs the embedded threat intelligence server to update the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold.
The embedded threat intelligence server updates that piece of threat intelligence data in the embedded threat intelligence data set based on the data content carried in the update notification.
Specifically, after receiving the update notification, the embedded threat intelligence server searches the embedded threat intelligence data set it stores. If the corresponding threat intelligence data already exists, its data content is overwritten; if it does not exist, the threat intelligence data is added to the embedded threat intelligence data set.
Since the embedded threat intelligence data set has a limited data volume, old threat intelligence data is deleted if the data volume is outside the specified range. Therefore, if the data volume of the threat intelligence data in the embedded threat intelligence data set exceeds the preset range during the update, the threat intelligence data with the earliest date is deleted from the embedded threat intelligence data set until the data volume is within the preset range, and the update is then complete.
After the embedded threat intelligence server finishes updating the embedded threat intelligence data set, it sends an update completion notification to the cloud threat intelligence server. After receiving the update completion notification, the cloud threat intelligence server clears the query record parameter of the corresponding threat intelligence data. When a security detection device queries that threat intelligence data again, the query record parameter is counted again from its starting value.
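The update flow of steps 210 to 230 as a small in-memory simulation, added here as an illustration and not taken from the patent: a query count per record, promotion once the count exceeds the threshold, overwrite-or-add on the embedded server, eviction of the earliest-dated records, and counter reset. All class and field names, the per-record `intel_date` used for eviction, and the sample indicators are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class IntelRecord:
    indicator: str      # identifier: file hash, IP address or domain name
    verdict: str        # stand-in for the data content of the record
    intel_date: date    # assumed per-record date that eviction sorts on


class EmbeddedIntelServer:
    """Holds the size-limited embedded data set (server 130 in the text)."""

    def __init__(self, max_records):
        self.max_records = max_records
        self.dataset = {}   # indicator -> IntelRecord

    def apply_update(self, record):
        """Handle an update notification for one record.

        Overwrites the record if present, adds it otherwise, then deletes
        the earliest-dated records until the set is within its size limit.
        Returning stands in for the update completion notification.
        """
        self.dataset[record.indicator] = record
        evicted = []
        while len(self.dataset) > self.max_records:
            oldest = min(self.dataset.values(), key=lambda r: r.intel_date)
            del self.dataset[oldest.indicator]
            evicted.append(oldest.indicator)
        return evicted


class CloudIntelServer:
    """Holds the complete data set and the query counters (server 120)."""

    def __init__(self, full_dataset, embedded, threshold):
        self.full = {r.indicator: r for r in full_dataset}
        self.embedded = embedded
        self.threshold = threshold
        self.query_count = {}   # indicator -> query record parameter

    def handle_query(self, identifiers):
        """Answer a query request and run steps 210-230 for each hit."""
        results = []
        for ident in identifiers:
            record = self.full.get(ident)
            if record is None:
                continue    # nothing found, so nothing is counted
            results.append(record)
            # Step 210: update the query record parameter (a count here).
            self.query_count[ident] = self.query_count.get(ident, 0) + 1
            # Step 220: compare against the preset threshold.
            if self.query_count[ident] > self.threshold:
                # Step 230: notify the embedded server; once it reports
                # completion, clear the counter so counting restarts.
                self.embedded.apply_update(record)
                self.query_count[ident] = 0
        return results


def build_demo():
    """Constructed sample data: documentation IP ranges and example domains."""
    full = [
        IntelRecord("192.0.2.10", "c2", date(2020, 1, 5)),
        IntelRecord("198.51.100.7", "scanner", date(2020, 6, 1)),
        IntelRecord("bad.example", "phishing", date(2020, 9, 30)),
    ]
    embedded = EmbeddedIntelServer(max_records=2)
    cloud = CloudIntelServer(full, embedded, threshold=2)
    return cloud, embedded


if __name__ == "__main__":
    cloud, embedded = build_demo()
    for ident in ("192.0.2.10", "198.51.100.7", "bad.example"):
        for _ in range(3):
            cloud.handle_query([ident])
    print(sorted(embedded.dataset))
```

Because eviction sorts on the record's own date, a frequently queried but old record can be the first one deleted when the set is full, which the demo run shows for `192.0.2.10`.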
The safety detection equipment downloads the embedded threat intelligence data set from the embedded threat intelligence server regularly, and it should be noted that the downloading process and all the steps are not limited in sequence and do not have a chronological relationship. When monitoring a downloading request sent by the security detection equipment, the embedded threat information server provides a downloading resource of the embedded threat information data set for the security detection equipment, so that the security detection equipment can acquire the updated embedded threat information data set.
Referring to fig. 3, the step of downloading the embedded threat intelligence data set from the embedded threat intelligence server by the security detection apparatus includes:
Step 310: When the embedded threat intelligence server detects a download request sent by the security detection device, it determines, according to the download request, whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device; if so, go to step 320.
Any addition, deletion, or modification in the current embedded threat intelligence data set, relative to the one last downloaded by the security detection device, counts as an update. Specifically, the embedded threat intelligence server may determine whether the embedded threat intelligence data set has been updated as follows:
The security detection device sends a download request to the embedded threat intelligence server and carries in it the version number of the embedded threat intelligence data set it downloaded last time. The embedded threat intelligence server checks whether the version number carried by the download request is consistent with the current version number of the embedded threat intelligence data set. If they are inconsistent, it determines that the current embedded threat intelligence data set has been updated compared with the one last downloaded by the security detection device; if they are consistent, it determines that the current embedded threat intelligence data set has not been updated. If there is an update, step 320 is executed so that the security detection device obtains the updated embedded threat intelligence data set; if there is no update, a no-update notification message may be returned to the security detection device.
The version number may be generated based on the date of the update, e.g., the version number of the embedded threat intelligence dataset changes to the date of the day of the update each time it is updated.
Step 320: Provide the download resource of the current embedded threat intelligence data set to the security detection device, so that the security detection device can obtain the updated embedded threat intelligence data set.
In some embodiments, the embedded threat intelligence server may provide the security detection device with a download resource for the entire embedded threat intelligence data set, or only for the threat intelligence data that has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device. The download resource may be a download address of the embedded threat intelligence data set, which the security detection device accesses to perform the download; alternatively, the embedded threat intelligence server may send a data packet of the embedded threat intelligence data set directly to the security detection device.
Referring to fig. 4, a specific implementation of the updating method provided in this embodiment is described based on the contents of the above embodiment. As shown in fig. 4, one embodiment of the method for updating an embedded threat intelligence data set is as follows:
Step 410: The security detection device initiates a first authentication request to the cloud threat intelligence server.
The first authentication request carries first authentication information, where the first authentication information includes, but is not limited to, an IP address, a product name, a product serial number, and the like of the security detection device, and the first authentication information may be a combination of one or more items of information.
Step 420: The cloud threat intelligence server authenticates the security detection device according to pre-stored authentication record data and, if the authentication succeeds, returns a first authentication credential to the security detection device.
The cloud threat intelligence server stores authentication record data, which records the pre-authentication information of the security detection devices that are allowed to access the cloud threat intelligence server. If matching pre-authentication information can be found in the authentication record data for the first authentication information of the security detection device, the security detection device is authenticated successfully, the first authentication credential is returned to it, and an authentication log entry is recorded.
If the authentication does not succeed, the first authentication request of the security detection device is rejected.
The security detection device only needs to send the first authentication request to the cloud threat intelligence server once; after authentication succeeds, it only needs to carry the first authentication credential when sending a query request.
Step 430: The security detection device sends a query request to the cloud threat intelligence server, and the query request carries the first authentication credential and a query identifier.
The query identifier includes, but is not limited to, a file hash, an IP address, a domain name, and the like.
Step 440: The cloud threat intelligence server determines, according to the first authentication credential, whether the security detection device is an authenticated device; if it is, the server looks up the corresponding threat intelligence data in the threat intelligence data set according to the identifier carried by the query request; if matching data is found, steps 450 and 460 are executed.
Step 450: The cloud threat intelligence server returns the queried threat intelligence data to the security detection device.
Step 460: the cloud threat intelligence server updates the query record parameters of the corresponding threat intelligence data, judges whether the query record parameters of each threat intelligence data exceed a preset threshold value, and if so, executes step 470.
Step 470: The cloud threat intelligence server sends an update notification to the embedded threat intelligence server, instructing the embedded threat intelligence server to update the threat intelligence data corresponding to the query record parameters that exceed the preset threshold.
Step 480: the embedded threat intelligence server updates the embedded threat intelligence data set according to the update notification.
Step 490: After the update is completed, the embedded threat intelligence server returns an update completion notification to the cloud threat intelligence server.
Step 500: The cloud threat intelligence server clears the query record parameters of the corresponding threat intelligence data.
It should be noted that the following steps 510-550 are performed asynchronously with respect to the previous steps; steps 510-550 are not required to follow any of steps 410-500.
Step 510: The security detection device initiates a second authentication request to the embedded threat intelligence server.
The second authentication request carries second authentication information, where the second authentication information includes, but is not limited to, an IP address, a product name, a product serial number, and the like of the security detection device, and the second authentication information may be a combination of one or more items of information.
Step 520: The embedded threat intelligence server authenticates the security detection device according to pre-stored authentication record data and, if the authentication succeeds, returns a second authentication credential to the security detection device.
The embedded threat intelligence server stores authentication record data, which records the pre-authentication information of the security detection devices that are allowed to access the embedded threat intelligence server. If matching pre-authentication information can be found in the authentication record data for the second authentication information of the security detection device, the security detection device is authenticated successfully, the second authentication credential is returned to it, and an authentication log entry is recorded.
If the authentication does not succeed, the second authentication request of the security detection device is rejected.
The security detection device only needs to initiate the second authentication request to the embedded threat intelligence server once; after authentication succeeds, it only needs to carry the second authentication credential when initiating a download request.
The authentication record data in the embedded threat information server may be the same as or different from the authentication record data in the cloud threat information server.
Step 530: The security detection device sends a download request to the embedded threat intelligence server, and the download request carries the second authentication credential.
The security detection device may initiate download requests to the embedded threat intelligence server periodically; the frequency may be once a day.
Step 540: The embedded threat intelligence server determines, according to the second authentication credential, whether the security detection device is an authenticated device; if it is, the server determines whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device; if so, step 550 is executed.
Step 550: the embedded threat intelligence server provides download resources of the updated embedded threat intelligence data set to the security detection equipment.
The security detection device obtains the updated embedded threat intelligence data set from the download resource.
In this embodiment of the application, the query service for threat intelligence data and the download service for the embedded threat intelligence data set are separated: the cloud threat intelligence server handles the query requests of the security detection device and returns the query results, while the embedded threat intelligence server handles the download requests of the security detection device and provides the download resource of the embedded threat intelligence data set. The two servers are linked through the query record parameters of the threat intelligence data: when the query record parameter of a piece of threat intelligence data in the cloud threat intelligence server exceeds the preset threshold, that threat intelligence data is automatically updated into the embedded threat intelligence data set in the embedded threat intelligence server.
As a result, the threat intelligence data kept in the embedded threat intelligence data set is the data that security detection devices query frequently, and the embedded threat intelligence data set downloaded by each security detection device likewise holds frequently queried, higher-value threat intelligence data. As the embedded threat intelligence data set is gradually updated, in most security detection scenarios each security detection device can find the threat intelligence data it needs directly in its locally built-in embedded threat intelligence data set and does not need to query the data set on the cloud side, which saves a large amount of query time and improves the efficiency of security detection.
It can be understood that the update frequency of the embedded threat intelligence data set will gradually decrease, and so will the frequency with which the security detection device downloads the data set from the embedded threat intelligence server, which saves a great deal of download time and network resources.
In summary, this embodiment of the application is based on the technical idea that frequently used threat intelligence data is more valuable and should be placed in the embedded threat intelligence data set. It ties the query record parameter of each piece of threat intelligence data to the update action, and updates the threat intelligence data into the embedded threat intelligence data set when its query record parameter exceeds the preset threshold (indicating that the threat intelligence data is queried frequently).
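The update loop of the first embodiment (steps 410-550), as an added Python example that is not part of the patent text. It assumes the query record parameter is a plain query count and the authentication credential is a random token, and it applies the earliest-date deletion rule that the description gives for the second updating module; all class names, serial numbers, indicators, verdicts, and the capacity and threshold values are constructed for illustration.

```python
import secrets
from datetime import date


class Authenticator:
    """Pre-stored authentication records; issues a credential to known devices."""

    def __init__(self, allowed_serials):
        self.allowed = set(allowed_serials)
        self.issued = set()

    def authenticate(self, serial):
        if serial not in self.allowed:
            return None                      # authentication request rejected
        token = secrets.token_hex(16)        # assumption: credential is a random token
        self.issued.add(token)
        return token

    def check(self, token):
        return token in self.issued


class EmbeddedServer:
    """Holds the embedded data set and answers version-checked downloads."""

    def __init__(self, auth, capacity):
        self.auth, self.capacity = auth, capacity
        self.dataset = {}                    # indicator -> (verdict, date added)
        self.version = None                  # date-based version number

    def apply_update(self, records, today):
        """Handle an update notification; True stands for the completion notice."""
        for indicator, verdict in records.items():
            self.dataset[indicator] = (verdict, today)
        while len(self.dataset) > self.capacity:
            oldest = min(self.dataset, key=lambda i: self.dataset[i][1])
            del self.dataset[oldest]         # delete the earliest-dated record
        self.version = today.isoformat()
        return True

    def download(self, token, last_version):
        """Return (version, data set), or None when the device is up to date."""
        if not self.auth.check(token):
            raise PermissionError("unauthenticated device")
        if last_version == self.version:
            return None
        return self.version, {i: v for i, (v, _) in self.dataset.items()}


class CloudServer:
    """Holds the complete data set and the per-record query counters."""

    def __init__(self, auth, full, embedded, threshold):
        self.auth, self.full = auth, full
        self.embedded, self.threshold = embedded, threshold
        self.counts = {}                     # indicator -> query record parameter

    def query(self, token, indicator, today):
        if not self.auth.check(token):
            raise PermissionError("unauthenticated device")
        verdict = self.full.get(indicator)
        if verdict is None:
            return None                      # no intelligence for this identifier
        self.counts[indicator] = self.counts.get(indicator, 0) + 1
        hot = {i: self.full[i] for i, n in self.counts.items() if n > self.threshold}
        if hot and self.embedded.apply_update(hot, today):
            for i in hot:
                self.counts[i] = 0           # clear only after the completion notice
        return verdict


def run_demo():
    """Constructed scenario: one indicator becomes hot on each of three days."""
    full = {"bad.example": "c2-domain", "198.51.100.7": "scanner",
            "203.0.113.9": "botnet-node", "quiet.example": "phishing"}
    cloud_auth = Authenticator({"SN-0001"})      # the two servers keep
    embedded_auth = Authenticator({"SN-0001"})   # separate authentication records
    embedded = EmbeddedServer(embedded_auth, capacity=2)
    cloud = CloudServer(cloud_auth, full, embedded, threshold=2)
    first = cloud_auth.authenticate("SN-0001")
    second = embedded_auth.authenticate("SN-0001")

    days = [(date(2020, 11, 10), "bad.example"),
            (date(2020, 11, 11), "198.51.100.7"),
            (date(2020, 11, 12), "203.0.113.9")]
    cloud.query(first, "quiet.example", days[0][0])   # queried once: never promoted
    log, local_version = [], None
    for today, indicator in days:
        for _ in range(3):                   # the third query exceeds threshold=2
            cloud.query(first, indicator, today)
        local_version, data = embedded.download(second, local_version)
        repeat = embedded.download(second, local_version)  # same version -> None
        log.append((local_version, sorted(data), repeat))
    return log, cloud.counts


if __name__ == "__main__":
    for entry in run_demo()[0]:
        print(entry)
```

On the third day the embedded set would hold three records against a capacity of two, so the record added on the earliest date is deleted before the new version is published.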
Second embodiment
In this embodiment, as shown in fig. 5, the updating system of the embedded threat intelligence data set includes a security detection device 610 and a cloud threat intelligence server 620. Security detection device 610 is networked with cloud threat intelligence server 620.
The security detection device 610 is deployed in bypass mode on the user network and has an embedded threat intelligence data set built in. The cloud threat intelligence server 620 hosts the complete threat intelligence data set and exposes a threat intelligence data query service; the security detection device 610 can query threat intelligence data on the cloud threat intelligence server 620 over the network and obtain the query result. The cloud threat intelligence server 620 also hosts the embedded threat intelligence data set, which is a reduced version of the huge threat intelligence data set and a subset of it: it retains the high-value and recently active threat intelligence data from the complete threat intelligence data set, and its data volume is smaller than that of the complete threat intelligence data set. The security detection device 610 periodically downloads the new embedded threat intelligence data set from the cloud threat intelligence server 620 to improve its security detection.
Cloud threat intelligence server 620 may be a cluster of servers or may be a single server.
The difference between this embodiment and the first embodiment is that, in this embodiment, an embedded threat information server is not separately provided, and the function implemented by the embedded threat information server in the first embodiment is integrated into a cloud threat information server, which simultaneously processes an inquiry service of threat information data and a download service of an embedded threat information data set.
In the method for updating an embedded threat information data set provided in this embodiment, the implementation of the security detection device may refer to the implementation of the security detection device in the previous embodiment, and the implementation of the cloud threat information server may refer to the implementation of the cloud threat information server and the embedded threat information server in the previous embodiment, which are not repeated in this embodiment.
Referring to fig. 6, a specific implementation of the updating method provided in this embodiment is described based on the contents of the above embodiment. As shown in fig. 6, the embodiment of the method for updating the embedded threat intelligence data set is as follows:
Step 710: The security detection device initiates an authentication request to the cloud threat intelligence server.
Step 720: The cloud threat intelligence server authenticates the security detection device according to pre-stored authentication record data and, if the authentication succeeds, returns an authentication credential to the security detection device.
The cloud threat intelligence server stores authentication record data, which records the pre-authentication information of the security detection devices that are allowed to access the cloud threat intelligence server. If matching pre-authentication information can be found in the authentication record data for the authentication information of the security detection device, the security detection device is authenticated successfully, the authentication credential is returned to it, and an authentication log entry is recorded.
Step 730: The security detection device sends a query request to the cloud threat intelligence server, and the query request carries the authentication credential and a query identifier.
Step 740: The cloud threat intelligence server determines, according to the authentication credential, whether the security detection device is an authenticated device; if it is, the server looks up the corresponding threat intelligence data in the threat intelligence data set according to the identifier carried by the query request; if matching data is found, steps 750 and 760 are executed.
Step 750: The cloud threat intelligence server returns the queried threat intelligence data to the security detection device.
Step 760: the cloud threat intelligence server updates the query record parameters of the corresponding threat intelligence data, judges whether the query record parameters of each threat intelligence data exceed a preset threshold value, and if so, executes step 770.
Step 770: The cloud threat intelligence server updates, in the embedded threat intelligence data set, the threat intelligence data corresponding to the query record parameters that exceed the preset threshold.
Step 780: After the update is completed, the cloud threat intelligence server clears the query record parameters of the corresponding threat intelligence data.
Step 790: The security detection device sends a download request to the cloud threat intelligence server, and the download request carries the authentication credential.
The security detection device may initiate download requests to the cloud threat intelligence server periodically; the frequency may be once a day.
Step 800: The cloud threat intelligence server determines, according to the authentication credential, whether the security detection device is an authenticated device; if it is, the server determines whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device; if so, step 810 is executed.
Step 810: The cloud threat intelligence server provides the download resource of the updated embedded threat intelligence data set to the security detection device.
The security detection device obtains the updated embedded threat intelligence data set from the download resource.
Third embodiment
Referring to fig. 7, an embodiment of the present application provides an apparatus for updating an embedded threat intelligence data set, including:
a parameter updating module 910, configured to update an inquiry record parameter of at least one corresponding threat intelligence data according to an inquiry request when the inquiry request sent by a security detection device is monitored, where the inquiry request is used to inquire the at least one threat intelligence data;
a parameter determining module 920, configured to determine whether an inquiry record parameter of each threat intelligence data exceeds a preset threshold;
the first updating module 930 is configured to update the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold when the query record parameter exceeding the preset threshold exists, so that the security detection apparatus obtains the updated embedded threat intelligence data set.
Optionally, the updating apparatus further includes a parameter clearing module, configured to clear the query record parameters of the threat intelligence data after the first updating module updates the embedded threat intelligence data set.
Optionally, the embedded threat intelligence data set is deployed in an embedded threat intelligence server, and the first updating module 930 is specifically configured to: and sending an update notification to an embedded threat intelligence server, wherein the update notification is used for indicating the embedded threat intelligence server to update the embedded threat intelligence data set based on threat intelligence data corresponding to the query record parameters exceeding a preset threshold value.
Optionally, the apparatus further comprises a downloading module, configured to: when a download request sent by the security detection device is detected, determine, according to the download request, whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device; and if so, provide the download resource of the current embedded threat intelligence data set to the security detection device, so that the security detection device can obtain the updated embedded threat intelligence data set.
For brevity, for anything not mentioned in this apparatus embodiment, reference may be made to the corresponding content in the method embodiment.
Referring to fig. 8, an embodiment of the present application further provides an apparatus for updating an embedded threat intelligence data set, including:
an update indication module 950, configured to receive an update notification sent by a cloud threat information server, where the update notification is sent by the cloud threat information server after detecting that there are query record parameters exceeding a preset threshold, each query record parameter corresponds to a piece of threat information data, and the query record parameters of the threat information data are updated after the threat information data are queried by a security detection device;
a second updating module 960, configured to update the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameter exceeding the preset threshold;
the downloading module 970 is configured to provide a downloading resource of the embedded threat intelligence data set to the security detection device when a downloading request sent by the security detection device is monitored.
Optionally, the download module 970 is specifically configured to: when a downloading request sent by a safety detection device is monitored, determining whether a current embedded threat intelligence data set is updated or not compared with an embedded threat intelligence data set downloaded last time by the safety detection device according to the downloading request; and if so, providing the downloading resource of the current embedded threat intelligence data set to the safety detection equipment so that the safety detection equipment can obtain the updated embedded threat intelligence data set.
Optionally, the download module 970 is further specifically configured to: judging whether the version number of the last downloaded embedded threat intelligence data set carried by the downloading request is consistent with the current version number of the embedded threat intelligence data set or not; and if the embedded threat intelligence data sets are inconsistent, determining that the current embedded threat intelligence data set is updated compared with the embedded threat intelligence data set downloaded last time by the safety detection equipment.
Optionally, the second update module 960 is specifically configured to: updating an embedded threat intelligence data set based on threat intelligence data corresponding to the query record parameters exceeding a preset threshold, and deleting the threat intelligence data with the earliest date from the embedded threat intelligence data set when the data volume of the threat intelligence data in the embedded threat intelligence data set exceeds a preset range until the data volume of the threat intelligence data in the embedded threat intelligence data set is within the preset range.
For brevity, for anything not mentioned in this apparatus embodiment, reference may be made to the corresponding content in the method embodiment.
Fig. 9 shows a possible structure of a server provided in an embodiment of the present application. Referring to fig. 9, the server 1000 includes: a processor 1010, a memory 1020, and a communication interface 1030, which are interconnected and in communication with each other via a communication bus 1040 and/or other form of connection mechanism (not shown).
There may be one or more memories 1020 (only one is shown in the figure), each of which may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The processor 1010, and possibly other components, may access, read from, and/or write to the memory 1020.
There may be one or more processors 1010 (only one is shown), each of which may be an integrated circuit chip having signal processing capabilities. The processor 1010 may be a general-purpose processor, including a Central Processing Unit (CPU), a Micro Control Unit (MCU), a Network Processor (NP), or other conventional processors; or a special-purpose processor, including a Graphics Processing Unit (GPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, and a discrete hardware component. Where there are multiple processors 1010, some may be general-purpose processors and others may be special-purpose processors.
There may be one or more communication interfaces 1030 (only one is shown), which can be used to communicate directly or indirectly with other devices or servers for data interaction. The communication interface 1030 may include interfaces for wired and/or wireless communication.
One or more computer program instructions may be stored in memory 1020 and read and executed by processor 1010 to implement the embedded threat intelligence data set updating methods provided by embodiments of the present application, as well as other desired functions.
It is to be understood that the configuration shown in fig. 9 is merely illustrative and that server 1000 may include more or fewer components than shown in fig. 9 or have a different configuration than shown in fig. 9. The components shown in fig. 9 may be implemented in hardware, software, or a combination thereof. The server 1000 may be the cloud threat intelligence server described in the first embodiment and the second embodiment, or may be the embedded threat intelligence server described in the first embodiment, and the server 1000 is not limited to a single server device, or may be a combination of multiple devices or a server cluster composed of a large number of devices.
The embodiment of the present application further provides a computer-readable storage medium, where computer program instructions are stored on the computer-readable storage medium, and when the computer program instructions are read and executed by a processor of a computer, the method for updating an embedded threat intelligence data set provided in the embodiment of the present application is executed. For example, the computer readable storage medium may be embodied as memory 1020 in server 1000 in fig. 9.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the unit is only a logical division, and other divisions may be realized in practice. Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made to the present application by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (8)

1. An update method for an embedded threat intelligence data set, comprising:
when an inquiry request sent by a safety detection device is monitored, updating an inquiry record parameter of at least one corresponding threat intelligence data according to the inquiry request, wherein the inquiry request is used for inquiring the at least one threat intelligence data;
judging whether the query record parameter of each threat intelligence data exceeds a preset threshold value;
if the inquiry record parameters exceeding the preset threshold exist, updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the inquiry record parameters exceeding the preset threshold so that the safety detection equipment can obtain the updated embedded threat intelligence data set;
wherein, the updating method further comprises: when a downloading request sent by the safety detection equipment is monitored, determining whether a current embedded threat intelligence data set is updated or not compared with an embedded threat intelligence data set downloaded last time by the safety detection equipment according to the downloading request; and if so, providing the downloading resource of the current embedded threat intelligence data set to the safety detection equipment so that the safety detection equipment can obtain the updated embedded threat intelligence data set.
2. The method of claim 1, wherein after updating the embedded threat intelligence data set based on threat intelligence data corresponding to the query record parameters exceeding a preset threshold, the method further comprises:
and clearing the query record parameters of the threat intelligence data.
3. The method of claim 1, wherein the embedded threat intelligence data set is deployed in an embedded threat intelligence server, and wherein updating the embedded threat intelligence data set based on threat intelligence data corresponding to query record parameters that exceed a preset threshold comprises:
and sending an update notification to an embedded threat intelligence server, wherein the update notification is used for indicating the embedded threat intelligence server to update the embedded threat intelligence data set based on threat intelligence data corresponding to the query record parameters exceeding a preset threshold value.
4. An update method for an embedded threat intelligence data set, comprising:
receiving an updating notice sent by a cloud threat information server, wherein the updating notice is sent by the cloud threat information server after the cloud threat information server detects that inquiry record parameters exceeding a preset threshold exist, each inquiry record parameter corresponds to one piece of threat information data, and the inquiry record parameters of the threat information data are updated after the threat information data are inquired by a safety detection device;
updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameters exceeding the preset threshold;
when a downloading request sent by a safety detection device is monitored, providing a downloading resource of an embedded threat intelligence data set for the safety detection device;
wherein, when monitoring a download request sent by a security detection device, providing a download resource of an embedded threat intelligence data set to the security detection device comprises: when a downloading request sent by a safety detection device is monitored, determining whether a current embedded threat intelligence data set is updated or not compared with an embedded threat intelligence data set downloaded last time by the safety detection device according to the downloading request; and if so, providing the downloading resource of the current embedded threat intelligence data set to the safety detection equipment so that the safety detection equipment can obtain the updated embedded threat intelligence data set.
5. The method of claim 4, wherein said determining, according to said download request, whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by said security detection device comprises:
judging whether the version number of the last downloaded embedded threat intelligence data set carried in the download request is consistent with the current version number of the embedded threat intelligence data set;
and if they are inconsistent, determining that the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device.
6. The method of claim 4, wherein updating the embedded threat intelligence data set based on threat intelligence data corresponding to the query record parameters exceeding the preset threshold comprises:
updating the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameters exceeding the preset threshold, and, when the data volume of the threat intelligence data in the embedded threat intelligence data set exceeds a preset range, deleting the threat intelligence data with the earliest date from the embedded threat intelligence data set until the data volume of the threat intelligence data in the embedded threat intelligence data set is within the preset range.
7. An apparatus for updating an embedded threat intelligence data set, comprising:
a parameter updating module, configured to, when a query request sent by a security detection device is detected, update at least one query record parameter of the corresponding threat intelligence data according to the query request, wherein the query request is used for querying at least one piece of threat intelligence data;
a parameter judgment module, configured to judge whether the query record parameter of each piece of threat intelligence data exceeds a preset threshold;
a first updating module, configured to, when query record parameters exceeding the preset threshold exist, update the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameters exceeding the preset threshold, so that the security detection device can obtain the updated embedded threat intelligence data set;
wherein the updating apparatus is further configured to: when a download request sent by the security detection device is detected, determine, according to the download request, whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device; and if so, provide the download resource of the current embedded threat intelligence data set to the security detection device so that the security detection device can obtain the updated embedded threat intelligence data set.
8. An apparatus for updating an embedded threat intelligence data set, comprising:
an update indicating module, configured to receive an update notification sent by a cloud threat intelligence server, wherein the update notification is sent by the cloud threat intelligence server after it detects that query record parameters exceeding a preset threshold exist, each query record parameter corresponds to one piece of threat intelligence data, and the query record parameter of a piece of threat intelligence data is updated after that threat intelligence data is queried by a security detection device;
a second updating module, configured to update the embedded threat intelligence data set based on the threat intelligence data corresponding to the query record parameters exceeding the preset threshold;
a downloading module, configured to provide a download resource of the embedded threat intelligence data set to a security detection device when a download request sent by the security detection device is detected;
wherein the downloading module is further configured to: when a download request sent by a security detection device is detected, determine, according to the download request, whether the current embedded threat intelligence data set has been updated compared with the embedded threat intelligence data set last downloaded by the security detection device; and if so, provide the download resource of the current embedded threat intelligence data set to the security detection device so that the security detection device can obtain the updated embedded threat intelligence data set.
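The update flow of claims 4 to 6, as a minimal in-memory sketch (an added example, not code from the patent). The class and function names are hypothetical, the query record parameter is assumed to be a hit count, the version number is assumed to be an integer counter, the "preset range" is modelled as `max_records`, and the indicator values are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Record:
    indicator: str      # constructed sample value, e.g. a domain
    added: date         # date used for earliest-first eviction (claim 6)
    queries: int = 0    # "query record parameter", assumed to be a hit count

class CloudServer:
    """Counts queries per record and notifies once a count exceeds the threshold."""
    def __init__(self, records, threshold, notify):
        self.records = {r.indicator: r for r in records}
        self.threshold, self.notify = threshold, notify

    def query(self, indicator):
        rec = self.records.get(indicator)
        if rec is not None:
            rec.queries += 1
            if rec.queries > self.threshold:
                self.notify(rec)          # the update notification
        return rec

class EmbeddedServer:
    """Maintains the size-bounded embedded data set and its version number."""
    def __init__(self, max_records):
        self.max_records, self.dataset, self.version = max_records, {}, 0

    def on_update(self, rec):
        if rec.indicator in self.dataset:
            return                        # already embedded, version unchanged
        self.dataset[rec.indicator] = rec
        while len(self.dataset) > self.max_records:
            oldest = min(self.dataset.values(), key=lambda r: r.added)
            del self.dataset[oldest.indicator]
        self.version += 1

    def download(self, last_version):
        """Return (version, indicators) only if the device's copy is stale."""
        if last_version == self.version:  # claim 5: version numbers consistent
            return None
        return self.version, sorted(self.dataset)

def demo():
    embedded = EmbeddedServer(max_records=2)
    cloud = CloudServer([Record("a.example", date(2020, 1, 1)),
                         Record("b.example", date(2020, 2, 1)),
                         Record("c.example", date(2020, 3, 1))],
                        threshold=2, notify=embedded.on_update)
    for name in ["a.example"] * 3 + ["b.example"] * 3 + ["c.example"] * 3:
        cloud.query(name)
    return embedded
```

Because the download check tests for inequality rather than "newer than", a device that presents any version number other than the current one receives the full current data set.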
CN202011265053.8A 2020-11-12 2020-11-12 Method and device for updating embedded threat information data set Active CN112398849B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011265053.8A CN112398849B (en) 2020-11-12 2020-11-12 Method and device for updating embedded threat information data set

Publications (2)

Publication Number Publication Date
CN112398849A (en) 2021-02-23
CN112398849B (en) 2022-12-20

Family

ID=74600011

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011265053.8A Active CN112398849B (en) 2020-11-12 2020-11-12 Method and device for updating embedded threat information data set

Country Status (1)

Country Link
CN (1) CN112398849B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106878262A (en) * 2016-12-19 2017-06-20 新华三技术有限公司 Message detecting method and device, the method and device for setting up high in the clouds threat information bank
CN110598138A (en) * 2018-06-12 2019-12-20 北京京东尚科信息技术有限公司 Cache-based processing method and device
CN111291079A (en) * 2020-02-20 2020-06-16 京东数字科技控股有限公司 Data query method and device

Also Published As

Publication number Publication date
CN112398849A (en) 2021-02-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant