Threat intelligence-based network threat identification method and identification system

An identification method and identification system, applied in the field of threat intelligence-based network threat identification. It addresses the problems of prior approaches, in which network attack traceability analysis is inconvenient, judgments are inaccurate, and no correlation analysis is performed, and aims to achieve convenient traceability and post-processing, improved efficiency, and a low false alarm rate.

Active Publication Date: 2020-01-21
HANGZHOU ANHENG INFORMATION TECH CO LTD
10 Cites, 51 Cited by

AI Technical Summary

Problems solved by technology

[0006] The present invention addresses the shortcomings of the prior art, in which threat intelligence is only matched in a simple way and no correlation analysis is performed between threat situations, which is inconvenient for network attack traceability analysis and inconvenient ...



Examples


Embodiment 1

[0069] Example 1: A compromised host on the intranet periodically accesses a certain C&C domain name, and the attribution label of that domain name in the intelligence database is "malware". It is therefore necessary to check whether the device's accesses are data upload operations (exfiltration after data has been collected), whether the host periodically attempts to download files (which malware may use to update one of its own components), or whether it is receiving instructions for the next attack step.

Embodiment 2

[0070] Example 2: Multiple compromised hosts have accessed the same mining server (the threat intelligence database carries a flag marking the domain name as a mining pool server), they interact with the server frequently, and they send the same or similar requests. It can then be judged that these devices are controlled by an active mining botnet.

Embodiment 3

[0071] Example 3: A vulnerability exploit event is detected on a compromised host in the protected network, and the host attempts to send exploit messages to other devices on the same network. The subsequent network behaviour of the compromised host is then analysed; for example, the host may already be under an attacker's control and be used as a springboard to scan other devices on the LAN in order to obtain further information.

[0072] Step 6: Compile statistics on threat event information and/or lost host event information, analyse the relationships between threat events and/or lost host events, and display the results.

[0073] In step 6, the statistical information includes threat event information and lost host event information.

[0074] The threat event information includes the event type, threat type, number of attacked hosts, number of attacking hosts, number of occurrences, first occurrence time and latest occurrence time of the threat event in ...
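The following is an added illustration, not code from the patent or from Hangzhou Anheng, of the three embodiments above and of the step 6 statistics: audit records are matched against a threat intelligence library, matched events are then correlated (periodic beaconing to a "malware" indicator, several hosts sending the same request to one mining pool, an internal exploit attempt followed by scanning), and per event-type/threat-type statistics are compiled. The intelligence library, the audit records, the event names ("exploit", "scan") and the thresholds are all constructed here and are assumptions, not the patent's data formats.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed threat-intelligence library: indicator -> attribution label.
# Stands in for the patent's intelligence database; the format is assumed.
INTEL = {
    "cnc.example.net": "malware",
    "pool.example.org": "mining_pool",
}

# Constructed audit records: (time, src, dst, event type, request).
# "exploit" and "scan" events are assumed to come from an IDS feed.
AUDIT = [
    ("2020-01-01T00:00:00", "10.0.0.5", "cnc.example.net", "http", "GET /gate.php"),
    ("2020-01-01T00:10:00", "10.0.0.5", "cnc.example.net", "http", "GET /gate.php"),
    ("2020-01-01T00:20:00", "10.0.0.5", "cnc.example.net", "http", "GET /gate.php"),
    ("2020-01-01T00:30:00", "10.0.0.5", "cnc.example.net", "http", "GET /gate.php"),
    ("2020-01-01T01:00:00", "10.0.0.7", "pool.example.org", "stratum", "mining.subscribe"),
    ("2020-01-01T01:00:05", "10.0.0.8", "pool.example.org", "stratum", "mining.subscribe"),
    ("2020-01-01T01:00:09", "10.0.0.9", "pool.example.org", "stratum", "mining.subscribe"),
    ("2020-01-01T02:00:00", "10.0.0.5", "10.0.0.20", "exploit", "smb_exploit_signature"),
    ("2020-01-01T02:01:00", "10.0.0.5", "10.0.0.21", "scan", "tcp/445"),
    ("2020-01-01T02:01:01", "10.0.0.5", "10.0.0.22", "scan", "tcp/445"),
    ("2020-01-01T03:00:00", "10.0.0.6", "intranet.example.com", "http", "GET /"),  # benign
]


def ts(s):
    return datetime.fromisoformat(s)


def match_intel(audit, intel=INTEL):
    """Match audit data against the intel library; return matched threat events."""
    return [(t, src, dst, ev, req, intel[dst]) for t, src, dst, ev, req in audit if dst in intel]


def beaconing_hosts(events, min_hits=3, max_jitter=60.0):
    """Embodiment 1: a host contacting a 'malware' indicator at regular intervals."""
    times = defaultdict(list)
    for t, src, dst, ev, req, label in events:
        if label == "malware":
            times[(src, dst)].append(ts(t))
    found = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:  # near-constant interval => beacon
            found.append((src, dst, sum(gaps) / len(gaps)))
    return found


def mining_botnets(events, min_hosts=2):
    """Embodiment 2: several hosts sending the same request to one mining pool."""
    groups = defaultdict(set)
    for t, src, dst, ev, req, label in events:
        if label == "mining_pool":
            groups[(dst, req)].add(src)
    return {dst: sorted(hosts) for (dst, req), hosts in groups.items() if len(hosts) >= min_hosts}


def lateral_movement(audit, protected="10.0.0."):
    """Embodiment 3: exploit sent to an internal peer, then scanning of other peers."""
    exploiters = {src for t, src, dst, ev, req in audit
                  if ev == "exploit" and dst.startswith(protected)}
    report = {}
    for src in exploiters:
        first = min(ts(t) for t, s, d, ev, r in audit if s == src and ev == "exploit")
        scanned = {d for t, s, d, ev, r in audit if s == src and ev == "scan" and ts(t) > first}
        report[src] = sorted(scanned)
    return report


def threat_statistics(events):
    """Step 6: per (event type, threat type): attacked/attacking hosts, count, first/last."""
    acc = {}
    for t, src, dst, ev, req, label in events:
        s = acc.setdefault((ev, label), {"attacked": set(), "attacking": set(),
                                         "count": 0, "first": t, "last": t})
        s["attacked"].add(src)    # the intranet host is the attacked (lost) host
        s["attacking"].add(dst)   # the matched indicator is the attacking side
        s["count"] += 1
        s["first"] = min(s["first"], t)  # ISO-8601 strings sort chronologically
        s["last"] = max(s["last"], t)
    return {k: {"attacked_hosts": len(v["attacked"]), "attacking_hosts": len(v["attacking"]),
                "count": v["count"], "first": v["first"], "last": v["last"]}
            for k, v in acc.items()}


if __name__ == "__main__":
    events = match_intel(AUDIT)
    print("beacons:", beaconing_hosts(events))
    print("mining botnets:", mining_botnets(events))
    print("lateral movement:", lateral_movement(AUDIT))
    print("statistics:", threat_statistics(events))
```

Only records whose destination is in the intelligence library become threat events; the lateral-movement check deliberately runs over the raw audit data, since an internal exploit target will never appear in an external intelligence feed, which is the point of embodiment 3.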



Abstract

The invention relates to a threat intelligence-based network threat identification method and identification system. The method includes: after the detection module is started, loading all threat information updated by the information updating module to the local host; acquiring the collected and analysed audit data and matching it against the data in a threat intelligence library; if the audit data matches the threat intelligence library, analysing and acquiring threat event information from the risk data through an analysis and display module, acquiring and analysing the associated information of possible lost host events, and counting, analysing and displaying the relationships between the events. According to the invention, the threat condition of the whole network is analysed and displayed from two perspectives, threat event information and lost host events; compromised hosts are determined, targeted attacks are accurately recognised, correlation analysis and display are carried out on the threats, the efficiency of processing network attack events is improved, the false alarm rate is low, potential threats can be found, tracing and post-processing of threat events are greatly facilitated, attacks that may occur in the future are predicted, and therefore truly valuable attack events are deeply analysed and discovered.

Description

Technical field

[0001] The present invention relates to the transmission of digital information, for example the technical field of telegraphic communication, and in particular to a threat intelligence-based network threat identification method and identification system characterised by protocols.

Background technique

[0002] With the continuous emergence of new threats and network attacks such as APT, malicious mining and ransomware, their number keeps rising and network threats are evolving rapidly. At the same time, the means and channels of network attacks are becoming more diverse. This places higher demands on the analysis and processing capabilities of network security personnel, and enterprises and organisations increasingly need to rely on sufficient, efficient and accurate security threat intelligence as support when defending against external attacks, to help them better discover and address these new threats.

[0003] Threat inte...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1416
Inventors: 程华才, 范渊
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD