Network threat analysis method and device, electronic equipment and storage medium

A technology of threat analysis and network equipment, applied in the field of network information security, can solve problems such as time-consuming

Active Publication Date: 2020-03-10
HARBIN ANTIY TECH
Cites: 5; Cited by: 14

AI-Extracted Technical Summary

Problems solved by technology

This analysis method requires a lot of manpower and consumes a lot of time
Moreover, due to the confrontation and uncertainty in the field of network security, ex...

Abstract

The embodiment of the invention discloses a network threat analysis method and device, electronic equipment and a storage medium, and relates to the field of network information security. The method comprises the following steps: acquiring historical data of network equipment in a current network environment; performing semantic processing on the historical data according to a preset semantic tagtype to obtain tag data; creating a threat knowledge graph according to the label data and a stored network environment threat mode; constructing a threat analysis model through the threat knowledge graph and pre-configured threat sample data; when current data of network equipment is received, inputting the current data into the threat analysis model to obtain a threat analysis result of the current data; and updating the threat knowledge graph according to the threat analysis result. According to the method, effective fusion of artificial experience and an automatic analysis technology is realized, and the adversarial resistance and uncertainty in the field of network security can be resisted more comprehensively.

Application Domain

  • Transmission
  • Semantic tool creation

Technology Topic

  • Engineering
  • Analytic model


Examples

  • Experimental program(1)

Example Embodiment

[0049] The embodiments of the present invention are described in detail below in conjunction with the drawings.
[0050] It should be clear that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
[0051] The solution provided by the embodiment of the present invention is explained in detail below with reference to Figure 1, which is a flowchart of a network threat analysis method provided by an embodiment of the present invention. In this embodiment, the implementing subject is an electronic device, which may be a terminal device (for example, a personal computer or a desktop computer) or a server. As shown in Figure 1, the method of this embodiment includes the following steps:
[0052] Step 110: Obtain historical data of network devices in the current network environment.
[0053] In the embodiment of the present invention, the historical data of the network device specifically refers to information recording whether the network device has been attacked, the type and source of the attack, and the insecure factors of the network device in the current network environment.
[0054] Step 120: Perform semantic processing on historical data according to preset semantic tag types to obtain tag data.
[0055] In the embodiment of the present invention, the semantic tag type is set by the user (or technician) in advance. The user (or technician) creates a storage structure in the database in advance, and stores the semantic tag type in the storage structure. The database may be set inside or outside the electronic device, which is not limited in the embodiment of the present invention.
[0056] The semantic tag types specifically include: at least one of attack behavior type, beacon type, malicious code type, insecure factor type, attack tool type, threat source type, and attack target type.
[0057] According to at least one of the attack behavior type, beacon type, malicious code type, insecure factor type, attack tool type, threat source type and attack target type, the electronic device extracts from the historical data the label information that matches each type, and uses the extracted pieces of label information as the label data.
[0058] Step 130: Create a threat knowledge graph based on the tag data and the stored threat mode of the network environment.
[0059] In the embodiment of the present invention, after analyzing the historical data of the network device, the user (or technician) can derive some threat modes (or threat awareness) that pose a security threat to the existing network environment, for example malicious code transmission behavior, C&C attacks, etc.
[0060] After obtaining these threat modes (or threat awareness), the user stores them in the electronic device. The electronic device creates a threat knowledge graph based on the acquired tag data and the threat modes (or threat awareness).
[0061] In the embodiment of the present invention, the threat knowledge graph is composed of pieces of knowledge, each represented as an SPO (subject-predicate-object) triple. In one implementation a triple takes the form Entity1-Relation-Entity2 (for example, China-Capital-Beijing); in another it takes the form Entity-Attribute-Attribute Value (for example, Beijing-population-20.693 million).
[0062] In one example, the known threat mode (or threat awareness) is that an xxx vulnerability of the network device is used to perform a yyy behavior on the network device. The electronic device maps the threat mode (or threat awareness) onto the network device; the content of the mapping includes the point at which the asset can be exploited, the acquired threat behavior data, and so on.
[0063] The threat knowledge graph formed by the electronic device is then: attack target A is the entity, the threat type is the attribute, and the number of threats is the attribute value.
[0064] Step 140: Construct a threat analysis model through the threat knowledge graph and pre-configured threat sample data.
[0065] In the embodiment of the present invention, after the electronic device forms the threat knowledge graph, it obtains pre-configured threat sample data. The pre-configured threat sample data can also be called threat training data, and it contains a large number of known threat modes (or threat awareness).
[0066] The electronic device builds a threat analysis model by learning from the known threat modes (or threat awareness) and from the threat knowledge graph constructed in step 130.
[0067] The threat analysis model learns the threat behavior patterns of the known categories from the threat training data.
[0068] It should be noted that the threat analysis model in the embodiment of the present invention may be a machine learning component (or module).
[0069] Step 150: When the current data of the network device is received, input the current data into the threat analysis model to obtain the threat analysis result of the current data.
[0070] In the embodiment of the present invention, after the electronic device has constructed the threat analysis model, it can perform threat analysis on current data of the network device that is subsequently received, to obtain the threat analysis result for that current data. The threat analysis result is the threat type to which the current data belongs.
[0071] For example, after receiving the current data, the electronic device performs semantic processing on it and determines that the label data contained in the current data is: "Attack Behavior Type" is "Mail" and "Communication"; the "Insecure Factor Type", "Attack Target Type" and other fields are not empty; and so on. The electronic device inputs this label data into the threat analysis model, which then returns the threat analysis result: the current data is a mail threat.
[0072] Step 160: Update the threat knowledge graph according to the threat analysis result.
[0073] In the embodiment of the present invention, after obtaining the threat analysis result of the current data, the electronic device stores the result of semantic processing of the current data in the threat knowledge graph, and then updates the threat knowledge graph.
[0074] Therefore, by applying the network threat analysis provided by the embodiment of the present invention, the electronic device performs semantic processing on the historical data of the network device to obtain label data; creates a threat knowledge graph based on the label data and the known threats to the network environment; builds a threat analysis model from the threat knowledge graph and pre-configured threat sample data; and, when current data of the network device is received, uses the threat analysis model to obtain the threat analysis result and updates the threat knowledge graph. This scheme realizes the effective integration of human experience and automated analysis technology, and can more comprehensively counter the adversarial nature and uncertainty of the network security field.
[0075] The network threat analysis method provided by the embodiment of the present invention realizes automatic discovery, identification and analysis of controllable network threats, and improves the accuracy with which network threats are controlled.
[0076] The solution provided by the embodiment of the present invention is explained in detail below with reference to Figure 2, which is a flowchart of another network threat analysis method provided by an embodiment of the present invention. In this embodiment, the implementing subject is an electronic device, which may be a terminal device (for example, a personal computer or a desktop computer) or a server. As shown in Figure 2, the method of this embodiment includes the following steps:
[0077] Step 200: The electronic device obtains historical data of the network device in the current network environment.
[0078] Step 201: According to the preset semantic tag type, the electronic device performs semantic processing on historical data to obtain tag data.
[0079] In the embodiment of the present invention, the implementation process of step 200 to step 201 is similar to step 110 to step 120 of the foregoing method embodiment, and will not be repeated here.
[0080] In an example, the electronic device processes historical data into the following format according to the semantic tag type described in the foregoing embodiment.
[0081] The specific format is as follows, where "label" represents the attack behavior type, "beacon" the beacon type, "is_malicious" the malicious code type, "utilize" the insecure factor type (such as vulnerabilities), "tool" the attack tool type, "source" the threat source type, and "object" the attack target type.
[0082] Further, within the beacon type, "cp" holds the address and port information stored about the electronic device, and "domain" holds the domain name information.
[0085] Step 202: The electronic device stores the tag data under the semantic tag types contained in the storage structure of the database.
[0086] In the embodiment of the present invention, the electronic device stores the tag information that matches each semantic tag type recorded in the format of step 201 into the created storage structure in the database one by one.
[0087] Step 203: According to the tag data and the stored threat mode of the network environment, the electronic device creates a threat knowledge graph.
[0088] In the embodiment of the present invention, the electronic device obtains at least one threat attribute of the threat mode of the network environment (for example, which vulnerability is used, the specific threat behavior, etc.); when the label data contains label information corresponding to the at least one threat attribute, the electronic device establishes a mapping relationship between the network device and that label information, and uses the mapping relationship as the threat knowledge graph.
[0089] The specific form of the threat knowledge graph has been described in detail in the foregoing embodiment, and will not be repeated here.
[0090] Step 204: The electronic device constructs a threat analysis model through the threat knowledge graph and the pre-configured threat sample data.
[0091] Step 205: When receiving the current data of the network device, the electronic device inputs the current data into the threat analysis model to obtain the threat analysis result of the current data.
[0092] Step 206: According to the threat analysis result, the electronic device updates the threat knowledge graph.
[0093] In the embodiment of the present invention, the implementation process of step 204 to step 206 is similar to step 140 to step 160 of the foregoing method embodiment, and will not be repeated here.
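The loop of steps 201 to 206 as an added Python sketch (a constructed example, not the patent's or Antiy's code): records are tagged in the label/beacon/is_malicious/utilize/tool/source/object format of paragraphs [0081]-[0082], a graph of (attack target, threat type, count) triples is built only where every attribute of a stored threat mode has matching tag information, a simple vote-count model stands in for the machine-learning component, and the result is written back into the graph. The raw event field names, the two threat modes' attribute sets and all sample records are assumptions.

```python
"""Constructed sketch of steps 201-206 (not the patent's code); tag names follow the page."""
from collections import Counter, defaultdict

TAG_TYPES = ("label", "beacon", "is_malicious", "utilize", "tool", "source", "object")

# Stored threat modes (step 203): the tag types that must be present for each mode.
THREAT_MODES = {
    "malicious code transmission": ("is_malicious", "object"),
    "C&C attack": ("beacon", "object"),
}

def semantic_process(event):
    """Step 201: raw event (constructed field names) -> the page's tag format."""
    return {"label": event.get("attack"), "is_malicious": event.get("malware"),
            "utilize": event.get("vuln"), "tool": event.get("tool"),
            "source": event.get("src"), "object": event.get("dst"),
            "beacon": {"cp": event.get("c2"), "domain": event.get("c2_domain")}}

def has_tag(tags, tag_type):
    """A beacon counts as present only when it carries an address:port or a domain."""
    value = tags.get(tag_type)
    if tag_type == "beacon":
        return bool(value and (value.get("cp") or value.get("domain")))
    return bool(value)

def build_graph(tag_records, modes=THREAT_MODES):
    """Step 203: graph[attack target][threat type] = number of threats; a record is
    mapped onto a device only if every attribute of a stored threat mode is tagged."""
    graph = defaultdict(Counter)
    for tags in tag_records:
        for mode, attrs in modes.items():
            if all(has_tag(tags, a) for a in attrs):
                graph[tags["object"]][mode] += 1
    return graph

def triples(graph):
    """Flatten the graph into SPO triples (entity, attribute, attribute value)."""
    return sorted((s, p, o) for s, ps in graph.items() for p, o in ps.items())

class ThreatModel:
    """Step 204: a per-feature vote count standing in for the ML component."""
    def __init__(self):
        self.votes = defaultdict(Counter)  # feature -> Counter of threat types

    @staticmethod
    def features(tags):
        return [(t, "present") if t == "beacon" else (t, tags[t])
                for t in TAG_TYPES if has_tag(tags, t)]

    def fit(self, samples):
        """samples: (tags, threat type) pairs from the threat training data."""
        for tags, threat_type in samples:
            for f in self.features(tags):
                self.votes[f][threat_type] += 1
        return self

    def predict(self, tags):
        """Step 205: the threat type with the most votes, or 'unknown' if none match."""
        score = Counter()
        for f in self.features(tags):
            score.update(self.votes.get(f, {}))
        return score.most_common(1)[0][0] if score else "unknown"

def update_graph(graph, tags, result):
    """Step 206: write the analysed current data back into the graph."""
    graph[tags["object"]][result] += 1
    return graph

# Constructed sample input: historical events, labelled training data, one new event.
HISTORY = [
    {"attack": "mail", "malware": "macro-dropper", "dst": "mail-gw"},
    {"attack": "communication", "c2": "203.0.113.7:443", "dst": "host-17"},
    {"attack": "communication", "c2_domain": "c2.example", "malware": "rat-x", "dst": "host-17"},
]
SAMPLES = [(semantic_process(e), c) for e, c in [
    ({"attack": "mail", "malware": "macro-dropper", "dst": "mail-gw"}, "mail threat"),
    ({"attack": "mail", "dst": "mail-gw"}, "mail threat"),
    ({"attack": "communication", "c2": "203.0.113.7:443", "dst": "host-17"}, "C&C attack"),
    ({"attack": "exploit", "vuln": "smb-v1-enabled", "dst": "file-01"}, "vulnerability exploitation"),
]]
CURRENT = {"attack": "mail", "malware": "macro-dropper", "dst": "mail-gw-2"}

def run_pipeline(history=HISTORY, samples=SAMPLES, current=CURRENT):
    """Steps 201-206 end to end: returns the analysis result and the updated graph."""
    graph = build_graph(semantic_process(e) for e in history)
    tags = semantic_process(current)
    result = ThreatModel().fit(samples).predict(tags)
    return result, triples(update_graph(graph, tags, result))
```

The second history event has a beacon but no malicious-code tag, so it maps onto "C&C attack" only; the third carries both and is counted under both modes, which is what the attribute-presence rule of step 203 produces.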
[0094] Step 207: The electronic device displays the threat analysis result.
[0095] In the embodiment of the present invention, after the electronic device obtains the threat analysis result in step 206, the electronic device displays the threat analysis result on its own display screen.
[0096] Step 208: The electronic device receives an adjustment instruction input by the user according to the threat analysis result.
[0097] In the embodiment of the present invention, after the electronic device displays the threat analysis result, the user inputs an adjustment instruction according to the displayed threat analysis result.
[0098] For example, based on the threat analysis result, the user can adjust the semantic tag types, the mapping relationship established in the threat knowledge graph, and the algorithm parameters of the threat analysis model. The user inputs an adjustment instruction that includes a first field for modifying the semantic tag type, a second field for modifying the mapping relationship, and a third field for modifying the parameters of the threat analysis model.
[0099] It is understood that the user can adjust the semantic tag type, the mapping relationship or the algorithm parameters individually, or adjust each of them separately multiple times.
[0100] Here, algorithm parameters specifically refer to hyperparameters, that is, parameters set manually by the user before the threat analysis model starts the learning process, rather than parameters obtained through training.
[0101] One example is adjustment of the learning rate. Generally, as the number of iterations increases, when the loss function no longer reaches a better value, training of the model is suspended; the learning rate is then adjusted to 1/10 of its original value and training continues.
[0102] Step 209: Using the first field, the second field, and the third field, the electronic device modifies the semantic tag type, the mapping relationship, and the threat analysis model parameters.
[0103] In the embodiment of the present invention, the electronic device takes from the adjustment instruction the field corresponding to each piece of content to be modified, and modifies that content according to the field's value.
[0104] It is understood that the electronic device also stores the content corrected according to the user's adjustment instruction in the storage structure, thereby updating the threat knowledge graph. The electronic device repeats the aforementioned steps 200-209 and gradually, through iteration, forms an automated analysis capability for network threats.
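Steps 207-209 and the learning-rate rule of paragraph [0101], as an added Python example (constructed; not the patent's or Antiy's code): a plateau detector decides when the loss has stopped improving and drops the learning rate to 1/10, and a three-field adjustment instruction modifies the tag types, the graph mapping and the model hyperparameters without mutating the previous state. The field names, the value layouts and the plateau heuristic are assumptions.

```python
"""Constructed sketch of steps 207-209 and the learning-rate rule of [0101]; not the patent's code."""

def loss_plateaued(losses, patience=3, min_delta=0.01):
    """True when the last `patience` iterations did not beat the best earlier loss
    by at least min_delta (an assumed way to detect 'loss no longer improves')."""
    if len(losses) <= patience:
        return False
    best_before = min(losses[:-patience])
    return min(losses[-patience:]) > best_before - min_delta

def adjust_learning_rate(params, losses, factor=0.1):
    """[0101]: when training stalls, set the learning rate to 1/10 and continue."""
    if loss_plateaued(losses):
        return dict(params, lr=params["lr"] * factor)
    return dict(params)

def apply_adjustment(state, instruction):
    """Step 209: apply the three fields of a user adjustment instruction.
    Field names and value layouts are assumptions:
      first  -> {"add": [tag types], "remove": [tag types]}
      second -> [(device, threat type, count or None to drop the mapping)]
      third  -> {hyperparameter: value}"""
    tag_types = set(state["tag_types"])
    tag_types |= set(instruction.get("first", {}).get("add", ()))
    tag_types -= set(instruction.get("first", {}).get("remove", ()))
    # Copy the graph so the previous state stays intact for comparison.
    graph = {device: dict(attrs) for device, attrs in state["graph"].items()}
    for device, threat_type, count in instruction.get("second", ()):
        if count is None:
            graph.get(device, {}).pop(threat_type, None)
        else:
            graph.setdefault(device, {})[threat_type] = count
    params = dict(state["params"], **instruction.get("third", {}))
    return {"tag_types": tag_types, "graph": graph, "params": params}

# Constructed state after one pass of steps 200-206, and one constructed instruction.
STATE = {
    "tag_types": {"label", "beacon", "is_malicious", "utilize", "tool", "source", "object"},
    "graph": {"host-17": {"C&C attack": 2, "malicious code transmission": 1}},
    "params": {"lr": 0.01, "epochs": 20},
}
INSTRUCTION = {
    "first": {"add": ["campaign"], "remove": ["tool"]},
    "second": [("host-17", "malicious code transmission", None), ("mail-gw", "mail threat", 3)],
    "third": {"epochs": 40},
}
```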
[0105] It should be noted that the electronic device can execute the process of displaying the threat analysis result and receiving the adjustment instruction input by the user through its own display device and input device. In practical applications, the electronic device can also construct an interactive module, through which the process of displaying the threat analysis result and receiving the adjustment instruction input by the user is completed.
[0106] In the embodiment of the present invention, the electronic device performs semantic processing on the historical data of the network device to obtain label data; creates a threat knowledge graph based on the label data and the known threats to the network environment; builds a threat analysis model from the threat knowledge graph and pre-configured threat sample data; and, when current data of the network device is received, uses the threat analysis model to obtain the threat analysis result and updates the threat knowledge graph. This scheme realizes the effective integration of human experience and automated analysis technology, and can more comprehensively counter the adversarial nature and uncertainty of the network security field.
[0107] The network threat analysis method provided by the embodiment of the present invention realizes automatic discovery, identification and automatic analysis of controllable network threats, and improves the accuracy of control of network threats.
[0108] Figure 3 is a schematic structural diagram of a network threat analysis apparatus provided by an embodiment of the present invention. As shown in Figure 3, the network threat analysis apparatus may include: a first acquisition unit 310, a processing unit 320, a creation unit 330, a construction unit 340, a second acquisition unit 350 and an update unit 360.
[0109] The first acquisition unit 310 is configured to obtain historical data of network devices in the current network environment;
[0110] The processing unit 320 is configured to perform semantic processing on the historical data according to preset semantic tag types to obtain tag data;
[0111] The creating unit 330 is configured to create a threat knowledge graph based on the tag data and the stored threat mode of the network environment;
[0112] The construction unit 340 is configured to construct a threat analysis model through the threat knowledge graph and pre-configured threat sample data;
[0113] The second acquiring unit 350 is configured to input the current data into the threat analysis model when receiving the current data of the network device to obtain the threat analysis result of the current data;
[0114] The update unit 360 is configured to update the threat knowledge graph according to the threat analysis result.
[0115] Optionally, the semantic tag type includes at least one of attack behavior type, beacon type, malicious code type, insecure factor type, attack tool type, threat source type, and attack target type;
[0116] The processing unit 320 is specifically configured to extract from the historical data, according to at least one of the attack behavior type, beacon type, malicious code type, insecure factor type, attack tool type, threat source type and attack target type, the label information corresponding to each type;
[0117] the extracted label information is used as the label data.
[0118] Optionally, the creating unit 330 is specifically configured to obtain at least one threat attribute of the threat mode of the network environment;
[0119] When there is tag information corresponding to the at least one threat attribute in the tag data, establishing a mapping relationship between the network device and the tag information;
[0120] Use the mapping relationship as the threat knowledge graph.
[0121] Optionally, the device further includes:
[0122] A display unit (not shown in the figure) for displaying the threat analysis result;
[0123] A receiving unit (not shown in the figure), configured to receive an adjustment instruction input by the user according to the threat analysis result, the adjustment instruction including a first field for modifying the semantic tag type, a second field for modifying the mapping relationship, and a third field for modifying the parameters of the threat analysis model;
[0124] A correction unit (not shown in the figure), configured to use the first field, the second field and the third field to modify the semantic tag type, the mapping relationship and the parameters of the threat analysis model.
[0125] The device of the embodiment of the present invention can be used to execute the technical solutions of the method embodiments illustrated in Figures 1 and 2; its implementation principles and technical effects are similar and will not be repeated here.
[0126] Correspondingly, the network threat analysis device provided by the embodiment of the present invention can also be implemented in another structure. Figure 4 is a schematic structural diagram of an embodiment of an electronic device provided by the present invention, which can realize the flow of the embodiments illustrated in Figures 1-2. As shown in Figure 4, the electronic device may include a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45. The circuit board 44 is arranged inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to the circuits and devices of the electronic device; the memory 43 stores executable program code; and the processor 42 runs the program corresponding to the executable program code by reading it from the memory 43, so as to execute the method described in the foregoing embodiments.
[0127] For the specific process by which the processor 42 executes the above steps, and for the further steps it executes by running the executable program code, refer to the description of the embodiments illustrated in Figures 1-2 of the present invention, which will not be repeated here.
[0128] The electronic device is a device that provides computing services. It is composed of a processor, hard disk, memory, system bus, etc., and is similar in architecture to a general-purpose computer, but because it must provide highly reliable services it has higher requirements in terms of performance, reliability, security, scalability and manageability.
[0129] Correspondingly, an embodiment of the present invention provides a computer-readable storage medium, and the computer-readable storage medium stores one or more programs. Among them, one or more programs may be executed by one or more processors to implement the network threat analysis method described in the foregoing embodiment.
[0130] It should be noted that in this document, terms such as "comprise", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further restriction, an element defined by the phrase "comprising a ..." does not exclude the existence of other identical elements in the process, method, article or device that comprises it.
[0131] The various embodiments in this specification are described in a related manner, and the same or similar parts between the various embodiments can be referred to each other, and each embodiment focuses on the differences from other embodiments.
[0132] In particular, as for the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for related parts, please refer to the part of the description of the method embodiment.
[0133] The logic and/or steps represented in the flowcharts or otherwise described herein can be considered a sequenced list of executable instructions for implementing logic functions, and can be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch and execute instructions from an instruction execution system, apparatus or device). For the purposes of this specification, a "computer-readable medium" can be any apparatus that can contain, store, communicate, propagate or transmit a program for use by, or in combination with, an instruction execution system, apparatus or device.
[0134] More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) with one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), a fiber-optic device, and portable compact disc read-only memory (CD-ROM). The computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it as necessary, and then stored in computer memory.
[0135] It should be understood that each part of the present invention can be implemented by hardware, software, firmware or a combination thereof.
[0136] In the foregoing embodiments, multiple steps or methods can be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they can be implemented by any one or a combination of the following technologies known in the art: discrete logic circuits with logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), etc.
[0137] Those of ordinary skill in the art can understand that all or part of the steps of the methods of the foregoing embodiments can be completed by a program instructing the relevant hardware, and the program can be stored in a computer-readable storage medium; when executed, it performs one of the steps of the method embodiments or a combination thereof.
[0138] For the convenience of description, the above devices are described in terms of functions divided into various units/modules. Of course, when implementing the present invention, the functions of each unit/module can be implemented in the same one or more software and/or hardware.
[0139] From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or a CD-ROM, and includes a number of instructions that enable a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the various embodiments, or in some parts of the embodiments, of the present invention.

