A method, apparatus and medium for updating local threat intelligence data
By comparing the differences between cloud-based and local threat intelligence data, and using synchronous or asynchronous tasks to update local devices, the timeliness and accuracy issues of threat intelligence data synchronization are resolved, resulting in more efficient threat detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- QI AN XIN TECHNOLOGY GROUP INC
- Filing Date
- 2023-04-18
- Publication Date
- 2026-06-09
AI Technical Summary
In existing technologies, threat intelligence data suffers from timeliness and accuracy issues when synchronizing with local data in the cloud. In particular, network failures or synchronization mechanism problems can lead to significant discrepancies between local and cloud-based intelligence data, affecting the timeliness and accuracy of threat detection.
By comparing the differences between cloud and local threat intelligence data, the system obtains and updates the data accordingly. It then uses synchronous or asynchronous tasks to promptly push the threat intelligence changes from the cloud to local devices, and optimizes the data updates by combining the comparison fields and weight values selected by the user.
It improves the accuracy and timeliness of threat intelligence data updates, reduces the frequency of unnecessary local device data updates, and enhances the accuracy and immediacy of threat analysis and detection.
Smart Images

Figure CN116389510B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of threat detection, and more specifically, embodiments of this application relate to a method, apparatus, and medium for updating local threat intelligence data. Background Technology
[0002] In threat detection and analysis, the real-time nature and accuracy of threat intelligence detection are crucial requirements and objectives for security products and security analysis. With the increasing number of advanced threats identified through threat intelligence analysis, updating intelligence data and improving its accuracy are currently the primary goals pursued by security products.
[0003] The typical practice for updating threat intelligence data is to periodically upgrade cloud-based threat intelligence data to on-premises (products or servers). This process heavily relies on the update frequency of the cloud and the on-premises data, including the volume of data being upgraded. When the cloud-to-on-premises synchronization mechanism malfunctions or network failures occur, significant discrepancies arise between the on-premises and cloud-based intelligence data, impacting the timeliness and accuracy of threat detection. Even retrying or reducing the upgrade frequency cannot completely eliminate the impact of real-time intelligence changes. Summary of the Invention
[0004] The purpose of this application is to provide a method, apparatus, and medium for updating local threat intelligence data. The technical solution of this application can ensure the timeliness and accuracy of threat intelligence data updates, and push the changes in threat intelligence from the cloud to the local device completely and in a timely manner.
[0005] In a first aspect, embodiments of this application provide a method for updating local threat intelligence data, the method comprising: obtaining a comparison field selected from multiple fields; comparing cloud-based threat intelligence data with local threat intelligence data based on the comparison field to obtain differential threat intelligence data; and updating the local threat intelligence data based on the differential threat intelligence data.
[0006] Some embodiments of this application improve the accuracy and timeliness of data updates by comparing selected comparison fields to determine the threat intelligence data that needs to be updated.
[0007] In some embodiments, obtaining the field to be compared selected from multiple fields includes: obtaining the field to be compared in response to a user's selection operation of the multiple fields on a web page.
[0008] Some embodiments of this application allow users to select fields of interest through user intervention, making the updated data obtained based on these fields more in line with user needs and improving the application scenarios of the technical solution.
[0009] In some embodiments, updating the local threat intelligence data based on the differential threat intelligence data includes: updating the local threat intelligence data based on the differential threat intelligence data and the compared field in response to a user-selected synchronization operation; or, updating the local threat intelligence data based on the differential threat intelligence data and the compared field when performing batch data synchronization using an asynchronous task.
[0010] Some embodiments of this application update the threat intelligence data of the local device relative to the cloud in a synchronous or asynchronous manner, thereby improving the versatility of the technical solution and pushing the changes in threat intelligence from the cloud to the local device completely and in a timely manner.
[0011] In some embodiments, the threat intelligence data belongs to a target data type among multiple data types, and each data type is characterized by multiple dimensions, each dimension including multiple fields. The field being compared belongs to the fields included in all dimensions. Before obtaining the differential threat intelligence data, the method further includes: confirming that the total cloud-ground data difference corresponding to the differential threat intelligence data is greater than the difference threshold. The total cloud-ground data difference is determined by the field difference of the field being compared in all dimensions corresponding to the target data type.
[0012] Some embodiments of this application update the local device's threat intelligence data only when the difference between the threat intelligence data in the cloud and the locally stored data is confirmed to be sufficiently large, thereby reducing overly frequent data updates to the local device.
[0013] In some embodiments, before confirming that the total cloud-ground data difference corresponding to the differential threat intelligence data is greater than the difference threshold, the method includes: obtaining the field difference corresponding to each field in the compared fields; and obtaining the total cloud-ground data difference based at least on the field difference.
[0014] Some embodiments of this application determine the total cloud-to-ground data difference by obtaining the field difference of the compared fields, thereby improving the accuracy of the obtained value.
[0015] In some embodiments, obtaining the total cloud-ground data difference based at least on the field difference includes: determining the weight value of the field difference based on the weight value of the dimension to which the field corresponding to the field difference belongs, wherein the weight values corresponding to different dimensions are different; and obtaining the total cloud-ground data difference based on the weight value and the field difference.
[0016] Some embodiments of this application also assign corresponding weight values to each dimension according to their importance, and then comprehensively determine the total amount of cloud and ground data differences based on the weight values and the corresponding field differences, thereby improving the accuracy of the value.
[0017] In some embodiments, the weight value is related to the priority corresponding to the respective dimension.
[0018] In some embodiments, the target data type is IP reputation data, and the multiple dimensions corresponding to the IP reputation data are: basic information, geographical information, compromise information, malicious behavior information, and summary information. The multiple dimensions are ordered from highest to lowest priority as follows: basic information, malicious behavior information, compromise information, summary information, and geographical information. Before determining the weight value of the field difference based on the weight value of the dimension to which the field difference belongs, the method further includes: setting a corresponding weight value for each dimension among the multiple dimensions corresponding to the IP reputation data according to the principle that the higher the priority, the greater the weight value.
[0019] Some embodiments of this application set corresponding weight values for different dimensions according to priority, and the higher the priority, the greater the weight value. This can ensure that updates of high-priority dimensions are more easily detected, and improve the speed and timeliness of obtaining sensitive updated data.
[0020] In some embodiments, the basic information includes: Autonomous System Number (ASN) information, agent information, user type, or whether it belongs to an Internet Data Center (IDC).
[0021] In some embodiments, the malicious behavior information is used to characterize whether different malicious behaviors exist and when each different malicious behavior occurs.
[0022] In some embodiments, the compromise information includes: the time of each compromise, the type of malware, and the malware family.
[0023] In some embodiments, the summary information includes: recommended whitelisting level, network type, malicious label, and whether it has been compromised.
[0024] In some embodiments, the geographic information includes: country, province / state, city, district / county, and latitude and longitude.
[0025] In some embodiments, the multiple data types further include: a vulnerability detection data type and a file reputation data type, with the multiple dimensions corresponding to the vulnerability detection data type being: basic information, associated information, and judgment information, and the multiple dimensions corresponding to the file reputation data type being: basic information, judgment information, and network behavior.
[0026] Secondly, some embodiments of this application provide an apparatus for updating local device threat intelligence data. The apparatus includes: a field selection module configured to select a comparison field from a plurality of fields; a comparison module configured to compare cloud-based threat intelligence data with local threat intelligence data based on the comparison field to obtain differential threat intelligence data; and an update module configured to update the local threat intelligence data based on the differential threat intelligence data during data synchronization.
[0027] Thirdly, some embodiments of this application provide a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, can implement the method described in any embodiment of the first aspect.
[0028] Fourthly, some embodiments of this application provide an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, can implement the method as described in any embodiment of the first aspect. Attached Figure Description
[0029] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0030] Figure 1 An architecture diagram of a system for updating local threat intelligence data provided in this application embodiment;
[0031] Figure 2 One of the flowcharts for a method of updating local threat intelligence data provided in the embodiments of this application;
[0032] Figure 3 A block diagram showing the module composition of each terminal for updating local threat intelligence data, provided in the embodiments of this application;
[0033] Figure 4 A second flowchart illustrating the method for updating local threat intelligence data provided in this application embodiment;
[0034] Figure 5 A block diagram of the apparatus for updating local threat intelligence data provided in the embodiments of this application;
[0035] Figure 6 This is a schematic diagram of the electronic device provided in the embodiments of this application. Detailed Implementation
[0036] The technical solutions in the embodiments of this application will now be described with reference to the accompanying drawings.
[0037] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this application, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.
[0038] To address the problems existing in the background section, some embodiments of this application propose a method for updating local threat intelligence data. The threat intelligence data comparison algorithm in some embodiments of this application solves the timeliness problem of massive threat intelligence sinking and synchronization. A technical implementation optimized by using a backscan method in the data update scheme is proposed, which enables local devices to obtain the latest IOC information in real time when using the sinked threat intelligence IOC, thereby improving the accuracy of threat analysis and detection.
[0039] In other words, unlike existing threat intelligence data updates on local devices on a scheduled basis, the embodiments of this application employ differentiated backscanning in terms of the content of threat intelligence data upgrades. For example, some embodiments of this application use two methods for data upgrade synchronization: the first is scheduled data synchronization upgrade, which involves data acquisition and local updates under normal network conditions; the second is asynchronous task backscanning processing, which provides backscanning updates for specific sets of data (e.g., specifying specific sets of data through the compared field), batch cloud acquisition of updates, and manual data updates.
[0040] Please refer to Figure 1 , Figure 1 A system for updating local threat intelligence data, provided for some embodiments of this application, includes: at least one local device (e.g., Figure 1 The first terminal 100) and the server 200 located in the cloud, it is understood that the cloud may also include multiple servers.
[0041] In some embodiments of this application, the local device needs to obtain the latest threat intelligence data from a cloud server in order to perform threat detection on the local device.
[0042] Unlike related technologies that provide threat intelligence data to local devices in full or incremental form on a timed basis from the cloud, some embodiments of this application obtain difference data by comparing the differences between threat intelligence data from the cloud and local devices, and then provide the difference data to the local device.
[0043] It should be noted that some embodiments of this application can compare local threat intelligence data and cloud threat intelligence data in the cloud, while other embodiments of this application can compare local threat intelligence data and cloud threat intelligence data in a local device.
[0044] The following example illustrates a method for updating local threat intelligence data performed by a local device.
[0045] like Figure 2 As shown in some embodiments of this application, a method for updating local threat intelligence data is provided. The method includes: S101, obtaining a comparison field selected from multiple fields; S102, comparing cloud-based threat intelligence data with local threat intelligence data according to the comparison field to obtain differential threat intelligence data; S103, updating the local threat intelligence data according to the differential threat intelligence data.
[0046] It is easy to understand that some embodiments of this application improve the accuracy and timeliness of data updates by comparing selected comparison fields to determine the threat intelligence data that needs to be updated.
[0047] The following example illustrates... Figure 2 The implementation process of each step.
[0048] It is understandable that, since users sometimes do not need all fields in a data structure, some embodiments of this application have designed custom field comparison algorithms to address this situation.
[0049] In some embodiments of this application, S101 includes, for example, obtaining the compared fields in response to a user's selection operation on the plurality of fields on a web page. In other words, some embodiments of this application allow users to select fields of interest through user intervention, making the updated data obtained based on these fields more suitable for user needs and improving the application scenarios of the technical solution.
[0050] For example, users can uncheck fields they don't want to be compared by clicking on the header fields of an intelligence table on a web page, and then click save. These selections are then passed to the server via an API and saved locally as a configuration file. Each time cloud-based threat intelligence data is compared with threat intelligence data stored in a local database, some embodiments of this application read the user-saved configuration file to obtain the fields to be compared (i.e., the fields being compared).
[0051] Threat intelligence differs from other types of data in that it is composed of different data from multiple dimensions. Some embodiments of this application introduce a set of comparison algorithms based on different dimensions when comparing cloud and local threat intelligence data. These algorithms compare the required fields of the threat intelligence (i.e., the fields being compared) and determine whether the local threat intelligence data needs to be updated based on the results of the algorithms.
[0052] In other words, some embodiments of this application design multiple dimensions for different types of data and set multiple fields for each dimension. For example, the various data types in some embodiments of this application include: compromise detection data type, file reputation data type, and IP reputation data. The multiple dimensions corresponding to the detection data type are: basic information, correlation information, and analysis information. The multiple dimensions corresponding to the file reputation data type are: basic information, analysis information, and network behavior. The multiple dimensions corresponding to the IP reputation data are: basic information, geographical information, compromise information, malicious behavior information, and summary information.
[0053] The above-mentioned different types of data are categorized into the following dimensions:
[0054] The first data type: Failure detection data includes the following dimensions: basic information, related information, and analysis information.
[0055] i) Basic information includes the following fields: IOC itself, IOC type, and publication date.
[0056] ii) Related information includes the following fields: malicious family, attack group, alarm name, and affected platforms.
[0057] iii) The assessment information includes the following fields: confidence level, current status, threat level, kill chain status, tag, whether it is a targeted attack, and TTP technology, tactics and process information.
[0058] The second data type: IP reputation data is divided into the following dimensions: basic information, geographical information, compromise information, malicious behavior information, and summary information.
[0059] i) Basic information includes the following fields: ASN information, agent information, user type, and whether it belongs to an IDC.
[0060] ii) Geographic information includes the following fields: country, province / state, city, latitude and longitude, and district / county.
[0061] iii) The compromise information includes the following fields: time of each compromise, type of malware, and malware family. iv) The malicious behavior information includes the following fields: whether there are different malicious behaviors and their corresponding times.
[0062] v) The summary information includes the following fields: recommended whitelist level, network type, malicious label, and whether it has been compromised.
[0063] The third data type: Document reputation data includes the following dimensions: basic information, analytical information, and network behavior.
[0064] i) Basic information includes the following fields: file hash value, file type, file name, file size, occurrence time, and scan time.
[0065] ii) The analysis information includes the following fields: whether it is malicious, type of malicious activity, malicious family, whether it is a targeted attack, and attack group.
[0066] iii) Network behavior information includes the following fields: associated DNS, domain name, IP address, IOC, etc.
[0067] To avoid frequent updates to threat intelligence data on local devices, the sum of field differences of the required fields can be determined to reduce the number of updates. For example, in some embodiments of this application, the threat intelligence data in S102 belongs to a target data type among multiple data types, and each data type is characterized by multiple dimensions, each dimension including multiple fields. The field being compared belongs to the fields included in all dimensions. Before obtaining the differential threat intelligence data in S102, the method further includes: confirming that the total cloud-to-ground data difference corresponding to the differential threat intelligence data is greater than a difference threshold, wherein the total cloud-to-ground data difference is determined by the field differences of the compared fields of all dimensions corresponding to the target data type.
[0068] It is easy to understand that some embodiments of this application update the local device's threat intelligence data only when the difference between the threat intelligence data in the cloud and the locally stored data is confirmed to be large enough, thereby reducing the need for excessively frequent data updates to the local device.
[0069] In some embodiments of this application, before confirming that the total cloud-to-ground data difference corresponding to the differential threat intelligence data is greater than a difference threshold, the method includes: obtaining the field difference corresponding to each field in the compared fields; and obtaining the total cloud-to-ground data difference based at least on the field differences. Some embodiments of this application determine the total cloud-to-ground data difference by obtaining the field differences of the compared fields to improve the accuracy of the obtained value. Here, the field difference corresponding to each field refers to the data difference existing in each corresponding field in the threat intelligence data stored in the cloud and locally, and the total data difference can be obtained based on each field difference.
[0070] For example, in some embodiments of this application, obtaining the total cloud-to-ground data difference based at least on the field difference includes: determining a weight value for the field difference based on the weight value of the dimension to which the field corresponding to the field difference belongs, wherein different dimensions correspond to different weight values; and obtaining the total cloud-to-ground data difference based on the weight value and the field difference. Some embodiments of this application also assign corresponding weight values to each dimension according to their importance, and then comprehensively determine the total cloud-to-ground data difference based on the weight values and the corresponding field differences, thereby improving the accuracy of the obtained value. In some embodiments, the weight value is related to the priority corresponding to the respective dimension.
[0071] In other words, in some embodiments of this application, the target data type is IP reputation data, and the multiple dimensions corresponding to the IP reputation data are: basic information, geographical information, compromise information, malicious behavior information, and summary information. The multiple dimensions are ordered from highest to lowest priority as follows: basic information, malicious behavior information, compromise information, summary information, and geographical information. Before determining the weight value of the field difference based on the weight value of the dimension to which the field difference belongs, the method further includes: setting corresponding weight values for each dimension among the multiple dimensions corresponding to the IP reputation data according to the principle that higher priority means higher weight value. Some embodiments of this application set corresponding weight values for different dimensions according to priority, with higher priority resulting in higher weight values. This ensures that updates to high-priority dimensions are more easily detected, improving the speed and timeliness of acquiring sensitive updated data.
[0072] As described above, in some embodiments of this application, the dimensions corresponding to IP reputation data include the following field settings: the basic information includes: Autonomous System Number (ASN) information, proxy information, user type, or whether it belongs to an Internet Data Center (IDC); the malicious behavior information is used to characterize whether different malicious behaviors exist and the occurrence time of each different malicious behavior; the compromise information includes: the time of each compromise, the malicious type, and the malicious family; the summary information includes: suggested whitelisting level, network type, malicious label, and whether it has been compromised; the geographical information includes: country, province / state, city, district / county, and latitude and longitude.
[0073] The comparison method described above, provided in some embodiments of this application, is applicable to threat intelligence data and can provide a comprehensive and accurate cloud-to-ground data comparison method.
[0074] The formula for calculating the total difference between cloud and ground data is as follows:
[0075]
[0076] In the above formula, Delta represents the total difference between cloud and ground data, m is the dimension number of the data, pi represents the weight value of the i-th dimension, and ni represents the field difference in that dimension (hereinafter referred to as field difference). That is, the total difference between cloud and ground data is quantified as the sum of the number of field differences in each weighted dimension. The field difference in each dimension is obtained by comparing whether there are differences between the compared objects, avoiding homogenization in the comparison and improving accuracy and applicability. In some embodiments of this application, when Delta is greater than a certain threshold, it can be determined that there is a difference between cloud and ground data, and synchronization can be performed. Because massive amounts of data need to be selected for comparison, users can also customize this threshold to flexibly control the degree of cloud-ground comparison.
[0077] The overall idea behind calculating the field difference ni is to compare data from different dimensions in the cloud and on-premises. When discrepancies are found between the cloud and local data, the value of ni increases. This application uses IP reputation data as an example to describe the calculation process for ni. First, based on daily user attention and the importance of the fields, they are prioritized from highest to lowest as follows: basic information, malicious behavior information, compromise information, summary information, and geographical information. Initially, all fields are compared. In the basic information, if there is a discrepancy between the cloud and local data for a field, the data to be updated is recorded. In the malicious behavior information, more attention is paid to fields with a malicious behavior value of true, comparing them between the cloud and local data and recording the results. Data on malicious behavior is used to generate data in the summary information. In the compromise information, some embodiments of this application compare and synchronize the compromise records of the cloud and the ground. This data is used to generate malicious tags in the summary information and determine whether a compromise has occurred. In the summary information, by comparing the whitening level of the cloud and the ground, its values 1, 2, 3, 4, and 5 are divided into three intervals: 1 is the first interval, [2, 3] is the second interval, and [4, 5] is the third interval. When there is a change between intervals, the data is synchronized. In the geographic information, some embodiments of this application use a one-to-one comparison. Because the probability of changes in geographic information is low, the priority is defined as low. When the field of each dimension undergoes the above changes, its field difference ni is incremented by 1. Based on the above method and the user configuration field mentioned, when a high-priority field changes, or when multiple low-priority data changes, some embodiments of this application synchronize the cloud API data to the local machine. The following is a practical calculation example to describe how to calculate m, pi, ni, and Delta.
[0078] For example, suppose two fields in the basic information of a pair of IP reputation data are inconsistent, with a weight of 1 for the basic information; the local whitening level in the summary information is 1, while the cloud whitening level is 4, with a weight of 0.5 for the summary information; the other dimensions are the same, then m=5, p0=1, n0=2, p3=0.5. Observing that the whitening level in the summary information has changed from level 1 to level 3, a jump of two levels, n3=2. Therefore, according to the formula, Delta=1*2+0.5*2=3. If the threshold is ≥3, the current difference is considered acceptable, and synchronization is unnecessary; if the threshold is <3, the current difference is considered significant, and synchronization is required. Finally, the data results are updated and integrated based on the scores. The synchronized data is then reverse-processed to generate a format suitable for database storage, thus achieving backscanning and database storage of cloud and ground data.
[0079] In some embodiments of this application, S103, updating the local threat intelligence data based on the differential threat intelligence data, includes, for example, updating the local threat intelligence data based on the differential threat intelligence data and the compared field in response to a user-selected synchronization operation; or, updating the local threat intelligence data based on the differential threat intelligence data and the compared field when performing batch data synchronization using an asynchronous task.
[0080] For example, when a user clicks "one-click synchronization" or performs batch data synchronization using an asynchronous task, some embodiments of this application will also update the corresponding fields in the local data according to the contents of the configuration file (used to obtain the fields to be compared).
[0081] Some embodiments of this application update the threat intelligence data of the local device relative to the cloud in a synchronous or asynchronous manner, thereby improving the versatility of the technical solution and pushing the changes in threat intelligence from the cloud to the local device completely and in a timely manner.
[0082] Some embodiments of this application propose a method for updating threat intelligence data on local devices. This method is based on a threat intelligence differential comparison method, optimizes the synchronization scheme for the massive amounts of threat intelligence data updated daily, and adopts both synchronous and asynchronous methods. It simultaneously provides update methods for threat intelligence data and hotspot data, and utilizes a backscan mechanism to provide data updates and data context fields. This method and device have been applied and implemented in threat intelligence platform products, achieving good timeliness of intelligence updates and solving the problem of inaccurate intelligence caused by delayed updates. It improves the basis and context accuracy for users to assess and handle key IOC objects in threat analysis.
[0083] The following is combined Figure 3 This document provides an illustrative description of the functional modules that update local threat intelligence data on each endpoint.
[0084] The local intelligence storage module is responsible for periodically updating threat intelligence data and storing it on the local device.
[0085] The data storage module is modified to store data updated to the local device by synchronous and asynchronous task querying of threat intelligence.
[0086] The scheduled update module is used for asynchronous tasks, updating full or incremental information at regular intervals.
[0087] The backscan module is used for querying or batch importing, and the Indicator of Compromise (IOC) is updated in a polling manner.
[0088] The matching module is used to complete the difference information of data updates by comparing various fields, and at the same time update the Tactics, Techniques and Procedures (TTP) information.
[0089] The difference comparison module is used to... Figure 2 The algorithm and user configuration are used to compare the field differences between the updated incremental data and the local IOC of the same object entity, and data completion is supported after manual confirmation.
[0090] The intelligence processing and query module is used for batch data updates and local device updates.
[0091] like Figure 4 As shown, some embodiments of this application provide a method for updating local device threat intelligence data, the method comprising:
[0092] The first step is for the user to manually query a specific IOC and then import the IOCs to be queried in batches.
[0093] The second step is to determine whether the IOC data exists locally. If it does, proceed to the third step; otherwise, proceed to the seventh step.
[0094] The third step is to determine whether the time window T has been updated. If so, the IOC result is displayed; otherwise, the fourth step is executed.
[0095] The fourth step is to perform an IOC backscan, where the task scheduler queries the cloud IOC results based on the dataset in the query table.
[0096] Fifth step: Store to local IOC, then proceed to eighth step.
[0097] Step 6: Cloud-based intelligence query.
[0098] Step 7: Obtain the latest IOC results from the cloud.
[0099] Step 8: Match and determine field consistency.
[0100] Step 9: Determine whether local data needs to be updated. If not, local data will not be updated; otherwise, proceed to step 10.
[0101] Step 10: Compare the data differences and display them externally, while updating the local IOC data fields.
[0102] Step 11: Determine if any existing local data fields have been added or updated. If not, display the IOC result; otherwise, proceed to step 12.
[0103] Step 12: Add data fields and complete the TTP field Fuhua.
[0104] Step 13: Update local intelligence data (i.e., update local threat intelligence data).
[0105] Step fourteen, the end.
[0106] In other words, some embodiments of this application target IOC intelligence updates within a specific time window T. A task query table is maintained. When manually queried intelligence or when users import IOC datasets in batches, an asynchronous task is performed using a differential comparison algorithm to periodically request data from the cloud and save it locally. Once the user confirms the comparison results, the local data is updated. At this time, the updated data includes TTP (Technical, Tactical, and Procedures) update data, as well as more contextual update data, completing data supplementation and backscanning. Data comparison and judgment are performed for task queries within the time window T.
[0107] Please refer to Figure 5 , Figure 5 This application illustrates an apparatus for updating local device threat intelligence data, and it should be understood that this apparatus is similar to the one described above. Figure 2 Corresponding to the method embodiments, it can execute the various steps involved in the above method embodiments. The specific functions of the device can be found in the description above. To avoid repetition, detailed descriptions are appropriately omitted here. The device includes at least one software function module that can be stored in the memory or embedded in the device's operating system in the form of software or firmware. The device for updating local device threat intelligence data includes: a field selection module 101, a comparison module 102, and an update module 103.
[0108] The field selection module is configured to select the field to be compared from multiple fields.
[0109] The comparison module is configured to compare cloud-based threat intelligence data with local threat intelligence data based on the compared fields to obtain differential threat intelligence data.
[0110] The update module is configured to update the local threat intelligence data based on the differential threat intelligence data during data synchronization.
[0111] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process of the device described above can be referred to the corresponding process in the aforementioned method, and will not be elaborated further here.
[0112] Some embodiments of this application provide a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, can implement the method described in any of the embodiments of the method for updating local device threat intelligence data described above.
[0113] like Figure 6 As shown, some embodiments of this application provide an electronic device 500, including a memory 510, a processor 520, and a computer program stored in the memory 510 and executable on the processor 520, wherein when the processor 520 reads and executes the program via a bus 530, it can implement the method described in any of the embodiments of the method for updating local device threat intelligence data described above.
[0114] Processor 520 can process digital signals and can include various computing architectures. For example, it can be a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements multiple instruction set combinations. In some examples, processor 520 can be a microprocessor.
[0115] The memory 510 can be used to store instructions executed by the processor 520 or data related to the execution of instructions. These instructions and / or data may include code used to implement some or all of the functions of one or more modules described in the embodiments of this application. The processor 520 of the embodiments of this disclosure can be used to execute the instructions in the memory 510 to implement… Figure 2 The method shown. Memory 510 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memory well known to those skilled in the art.
[0116] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can also be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions marked in the blocks may occur in a different order than those marked in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram and / or flowchart, and combinations of blocks in block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or action, or using a combination of dedicated hardware and computer instructions.
[0117] In addition, the functional modules in the various embodiments of this application can be integrated together to form an independent part, or each module can exist independently, or two or more modules can be integrated to form an independent part.
[0118] If the aforementioned functions are implemented as software functional modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0119] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application. It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.
[0120] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
[0121] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
Claims
1. A method for updating local threat intelligence data, characterized in that, The method includes: Get the field difference for each field in the compared fields; At least the total cloud-ground data difference should be obtained based on the aforementioned field differences; Confirm that the total cloud-ground data difference corresponding to the differential threat intelligence data is greater than the difference threshold, wherein the total cloud-ground data difference is determined by the field difference of the compared fields of all dimensions corresponding to the target data type; Retrieves the field to be compared selected from multiple fields; Based on the compared fields, cloud-based threat intelligence data is compared with local threat intelligence data to obtain differential threat intelligence data; Update the local threat intelligence data based on the differential threat intelligence data; The total amount of cloud-ground data difference is obtained at least based on the field differences, including: The weight value of the field difference is determined based on the weight value of the dimension to which the field to which the field difference belongs, wherein the weight value is different for different dimensions; The total difference in cloud and ground data is obtained based on the weight value and the field difference.
2. The method as described in claim 1, characterized in that, The step of obtaining the comparison field selected from multiple fields includes: In response to a user's selection of the multiple fields on a web page, the field being compared is obtained.
3. The method as described in claim 1, characterized in that, The step of updating the local threat intelligence data based on the differential threat intelligence data includes: In response to a user-selected synchronization operation, the local threat intelligence data is updated based on the differential threat intelligence data and the compared field; or, When performing batch data synchronization using an asynchronous task, the local threat intelligence data is updated based on the differential threat intelligence data and the compared field.
4. The method as described in claim 1, characterized in that, The threat intelligence data belongs to the target data type among multiple data types, and each data type is represented by multiple dimensions. Each dimension includes multiple fields, and the field being compared belongs to the fields included in all dimensions.
5. The method as described in claim 1, characterized in that, The weight values are related to the priority of the corresponding dimension.
6. The method as described in claim 5, characterized in that, The target data type is IP reputation data, and the multiple dimensions corresponding to the IP reputation data are: basic information, geographical information, compromise information, malicious behavior information, and summary information. The priority of these dimensions, from highest to lowest, is: basic information, malicious behavior information, compromise information, summary information, and geographical information. Before determining the weight value of the field difference based on the weight value of the dimension to which the corresponding field belongs, the method further includes: Based on the principle that higher priority means higher weight, corresponding weight values are set for each dimension among the multiple dimensions corresponding to the IP reputation data.
7. The method as described in claim 6, characterized in that, The basic information includes: Autonomous System ID information, agent information, user type, or whether it belongs to an Internet Data Center (IDC).
8. The method as described in claim 6, characterized in that, The malicious behavior information is used to characterize whether different malicious behaviors exist and when each different malicious behavior occurs.
9. The method as described in claim 6, characterized in that, The compromise information includes: the time of each compromise, the type of malware, and the malware family.
10. The method as described in claim 6, characterized in that, The summary information includes: recommended whitelist level, network type, malicious label, and whether it has been compromised.
11. The method as described in claim 6, characterized in that, The geographic information includes: country, province / state, city, district / county, and latitude and longitude.
12. The method as described in claim 4, characterized in that, The various data types also include: a vulnerability detection data type and a file reputation data type. The multiple dimensions corresponding to the vulnerability detection data type are: basic information, related information, and judgment information. The multiple dimensions corresponding to the file reputation data type are: basic information, judgment information, and network behavior.
13. An apparatus for updating local device threat intelligence data, characterized in that, The device includes: The field selection module is configured to obtain the field difference for each field in the compared fields. At least the total cloud-ground data difference should be obtained based on the aforementioned field differences; Confirm that the total cloud-ground data difference corresponding to the differential threat intelligence data is greater than the difference threshold, wherein the total cloud-ground data difference is determined by the field difference of the compared fields of all dimensions corresponding to the target data type; The total amount of cloud-ground data difference is obtained at least based on the field differences, including: The weight value of the field difference is determined based on the weight value of the dimension to which the field to which the field difference belongs, wherein the weight value is different for different dimensions; The total difference in cloud and ground data is obtained based on the weight value and the field difference. Select the field to be compared from multiple fields; The comparison module is configured to compare cloud-based threat intelligence data with local threat intelligence data based on the compared field to obtain differential threat intelligence data; The update module is configured to update the local threat intelligence data based on the differential threat intelligence data during data synchronization.
14. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by a processor, it can implement the method described in any one of claims 1-12.
15. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein, When the processor executes the program, it can implement the method described in any one of claims 1-12.