A network security threat analysis method, device, equipment and medium
By acquiring the current adjudication logs of mimicry devices and performing log correlation and credibility scoring, the problem of insufficient systematic evaluation of the credibility of executors in mimicry networks is solved, enabling timely early warning and defense against potential threats and improving network security defense capabilities.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- PURPLE MOUNTAIN LAB
- Filing Date
- 2023-08-31
- Publication Date
- 2026-06-19
AI Technical Summary
In existing technologies, the methods for assessing the credibility of agents in mimicry networks are not systematic or efficient enough, making it difficult to effectively defend against cybersecurity threats.
By acquiring the current adjudication log of the mimicry device, determining the target scheduling log using preset log association technology, and scoring the credibility of the adjudication log based on the target scheduling log and the perturbation factors of the executor, and issuing early warning prompts in combination with credibility evaluation rules, the credibility measurement of the executor is realized.
It improves the security defense capabilities of mimicry networks, enabling timely warnings of potential threats, reducing the probability of common-mode escape, and enhancing network security.
Figure CN117201102B_ABST
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to a network security threat analysis method, apparatus, device, and medium.
Background Technology
[0002] With the rapid development and widespread adoption of computer networks, people's work, study, and daily life are inseparable from computers and the internet. At the same time, cybersecurity threats are also constantly escalating and becoming more sophisticated and intelligent.
[0003] Several new technologies are currently attempting to address cybersecurity issues, such as moving target defense, zero-trust architecture, network resilience, and intrinsic security theory. Intrinsic security technologies encompass dynamism, diversity, and redundancy. Based on this, the proposed DHR (Dynamic Heterogeneous Redundancy) architecture is better able to defend against "unknown unknowns." The DHR architecture primarily utilizes the threat perception capabilities of multiple functionally equivalent but heterogeneous executors to resist cyberattacks; this capability is known as group awareness. The effectiveness of group awareness heavily depends on the heterogeneity of these executors and the adjudication results of their outputs. During the adjudication process, technicians often assign the same trust to all of these executors, but in reality, the more vulnerable an executor is, the lower its trust should be. Therefore, it is necessary to measure the trustworthiness of each executor to achieve effective defense against cybersecurity threats.
[0004] Therefore, there is an urgent need for a systematic and efficient method to assess the credibility of an executor.
Summary of the Invention
[0005] In view of this, the purpose of this invention is to provide a network security threat analysis method, apparatus, device, and medium, which can measure the trustworthiness of the executor to improve the security defense capability of the mimicry network. The specific solution is as follows:
[0006] Firstly, this application discloses a method for analyzing cybersecurity threats, including:
[0007] Obtain the current adjudication log output by the mimicry device; wherein the current adjudication log includes adjudication results obtained by adjudicating the outputs of several current executors;
[0008] Determine the target scheduling log associated with the current adjudication log based on a preset log association technology; wherein the current adjudication log and the target scheduling log are logs generated under the same event stream, and the event stream is the process by which relevant components in the mimicry device respond to target events in target order;
[0009] The credibility of the current decision log is scored based on the target scheduling log and several target disturbance factors of the current executor to obtain a target credibility score;
[0010] The credibility score of the target is evaluated by a preset credibility evaluation rule, and a warning is issued based on the evaluation result to achieve network security threat analysis.
[0011] Optionally, before determining the target scheduling log associated with the current adjudication log based on a preset log association technique, the method further includes:
[0012] The message identifier of the current log is generated based on the target dimension element information of the target event, the timestamp, and the identification number of the current component responding to the target event; wherein, the current log is the log recorded by the current component, and the current log includes any one or a combination of several of the following: adjudication log, scheduling log, and other logs;
[0013] The message identifier of the current log is added to the tag field of the log recorded by the next component to achieve association between the various logs generated by the event stream.
[0014] Optionally, the step of determining the target scheduling log associated with the current decision log based on a preset log association technique includes:
[0015] Obtain the message identifier of the current adjudication log;
[0016] Retrieve the target scheduling log associated with the current adjudication log based on the message identifier of the current adjudication log.
[0017] Optionally, the network security threat analysis method further includes:
[0018] The current adjudication log and the target scheduling log are represented using a unified event representation method, so that the terminology used to represent the same events in the current adjudication log and the target scheduling log is consistent.
[0019] Optionally, the target disturbance factor includes any one or a combination of several of the following: the historical disturbance record of the current executor, the current disturbance cause, the number of disturbances, and the runtime.
[0020] Optionally, the step of scoring the credibility of the current adjudication log based on the target scheduling log and several target perturbation factors of the current executor to obtain a target credibility score includes:
[0021] The credibility of the current adjudication log is scored according to the number of current executors that have historical disturbance records, to obtain the first round of scoring results;
[0022] Based on the first round of scoring results, the credibility of the current adjudication log is scored according to whether the current disturbance cause is a historical disturbance cause, to obtain the second round of scoring results;
[0023] Based on the second round of scoring results, the credibility of the current adjudication log is scored according to the number of current executors whose number of disturbances is greater than the historical average number of disturbances, thus obtaining the third round of scoring results;
[0024] Based on the third round of scoring results, the runtime is determined through the target scheduling log, and the credibility of the current adjudication log is scored according to the number of current execution entities whose runtime is greater than the preset runtime, thus obtaining the target credibility score.
[0025] Optionally, the step of evaluating the target credibility score using preset credibility evaluation rules and determining whether to issue a warning based on the evaluation results includes:
[0026] If the target credibility score is within the first score range, the mimicry device is determined to be suspected of escaping, and the log identifier of the current adjudication log is recorded, and then an early warning is issued.
[0027] If the target credibility score is within the second score range, it is determined that the mimicry device has an escape risk, and the log identifier of the current adjudication log is recorded, and then an early warning is issued;
[0028] If the target credibility score is within the third score range, it is determined that the mimicry device does not pose an escape risk and no warning is required.
[0029] Wherein, the first score interval is smaller than the second score interval, and the second score interval is smaller than the third score interval.
[0030] Secondly, this application discloses a network security threat analysis device, comprising:
[0031] The current adjudication log acquisition module is used to acquire the current adjudication log output by the mimicry device; wherein, the current adjudication log includes the adjudication results obtained by adjudicating the outputs of several current executors;
[0032] The target scheduling log determination module is used to determine the target scheduling log associated with the current adjudication log based on a preset log association technology; wherein the current adjudication log and the target scheduling log are logs generated under the same event stream, and the event stream is the process by which relevant components in the mimicry device respond to target events in target order;
[0033] The credibility determination module is used to score the credibility of the current adjudication log based on the target scheduling log and several target disturbance factors of the current executor, to obtain a target credibility score;
[0034] The credibility evaluation and early warning module is used to evaluate the credibility score of the target according to preset credibility evaluation rules, and determine whether to issue an early warning based on the evaluation results, so as to realize network security threat analysis.
[0035] Thirdly, this application discloses an electronic device, including:
[0036] Memory, used to store computer programs;
[0037] A processor is used to execute the computer program to implement the aforementioned disclosed network security threat analysis method.
[0038] Fourthly, this application discloses a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned network security threat analysis method.
[0039] Therefore, this application proposes a network security threat analysis method, comprising: acquiring a current adjudication log output by a mimicry device; wherein the current adjudication log includes adjudication results obtained by adjudicating the outputs of several current executors; determining a target scheduling log associated with the current adjudication log based on a preset log association technology; wherein the current adjudication log and the target scheduling log are logs generated under the same event stream, and the event stream is the process of relevant components within the mimicry device responding to target events in target order; scoring the credibility of the current adjudication log based on the target scheduling log and the target disturbance factors of several current executors to obtain a target credibility score; evaluating the target credibility score through preset credibility evaluation rules, and determining whether to issue an early warning based on the evaluation result, so as to achieve network security threat analysis. It should be noted that since potential attacks suffered by the executor can be analyzed and measured through logs, this application first obtains the current adjudication log output by the mimicry device. Furthermore, it achieves log association between different mimicry devices through a preset log association technology, and obtains the scheduling log associated with the current adjudication log based on the association technology. Then, it scores the credibility of the current adjudication log based on the current adjudication log, the scheduling log, and the target disturbance factors of the executor, and provides early warning based on the score. 
In other words, this application achieves the credibility measurement of the executor through the credibility measurement of the current adjudication log, thereby providing early warning when the measurement result of the current adjudication log indicates that the current executor is at risk, improving the security defense capability of the mimicry network. Moreover, this application obtains the log association of different mimicry devices under the same event flow based on log association technology, providing strong support for the credibility measurement of the adjudication log, thereby further enhancing the network's security defense capability.
Description of the Drawings
[0040] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.
[0041] Figure 1 is a flowchart of a network security threat analysis method disclosed in this application;
[0042] Figure 2 is a diagram of a specific network security threat analysis method disclosed in this application;
[0043] Figure 3 is a schematic diagram of the structure of a network security threat analysis device disclosed in this application;
[0044] Figure 4 is a structural diagram of an electronic device disclosed in this application.
Detailed Description
[0045] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0046] The group awareness capability of the DHR architecture heavily relies on the heterogeneity of these executors and the adjudication results of their outputs. During the adjudication process, technicians often assign the same level of trust to these executors, but in reality, the more vulnerable an executor is, the lower its trustworthiness should be. Therefore, it is necessary to measure the trustworthiness of each executor to effectively defend against cybersecurity threats.
[0047] It should be noted that, since the mimicry devices in a mimicry network can communicate the threat information they perceive to each other, this application is not limited to the group awareness of a set of functionally equivalent executors within one device, but focuses on the group awareness of the entire mimicry network, and improves it by sharing and analyzing the threat information perceived by the various types of mimicry devices in the network.
[0048] Therefore, this application proposes a network security threat analysis scheme that can effectively assess the trustworthiness of the executor, thereby achieving the effect of effectively defending against network security threats.
[0049] This application discloses a method for network security threat analysis. As shown in Figure 1, the method includes:
[0050] Step S11: Obtain the current adjudication log output by the mimicry device; wherein the current adjudication log includes adjudication results obtained by adjudicating the outputs of several current executors.
[0051] In the DHR architecture, multiple functionally equivalent executors run simultaneously on a single input and produce multiple output results. The adjudicator generates a final adjudication result based on the multiple output results according to predefined adjudication rules. The current adjudication log is used to record the current adjudication result.
[0052] It should be noted that each mimicry device may contain several functionally equivalent execution entities, including but not limited to mimicry routers, mimicry switches, and mimicry firewalls.
[0053] Step S12: Determine the target scheduling log associated with the current adjudication log based on a preset log association technology; wherein the current adjudication log and the target scheduling log are logs generated under the same event stream, and the event stream is the process by which relevant components in the mimicry device respond to target events in target order.
[0054] It should be noted that to share threat information perceived by various types of mimicry devices in a mimicry network, it is necessary to comprehensively analyze the mimicry logs of various types of mimicry devices. Since mimicry logs are often stored separately in the backend log system, a log association technology is needed to associate the mimicry logs of different types of mimicry devices. Therefore, this embodiment introduces a preset log association technology to achieve the above effect. The preset log association technology will be described in detail below:
[0055] In this embodiment, in order to associate the mimicry logs of different types of mimicry devices, it is necessary to first unify the expression methods of the mimicry logs of different types of mimicry devices, such as adjudication logs, scheduling logs, security logs, and other logs. That is, this embodiment needs to first solve the problem of inconsistent terminology for the same event among suppliers of mimicry devices for different business applications within the field.
[0056] To address this issue, this embodiment provides a unified structured event representation model. This model mainly includes the information dimensions of event representation, the field dictionary of event representation, the vocabulary of event representation classification tags, and the data organization format of event representation, explained in detail below:
[0057] (1) Information dimensions of an event: event domain, event action, target, service type, event result, and event significance. The event domain, as the name suggests, refers to the spatiotemporal information, scope, or context of the event; the event action is the action performed during the event; the target is the object acted on or affected by the event; the service type describes the service or operation type involved in the event; the event result is the outcome after the event occurs; and the event significance is the impact or meaning of the event. Specifically, taking an attacker tampering with a router's routing table to forward user data packets to a location specified by the attacker as an example, the event domain is a routing table event, the event action is routing table tampering, the target is the routing table, the service type is a forwarding service, the event result is the routing table being tampered with, and the event significance is the interception of user data.
[0058] (2) Field dictionary for event representation: including a general field dictionary and a special field dictionary. The general field dictionary defines the field dictionary across mimicry devices and applications, while the special field dictionary defines the field dictionary used within mimicry devices and applications within a single business model.
[0059] (3) Event classification label table: This table consists of a set of categories and, for each category, the label value that best describes the event. A unified classification label vocabulary is used to assign event classification labels to events within the domain. Similar to the field dictionary, the classification label table is divided into a general event classification label table and a dedicated event classification label table. For example, if an attacker tampers with a router's routing table to forward user data packets to a location specified by the attacker, the event classification label would be a service label of the forwarding type.
[0060] (4) Data organization format for event expression: The contents of (1), (2) and (3) are organized in a certain data format and encoded into information that the system can understand using JSON (JavaScript Object Notation, a lightweight data exchange format). An event expression record includes a header and an entity. The header includes a version number, timestamp, priority, location information, and log type. Optional options include message ID (Identification) and message start position offset. It is understood that different mimicry devices have their corresponding dedicated field dictionaries. As the devices are upgraded and improved, some new words need to be added to the dedicated field dictionaries. The field dictionary with added new words is the upgraded version of the field dictionary. That is to say, in this embodiment, the version number needs to be marked in the header so that the log can be parsed using the field dictionary with the same version number. The timestamp refers to the time when the event occurred, which is also the time when the log was recorded. The priority refers to the threat level of the event. The location information refers to the location where the event occurred. The log type includes adjudication logs, scheduling logs, etc. The entity includes six information dimensions of the event expression. The label values of the information dimensions are taken from the event classification label vocabulary. Optional parts include structured information records. The fields of the information records are taken from the field dictionary.
[0061] Once a unified event representation method is established, mimicry logs from different types of mimicry devices can be correlated, thereby solving the pain point of the inability to correlate logs from different components triggered by the same event in mimicry log analysis, and providing strong support for the credibility measurement of mimicry adjudication results.
[0062] The pre-defined log association technology proposed in this embodiment is an information association analysis technology based on unified content tags. The following are some of the terminology definitions for this technology:
[0063] Event flow: The process by which related components within a mimicry device respond to a certain event in a specific order;
[0064] Uniform content label: also known as Label, is a field in the log data of the mimicry device. Its value is the message identifier of each component. The message identifier is a 128-bit MD5 value (Message-Digest Algorithm 5). If it is the log of the first component, the uniform content label is the initial value 0 (128 bits).
[0065] SR: The first component in a mimicry device to record a log for the event stream;
[0066] TR: Any component in the mimicry device other than the first to record a log for the event stream; there can be 0 or more.
[0067] Furthermore, the specific implementation method of log association technology based on unified content tags is as follows:
[0068] 1. The event stream triggers the mimicry device to record logs. The SR generates a 128-bit MSGID (message identifier) according to the following formula:
[0069] MSGID = MD5(Event Six Elements + Timestamp + Component ID);
[0070] 2. SR adds a Label field to the custom fields of the log, initialized to 128 bits of 0;
[0071] 3. SR pushes the MSGID value to TR along with the event stream;
[0072] 4. When TR records logs, it generates a 128-bit MSGID according to the above formula;
[0073] 5. TR adds a Label field to the custom fields of the log, with the value being the MSGID from the previous SR or TR.
[0074] In other words, this embodiment generates a message identifier for the current log based on the target dimension element information of the target event, the timestamp, and the identification number of the current component responding to the target event. The current log is the log recorded by the current component, and includes any one or a combination of adjudication logs, scheduling logs, and other logs. Furthermore, the message identifier of the current log is added to the tag field of the log recorded by the next component to achieve association between the various logs generated by the event stream.
[0075] Furthermore, once the preset log association technology and the current adjudication log are established, the target scheduling log associated with the current adjudication log is determined based on the preset log association technology. Specifically, the message identifier of the current adjudication log is obtained, and the target scheduling log associated with the current adjudication log is retrieved based on that message identifier. It should be noted that since the scheduling log records the scheduling status of the executor, the scheduling log is generated after the adjudication log. Therefore, this implementation needs to trace forward along the event stream to obtain the scheduling log. Specifically, the log data of the same mimicry device under the same date is searched for a Label equal to the MSGID field value of the current log, and this step is repeated until no matching log is found. It should be noted that in some scenarios it is also possible to backtrack from the current adjudication log to retrieve logs generated before it. Specifically, the log data of the same mimicry device under the same date is searched for an MSGID equal to the Label field value of the current log, and this step is repeated until the Label value is 0 or no matching log is found, at which point the process ends.
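The SR/TR Label chaining of paragraphs [0068] to [0073] and the forward and backward retrieval of paragraph [0075], as an added Python example that is not code from the patent. The dictionary layout of a log, the "|" join inside the MD5 input, the ISO 8601 timestamp format and the sample event stream are assumptions.

```python
import hashlib
from typing import List, Optional

# Constructed example, not code from the patent. Dictionary keys (header fields, "entity",
# "label"), the "|" join used inside the MD5 input and the sample event are assumptions that
# follow the unified event representation and the SR/TR Label chaining described above.

ZERO_LABEL = "0" * 32  # Label of the first component (SR): 128 zero bits as 32 hex digits
SIX_ELEMENTS = ("domain", "action", "target", "service_type", "result", "significance")


def make_msgid(entity: dict, timestamp: str, component_id: str) -> str:
    """MSGID = MD5(event six elements + timestamp + component ID), as 32 hex digits."""
    parts = [str(entity[k]) for k in SIX_ELEMENTS] + [timestamp, component_id]
    return hashlib.md5("|".join(parts).encode("utf-8")).hexdigest()


def record_log(store: List[dict], device: str, component_id: str, log_type: str,
               entity: dict, timestamp: str, prev_msgid: Optional[str] = None) -> dict:
    """Append one log in the unified representation (header + entity + custom Label field).

    The SR (first component) writes Label = 128 zero bits; each TR copies the MSGID that
    the previous SR/TR pushed to it along the event stream into its own Label field.
    """
    log = {
        "header": {
            "version": "1.0",        # field-dictionary version needed to parse the entity
            "timestamp": timestamp,  # ISO 8601; its date part bounds the retrieval window
            "priority": "high",      # threat level of the event
            "location": device,      # mimicry device on which the event occurred
            "log_type": log_type,    # adjudication / scheduling / other
            "msgid": make_msgid(entity, timestamp, component_id),
        },
        "entity": dict(entity),      # the six information dimensions
        "label": prev_msgid if prev_msgid is not None else ZERO_LABEL,
    }
    store.append(log)
    return log


def _same_device_and_date(a: dict, b: dict) -> bool:
    """Retrieval is restricted to the same mimicry device and the same date."""
    return (a["header"]["location"] == b["header"]["location"]
            and a["header"]["timestamp"][:10] == b["header"]["timestamp"][:10])


def trace_forward(store: List[dict], start: dict) -> List[dict]:
    """Follow Label == MSGID links from `start` to the later logs of the same event stream."""
    chain, current = [], start
    while True:
        matches = [log for log in store if _same_device_and_date(log, current)
                   and log["label"] == current["header"]["msgid"]]
        if not matches:
            return chain
        current = matches[0]
        chain.append(current)


def trace_backward(store: List[dict], start: dict) -> List[dict]:
    """Follow MSGID == Label links from `start` back to the SR log, stopping at Label 0."""
    chain, current = [], start
    while current["label"] != ZERO_LABEL:
        matches = [log for log in store if _same_device_and_date(log, current)
                   and log["header"]["msgid"] == current["label"]]
        if not matches:
            break
        current = matches[0]
        chain.append(current)
    return chain


def find_scheduling_log(store: List[dict], adjudication_log: dict) -> Optional[dict]:
    """Step S12: the target scheduling log is the first forward-linked log of type 'scheduling'."""
    for log in trace_forward(store, adjudication_log):
        if log["header"]["log_type"] == "scheduling":
            return log
    return None


def build_sample_stream() -> List[dict]:
    """Constructed event stream: routing-table tampering on one mimicry router (router-01)."""
    event = {
        "domain": "routing table event", "action": "routing table tampering",
        "target": "routing table", "service_type": "forwarding service",
        "result": "routing table tampered", "significance": "user data intercepted",
    }
    store: List[dict] = []
    adj = record_log(store, "router-01", "r01-adjudicator", "adjudication", event,
                     "2023-08-31T10:00:00")                                         # SR, Label = 0
    sched = record_log(store, "router-01", "r01-scheduler", "scheduling", event,
                       "2023-08-31T10:00:02", prev_msgid=adj["header"]["msgid"])    # TR
    record_log(store, "router-01", "r01-cleaner", "other", event,
               "2023-08-31T10:00:05", prev_msgid=sched["header"]["msgid"])         # TR
    # An unrelated stream on another device the same day must not be linked.
    record_log(store, "switch-07", "s07-adjudicator", "adjudication", event,
               "2023-08-31T10:00:00")
    return store


if __name__ == "__main__":
    logs = build_sample_stream()
    print("scheduling log found:", find_scheduling_log(logs, logs[0]) is not None)
```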
[0076] Step S13: Score the credibility of the current adjudication log based on the target scheduling log and several target disturbance factors of the current executor to obtain the target credibility score.
[0077] It should be noted that, based on the research of the intrinsic security mimicry defense theory and the mimicry defense baseline function experiment, this embodiment has determined that the following target disturbance factors affect the credibility of the mimicry adjudication results: the historical sequence of the execution entity disturbance, the current cause of the execution entity disturbance, the number of disturbances of the execution entity, and the execution entity runtime.
[0078] Furthermore, the process of scoring the current adjudication log based on the aforementioned target disturbance factors includes: scoring the credibility of the current adjudication log based on the number of current executors containing the historical disturbance records to obtain a first-round scoring result; based on the first-round scoring result, scoring the credibility of the current adjudication log based on whether the current disturbance cause is a historical disturbance cause to obtain a second-round scoring result; based on the second-round scoring result, scoring the credibility of the current adjudication log based on the number of current executors whose disturbance count is greater than the historical average disturbance count to obtain a third-round scoring result; based on the third-round scoring result, determining the runtime through the target scheduling log, and scoring the credibility of the current adjudication log based on the number of current executors whose runtime is greater than a preset runtime to obtain the target credibility score.
[0079] The above process will be described in detail below using three executors as an example:
[0080] The credibility scoring process for adjudication logs mainly involves five sub-modules: a scoring sub-module for the executor disturbance history sequence, a scoring sub-module for the executor disturbance cause, a scoring sub-module for the executor disturbance count, a scoring sub-module for the executor runtime, and a scoring result output module. First, the initial score is set to 1. Then the current adjudication log is processed sequentially through the four scoring sub-modules, with the corresponding deductions subtracted to obtain the total score. Finally, the tier into which the total score falls is determined. Each scoring step is described in detail below:
[0081] Disturbance history sequence scoring: Check whether each of the three executors in the online executor list of the current adjudication log is in the historical attacked executor list (i.e., whether it has a historical disturbance record). If so, record the executor and count the number of such executors. If the number is greater than or equal to 2, the severity is considered high and score = score - 0.1. If the number is 1, check whether that executor is in the current abnormal executor list; if not, the severity is considered moderate and score = score - 0.05; otherwise the severity is zero and no action is taken. The score and the executor list are then passed to the disturbance cause scoring module.
[0082] Disturbance cause scoring: Check whether the current disturbance cause in the current adjudication log is in the historical disturbance cause list. If it is, score = score - 0.1; otherwise, no action is taken. The score and the executor list are then passed to the disturbance count scoring module.
[0083] Disturbance count scoring: First, calculate the historical average disturbance count. Then count the executors in the executor list whose disturbance count is greater than this average. If the number is greater than or equal to 2, the severity is considered high and score = score - 0.1. If the number is 1, check whether that executor is in the current abnormal executor list; if not, the severity is considered moderate and score = score - 0.05; otherwise no action is taken. Finally, the score and the executor list are passed to the executor runtime scoring module.
[0084] Executor runtime scoring: First, check whether each executor in the executor list is in the historical scheduling list. If so, use the information association analysis technology based on unified content tags to associate the current adjudication log with the scheduling log and calculate the executor's runtime. If the runtime exceeds the preset threshold, increment the count by 1. If the total count is greater than or equal to 2, the severity is considered high and score = score - 0.1. If the count is 1, check whether that executor is in the current abnormal executor list; if not, the severity is considered moderate and score = score - 0.05; otherwise no action is taken. Finally, the score, i.e., the target credibility score, is output to the scoring result module.
[0085] Step S14: Evaluate the target credibility score using preset credibility evaluation rules, and determine whether to issue an early warning based on the evaluation results, so as to achieve network security threat analysis.
[0086] In this embodiment, the scoring result output module determines which tier the target credibility score falls into. Specifically, if the target credibility score is within the first scoring interval, the mimicry device is suspected of escaping, the log identifier of the current adjudication log is recorded, and an early warning is issued. If the target credibility score is within the second scoring interval, the mimicry device is deemed to have an escape risk, the log identifier of the current adjudication log is recorded, and an early warning is issued. If the target credibility score is within the third scoring interval, the mimicry device is deemed not to have an escape risk, and no early warning is required. The first scoring interval is smaller than the second scoring interval, and the second scoring interval is smaller than the third scoring interval. In one specific implementation, if the target credibility score is in the range [0, 0.65], a detailed identifier indicating suspected escape is output and the adjudication log is recorded, including the identifier ID and index of the adjudication log; if the target credibility score is in the range (0.65, 0.85), a detailed identifier indicating escape risk is output and the adjudication log is recorded; if the target credibility score is in the range (0.85, 1), there is no escape risk and no result is output. That is, this embodiment can predict whether the mimicry device has an escape risk, provide early warning to the mimicry device, and take relevant measures, such as scheduling out the executor at risk, to avoid common-mode escape and improve the security of the mimicry device.
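The four scoring rounds of paragraphs [0080] to [0084] and the tier evaluation of paragraph [0086], as an added Python example that is not code from the patent. The argument layout, the default runtime threshold of 100 seconds, the sample history, and treating 0.65 and 0.85 as inclusive upper bounds of the first two tiers are assumptions.

```python
from statistics import mean
from typing import Dict, List, Set

# Constructed example, not code from the patent. The argument layout, the default runtime
# threshold, the sample history and treating 0.65 / 0.85 as the inclusive upper bounds of
# the first two tiers are assumptions; deductions and round order follow the description.

# Constructed history of one mimicry device (what the four sub-modules consult).
SAMPLE_HISTORY = {
    "attacked_executors": {"A", "B"},                        # historical attack executor list
    "causes": {"routing table tampering"},                   # historical disturbance cause list
    "disturbance_counts": {"A": 5, "B": 3, "C": 1, "D": 1},  # per executor, average = 2.5
    "scheduled_executors": {"A", "B", "C", "D", "E"},        # historical scheduling list
}


def _severity_deduction(hits: List[str], abnormal: Set[str]) -> float:
    """Rule shared by rounds 1, 3 and 4: >= 2 hits -> high severity (0.1); one hit that is
    not already in the current abnormal executor list -> moderate (0.05); otherwise 0."""
    if len(hits) >= 2:
        return 0.1
    if len(hits) == 1 and hits[0] not in abnormal:
        return 0.05
    return 0.0


def score_adjudication_log(online: List[str], abnormal: Set[str], current_cause: str,
                           disturbance_counts: Dict[str, int], runtimes: Dict[str, float],
                           history: dict, runtime_threshold: float = 100.0) -> float:
    """Four-round credibility scoring of one adjudication log; the initial score is 1.

    online             online executor list from the adjudication log
    abnormal           current abnormal executor list
    current_cause      disturbance cause recorded in the adjudication log
    disturbance_counts current disturbance count per online executor
    runtimes           runtime per executor (seconds, assumed unit) obtained from the
                       scheduling log associated with this adjudication log
    """
    score = 1.0
    # Round 1: disturbance history sequence
    hits = [e for e in online if e in history["attacked_executors"]]
    score -= _severity_deduction(hits, abnormal)
    # Round 2: disturbance cause already seen in history
    if current_cause in history["causes"]:
        score -= 0.1
    # Round 3: disturbance count above the historical average
    average = mean(history["disturbance_counts"].values())
    hits = [e for e in online if disturbance_counts.get(e, 0) > average]
    score -= _severity_deduction(hits, abnormal)
    # Round 4: runtime over threshold, only for executors in the historical scheduling list
    hits = [e for e in online if e in history["scheduled_executors"]
            and runtimes.get(e, 0.0) > runtime_threshold]
    score -= _severity_deduction(hits, abnormal)
    return round(score, 2)  # target credibility score


def evaluate(score: float, log_id: str) -> dict:
    """Scoring result module: tier the target credibility score and decide on a warning."""
    if score <= 0.65:
        return {"tier": "suspected escape", "warn": True, "log_id": log_id}
    if score <= 0.85:
        return {"tier": "escape risk", "warn": True, "log_id": log_id}
    return {"tier": "no escape risk", "warn": False, "log_id": None}


def analyse_sample() -> dict:
    """Constructed adjudication log with three online executors A, B and C."""
    score = score_adjudication_log(
        online=["A", "B", "C"], abnormal={"A"}, current_cause="routing table tampering",
        disturbance_counts={"A": 5, "B": 3, "C": 1},
        runtimes={"A": 120.0, "B": 30.0, "C": 30.0},   # only A exceeds the 100 s threshold
        history=SAMPLE_HISTORY)
    # Rounds: -0.1 (A and B attacked before), -0.1 (known cause), -0.1 (A and B above
    # average), 0 (the single runtime hit A is already in the abnormal list) -> 0.7
    result = evaluate(score, log_id="adj-0001")
    result["score"] = score
    return result


if __name__ == "__main__":
    print(analyse_sample())
```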
[0087] In summary, since potential attacks suffered by the executor can be analyzed and measured through logs, this application first obtains the current adjudication log output by the mimicry device. Furthermore, it achieves log association between different mimicry devices through a preset log association technology, and obtains the scheduling log associated with the current adjudication log based on the association technology. Then, it scores the credibility of the current adjudication log based on the current adjudication log, the scheduling log, and the target disturbance factors of the executor, and provides early warnings based on the scores. In other words, this application achieves the credibility measurement of the executor through the credibility measurement of the current adjudication log, thereby providing early warnings when the measurement results of the current adjudication log indicate that the current executor is at risk, improving the security defense capability of the mimicry network. Moreover, this application obtains log associations between different mimicry devices under the same event flow based on log association technology, providing strong support for the credibility measurement of the adjudication log, thereby further enhancing the network's security defense capability.
[0088] It should be noted that the aforementioned network security threat analysis method can be implemented using the mimicry device log unified platform designed in this application. The specific architecture of the mimicry device log unified platform is as shown in Figure 2; it includes a platform system management module, a policy management module, a user permission management module, an analysis engine management module, a knowledge base management module, a data acquisition module, a data access module, a data processing module, a data storage module, a data analysis module, a data retrieval module, and a data display module.
[0089] This platform can visually manage and process mimicry logs, and detect and warn of cybersecurity threats. This allows security personnel to promptly take effective defensive measures against attacks (patching, upgrades, executor cleanup and scheduling, etc.). Since executor scheduling generates service jitter, traditional methods, such as scheduling executors at preset time intervals, increase the frequency of executor scheduling, thereby increasing the frequency of service jitter caused by differential-mode disturbances. In this embodiment, however, the decision to schedule executors is based on the credibility score, which significantly reduces the frequency of executor scheduling. This reduces the frequency of service jitter caused by differential-mode disturbances and lowers the probability of common-mode escape, providing data support for developing accurate and effective scheduling and adjudication strategies.
[0090] The platform mainly includes the following key functions: centralized collection of log data, unified log data preprocessing, standardized log data parsing, categorized log data indexing, centralized log data storage, real-time log querying, multi-dimensional log data analysis, and visualized log data display.
[0091] (1) Centralized collection of log data: Log collectors are deployed on the mimicry device through the data collection module in the mimicry device log unified platform. Furthermore, these collectors output the collected log data to the platform, thereby realizing distributed collection and centralized reception of log data.
[0092] (2) Mimicry device authentication: Verify whether the mimicry device to which the log belongs is a mimicry device that has been registered on this platform through the data access module in the unified mimicry device log platform.
[0093] (3) Log data standardization preprocessing: Through the unified data processing module in the mimicry device log unified platform, a unified data preprocessing program is designed to solve preprocessing problems such as field filtering, field format conversion, and field deduplication.
[0094] (4) Standardized log data parsing: The data processing module in the mimicry device log unified platform performs standardized log data parsing according to key factors such as unified field encoding format, field type, and field value, thereby improving the efficiency of log data parsing.
[0095] (5) Log data index classification: The data processing module in the mimicry device log unified platform creates log data indexes according to the type and statistical dimensions of the logs, so as to meet the needs of different users to obtain, query and analyze log data from different perspectives.
[0096] (6) Centralized storage of log data: Logs are centrally stored through the data storage module in the mimicry device log unified platform, and reliable data backup is provided to facilitate data query and analysis.
[0097] (7) Real-time log data query: The data retrieval module in the mimicry device log unified platform supports the collection of adjudication logs, scheduling logs and performance logs of mimicry devices, and provides a real-time query function for terminal information collection results.
[0098] (8) Multi-dimensional analysis of log data: The data analysis module in the mimicry device log unified platform supports analysis across various statistical dimensions and granularities, as well as correlation analysis of log data, which solves the difficulty of cross-device and cross-component analysis of log data and effectively supports deeper data mining.
[0099] (9) Log data visualization: Through the data display module in the mimicry device log unified platform, the visualization of raw log data and log data analysis results is supported. It can clearly display the current status, numerical distribution, trend prediction, etc. of raw log data and log analysis results.
[0100] Accordingly, this application also discloses a network security threat analysis device. As shown in Figure 3, the device includes:
[0101] The current adjudication log acquisition module 11 is used to acquire the current adjudication log output by the mimicry device; wherein, the current adjudication log includes adjudication results obtained by adjudicating the outputs of several current executors;
[0102] The target scheduling log generation module 12 is used to determine the target scheduling log associated with the current adjudication log based on a preset log association technology; wherein the current adjudication log and the target scheduling log are logs generated under the same event stream, and the event stream is the process of related components in the mimicry device responding to target events in target order;
[0103] The credibility determination module 13 is used to score the credibility of the current adjudication log based on the target scheduling log and several target disturbance factors of the current executor, and obtain the target credibility score.
[0104] The credibility evaluation and early warning module 14 is used to evaluate the credibility score of the target according to the preset credibility evaluation rules, and determine whether to issue an early warning based on the evaluation results, so as to realize network security threat analysis.
[0105] For more detailed information on the working process of each of the above modules, please refer to the relevant content disclosed in the foregoing embodiments, which will not be repeated here.
[0106] In summary, since potential attacks suffered by the executor can be analyzed and measured through logs, this application first obtains the current adjudication log output by the mimicry device. Furthermore, it achieves log association between different mimicry devices through a preset log association technology, and obtains the scheduling log associated with the current adjudication log based on the association technology. Then, it scores the credibility of the current adjudication log based on the current adjudication log, the scheduling log, and the target disturbance factors of the executor, and provides early warnings based on the scores. In other words, this application achieves the credibility measurement of the executor through the credibility measurement of the current adjudication log, thereby providing early warnings when the measurement results of the current adjudication log indicate that the current executor is at risk, improving the security defense capability of the mimicry network. Moreover, this application obtains log associations between different mimicry devices under the same event flow based on log association technology, providing strong support for the credibility measurement of the adjudication log, thereby further enhancing the network's security defense capability.
[0107] Furthermore, embodiments of this application also provide an electronic device. Figure 4 is a structural diagram of an electronic device 20 according to an exemplary embodiment; the content of the diagram should not be construed as limiting the scope of this application.
[0108] Figure 4 is a schematic diagram of the structure of an electronic device 20 provided in an embodiment of this application. Specifically, the electronic device 20 may include: at least one processor 21, at least one memory 22, a display screen 23, an input / output interface 24, a communication interface 25, a power supply 26, and a communication bus 27. The memory 22 stores a computer program, which is loaded and executed by the processor 21 to implement the relevant steps in the network security threat analysis method disclosed in any of the foregoing embodiments. Furthermore, the electronic device 20 in this embodiment may specifically be an electronic computer.
[0109] In this embodiment, the power supply 26 is used to provide operating voltage for each hardware device on the electronic device 20; the communication interface 25 can create a data transmission channel between the electronic device 20 and external devices, and the communication protocol it follows can be any communication protocol applicable to the technical solution of this application, and is not specifically limited here; the input / output interface 24 is used to acquire external input data or output data to the outside world, and its specific interface type can be selected according to specific application needs, and is not specifically limited here.
[0110] Furthermore, the memory 22, as a carrier for resource storage, can be a read-only memory, random access memory, disk, or optical disk, etc. The resources stored thereon may include computer programs 221, and the storage method may be temporary storage or permanent storage. In addition to including computer programs capable of performing the network security threat analysis method executed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 221 may further include computer programs capable of performing other specific tasks.
[0111] Furthermore, embodiments of this application also disclose a computer-readable storage medium for storing a computer program; wherein, when the computer program is executed by a processor, it implements the aforementioned disclosed network security threat analysis method.
[0112] For the specific steps of this method, please refer to the relevant content disclosed in the foregoing embodiments, which will not be repeated here.
[0113] The various embodiments in this application are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. For the same or similar parts between the various embodiments, refer to each other. As for the apparatus disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, the description is relatively simple, and relevant parts can be referred to in the method section.
[0114] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0115] The steps of the methods or algorithms described in conjunction with the embodiments disclosed herein can be implemented directly by hardware, a software module executed by a processor, or a combination of both. The software module can be located in random access memory (RAM), main memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art.
[0116] Finally, it should be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0117] The foregoing has provided a detailed description of a network security threat analysis method, apparatus, device, and storage medium provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the method and core ideas of this application. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.
Claims
1. A network security threat analysis method, characterized in that it includes: obtaining the current adjudication log output by the mimicry device, wherein the current adjudication log includes adjudication results obtained by adjudicating the outputs of several current executors; determining the target scheduling log associated with the current adjudication log based on a preset log association technology, wherein the current adjudication log and the target scheduling log are logs generated under the same event stream, and the event stream is the process by which relevant components in the mimicry device respond to target events in target order; scoring the credibility of the current adjudication log based on the target scheduling log and several target disturbance factors of the current executor to obtain a target credibility score; and evaluating the target credibility score by a preset credibility evaluation rule and issuing a warning based on the evaluation result to achieve network security threat analysis. Before determining the target scheduling log associated with the current adjudication log based on the preset log association technology, the method further includes: generating the message identifier of the current log based on the target dimension element information of the target event, the timestamp, and the identification number of the current component responding to the target event, wherein the current log is the log recorded by the current component, and the current log includes any one or a combination of several of the following: adjudication log, scheduling log, and other logs; and adding the message identifier of the current log to the tag field of the log recorded by the next component, so as to achieve association between the various logs generated by the event stream.
2. The network security threat analysis method of claim 1, wherein determining the target scheduling log associated with the current adjudication log based on the preset log association technology includes: obtaining the message identifier of the current adjudication log; and retrieving the target scheduling log associated with the current adjudication log based on the message identifier of the current adjudication log.
3. The network security threat analysis method of claim 1, characterized in that it also includes: representing the current adjudication log and the target scheduling log using a unified event representation method, so that the terminology used to represent the same events in the current adjudication log and the target scheduling log is consistent.
4. The network security threat analysis method of claim 1, wherein the target disturbance factors include any one or a combination of several of the following: the historical disturbance records of the current executor, the current disturbance cause, the number of disturbances, and the runtime.
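Claims 1 and 2 describe the association mechanism in words only: each component derives a message identifier from the event's dimension information, a timestamp and its own component number, writes that identifier into the tag field of the next component's log, and the scheduling log is later retrieved from the adjudication log's identifier. The following added example (illustrative code, not the patent's or the assignee's implementation) shows one way to realise that chain; how the three inputs are combined into an identifier (a truncated SHA-256 here), the log fields, the in-memory store and the sample scheduler-to-executor-to-adjudicator stream are all assumptions.

```python
# Added example, not from the patent: message identifier generation and
# tag-field chaining for log association (claims 1 and 2). The identifier
# layout, log fields and the sample event stream are constructed assumptions.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Log:
    kind: str                  # "scheduling", "adjudication" or another log type
    component_id: str          # identification number of the component that wrote the log
    timestamp: int             # assumed milliseconds since epoch
    dimension: Dict[str, str]  # target dimension element information of the target event
    payload: str
    message_id: str = ""       # this log's own message identifier (filled in on record)
    tag: str = ""              # tag field: message identifier of the previous component's log


def make_message_id(dimension: Dict[str, str], timestamp: int, component_id: str) -> str:
    """Derive a deterministic identifier from event dimensions, timestamp and component id."""
    canonical = "|".join(f"{k}={dimension[k]}" for k in sorted(dimension))
    raw = f"{canonical}|{timestamp}|{component_id}".encode("utf-8")
    return hashlib.sha256(raw).hexdigest()[:16]  # 64-bit prefix is enough for a demo key


class LogStore:
    """In-memory stand-in for the platform's storage and retrieval modules."""

    def __init__(self) -> None:
        self.by_message_id: Dict[str, Log] = {}

    def record(self, log: Log, previous: Optional[Log] = None) -> Log:
        """Assign the log its identifier; copy the previous component's identifier into the tag field."""
        log.message_id = make_message_id(log.dimension, log.timestamp, log.component_id)
        if previous is not None:
            log.tag = previous.message_id
        self.by_message_id[log.message_id] = log
        return log

    def scheduling_log_for(self, adjudication: Log) -> Optional[Log]:
        """Claim 2: starting from the adjudication log, follow the tag chain back
        through the event stream until the scheduling log is reached."""
        cur = adjudication
        visited = set()
        while cur.tag and cur.tag not in visited:
            visited.add(cur.tag)        # guards against a malformed circular chain
            prev = self.by_message_id.get(cur.tag)
            if prev is None:
                return None             # chain broken: referenced log was never stored
            if prev.kind == "scheduling":
                return prev
            cur = prev
        return None


def build_sample_stream() -> Tuple[LogStore, Log, Log, Log]:
    """Constructed event stream: scheduler -> executor -> adjudicator for one request."""
    store = LogStore()
    dim = {"service": "dns", "request": "req-0001"}   # constructed dimension info
    sched = store.record(Log("scheduling", "sched-01", 1000, dim, "scheduled e1,e2,e3"))
    exec_log = store.record(Log("executor", "exec-e2", 1040, dim, "response 10.0.0.5"), sched)
    adj = store.record(Log("adjudication", "adj-01", 1090, dim, "majority agrees"), exec_log)
    return store, sched, exec_log, adj


if __name__ == "__main__":
    store, sched, _, adj = build_sample_stream()
    found = store.scheduling_log_for(adj)
    print(adj.message_id, "->", found.message_id if found else None)
```

Because every identifier is derived from the event, the time and the writing component, two logs of the same event stream can be associated without a shared database key, and a log whose tag points at an identifier that was never recorded is reported as unassociated rather than silently matched to something else.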
5. The network security threat analysis method of claim 4, wherein scoring the credibility of the current adjudication log based on the target scheduling log and several target disturbance factors of the current executor to obtain a target credibility score includes: scoring the credibility of the current adjudication log based on the number of current executors that have historical disturbance records, to obtain the first-round scoring result; based on the first-round scoring result, scoring the credibility of the current adjudication log according to whether the current disturbance cause is a historical disturbance cause, to obtain the second-round scoring result; based on the second-round scoring result, scoring the credibility of the current adjudication log according to the number of current executors whose number of disturbances is greater than the historical average number of disturbances, to obtain the third-round scoring result; and based on the third-round scoring result, determining the runtime through the target scheduling log and scoring the credibility of the current adjudication log according to the number of current executors whose runtime is greater than the preset runtime, to obtain the target credibility score.
6. The network security threat analysis method of any of claims 1 to 5, wherein evaluating the target credibility score using the preset credibility evaluation rules and determining whether to issue a warning based on the evaluation results includes: if the target credibility score is within the first score interval, determining that the mimicry device is suspected of escaping, recording the log identifier of the current adjudication log, and then issuing an early warning; if the target credibility score is within the second score interval, determining that the mimicry device has an escape risk, recording the log identifier of the current adjudication log, and then issuing an early warning; and if the target credibility score is within the third score interval, determining that the mimicry device does not pose an escape risk and no warning is required; wherein the first score interval is lower than the second score interval, and the second score interval is lower than the third score interval.
7. A network security threat analysis apparatus, characterized in that it includes: a current adjudication log acquisition module, used to acquire the current adjudication log output by the mimicry device, wherein the current adjudication log includes adjudication results obtained by adjudicating the outputs of several current executors; a target scheduling log generation module, used to determine the target scheduling log associated with the current adjudication log based on a preset log association technology, wherein the current adjudication log and the target scheduling log are logs generated under the same event stream, and the event stream is the process of related components in the mimicry device responding to target events in target order; a credibility determination module, used to score the credibility of the current adjudication log based on the target scheduling log and several target disturbance factors of the current executor, and obtain the target credibility score; and a credibility evaluation and early warning module, used to evaluate the target credibility score according to the preset credibility evaluation rules, and determine whether to issue an early warning based on the evaluation results, so as to realize network security threat analysis.
Before determining the target scheduling log associated with the current adjudication log based on the preset log association technology, the method further includes: generating the message identifier of the current log based on the target dimension element information of the target event, the timestamp, and the identification number of the current component responding to the target event, wherein the current log is the log recorded by the current component, and the current log includes any one or a combination of several of the following: adjudication log, scheduling log, and other logs; and adding the message identifier of the current log to the tag field of the log recorded by the next component, so as to achieve association between the various logs generated by the event stream.
8. An electronic device, comprising: a memory, used to store computer programs; and a processor, used to execute the computer programs to implement the network security threat analysis method as described in any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that it is used to store computer programs; wherein, when the computer programs are executed by a processor, they implement the network security threat analysis method as described in any one of claims 1 to 6.