Threat intelligence processing methods, devices, electronic equipment and storage media

Through comprehensive analysis and real-time monitoring by the threat intelligence platform, the problem of isolated security devices has been solved, the accuracy and real-time nature of threat intelligence analysis have been improved, security strategies have been dynamically adjusted, and security threats have been responded to and dealt with quickly.

CN117436072B · Active · Publication Date: 2026-06-30 · QI AN XIN TECHNOLOGY GROUP INC

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
QI AN XIN TECHNOLOGY GROUP INC
Filing Date
2023-11-14
Publication Date
2026-06-30


Abstract

This application provides a threat intelligence processing method, apparatus, electronic device, and storage medium. The method includes: acquiring target intelligence data for a preset duration, analyzing the target intelligence data, and obtaining analysis results; the target intelligence data is obtained by recording data points when a threat intelligence consuming device calls an API interface provided by a threat intelligence platform; based on the analysis results, determining whether a previously created security event has been detected. In this embodiment, when a threat intelligence consuming device accesses the threat intelligence platform, the data accessed by the threat intelligence consuming device is recorded, and a comprehensive analysis is performed on the target intelligence data corresponding to multiple threat intelligence consuming devices for a preset duration, thereby improving the accuracy of the target intelligence data analysis.

Description

Technical Field

[0001] This application relates to the field of cybersecurity technology, and more specifically, to a threat intelligence processing method, apparatus, electronic device, and storage medium.

Background Technology

[0002] As enterprises become increasingly digitalized and intelligent, the threats posed by information security incidents to them are also growing daily.

[0003] With the development of network infrastructure and the increasing number of security products, the lack of unified and professional security management, coupled with the lack of information exchange between security devices and solutions, hinders the effective integration of security resources. Each security device becomes an isolated island, unable to maximize its value. Network administrators are easily overwhelmed by massive amounts of information and unable to see the big picture clearly and promptly. Consequently, they are unable to accurately analyze and process threat intelligence.

Summary of the Invention

[0004] The purpose of this application is to provide a method, apparatus, electronic device, and storage medium for processing threat intelligence, so as to improve the accuracy of threat intelligence analysis and processing.

[0005] In a first aspect, embodiments of this application provide a threat intelligence processing method applied to a threat intelligence platform, the threat intelligence platform including a threat analysis module and an event management module, the method comprising:

[0006] The threat analysis module acquires target intelligence data for a preset duration, analyzes the target intelligence data, and obtains analysis results; the target intelligence data is obtained by recording data points when the threat intelligence consuming device calls the API interface provided by the threat intelligence platform.

[0007] The event management module determines whether a previously created security event has been detected based on the analysis results.

[0008] In this embodiment of the application, when a threat intelligence consuming device accesses a threat intelligence platform, the data accessed by the threat intelligence consuming device is recorded, and the target intelligence data corresponding to multiple threat intelligence consuming devices for a preset duration is comprehensively analyzed, thereby improving the accuracy of target intelligence data analysis.

[0009] In any embodiment, the threat intelligence platform further includes a threat data recording module, and the method further includes:

[0010] The threat data logging module receives API call requests from threat intelligence consuming devices.

[0011] The threat data recording module returns intelligence query results to the threat intelligence consumption device based on the call request, and records the intelligence query results. The recorded intelligence data is then stored in the database.

[0012] This application embodiment monitors the access information of threat intelligence consuming devices and, while returning intelligence query results to the threat intelligence consuming devices, also records the intelligence query results to provide a data foundation for subsequent time-segmented analysis.

[0013] In any embodiment, before storing the recorded intelligence data into the database, the method further includes:

[0014] If the event switch is enabled, additional attributes are added to the intelligence data. These additional attributes include at least one of the following: event mode, event type, device type, and device name.

[0015] This application embodiment adds additional attributes to intelligence data to facilitate network administrators' understanding of relevant information about the intelligence data, enabling them to quickly and accurately summarize events.

[0016] In any embodiment, target intelligence data for a preset duration is acquired, and the target intelligence data is analyzed to obtain analysis results, including:

[0017] Define a sliding window and initialize it with the first k elements of a number list to obtain the initialized sliding window; the first k elements refer to the first k target intelligence data obtained from the database in terms of time, and the duration corresponding to the k target intelligence data is equal to the preset duration;

[0018] Define an analysis results list and write the maximum value in the initial sliding window into the analysis results list; the maximum value is used to represent the maximum number of times the target intelligence data in the initial sliding window hits the same IOC rule;

[0019] Starting from the k-th element, traverse the list of numbers. In each loop, remove the first element from the sliding window, add the next element to the end of the sliding window, and write the maximum value in the sliding window into the analysis results list, until all target intelligence data is obtained.

[0020] This application embodiment uses a sliding window to analyze intelligence data within the sliding window. The sliding window can dynamically update and maintain real-time calculation results based on the passage of time, thereby improving the real-time performance of intelligence data analysis.

[0021] In any embodiment, a security event corresponds to at least one Indicator of Compromise (IOC) rule; based on the analysis results, determining whether a created security event has been matched includes:

[0022] Match the analysis results with the IOC rules;

[0023] If a match is found, a security event is determined to have been hit; otherwise, a security event is determined to have not been hit.

[0024] This application's embodiments, by matching analysis results with IOC rules, can better record and track the overall situation of network security incidents, assisting security personnel in performing post-incident analysis, incident analysis clues, data collection and archiving, and continuous monitoring and tracking after security incident recovery. Through continuous security monitoring, analysis, judgment, prediction, and early warning, security strategies can be dynamically adjusted, security risks can be proactively identified and security weaknesses addressed, and rapid response and handling can effectively eliminate security threats.

[0025] In any embodiment, the method further includes:

[0026] Obtain information on external security incidents;

[0027] Parse external security event information to obtain the corresponding IOC data.

[0028] Store IOC data in a custom intelligence database.

[0029] This application embodiment can obtain IOC data corresponding to external security events by monitoring them, and populate the IOC data into a custom intelligence database, so that the custom intelligence database contains more comprehensive IOC data and improves the accuracy of threat intelligence analysis.

[0030] In any embodiment, after determining whether a previously created security event has been hit based on the analysis results, the method further includes:

[0031] Receive a report generation request, which includes a time period;

[0032] Acquire target security events that occur within a given time period;

[0033] Extract key information from the data of the target security incident, and fill the key information into the preset report template to obtain the incident operation report.

[0034] This application embodiment can generate an event operation report for a corresponding time period based on the time period selected by the user, which is convenient for network security administrators to view.

[0035] Secondly, embodiments of this application provide a threat intelligence processing device, applied to a threat intelligence platform, comprising:

[0036] The threat analysis module is used to retrieve target intelligence data from the database for a preset duration, analyze the target intelligence data, and obtain analysis results; the target intelligence data is recorded when the threat intelligence consuming device calls the API interface provided by the threat intelligence platform.

[0037] The event management module is used to determine whether a created security event has been hit based on the analysis results.

[0038] Thirdly, embodiments of this application provide an electronic device, including: a processor, a memory, and a bus, wherein,

[0039] The processor and the memory communicate with each other via the bus;

[0040] The memory stores program instructions that can be executed by the processor, and the processor can execute the method of the first aspect by calling the program instructions.

[0041] Fourthly, embodiments of this application provide a non-transitory computer-readable storage medium, comprising:

[0042] The non-transitory computer-readable storage medium stores computer instructions that cause the computer to perform the method of the first aspect.

[0043] Other features and advantages of this application will be set forth in the following description and will be apparent in part from the description or may be learned by practicing embodiments of this application. The objectives and other advantages of this application may be realized and obtained by means of the structures particularly pointed out in the written description, claims, and drawings.

Description of the Drawings

[0044] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0045] Figure 1 is a schematic flowchart of a threat intelligence processing method provided in an embodiment of this application;

[0046] Figure 2 is a schematic diagram of another information processing method provided in an embodiment of this application;

[0047] Figure 3 is a schematic diagram of a threat intelligence processing device provided in an embodiment of this application;

[0048] Figure 4 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of this application.

Detailed Description

[0049] The embodiments of the technical solution of this application will now be described in detail with reference to the accompanying drawings. These embodiments are only used to more clearly illustrate the technical solution of this application and are therefore merely examples, and should not be used to limit the scope of protection of this application.

[0050] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application pertains; the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the application; the terms “comprising” and “having”, and any variations thereof, in the specification, claims, and foregoing description of the drawings are intended to cover non-exclusive inclusion.

[0051] In the description of the embodiments of this application, technical terms such as "first" and "second" are used only to distinguish different objects and should not be construed as indicating or implying relative importance or implicitly specifying the number, specific order, or primary and secondary relationship of the indicated technical features. In the description of the embodiments of this application, "multiple" means two or more, unless otherwise explicitly defined.

[0052] In this document, the term "embodiment" means that a particular feature, structure, or characteristic described in connection with an embodiment may be included in at least one embodiment of this application. The appearance of this phrase in various places throughout the specification does not necessarily refer to the same embodiment, nor is it a separate or alternative embodiment mutually exclusive with other embodiments. It will be explicitly and implicitly understood by those skilled in the art that the embodiments described herein can be combined with other embodiments.

[0053] In the description of the embodiments in this application, the term "and / or" is merely a description of the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, and B existing alone. Additionally, the character " / " in this document generally indicates that the preceding and following related objects have an "or" relationship.

[0054] In the description of the embodiments of this application, the term "multiple" refers to two or more (including two), similarly, "multiple sets" refers to two or more (including two sets), and "multiple pieces" refers to two or more (including two pieces).

[0055] In the description of the embodiments of this application, unless otherwise expressly specified and limited, technical terms such as "installation," "connection," "joining," and "fixing" should be interpreted broadly. For example, they can refer to a fixed connection, a detachable connection, or an integral part; they can refer to a mechanical connection or an electrical connection; they can refer to a direct connection or an indirect connection through an intermediate medium; they can refer to the internal communication of two components or the interaction between two components. For those skilled in the art, the specific meaning of the above terms in the embodiments of this application can be understood according to the specific circumstances.

[0056] As enterprises become increasingly digitalized and intelligent, the threats posed by information security incidents are also growing daily. Therefore, information security incident management has become an unavoidable issue for all enterprises in their data compliance efforts. The most significant characteristic of information security incidents is their difficulty in prevention and the potential for serious consequences once they occur. Various security strategies can only reduce the probability of incidents and control their impact. Therefore, it is essential for any enterprise to establish comprehensive security incident management procedures beforehand and to respond proactively after an incident occurs. With the continuous improvement of the cybersecurity legal system, many traditional technical standards and information security best practices have been elevated to legal obligations, placing an increasingly important role on cybersecurity professionals in the process of information security incident management.

[0057] With the development of network construction and the continuous increase of security products, due to the lack of unified and professional security management, there is a lack of information exchange between security devices and security solutions, making it impossible to effectively integrate security resources. Each security device can only be a security island, unable to maximize its due value. Network administrators are easily overwhelmed by massive amounts of information and unable to see the overall picture in a timely and clear manner. As a result, enterprise security construction may enter a vicious cycle of overlapping product functions, increasingly slower response speed to security incidents, and the inability of purchased products and solutions to solve the most pressing problems. Due to the importance and special nature of enterprise security construction, hidden security vulnerabilities and threats may develop and amplify into risks, posing hidden dangers to the continuous construction and operation of enterprise IT systems.

[0058] Behind every cybersecurity incident, three types of intelligence are typically required: private intelligence, commercial intelligence, and external intelligence. Private intelligence refers to intelligence data generated by the enterprise itself during its security operations; commercial intelligence is purchased from one or more security vendors; and external intelligence usually involves sudden security incidents exposed on the network or information shared within the industry. However, due to their respective processing logics and the complexities of interaction between different security devices from different manufacturers, this often prevents a comprehensive threat analysis and discovery, hindering effective contextual understanding and resulting in lower accuracy in threat intelligence analysis and processing.

[0059] To address this issue, this application provides a threat intelligence processing method. With multiple intelligence sources, a complete security incident management mechanism can be formed. As threat intelligence is used in conjunction with various network element devices such as Security Operations Center (SOC), Security Orchestration, Automation and Response (SOAR), Firewall (FW), and Network Traffic Analysis (NTA), threat intelligence has inherent advantages in incident perception, recording, and management.

[0060] Figure 1 is a schematic flowchart of a threat intelligence processing method provided in an embodiment of this application. As shown in Figure 1, this threat intelligence processing method can be applied to a threat intelligence platform, which includes a threat analysis module and an event management module. The method includes:

[0061] Step 101: Obtain target intelligence data for a preset duration through the threat analysis module, analyze the target intelligence data, and obtain analysis results; the target intelligence data is obtained by recording data points when the threat intelligence consuming device calls the API interface provided by the threat intelligence platform;

[0062] Step 102: Using the event management module, determine whether a security event that has already been created has been hit based on the analysis results.

[0063] In the specific implementation process, the threat intelligence consuming device communicates with the threat intelligence platform. The threat intelligence platform issues an API key and a corresponding device name to the threat intelligence consuming device through its threat data recording module. The device name refers to the name of the threat intelligence consuming device, used to uniquely identify it. Threat intelligence consuming devices can include: SOC, SOAR, FW, NTA, etc. The purpose of issuing the API key is for the threat intelligence platform to authenticate the threat intelligence consuming device. That is, the threat intelligence consuming device sends an API key request to the threat intelligence platform. After successful authentication, the threat intelligence platform returns the required data to the threat intelligence consuming device, and its threat data recording module records the data information returned to the threat intelligence consuming device, i.e., the threat data. Therefore, the threat data can include IOC data returned to the threat intelligence consuming device, timestamps, and the device name of the threat intelligence consuming device. The threat intelligence platform stores the recorded threat data in its database.

[0064] When analyzing threat data using the threat analysis module of a threat intelligence platform, the accuracy of analyzing individual threat data is relatively low. Therefore, to improve the accuracy of threat data analysis, the analysis time period can be set according to the actual situation, such as analyzing by hour, day, or week. Intelligence data of a preset duration is retrieved from the database as target intelligence data. After retrieving the target intelligence data, it is analyzed to obtain the analysis results. Specific analysis methods can include: counting the total number of times a certain IOC is hit in the target intelligence data; or calculating the average number of times a certain IOC is hit in the target intelligence data over multiple preset time periods, etc.

[0065] After obtaining the analysis results, the analysis results are matched against rules using the security events already created in the event management module of the threat intelligence platform. If a match is successful, it means that the analysis result hits the security event. For example, a created security event might be: a certain IOC hits N times. If the analysis result shows that the number of hits for this IOC is N, it proves that the match is successful and the security event is triggered; otherwise, it means that the match is unsuccessful and the security event is not triggered.

[0066] In this embodiment of the application, when a threat intelligence consuming device accesses a threat intelligence platform, the data accessed by the threat intelligence consuming device is recorded, and the target intelligence data corresponding to multiple threat intelligence consuming devices for a preset duration is comprehensively analyzed, thereby improving the accuracy of target intelligence data analysis.

[0067] Based on the above embodiments, before storing the recorded intelligence data into the database, the method further includes:

[0068] If the event switch is enabled, additional attributes are added to the intelligence data. These additional attributes include at least one of the following: event mode, event type, device type, and device name.

[0069] In practice, users can pre-configure whether to enable the event switch based on their actual needs. If the event switch is disabled, the threat intelligence platform provides API interfaces to threat intelligence consuming devices. In this case, the memory used by the threat intelligence platform is dedicated to querying, resulting in faster query speeds. If the event switch is enabled, the threat intelligence platform, in addition to providing API interfaces to threat intelligence consuming devices, is also used for recording query results returned to threat intelligence consuming devices and analyzing threat data, leading to slower query speeds. Therefore, users can enable the event switch when they need to perform joint analysis of accesses from multiple threat intelligence consuming devices using the threat intelligence platform.

[0070] With the event switch enabled, the threat intelligence platform marks the recorded threat data as an event pattern. Different threat data are then categorized by event type. Event types include: Advanced Persistent Threat (APT) activity, malicious downloads, black market tools, adware promotions, infectious viruses, network worms, ransomware, botnets, and other events. The platform can also categorize threat data by device type, such as endpoint, gateway, perimeter network device, and behavior auditing device. Furthermore, it can differentiate device names using authorization information (APIKEY). Thus, threat data can also include event pattern, event type, device type, and device name.

[0071] In another embodiment, the threat intelligence platform can also tag relevant events and, through the analysis of threat data, automatically classify, filter, and generate summaries of telemetry intelligence data. During automatic classification, intelligence data with the same device name and event type can be grouped together. During filtering, intelligence data that does not belong to a specific security event is removed. During summary generation, key information from the intelligence data is extracted and entered into the corresponding positions in the module to generate a summary describing the intelligence data.

[0072] This application embodiment adds additional attributes to intelligence data to facilitate network administrators' understanding of relevant information about the intelligence data, enabling them to quickly and accurately summarize events.

[0073] Based on the above embodiments, target intelligence data of a preset duration is obtained from the database, and the target intelligence data is analyzed to obtain analysis results, including:

[0074] Define a sliding window and initialize it with the first k elements of a number list to obtain the initialized sliding window; the first k elements refer to the first k target intelligence data obtained from the database with the earliest time; k is a positive integer, and the duration corresponding to the k target intelligence data is equal to the preset duration;

[0075] Define an analysis results list and write the maximum value in the initial sliding window into the analysis results list; the maximum value is used to represent the maximum number of times the target intelligence data in the initial sliding window hits the same IOC rule;

[0076] Starting from the k-th element, traverse the list of numbers. In each loop, remove the first element from the sliding window, add the next element to the end of the sliding window, and write the maximum value in the sliding window into the analysis results list.

[0077] In the specific implementation process, when an IOC is hit and the event mode is enabled, after threat data is generated, the threat analysis module accumulates the number of hits through real-time calculation.

[0078] The threat analysis module employs the "HyperLogLog" (HLL) algorithm model, which, combined with the key-value characteristics of IOC data, can efficiently deduplicate intelligence information such as IP, domain, MD5, and SHA256, and can estimate the number of unique keys for statistical analysis of IOC occurrences.

[0079] Segmented statistical analysis, based on real-time calculations, performs independent calculations in units of hours, days, weeks, months, and quarters. The query and analysis service also supports statistics within user-selected time ranges.

[0080] The segmented statistical analysis is performed in real time using a sliding window algorithm model.

[0081] The sliding window algorithm, based on the concept of a time window, divides data into time segments and performs independent calculations within each time segment. It can effectively process real-time calculation results and generate statistical results at different time granularities.

[0082] Here is a simple example to illustrate how the sliding window algorithm works:

[0083] 1) Define the time window length: Determine the length of the time window based on the time granularity to be calculated (e.g., hour, day, week, month, quarter). For example, for hourly calculations, the time window length can be set to 1 hour. This patent uses an hourly length.

[0084] 2) Create a sliding window: Create a fixed-size sliding window in memory to store real-time calculation results.

[0085] 3) Real-time updated sliding window: When new real-time calculation results arrive, they are stored in the current time window, and expired data is discarded. Based on the length of the time window and the current time, it can be determined which data belongs to the current time window.

[0086] 4) Independent Calculation: Within the sliding window, calculations can be performed independently by hour, day, week, month, quarter, etc. Statistical indicators, such as totals and averages, can be calculated for different time periods as needed.

[0087] The sliding window algorithm can dynamically update and maintain real-time calculation results based on the passage of time, and perform independent statistical calculations according to different time granularities. This can effectively handle a large amount of IOC query hit data and provide accurate time-aggregated statistical results.

def qax_sliding_window(numbers, k):
    # numbers: per-time-slot hit counts for one IOC rule, oldest first
    # k: sliding window size in slots (the preset duration)
    n = len(numbers)
    # Input check described in [0097]: an empty list or a window larger
    # than the list yields an empty result.
    if n == 0 or k <= 0 or k > n:
        return []
    # Initial window: the first k (earliest) elements, and its maximum.
    window = numbers[:k]
    result = [max(window)]
    # Slide one position to the right per iteration: drop the oldest
    # element, append the next one, record the window maximum.
    for i in range(k, n):
        window.pop(0)
        window.append(numbers[i])
        result.append(max(window))
    return result

[0096] This example function, `qax_sliding_window`, takes two arguments: `numbers` is a list of integers, and `k` is the size of the sliding window. It returns a list where each element represents the maximum value within the sliding window.

[0097] The function first checks the validity of the input parameters. If the input is an empty list or the sliding window size is greater than the list length, it returns an empty list directly.

[0098] Then, the function defines a variable `window`, initialized with the first k elements of the list `numbers`, representing the initial sliding window. At the same time, a result list `result` is defined, and the maximum value from the initial sliding window is added to it. Here the maximum value in the initial window refers to the maximum number of times the target intelligence data within the initial sliding window matches a specific IOC rule. When iterating through the target intelligence data in the initial sliding window, for each target intelligence data point that matches an IOC rule, the count for that rule is incremented by 1. For example, after iterating through all the target intelligence data in the initial sliding window, the maximum value recorded for IOC rule 1 is 10 and the maximum value recorded for IOC rule 2 is 20; the result list then contains 10 for IOC rule 1 and 20 for IOC rule 2.

[0099] Next, a loop iterates through the `numbers` list, starting from the k-th element. In each iteration, the window slides one position to the right, removing the first element and adding the next element to the end. The maximum value within the new window is then found and added to the result list, until all target intelligence data has been processed. It will be appreciated that the method for obtaining the maximum value within a sliding window is the same as the method for obtaining the maximum value of the initial sliding window, so it will not be elaborated further here.

[0100] Finally, return the list of results.

[0101] This application embodiment uses a sliding window to analyze intelligence data within the sliding window. The sliding window can dynamically update and maintain real-time calculation results based on the passage of time, thereby improving the real-time performance of intelligence data analysis.
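As an added example (not code from this application or from its assignee), the following Python ties together the recording and matching steps of paragraphs [0063] to [0065] with the sliding-window analysis of [0074] to [0100]: constructed threat-data records (IOC, timestamp, device name) are bucketed per IOC into hourly hit counts, the maximum of each k-bucket window is computed with an O(n) deque variant of the page's `qax_sliding_window`, and the peaks are matched against created security events of the form "IOC X hits N times". The device names, IOC values, event thresholds and the "at least N hits" reading of the match are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of recorded threat data: one record per API call the
# platform answered, holding the IOC returned, the call timestamp and the
# consuming device name (the fields named in [0063]). Values are made up.
THREAT_DATA = [
    {"ioc": "198.51.100.7", "ts": "2023-11-14T08:05:00Z", "device": "fw-01"},
    {"ioc": "198.51.100.7", "ts": "2023-11-14T08:40:00Z", "device": "nta-01"},
    {"ioc": "bad.example",  "ts": "2023-11-14T08:50:00Z", "device": "soc-01"},
    {"ioc": "198.51.100.7", "ts": "2023-11-14T09:10:00Z", "device": "fw-01"},
    {"ioc": "198.51.100.7", "ts": "2023-11-14T09:15:00Z", "device": "soar-01"},
    {"ioc": "198.51.100.7", "ts": "2023-11-14T09:20:00Z", "device": "fw-01"},
    {"ioc": "bad.example",  "ts": "2023-11-14T10:30:00Z", "device": "soc-01"},
    {"ioc": "198.51.100.7", "ts": "2023-11-14T11:00:00Z", "device": "fw-01"},
]

# Constructed security events as created in the event management module
# ([0065]: "a certain IOC hits N times"). Names and thresholds are assumed.
SECURITY_EVENTS = {
    "ip-scan-burst": {"ioc": "198.51.100.7", "hits": 3},
    "dns-beacon":    {"ioc": "bad.example",  "hits": 2},
}

PRESET_DURATION = timedelta(hours=1)  # hourly granularity, as in [0083]


def bucket_hits(records, duration=PRESET_DURATION):
    """Count hits per IOC in consecutive time buckets of length `duration`.

    Returns (bucket_starts, counts): counts[ioc] is a list aligned with
    bucket_starts giving that IOC's hits per bucket. Empty buckets between
    the first and last record are kept as zeros, so a window later slides
    over time rather than over records.
    """
    if not records:
        return [], {}
    stamps = [datetime.fromisoformat(r["ts"].replace("Z", "+00:00")) for r in records]
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)

    def bucket_of(ts):
        return (ts - epoch) // duration  # integer bucket index since epoch

    first, last = bucket_of(min(stamps)), bucket_of(max(stamps))
    n_buckets = last - first + 1
    counts = defaultdict(lambda: [0] * n_buckets)
    for rec, ts in zip(records, stamps):
        counts[rec["ioc"]][bucket_of(ts) - first] += 1
    starts = [epoch + (first + i) * duration for i in range(n_buckets)]
    return starts, dict(counts)


def sliding_window_max(numbers, k):
    """Maximum of every k-element window of `numbers`, oldest window first.

    Same output as the page's qax_sliding_window, but a monotonic deque of
    indices makes it O(n) instead of rescanning each window.
    """
    if k <= 0 or k > len(numbers):
        return []
    result = []
    candidates = deque()  # indices whose values are decreasing left to right
    for i, value in enumerate(numbers):
        while candidates and numbers[candidates[-1]] <= value:
            candidates.pop()          # dominated by the newer, larger value
        candidates.append(i)
        if candidates[0] <= i - k:
            candidates.popleft()      # fell out of the window
        if i >= k - 1:
            result.append(numbers[candidates[0]])
    return result


def match_events(records, events, k=1):
    """Analyse recorded threat data and report, per created security event,
    (peak window hit count, hit?). The event is hit when the IOC's peak hit
    count over any k-bucket window reaches the event's threshold (assumption:
    "at least N" rather than exactly N)."""
    starts, counts = bucket_hits(records)
    outcome = {}
    for name, rule in events.items():
        series = counts.get(rule["ioc"], [0] * len(starts))
        peaks = sliding_window_max(series, k)
        peak = max(peaks) if peaks else 0
        outcome[name] = (peak, peak >= rule["hits"])
    return outcome


if __name__ == "__main__":
    for name, (peak, hit) in match_events(THREAT_DATA, SECURITY_EVENTS, k=2).items():
        print(f"{name}: peak={peak} hit={hit}")
```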

[0102] Based on the above embodiments, the method further includes:

[0103] Obtain information on external security incidents;

[0104] Parse the external security event information to obtain the IOC data corresponding to the external security event information;

[0105] The IOC data is stored in a custom intelligence database.

[0106] In a specific implementation, Figure 2 is a schematic diagram of another intelligence processing method provided in an embodiment of this application. As shown in Figure 2, when an external event is detected, for example an organization attacking a company in the same industry, it requires close attention. The threat intelligence platform acquires information about this external security event and stores it in the event management database. Based on the specific details of the external security event, users can decide whether to add the corresponding Indicator of Compromise (IOC) to their custom intelligence database. If so, the threat intelligence platform parses the external security event information to obtain the corresponding IOC data, and then stores the parsed IOC data in the custom intelligence database.

[0107] When the threat intelligence platform receives a request to call the API interface, it can query the data required by the threat intelligence consumption device from the commercial intelligence database and the custom intelligence database, record the data, and store the recorded intelligence data in the database.

[0108] This application embodiment can obtain IOC data corresponding to external security events by monitoring them, and populate the IOC data into a custom intelligence database, so that the custom intelligence database contains more comprehensive IOC data and improves the accuracy of threat intelligence analysis.
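The parsing step of [0104] to [0108], as an added Python example that is not the patent's own code: free-text external event information is turned into IOC records and written into a stand-in custom intelligence database. It handles two things a practitioner meets immediately and the paragraphs do not spell out: advisories usually publish "defanged" indicators (hxxp, [.]) that must be refanged first, and internal addresses mentioned in the report must not become IOCs. The report text, the record layout, the internal ranges and the in-memory database are constructed assumptions.

```python
"""Added example (not the patent's own code): parsing free-text external
security event information into IOC records and filling a custom
intelligence database, as in [0104]-[0108]. The report text, the IOC
record layout and the in-memory database are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed external event report. Public advisories usually "defang"
# indicators (hxxp, [.]) so they cannot be clicked; the parser refangs
# them before matching. The hash is the SHA-256 of "abc", chosen only to
# have a syntactically valid value.
EXTERNAL_EVENT = {
    "event_id": "EXT-2023-0042",
    "text": """
Advisory: phishing campaign against the manufacturing sector, 2023-11
Payload host: hxxps://update-service[.]example[.]net/dl/setup.exe
C2: 203[.]0[.]113[.]45:8443 and 198.51.100[.]7
Dropper SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
Internal note: 10.0.0.5 is our own sandbox, ignore.
""",
}

# Ranges treated as internal and never stored as IOCs (an assumption;
# adjust to the organisation's own address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
# Bare-domain regexes also match file names such as setup.exe; drop those.
FILE_EXTENSIONS = {"exe", "dll", "zip", "pdf", "doc", "docx", "js", "txt"}

_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text):
    """Undo the common defanging conventions used in advisories."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_external_event(event):
    """Return de-duplicated IOC records {type, value, source} from one report."""
    text = refang(event["text"])
    iocs = set()

    for url in _URL_RE.findall(text):
        url = url.rstrip(".,;)")            # trailing punctuation from prose
        iocs.add(("url", url))
        host = urlsplit(url).hostname
        if host:
            iocs.add(("domain", host))
    text_wo_urls = _URL_RE.sub(" ", text)   # do not re-match parts of URLs

    for m in _DOMAIN_RE.findall(text_wo_urls):
        if m.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            iocs.add(("domain", m.lower()))

    for m in _IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:                  # e.g. 999.1.1.1 from a version string
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue                        # the report's own internal hosts
        iocs.add(("ip", str(ip)))

    for m in _SHA256_RE.findall(text):
        iocs.add(("sha256", m.lower()))

    return [{"type": t, "value": v, "source": event["event_id"]}
            for t, v in sorted(iocs)]


class CustomIntelDB:
    """Minimal in-memory stand-in for the custom intelligence database of [0105]."""

    def __init__(self):
        self._rows = {}

    def fill(self, records):
        """Insert records, ignoring duplicates; return how many were new."""
        added = 0
        for rec in records:
            key = (rec["type"], rec["value"])
            if key not in self._rows:
                self._rows[key] = rec
                added += 1
        return added

    def lookup(self, ioc_type, value):
        return self._rows.get((ioc_type, value))


if __name__ == "__main__":
    db = CustomIntelDB()
    print(db.fill(parse_external_event(EXTERNAL_EVENT)), "IOCs stored")
```

Each stored record keeps the external event identifier as its source, which is what later lets the platform explain why an intelligence query hit and link the hit back to the event ([0117]).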

[0109] Based on the above embodiments, after determining whether a created security event has been hit based on the analysis results, the method further includes:

[0110] Receive a report generation request, which includes a time period;

[0111] Acquire target security events that occur within a given time period;

[0112] Extract key information from the data of the target security incident, and fill the key information into the preset report template to obtain the incident operation report.

[0113] The threat intelligence platform can generate incident operation reports based on the user's actual needs. Specifically, the threat intelligence platform receives a report generation request triggered by the user. This request includes a time period, which can be 1 hour, 1 day, 2 days, 1 week, or a specific start and end point. This indicates the generation of an incident operation report corresponding to that time period. The threat intelligence platform obtains the target security events that occurred within the user-specified time period and extracts key information about these events. This key information may include: Indicator of Compromise (IOC), event name, threat level, etc. After extracting the key information, it is filled into a preset report template to obtain the incident operation report.

[0114] In another embodiment, users can create events in the threat intelligence platform and enter information (e.g., IOCs). They can also tag the created events and mark their visibility. The Traffic Light Protocol (TLP) is supported by default for marking and controlling the distribution scope.

[0115] Understandably, version 2.0 of the TLP (Traffic Light Protocol) was released by the Forum of Incident Response and Security Teams (FIRST) in August 2022. TLP is used by the Computer Security Incident Response Team (CSIRT) community to facilitate the secure sharing of sensitive information. It labels potentially sensitive information and indicates to recipients the sharing restrictions they must observe when passing it on to others. TLP provides a simple and intuitive model using four color-coded labels (TLP:RED, TLP:AMBER, TLP:GREEN and TLP:WHITE) to indicate with whom a recipient may share potentially sensitive information; note that TLP 2.0 renames TLP:WHITE to TLP:CLEAR and adds the TLP:AMBER+STRICT label.

[0116] When entering IOCs, the analysis results generated by the intelligence analysis module can be invoked with one click and rendered in different presentation forms, such as a timeline or a dot plot.

[0117] Furthermore, multiple related events can be linked based on IOC data. For example, events with at least one identical IOC data can be linked together, making it easier for network security administrators to view the connections between different events.

[0118] Furthermore, threat data can also carry ATT&CK matrix markers. Within an event, the ATT&CK matrices the event is associated with can be marked, helping network security managers summarize the event's tactics, techniques and procedures (TTPs). Specifically, the ATT&CK matrix markers can include: general: hybrid remote-control endpoint; connect: reporting configuration information after being controlled; download: downloading malware components; c2: command and control channel;

[0119] dataleak: connecting to a server that hosts the data.

[0120] For a single event, its version and timeline can be maintained, recording each version of the event and its corresponding update time, so that network security managers can clearly understand the evolution history over time.

[0121] The threat intelligence platform provided in this application supports the entry and generation of Snort and YARA rules. Users can enter Snort and YARA rules collected from the Internet or written by themselves into events. It also supports one-click generation of Snort rules from IOC data, which can be deployed on devices such as intrusion detection systems (IDS).
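The one-click Snort rule generation from IOC data mentioned in [0121], as an added Python example that is not the patent's own code. It emits Snort 2 syntax: an IP rule for address IOCs, a DNS-query rule for domains (the name is written in DNS wire format, length byte plus label, so that only the exact name matches), and an HTTP URI rule for URLs. Two caveats a practitioner wants are built in: an HTTPS URL cannot be matched on its URI, so the generator falls back to the DNS rule for its host, and a file hash has no network signature, so it is reported as skipped rather than silently turned into a useless rule. The IOC list, the SID range and the message prefix are constructed assumptions.

```python
"""Added example (not the patent's own code): one-click generation of Snort
rules from IOC data, as in [0121]. Rule text follows Snort 2 syntax; the
IOC list, SID range and message prefix are assumptions for illustration."""
import ipaddress
from urllib.parse import urlsplit

# Constructed IOC data, as a custom intelligence database would hold it.
IOCS = [
    ("ip", "203.0.113.45"),
    ("domain", "update-service.example.net"),
    ("url", "http://update-service.example.net/dl/setup.exe"),
    ("url", "https://secure.example.org/gate.php"),
    ("sha256", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]
BASE_SID = 1000000          # locally written rules use SIDs >= 1,000,000
_CONTENT_SPECIAL = {";", "\\", '"', "|"}


def escape_content(s):
    """Escape the characters Snort treats specially inside content:"...";."""
    return "".join("\\" + c if c in _CONTENT_SPECIAL else c for c in s)


def safe_msg(s):
    """msg:"..." must not contain double quotes or semicolons."""
    return s.replace('"', "'").replace(";", ",")


def dns_label_content(domain):
    """Domain in DNS wire format as Snort mixed hex/text content, e.g.
    example.net -> |07|example|03|net|00|. The length bytes and the
    terminator make the match exact (notexample.net does not match)."""
    parts = []
    for label in domain.strip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        parts.append(f"|{len(label):02x}|{escape_content(label)}")
    return "".join(parts) + "|00|"


def ioc_to_snort(ioc_type, value, sid, prefix="TI-EVENT"):
    """Return a Snort rule for one IOC, or None when the IOC type has no
    network signature (file hashes belong in a YARA rule instead)."""
    msg = safe_msg(f"{prefix} IOC {ioc_type} {value}")
    tail = f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    if ioc_type == "ip":
        ip = ipaddress.ip_address(value)            # rejects malformed input
        return f'alert ip $HOME_NET any -> {ip} any (msg:"{msg}"; {tail}'
    if ioc_type == "domain":
        return (f'alert udp $HOME_NET any -> any 53 (msg:"{msg}"; '
                f'content:"{dns_label_content(value)}"; nocase; {tail}')
    if ioc_type == "url":
        u = urlsplit(value)
        if not u.hostname:
            return None
        if u.scheme == "https":
            # TLS hides the URI from the IDS; match the DNS lookup instead.
            return ioc_to_snort("domain", u.hostname, sid, prefix)
        path = u.path or "/"
        if u.query:
            path += "?" + u.query
        return (f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
                f'(msg:"{msg}"; flow:to_server,established; '
                f'content:"{escape_content(path)}"; http_uri; '
                f'content:"{escape_content(u.hostname)}"; http_header; {tail}')
    return None


def generate_rules(iocs=IOCS, base_sid=BASE_SID):
    """Rules for every expressible IOC, plus the list of IOCs skipped."""
    rules, skipped, sid = [], [], base_sid
    for ioc_type, value in iocs:
        rule = ioc_to_snort(ioc_type, value, sid)
        if rule is None:
            skipped.append((ioc_type, value))
            continue
        rules.append(rule)
        sid += 1
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = generate_rules()
    print("\n".join(rules))
    print("skipped:", skipped)
```

SIDs are allocated sequentially from the base; in a real deployment the platform would have to persist the mapping from IOC to SID so that regenerating the rule set does not renumber rules already referenced by alerts.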

[0122] In another embodiment, network security administrators can pre-configure the generation of event notifications, for example by setting the display duration, the organizations to be notified, the personnel to be notified, the data scope to be notified, and the notification method. When a new security event occurs in the threat intelligence platform, a notification can be issued according to this configuration.

[0123] In another embodiment, when an IOC alert of a certain threat type is triggered X times, an event can be automatically generated and a notification can be issued.

[0124] In another embodiment, when an event already exists and contains an IOC, the intelligence consumption device calls the intelligence query API with event mode activated. If the IOC is hit within a given time period, a policy can be set so that after X alerts the network security administrators are warned that a historical event has recurred, prompting them to pay attention. For example, a cloud host has a weak-password vulnerability, and a threat event occurred in January 2023. In May 2023, the business needs to restore a snapshot of the cloud host, which reactivates the previously remediated vulnerability and generates outbound network connections. After the intelligence-consuming security device hits the threat intelligence, the event management system, combined with the intelligence query and analysis service, generates an alert indicating that the historical event has recurred and automatically updates the event timeline.

[0125] In another embodiment, each entered IOC can be independently marked as valid or not, and can also be linked to the IOC switch within the threat intelligence platform so that an IOC can be whitelisted with one click, facilitating continuous tracking of security incidents and ongoing monitoring of IOCs in security operations. For example, six months after a security incident a C2 address may become invalid or be reassigned to normal business use, a situation that is very common in the cloud era; this feature is intended for such cases.

[0126] Figure 3 is a schematic diagram of a threat intelligence processing device provided in an embodiment of this application. The device can be a module, program segment, or code on an electronic device. It should be understood that this device corresponds to the method embodiment of Figure 1 described above and can execute the various steps involved in that method embodiment; the specific functions of the device can be found in the description above, and detailed descriptions are appropriately omitted here to avoid repetition. The device includes a threat analysis module 301 and an event management module 302, wherein:

[0127] The threat analysis module 301 is used to acquire target intelligence data for a preset duration, analyze the target intelligence data, and obtain analysis results; the target intelligence data is recorded and obtained when the threat intelligence consumption device calls the API interface provided by the threat intelligence platform.

[0128] The event management module 302 is used to determine whether a security event that has already been created has been hit based on the analysis results.

[0129] Based on the above embodiments, the device further includes a threat data logging module, used for:

[0130] Receive API call requests sent by the threat intelligence consumption device;

[0131] Based on the call request, the system returns the intelligence query results to the threat intelligence consumption device and records the intelligence query results, storing the recorded intelligence data in the database.

[0132] Based on the above embodiments, the device further includes an attribute adding module, used for:

[0133] If the event switch is enabled, additional attributes are added to the intelligence data, including at least one of event mode, event type, device type, and device name.

[0134] Based on the above embodiments, the threat analysis module 301 is specifically used for:

[0135] Define a sliding window and initialize it with the first k elements of a number list to obtain the initialized sliding window; the first k elements refer to the first k target intelligence data obtained from the database with the earliest time; k is a positive integer, and the duration corresponding to the k target intelligence data is equal to the preset duration;

[0136] Define an analysis result list, and write the maximum value in the initial sliding window into the analysis result list; the maximum value is used to characterize the maximum number of target intelligence data in the initial sliding window that hit the same IOC rule;

[0137] Starting from the k-th element, traverse the list of numbers. In each loop, remove the first element from the sliding window, add the next element to the end of the sliding window, and write the maximum value in the sliding window into the analysis result list, until all target intelligence data is obtained.

[0138] Based on the above embodiments, the security event corresponds to at least one IOC rule; the event management module 302 is specifically used for:

[0139] Match the analysis results with the IOC rules;

[0140] If a match is found, the security event is determined to have been hit; otherwise, the security event is determined not to have been hit.

[0141] Based on the above embodiments, the device further includes an intelligence database filling module, used for:

[0142] Obtain information on external security incidents;

[0143] Parse the external security event information to obtain the IOC data corresponding to the external security event information;

[0144] The IOC data is stored in a custom intelligence database.

[0145] Based on the above embodiments, the device further includes a report generation module, used for:

[0146] Receive a report generation request, the report generation request including a time period;

[0147] Obtain the target security events that occurred within the specified time period;

[0148] Extract key information from the data of the target security event, and fill the key information into a preset report template to obtain an event operation report.

[0149] Figure 4 is a schematic diagram of the physical structure of the electronic device provided in the embodiments of this application. As shown in Figure 4, the electronic device includes: a processor 401, a memory 402, and a bus 403; wherein,

[0150] The processor 401 and the memory 402 communicate with each other through the bus 403;

[0151] The processor 401 is used to call program instructions in the memory 402 to execute the methods provided in the above-described method embodiments, such as: acquiring target intelligence data for a preset duration, analyzing the target intelligence data, and obtaining analysis results; the target intelligence data is obtained by recording data points when the threat intelligence consumption device calls the API interface provided by the threat intelligence platform; based on the analysis results, determining whether a security event that has been created has been hit.

[0152] Processor 401 can be an integrated circuit chip with signal processing capabilities. The processor 401 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the various methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor can be a microprocessor or any conventional processor.

[0153] The memory 402 may include, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc.

[0154] This embodiment discloses a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium. The computer program includes program instructions, and when the program instructions are executed by a computer, the computer can perform the methods provided in the above-described method embodiments, such as: acquiring target intelligence data for a preset duration, analyzing the target intelligence data, and obtaining analysis results; the target intelligence data is obtained by recording data when a threat intelligence consuming device calls the API interface provided by the threat intelligence platform; and based on the analysis results, determining whether a security event that has been created has been hit.

[0155] This embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause the computer to execute the methods provided in the above-described method embodiments. These instructions may include: acquiring target intelligence data for a preset duration, analyzing the target intelligence data, and obtaining analysis results; the target intelligence data is obtained by recording data points when a threat intelligence consuming device calls the API interface provided by the threat intelligence platform; and determining, based on the analysis results, whether a previously created security event has been hit.

[0156] In the embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. Furthermore, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Additionally, the displayed or discussed mutual couplings, direct couplings, or communication connections may be through some communication interfaces; indirect couplings or communication connections between devices or units may be electrical, mechanical, or other forms.

[0157] Furthermore, the units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0158] Furthermore, the functional modules in the various embodiments of this application can be integrated together to form an independent part, or each module can exist independently, or two or more modules can be integrated to form an independent part.

[0159] In this document, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any such actual relationship or order between these entities or operations.

[0160] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.

Claims

1. A threat intelligence processing method, characterized in that it is applied to a threat intelligence platform comprising a threat analysis module and an event management module, and the method comprises: the threat analysis module acquires target intelligence data for a preset duration and analyzes the target intelligence data to obtain analysis results; the target intelligence data is obtained by recording data points when a threat intelligence consuming device calls the API interface provided by the threat intelligence platform; based on the analysis results, the event management module determines whether a previously created security event has been hit. Acquiring target intelligence data for a preset duration and analyzing the target intelligence data to obtain analysis results comprises: defining a sliding window and initializing it with the first k elements of a number list to obtain the initialized sliding window, where the first k elements are the k target intelligence data with the earliest time obtained from the database, k is a positive integer, and the duration corresponding to the k target intelligence data is equal to the preset duration; defining an analysis result list and writing the maximum value in the initial sliding window into the analysis result list, where the maximum value represents the maximum number of target intelligence data in the initial sliding window that hit the same IOC rule; starting from the k-th element, traversing the number list, and in each loop removing the first element from the sliding window, adding the next element to the end of the sliding window, and writing the maximum value in the sliding window into the analysis result list, until all target intelligence data is obtained.

2. The method according to claim 1, characterized in that, The threat intelligence platform also includes a threat data logging module, and the method further includes: The threat data recording module receives API call requests sent by the threat intelligence consumption device. The threat data recording module returns intelligence query results to the threat intelligence consumption device based on the call request, and records the intelligence query results, storing the recorded intelligence data in the database.

3. The method according to claim 2, characterized in that, before storing the recorded intelligence data into the database, the method further includes: if the event switch is enabled, adding additional attributes to the intelligence data, including at least one of event mode, event type, device type, and device name.

4. The method according to claim 1, characterized in that the security event corresponds to at least one Indicator of Compromise (IOC) rule, and determining whether a previously created security event has been hit based on the analysis results includes: matching the analysis results with the IOC rules; if a match is found, the security event is determined to have been hit; otherwise, the security event is determined not to have been hit.

5. The method according to claim 1, characterized in that, The method further includes: Obtain information on external security incidents; Parse the external security event information to obtain the IOC data corresponding to the external security event information; The IOC data is stored in a custom intelligence database.

6. The method according to any one of claims 1-5, characterized in that, after determining whether a previously created security event has been hit based on the analysis results, the method further includes: receiving a report generation request, the report generation request including a time period; obtaining the target security events that occurred within the specified time period; extracting key information from the data of the target security events, and filling the key information into a preset report template to obtain an event operation report.

7. A threat intelligence processing device, characterized in that it is applied to a threat intelligence platform and comprises: a threat analysis module, used to retrieve target intelligence data for a preset duration from the database, analyze the target intelligence data, and obtain analysis results, where the target intelligence data is recorded and obtained when a threat intelligence consuming device calls the API interface provided by the threat intelligence platform; and an event management module, used to determine whether a created security event has been hit based on the analysis results. The threat analysis module is specifically used for: defining a sliding window and initializing it with the first k elements of a number list to obtain the initialized sliding window, where the first k elements are the k target intelligence data with the earliest time obtained from the database, k is a positive integer, and the duration corresponding to the k target intelligence data is equal to the preset duration; defining an analysis result list and writing the maximum value in the initial sliding window into the analysis result list, where the maximum value represents the maximum number of target intelligence data in the initial sliding window that hit the same IOC rule; starting from the k-th element, traversing the number list, and in each loop removing the first element from the sliding window, adding the next element to the end of the sliding window, and writing the maximum value in the sliding window into the analysis result list, until all target intelligence data is obtained.

8. An electronic device, characterized in that, include: Processor, memory, and bus, among which, The processor and the memory communicate with each other via the bus; The memory stores program instructions that can be executed by the processor, and the processor can execute the method as described in any one of claims 1-6 by calling the program instructions.

9. A non-transitory computer-readable storage medium, characterized in that, The non-transitory computer-readable storage medium stores computer instructions, which, when executed by a computer, cause the computer to perform the method as described in any one of claims 1-6.