Threat hunting method and apparatus

CN117792715B · Active · Publication Date: 2026-06-12 · XIAN SECLOVER INFORMATION TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
XIAN SECLOVER INFORMATION TECH CO LTD
Filing Date
2023-12-15
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Traditional threat hunting methods are less accurate and efficient, making it difficult to quickly detect attack traces in the internal network environment and reduce the harm caused by attackers.

Method used

A method based on a preset threat hunting model is adopted. Network traffic data is acquired and input into the preset threat hunting model for calculation to generate threat hunting results. The preset threat hunting model is generated from a preset scenario detection model, which in turn is generated from a threat intelligence dataset, a threat correction pattern dataset, and a preset scenario kernel model. The preset scenario kernel model is constructed in a static simulation network environment and processed through an unsupervised learning mechanism.

Benefits of technology

It improves the accuracy and efficiency of threat hunting, reduces costs, and has more comprehensive handling capabilities and higher generalization ability.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117792715B_ABST

Abstract

The application discloses a threat hunting method and device, the method comprising: acquiring current network traffic data, inputting the current network traffic data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network traffic data. According to the scheme, the preset threat hunting model trained in advance is directly used to calculate the current network traffic data, and the corresponding threat hunting result can be obtained, thereby improving the accuracy and efficiency of threat hunting. In addition, because the preset threat hunting model replaces expert hunting, accuracy is improved while the model has lower cost and more comprehensive disposal capacity, and by combining a microkernel, scenarios and manual evaluation, the preset threat hunting model gains higher generalization ability and adaptability.

Description

Technical Field

[0001] This application relates to the field of cybersecurity technology, and in particular to threat hunting methods and apparatus.

Background Technology

[0002] Threat hunting, also known as threat capture or threat search, assumes that an attacker is already lurking in the internal network environment. The job of a threat hunter is to discover their attack traces as quickly as possible and minimize the harm caused by the attacker. The significance of threat hunting lies in considering how to proactively monitor and prevent threat events before a security incident occurs, rather than passively defending or responding negatively.

[0003] Traditionally, threat hunting has mostly relied on rule-driven methods, which do produce results but suffer from low accuracy and efficiency.

Summary of the Invention

[0004] This application aims to at least solve the technical problems existing in the prior art. To this end, the first aspect of this application proposes a threat hunting method, which includes:

[0005] Get current network traffic data;

[0006] The current network traffic data is input into the preset threat hunting model for calculation, generating threat hunting results corresponding to the current network traffic data. The preset threat hunting model is generated based on the preset scenario detection model, which is generated based on the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulated network environment and processed by an unsupervised learning mechanism.

[0007] In one possible implementation, the process of constructing the preset scene kernel model includes:

[0008] Obtain the preset threat detection kernel model;

[0009] An unsupervised learning mechanism is used to learn and evaluate the preset threat detection kernel model to generate a preset scenario kernel model.

[0010] In one possible implementation, the process of building a pre-defined threat detection kernel model includes:

[0011] Obtain a sample set of malicious network behaviors;

[0012] An initial threat detection model is constructed using a pre-defined deep learning model, and a first pre-defined evaluation index is constructed. The initial threat detection model is trained and evaluated using a set of malicious network behaviors until the evaluation results meet the first pre-defined evaluation index, thus generating a pre-defined threat detection model.

[0013] The preset threat detection model is migrated to a static simulation network environment to generate a preset threat detection kernel model.

[0014] In one possible implementation, an unsupervised learning mechanism is used to learn and evaluate a preset threat detection kernel model to generate a preset scenario kernel model, including:

[0015] Obtain the threat detection results corresponding to the second preset evaluation index and the preset threat detection kernel model;

[0016] Cluster the threat detection results to generate clustering results;

[0017] The clustering results are evaluated to generate the current evaluation result.

[0018] Based on the current evaluation results and the second preset evaluation index, the preset threat detection kernel model is learned and evaluated to generate a preset scenario kernel model.

[0019] In one possible implementation, the process of constructing the preset scene detection model includes:

[0020] Construct a static simulation network environment; wherein, the static simulation network environment includes fixed network traffic data;

[0021] Acquire threat intelligence datasets, threat correction pattern datasets, and preset scenario kernel models;

[0022] Based on the threat intelligence dataset, threat correction pattern dataset, and preset scenario kernel model, a preset scenario detection model is generated.

[0023] In one possible implementation, the method further includes:

[0024] Obtain the evaluation results corresponding to the threat hunting results;

[0025] The preset threat hunting model is updated based on the evaluation results to generate a new preset threat hunting model.

[0026] In one possible implementation, current network traffic data is input into a preset threat hunting model for calculation, generating threat hunting results corresponding to the current network traffic data, including:

[0027] The current network traffic data is input into a new preset threat hunting model for calculation, generating threat hunting results corresponding to the current network traffic data.

[0028] A second aspect of this application discloses a threat hunting device, the device comprising:

[0029] The acquisition module is used to acquire current network traffic data;

[0030] The generation module is used to input the current network traffic data into the preset threat hunting model for calculation and generate threat hunting results corresponding to the current network traffic data. The preset threat hunting model is generated based on the preset scenario detection model, which is generated based on the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulation network environment and processed by an unsupervised learning mechanism.

[0031] In one possible implementation, the aforementioned threat hunting device is also used for:

[0032] Obtain the preset threat detection kernel model;

[0033] An unsupervised learning mechanism is used to learn and evaluate the preset threat detection kernel model to generate a preset scenario kernel model.

[0034] In one possible implementation, the aforementioned threat hunting device is also used for:

[0035] Obtain a sample set of malicious network behaviors;

[0036] An initial threat detection model is constructed using a pre-defined deep learning model, and a first pre-defined evaluation metric is also constructed.

[0037] The initial threat detection model is trained and evaluated using a sample set of malicious network behaviors until the evaluation results meet the first preset evaluation index, thus generating a preset threat detection model.

[0038] The preset threat detection model is migrated to a static simulation network environment to generate a preset threat detection kernel model.

[0039] In one possible implementation, the aforementioned threat hunting device is also used for:

[0040] Obtain the threat detection results corresponding to the second preset evaluation index and the preset threat detection kernel model;

[0041] Cluster the threat detection results to generate clustering results;

[0042] The clustering results are evaluated to generate the current evaluation result.

[0043] Based on the current evaluation results and the second preset evaluation index, the preset threat detection kernel model is learned and evaluated to generate a preset scenario kernel model.

[0044] In one possible implementation, the aforementioned threat hunting device is also used for:

[0045] Construct a static simulation network environment; wherein, the static simulation network environment includes fixed network traffic data;

[0046] Acquire threat intelligence datasets, threat correction pattern datasets, and preset scenario kernel models;

[0047] Based on the threat intelligence dataset, threat correction pattern dataset, and preset scenario kernel model, a preset scenario detection model is generated.

[0048] In one possible implementation, the aforementioned threat hunting device is also used for:

[0049] Obtain the evaluation results corresponding to the threat hunting results;

[0050] The preset threat hunting model is updated based on the evaluation results to generate a new preset threat hunting model.

[0051] In one possible implementation, the above-mentioned generation module is specifically used for:

[0052] The current network traffic data is input into a new preset threat hunting model for calculation, generating threat hunting results corresponding to the current network traffic data.

[0053] A third aspect of this application provides an electronic device comprising a processor and a memory, wherein the memory stores at least one instruction, at least one program, a code set, or an instruction set, the at least one instruction, the at least one program, the code set, or the instruction set being loaded and executed by the processor to implement the threat hunting method as described in the first aspect.

[0054] The fourth aspect of this application provides a computer-readable storage medium storing at least one instruction, at least one program, a code set, or an instruction set, wherein the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by a processor to implement the threat hunting method as described in the first aspect.

[0055] The embodiments of this application have the following beneficial effects:

[0056] The threat hunting method provided in this application includes: acquiring current network traffic data, inputting the current network traffic data into a preset threat hunting model for calculation, and generating a threat hunting result corresponding to the current network traffic data. The preset threat hunting model is generated based on a preset scenario detection model, which is generated based on a threat intelligence dataset, a threat correction pattern dataset, and a preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulated network environment and processed through an unsupervised learning mechanism. This solution directly calculates the current network traffic data using a pre-trained preset threat hunting model to obtain the corresponding threat hunting result, improving the accuracy and efficiency of threat hunting. Furthermore, by replacing expert hunting with a preset threat hunting model, accuracy is improved while the model has lower costs and more comprehensive processing capabilities. Simultaneously, the combination of microkernel, scenario-based approach, and manual evaluation gives the preset threat hunting model high generalization and adaptability.

Attached Figure Description

[0057] Figure 1 is a block diagram of a computer device provided in an embodiment of this application;

[0058] Figure 2 is a flowchart illustrating the steps of the threat hunting method provided in an embodiment of this application;

[0059] Figure 3 is a flowchart illustrating the steps for constructing a preset scene kernel model, as provided in an embodiment of this application;

[0060] Figure 4 is a flowchart illustrating the steps for constructing a preset threat detection kernel model, as provided in an embodiment of this application;

[0061] Figure 5 is a flowchart illustrating the steps for constructing a preset scene detection model, as provided in an embodiment of this application;

[0062] Figure 6 is a flowchart illustrating the steps for constructing a preset scene kernel model, as provided in an embodiment of this application;

[0063] Figure 7 is a flowchart illustrating the steps for updating a preset threat hunting model, as provided in an embodiment of this application;

[0064] Figure 8 is a structural block diagram of the threat hunting device provided in an embodiment of this application.

Detailed Implementation

[0065] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of this application.

[0066] Hereinafter, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of indicated technical features. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of embodiments of this disclosure, unless otherwise stated, "a plurality of" means two or more. Furthermore, the use of "based on" or "according to" implies openness and inclusiveness, because processes, steps, calculations, or other actions "based on" or "according to" one or more of the stated conditions or values may in practice be based on additional conditions or beyond the stated values.

[0067] The threat hunting method provided in this application can be applied to computer devices (electronic devices). The computer device can be a server or a terminal. The server can be a single server or a server cluster composed of multiple servers. This application does not specifically limit this. The terminal can be, but is not limited to, various personal computers, laptops, smartphones, tablets and portable wearable devices.

[0068] Taking a computer device as an example, Figure 1 is a block diagram of a server. As shown in Figure 1, the server may include a processor and memory connected via a system bus. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. When the computer program is executed by the processor, it implements a threat hunting method.

[0069] Those skilled in the art will understand that the structure shown in Figure 1 is merely a block diagram of the portion of the structure related to the present application and does not constitute a limitation on the server to which the present application is applied. Optionally, the server may include more or fewer components than shown in the figure, or combine certain components, or have a different component arrangement.

[0070] It should be noted that the execution subject of the embodiments of this application can be a computer device or a threat hunting device. The following method embodiments will be described with a computer device as the execution subject.

[0071] Figure 2 is a flowchart illustrating the steps of the threat hunting method provided in this application embodiment. As shown in Figure 2, the method includes the following steps:

[0072] Step 202: Obtain current network traffic data.

[0073] Threat hunting, also known as threat capture or threat search, assumes that attackers are already lurking in the internal network environment. The task of threat hunters is to discover their attack traces as quickly as possible and to minimize the harm caused by the attackers. The significance of threat hunting lies in considering how to proactively monitor and prevent threat events before a security incident occurs, rather than passively defending or responding negatively.

[0074] When conducting threat hunting, it is necessary to first obtain current network traffic data, which may include multiple data entries. Optionally, current network traffic data can be obtained by capturing traffic packets using packet capture tools, or by obtaining detailed network log information using network log tools. Of course, other methods can also be used to obtain current network traffic data, and this application embodiment does not specifically limit this method.

[0075] Step 204: Input the current network traffic data into the preset threat hunting model for calculation, and generate threat hunting results corresponding to the current network traffic data.

[0076] Here, the preset threat hunting model is generated based on the preset scenario detection model, which is generated based on the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulation network environment and then processed by an unsupervised learning mechanism.

[0077] After obtaining the current network traffic data, it can be input into a preset threat hunting model for calculation, thereby generating a threat hunting result corresponding to the current network traffic data. The threat hunting result may include threat subtype, threat probability value, and detailed information about the threat, which may be the current network traffic data itself corresponding to the threat. Of course, other types of threat hunting results may also be included, but this application embodiment does not specifically limit this.

[0078] The aforementioned preset scene detection model and preset scene kernel model need to be pre-built. In some optional embodiments, as shown in Figure 3, which is a flowchart illustrating the steps for constructing a preset scene kernel model as provided in this application embodiment, the construction process includes:

[0079] Step 302: Obtain the preset threat detection kernel model.

[0080] Here, the construction of the preset threat detection kernel model is shown in Figure 4, a flowchart illustrating the steps for constructing a preset threat detection kernel model as provided in this application embodiment, and includes:

[0081] Step 402: Obtain a sample set of malicious network behaviors.

[0082] Step 404: Construct an initial threat detection model using a preset deep learning model, and construct the first preset evaluation index.

[0083] Step 406: Train and evaluate the initial threat detection model using a sample set of malicious network behaviors until the evaluation results meet the first preset evaluation index, and generate the preset threat detection model.

[0084] Step 408: Migrate the preset threat detection model to the static simulation network environment to generate the preset threat detection kernel model.

[0085] The network malicious behavior sample set is a large-scale, multimodal dataset of pre-collected common network threat traffic data, log files, event records, etc. This set collects various malicious behaviors, excluding normal behaviors. To ensure the effectiveness of the model's identification, the collected malicious behaviors should be as comprehensive as possible.

[0086] In addition, common types of malicious cyber threats can include malware, cyberattacks, identity theft, vulnerability exploitation, IoT threats, malicious advertising, and password attacks. Malware can include, but is not limited to, viruses, worms, and Trojans; cyberattacks can include, but are not limited to, denial-of-service attacks, DNS attacks, and man-in-the-middle attacks; identity theft can include, but is not limited to, phishing attacks and identity spoofing; vulnerability exploitation can include, but is not limited to, zero-day vulnerabilities and SQL injection attacks; IoT threats can include, but are not limited to, unauthorized access and internal data leaks; and password attacks can include, but are not limited to, brute-force attacks and password stuffing attacks.

[0087] Next, the collected sample set of malicious network behaviors can be preprocessed. The data preprocessing process may include, but is not limited to, cleaning, noise reduction, handling missing values and outliers, standardization, normalization, etc., so as to obtain the preprocessed sample set of malicious network behaviors.

[0088] Feature engineering can be performed on the preprocessed network malicious behavior sample set to extract key features related to network behavior, including but not limited to packet size, source and destination IP addresses, port information, communication mode, protocol type, etc.

[0089] The next step is data annotation, which can be done using a combination of automated annotation tools and manual annotation. Common data annotation tools can be used to automatically annotate some feature information. During manual annotation, data showing known normal and malicious behavior can be labeled manually, enabling subsequent models to learn correct behavioral patterns when using this data. The main labeling content can include the attack type and whether the behavior is malicious.

[0090] After data annotation, the annotated set of malicious network behavior samples can be processed through data encoding, segmentation, desensitization, and format conversion. Specifically, since malicious network behavior sample sets are typically text data, the non-numerical annotated sample sets can be encoded into a numerical form that the model can recognize and process; for example, one-hot encoding can be used. Then, the encoded malicious network behavior sample set can be divided into training and testing sets. If there are class-imbalanced samples in the training and testing sets, sampling or undersampling methods can be used to address this. Furthermore, data containing sensitive information can be protected using encryption or other desensitization methods to ensure compliance and privacy security.
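The preprocessing, feature engineering, encoding and splitting steps of paragraphs [0087] to [0090] can be carried out with nothing more than the standard library. The block below is an added example written for this page; it is not the patent's own implementation. The record schema, the field names, the sample rows, the private-address heuristic and the choice of min-max normalisation and random undersampling are all assumptions made for illustration.

```python
"""Added example (not from the patent): cleaning, feature extraction,
one-hot encoding, class balancing and a stratified split over a
constructed malicious-behaviour sample set."""
import random
from collections import Counter, defaultdict

PROTO_VOCAB = ["tcp", "udp", "icmp"]          # assumed protocol vocabulary
ATTACK_VOCAB = ["worm", "dos", "bruteforce"]  # assumed attack-type labels
MAX_PACKET_SIZE = 65535  # larger than any IP packet; bigger values are outliers

# Constructed records (assumed schema): one row per flow summary. 'type' and
# 'malicious' are the two annotation targets named in paragraph [0089].
RAW_SAMPLES = [
    {"size": 1500, "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445, "proto": "tcp", "type": "worm", "malicious": 1},
    {"size": 1480, "src": "10.0.0.5", "dst": "10.0.0.10", "dport": 445, "proto": "tcp", "type": "worm", "malicious": 1},
    {"size": 60, "src": "10.0.0.7", "dst": "10.0.0.1", "dport": 80, "proto": "tcp", "type": "dos", "malicious": 1},
    {"size": 62, "src": "10.0.0.8", "dst": "10.0.0.1", "dport": 80, "proto": "tcp", "type": "dos", "malicious": 1},
    {"size": 58, "src": "10.0.0.9", "dst": "10.0.0.1", "dport": 80, "proto": "tcp", "type": "dos", "malicious": 1},
    {"size": 64, "src": "10.0.0.11", "dst": "10.0.0.1", "dport": 80, "proto": "udp", "type": "dos", "malicious": 1},
    {"size": 120, "src": "10.0.0.12", "dst": "10.0.0.2", "dport": 22, "proto": "tcp", "type": "bruteforce", "malicious": 1},
    {"size": 118, "src": "10.0.0.12", "dst": "10.0.0.2", "dport": 22, "proto": "tcp", "type": "bruteforce", "malicious": 1},
    {"size": None, "src": "10.0.0.13", "dst": "10.0.0.2", "dport": 22, "proto": "tcp", "type": "bruteforce", "malicious": 1},      # missing value
    {"size": 99999999, "src": "10.0.0.14", "dst": "10.0.0.2", "dport": 22, "proto": "tcp", "type": "bruteforce", "malicious": 1},  # outlier
]


def clean(records):
    """Cleaning step: drop rows with a missing size, an unknown protocol or an impossible size."""
    out = []
    for r in records:
        if r["size"] is None or r["proto"] not in PROTO_VOCAB:
            continue
        if not 0 < r["size"] <= MAX_PACKET_SIZE:
            continue
        out.append(r)
    return out


def one_hot(value, vocab):
    """Encode a categorical value as a 0/1 vector over the vocabulary."""
    return [1 if value == v else 0 for v in vocab]


def extract_features(rec):
    """Feature engineering: packet size, destination port, internal-address flags, protocol one-hot."""
    src_internal = 1 if rec["src"].startswith("10.") else 0   # assumed internal range
    dst_internal = 1 if rec["dst"].startswith("10.") else 0
    return [rec["size"], rec["dport"], src_internal, dst_internal] + one_hot(rec["proto"], PROTO_VOCAB)


def min_max_normalize(matrix):
    """Column-wise min-max normalisation to [0, 1]; a constant column maps to 0."""
    cols = list(zip(*matrix))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(row, lo, hi)] for row in matrix]


def class_counts(records):
    return dict(Counter(r["type"] for r in records))


def undersample(records, seed=0):
    """Address class imbalance by random undersampling down to the smallest class."""
    rng = random.Random(seed)
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r)
    n = min(len(rows) for rows in by_type.values())
    balanced = []
    for rows in by_type.values():
        balanced.extend(rng.sample(rows, n))
    return balanced


def stratified_split(records, test_ratio=0.5, seed=0):
    """Split into training and test sets while keeping every attack type in both."""
    rng = random.Random(seed)
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r)
    train, test = [], []
    for rows in by_type.values():
        rows = rows[:]
        rng.shuffle(rows)
        k = max(1, int(len(rows) * test_ratio))
        test.extend(rows[:k])
        train.extend(rows[k:])
    return train, test


def build_dataset(records):
    """Run the whole pipeline and return numeric training features and one-hot labels."""
    cleaned = clean(records)
    balanced = undersample(cleaned)
    train, test = stratified_split(balanced)
    x_train = min_max_normalize([extract_features(r) for r in train])
    y_train = [one_hot(r["type"], ATTACK_VOCAB) for r in train]
    return x_train, y_train, train, test
```

Desensitisation of sensitive fields (paragraph [0090]) is deliberately left out of this example; in practice the source and destination addresses would be hashed or tokenised before the records leave the collection environment.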

[0091] Next, an initial threat detection model can be built using a pre-defined deep learning model, such as a Gated Recurrent Unit (GRU) or a Long Short-Term Memory (LSTM) model. When building the initial threat detection model, its framework needs to be established. Taking GRU as an example, building the framework includes constructing an input layer, a GRU layer, and an output layer. Additionally, appropriate parameters such as the loss function, optimizer, first pre-defined evaluation metric, accuracy threshold, precision threshold, and recall threshold need to be set.

[0092] When constructing evaluation metrics for a model, you can include overall accuracy, overall precision, and recall.

[0093] Taking the overall accuracy rate as an example, the overall accuracy rate r(accuracy) can be calculated using formula (1).

[0094]

[0095] Where i represents the i-th threat subtype among all threat subtypes; w(i) represents the percentage of network malicious behavior sample data corresponding to the i-th threat subtype to the total data volume of the network malicious behavior sample set, which is also the weight when calculating the overall accuracy; c(i) represents the number of times the i-th threat subtype is correctly classified, which can be determined by comparing the threat detection results predicted by the model with the labeled data; t represents the amount of data in the training set.

[0096] Therefore, the initial threat detection model can be trained using the aforementioned training set, during which the model will learn various malicious behavior patterns. After training, the model can be evaluated using the aforementioned test set. The first preset evaluation metrics can include overall accuracy, overall precision, and recall. The overall accuracy, overall precision, and recall, along with their corresponding thresholds, are used to evaluate the model's training performance. Then, the optimization method is determined based on the training performance until all the first preset evaluation metrics are met.
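Paragraphs [0093] to [0096] describe the first preset evaluation index in terms of w(i), c(i) and t, but formula (1) itself does not appear on this page. The block below is an added example, not the patent's code: it computes the overall accuracy as the sum over subtypes of w(i) multiplied by the per-subtype accuracy c(i)/n(i) (an assumed reading of formula (1); since w(i) = n(i)/t, this reduces to the fraction of correctly classified samples), the overall precision and recall weighted the same way, and checks them against thresholds. The labels, predictions and threshold values are constructed.

```python
"""Added example (not from the patent): overall accuracy, precision and
recall in the w(i), c(i), t notation of paragraph [0095], checked against
a constructed 'first preset evaluation index'."""
from collections import Counter

SUBTYPES = ["worm", "dos", "bruteforce"]  # assumed threat subtypes

# Constructed ground truth and model predictions for a small test set.
Y_TRUE = ["worm", "worm", "worm", "dos", "dos", "dos", "dos",
          "bruteforce", "bruteforce", "bruteforce"]
Y_PRED = ["worm", "worm", "dos", "dos", "dos", "dos", "worm",
          "bruteforce", "bruteforce", "dos"]

# Constructed thresholds standing in for the first preset evaluation index.
FIRST_INDEX = {"accuracy": 0.9, "precision": 0.9, "recall": 0.9}


def subtype_counts(y_true, y_pred):
    """t: total samples; n[i]: samples of subtype i; p[i]: samples the model
    assigned to subtype i; c[i]: correctly classified samples of subtype i;
    w[i] = n[i] / t is the weight of subtype i."""
    t = len(y_true)
    n = Counter(y_true)
    p = Counter(y_pred)
    c = Counter(yt for yt, yp in zip(y_true, y_pred) if yt == yp)
    w = {s: n[s] / t for s in SUBTYPES}
    return t, n, p, c, w


def overall_accuracy(y_true, y_pred):
    """Assumed form of formula (1): sum over i of w(i) * c(i) / n(i)."""
    t, n, p, c, w = subtype_counts(y_true, y_pred)
    return sum(w[s] * c[s] / n[s] for s in SUBTYPES if n[s])


def overall_precision(y_true, y_pred):
    """Per-subtype precision c(i) / p(i), weighted by w(i)."""
    t, n, p, c, w = subtype_counts(y_true, y_pred)
    return sum(w[s] * (c[s] / p[s] if p[s] else 0.0) for s in SUBTYPES)


def overall_recall(y_true, y_pred):
    """Per-subtype recall c(i) / n(i), weighted by w(i)."""
    t, n, p, c, w = subtype_counts(y_true, y_pred)
    return sum(w[s] * (c[s] / n[s] if n[s] else 0.0) for s in SUBTYPES)


def evaluate(y_true, y_pred, index=FIRST_INDEX):
    """Return the metrics and whether every threshold of the index is met;
    the training loop would keep optimising until this returns True."""
    metrics = {
        "accuracy": overall_accuracy(y_true, y_pred),
        "precision": overall_precision(y_true, y_pred),
        "recall": overall_recall(y_true, y_pred),
    }
    met = all(metrics[k] >= index[k] for k in index)
    return metrics, met
```

With these constructed predictions seven of ten samples are classified correctly, so the accuracy is 0.7 and the 0.9 thresholds are not met; lowering every threshold to 0.6 makes the index pass.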

[0097] Finally, the model that meets the first preset evaluation index can be parameterized and encapsulated to generate a preset threat detection model. This preset threat detection model can then be migrated to a static simulation network environment to generate the preset threat detection kernel model. Through microkerneling and scenario-based approaches, the obtained preset threat detection kernel model can be migrated to different simulation environments to complete tasks in specific scenarios, resulting in low migration costs and strong adaptability.

[0098] Step 304: Use an unsupervised learning mechanism to learn and evaluate the preset threat detection kernel model to generate a preset scenario kernel model.

[0099] The preset scenario detection model is generated based on the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model, as shown in Figure 5, a flowchart illustrating the steps for constructing a preset scene detection model as provided in this application embodiment, which includes:

[0100] Step 502: Construct a static simulation network environment.

[0101] Step 504: Obtain the threat intelligence dataset, threat correction pattern dataset, and preset scenario kernel model.

[0102] Step 506: Generate a preset scenario detection model based on the threat intelligence dataset, threat correction pattern dataset, and preset scenario kernel model.

[0103] The static simulation network environment includes fixed network traffic data, representing a highly reliable and representative static simulation network environment over a specific time period, encompassing various network activities and threats. This fixed network traffic data can be historical network traffic data or dynamically generated based on actual network traffic data, thus simulating different types of network events. Furthermore, this static simulation network environment can mimic a sandbox environment, where network defenses exist in a realistic form. Models trained in this environment can then exhibit high recognition accuracy for corresponding network threats. Therefore, the static simulation network environment has a crucial impact on the effectiveness of scene detection models.

[0104] In addition, the network traffic data in the static simulation network environment needs to be formatted according to the input requirements of the preset threat detection kernel model so that it can be directly adapted to the preset threat detection kernel model. Parameters can also be organized according to the parameter requirements of the preset threat detection kernel model, and threat detection results can be received according to the output format of the preset threat detection kernel model.

[0105] The construction of a preset scenario kernel model is shown in Figure 6, a flowchart illustrating the steps for constructing a preset scene kernel model as provided in this application embodiment, and includes:

[0106] Step 602: Obtain the threat detection results corresponding to the second preset evaluation index and the preset threat detection kernel model.

[0107] Step 604: Perform clustering processing on the threat detection results to generate clustering results.

[0108] Step 606: Evaluate the clustering results and generate the current evaluation result.

[0109] Step 608: Based on the current evaluation results and the second preset evaluation index, the preset threat detection kernel model is learned and evaluated to generate a preset scenario kernel model.

[0110] The second preset evaluation index can be the threshold corresponding to the silhouette coefficient, the variance ratio criterion (Calinski-Harabasz index), or the Jaccard similarity coefficient. Taking the silhouette coefficient as an example, its value generally lies in the range [-1, 1]. The closer it is to 1, the more similar the samples are within the same group, and the less similar the samples are between groups. The initial value of the threshold can be given by experts according to the actual scenario.

[0111] Network threats can be clustered based on the threat subtypes and detailed information of the threats in the threat detection results, thus obtaining clustering results. The initial number of clusters selected during clustering can be the number of threat subtypes. This application does not limit the clustering algorithm; for example, Principal Component Analysis (PCA) can be used for clustering.

[0112] Next, the current evaluation result needs to be calculated using the calculation method corresponding to the second preset evaluation index. For example, if the second preset evaluation index uses a threshold corresponding to the silhouette coefficient, then the silhouette coefficient calculation method is used to evaluate the clustering results and generate the current evaluation result. Then, the current evaluation result can be compared with the second preset evaluation index. If it does not meet the second preset evaluation index, the above process needs to be repeated. If it fails to meet the second preset evaluation index multiple times, expert intervention or modification of the second preset evaluation index is possible.

[0113] For example, the second preset evaluation metric is a threshold of 0.8 corresponding to the silhouette coefficient. If the current evaluation result is less than 0.8, the second preset evaluation metric is not met. Finally, after learning and evaluating the preset threat detection kernel model, a kernel model for the preset scenario in a static simulated network environment can be formed. This model is constructed by combining supervised learning and reinforcement learning: supervised learning gives the model a high threat recognition capability, while reinforcement learning removes the need to label more datasets, keeping the cost of model construction within a certain range and achieving a good balance between performance and cost control. Furthermore, the reinforcement learning mechanism enhances the model's self-learning ability.
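Steps 602 to 608 and paragraphs [0110] to [0113] describe a loop: cluster the threat detection results, score the clustering with the silhouette coefficient, compare the score with the second preset evaluation index (0.8 in the example), repeat if it is not met, and hand over to an expert after repeated failures. The block below is an added example written for this page, not the patent's code. It uses k-means with the number of clusters set to the number of threat subtypes (the patent leaves the clustering algorithm open), a farthest-point initialisation whose starting sample changes on every repetition, and a silhouette coefficient implemented directly; the detection results are constructed two-dimensional points, and the round limit is an assumption.

```python
"""Added example (not from the patent): cluster constructed threat detection
results, score them with the silhouette coefficient and compare the score
with the second preset evaluation index, repeating and escalating as the
description requires."""
import math

SUBTYPES = ["worm", "dos", "bruteforce"]  # assumed; initial cluster count = len(SUBTYPES)
SECOND_INDEX = 0.8   # silhouette threshold from paragraph [0113]
MAX_ROUNDS = 3       # assumed number of repetitions before expert intervention

# Constructed detection results: (threat probability value, normalised detail score).
DETECTIONS = [
    (0.10, 0.10), (0.12, 0.08), (0.09, 0.11), (0.11, 0.10),
    (0.90, 0.90), (0.88, 0.92), (0.91, 0.89), (0.90, 0.91),
    (0.10, 0.90), (0.12, 0.88), (0.09, 0.91), (0.11, 0.90),
]


def dist(a, b):
    return math.dist(a, b)


def farthest_point_init(points, k, start):
    """Pick k initial centroids: the start point, then repeatedly the point
    farthest from the centroids chosen so far."""
    centroids = [points[start]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    return centroids


def kmeans(points, k, start=0, iters=50):
    """Plain k-means; returns the cluster label of every point."""
    centroids = farthest_point_init(points, k, start)
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        new = []
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            new.append(centroids[j] if not members
                       else tuple(sum(x) / len(members) for x in zip(*members)))
        if new == centroids:
            break
        centroids = new
    return labels


def silhouette(points, labels):
    """Mean silhouette coefficient: s = (b - a) / max(a, b) per point, where a is
    the mean distance to the point's own cluster and b the smallest mean
    distance to another cluster. Singleton clusters contribute 0."""
    total = 0.0
    for i, p in enumerate(points):
        own = [q for j, q in enumerate(points) if labels[j] == labels[i] and j != i]
        others = [l for l in set(labels) if l != labels[i]]
        if not own or not others:
            continue
        a = sum(dist(p, q) for q in own) / len(own)
        b = min(sum(dist(p, q) for j, q in enumerate(points) if labels[j] == l) / labels.count(l)
                for l in others)
        total += (b - a) / max(a, b)
    return total / len(points)


def learn_and_evaluate(points, threshold=SECOND_INDEX, rounds=MAX_ROUNDS):
    """Steps 602-608: cluster, evaluate, compare with the index; repeat with a
    different initialisation if not met; flag expert intervention after
    `rounds` failures."""
    k = len(SUBTYPES)
    history = []
    labels = []
    for r in range(rounds):
        labels = kmeans(points, k, start=r % len(points))
        score = silhouette(points, labels)
        history.append(score)
        if score >= threshold:
            return {"met": True, "score": score, "rounds": r + 1,
                    "needs_expert": False, "labels": labels}
    return {"met": False, "score": max(history), "rounds": rounds,
            "needs_expert": True, "labels": labels}
```

On the constructed data the three groups are well separated, so the silhouette coefficient is well above 0.8 and the index is met in the first round; raising the threshold to 0.99 reproduces the escalation path, where the loop exhausts its rounds and flags the case for expert intervention or for revising the index.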

[0114] After constructing the preset scenario kernel model, a threat correction mode also needs to be built. The threat correction mode is a patching mode designed to add additional model patching measures, causing specific models to be subject to additional impacts during operation. The threat correction mode is initially empty. In subsequent scenario threat detection, if experts add threat corrections, the relevant information is repeatedly verified and normalized here before the results are sent to the scenario extension module for processing.

[0115] When constructing the aforementioned scenario extension module, a threat intelligence dataset and a threat correction pattern dataset can be acquired first, and then these two datasets can be fused. Specifically, the threat intelligence dataset can be first identified, thereby setting the network threat weight related to the current threat subtype in the threat intelligence dataset to 100%. Additionally, the data weight in the threat correction pattern dataset can be set to k2. It should be noted that this weight value k2 can be set differently in different static simulation network environments. Finally, the threat intelligence dataset and the threat correction pattern dataset are converted to the same data format for storage, and the two types of data are distinguished, thus obtaining the scenario extension module.

[0116] Therefore, when constructing a preset scenario detection model, the aforementioned scenario extension module and preset scenario kernel model can be fused. Specifically, the weight of the scenario kernel result corresponding to the preset scenario kernel model can be set to k1, and the scenario kernel result and the scenario extension result corresponding to the scenario extension module can then be combined in weighted form. That is, the final threat value is r(i) = [threat intelligence result] * 100% + [threat correction result] * k2 + [scenario kernel result] * k1, where r(i) is the final threat value of the i-th threat subtype. [Threat intelligence result] represents the relevance of the i-th network threat in the threat intelligence dataset, usually a percentage obtained by similarity calculation: first, the network threats related to the current threat subtype are screened from the threat intelligence dataset, and then the similarity between the current threat subtype and each screened network threat is calculated. [Threat correction result] is the threat probability value in the i-th network threat correction result in the threat correction pattern dataset, which can be set by experts during correction. [Scenario kernel result] represents the i-th threat probability value calculated by the preset scenario kernel model; if there are multiple threat probability values, the largest one can be selected.

[0117] Finally, the above process can be parameterized and encapsulated to generate a preset scenario detection model. The input data of the preset scenario detection model can include threat intelligence dataset, threat correction pattern dataset, and network traffic dataset. The output data of the model can include threat subtype, final threat value r(i), and detailed information about the threat.

[0118] In some optional embodiments, the preset threat hunting model is implemented based on the preset scenario detection model, and the threat hunting result is the threat detection result generated by the preset scenario detection model. The preset threat hunting model can be deployed on the bypass of the switch, thereby enabling real-time detection of network behavior. During the detection process, relevant personnel can manually evaluate the detection effect and results. The system incorporates the evaluation results as corrections to the model into the preset scenario detection model. Subsequent detections will be more accurate due to the addition of human evaluation and correction. By combining machine learning and human evaluation, the model achieves a high degree of automation. Initially, a small amount of human intervention in evaluation and correction is required, but the degree of automation increases further as the model's detection capabilities improve.

[0119] Specifically, as shown in Figure 7, which is a flowchart of the steps for updating a preset threat hunting model provided in an embodiment of this application, the steps include:

[0120] Step 702: Obtain the evaluation results corresponding to the threat hunting results.

[0121] Step 704: Update the preset threat hunting model based on the evaluation results to generate a new preset threat hunting model.

[0122] During threat hunting, it can also connect in real time through network switches, usually by opening bypass traffic to the core switch, and monitor network traffic data in real time through a preset scenario detection model. The threat detection results can be displayed and communicated to relevant security experts in a pre-set manner, such as in web format.

[0123] Therefore, security experts can evaluate the threat detection results detected by the preset scenario detection model. Specifically, they can label whether it is a threat, label the threat type, and label the probability of it being the current type of threat, thereby obtaining the evaluation result.

[0124] Updating the preset threat hunting model based on the evaluation results is in fact updating the preset scenario detection model. That is, the evaluation results can be input into the preset scenario detection model in a small batch for updating, thus obtaining a new preset scenario detection model for subsequent scenario detection. Obtaining the new preset scenario detection model is equivalent to updating the preset threat hunting model, thereby obtaining a new preset threat hunting model.

[0125] Furthermore, when generating threat hunting results, the current network traffic data can be input into a new preset threat hunting model for calculation to generate threat hunting results corresponding to the current network traffic data.
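The weighted fusion of [0114] to [0117] together with the expert feedback loop of [0118] to [0125], as one added example that is not the patent's own implementation: a scenario detection model scores each threat subtype as r(i) = [threat intelligence result] * 100% + [threat correction result] * k2 + [scenario kernel result] * k1, returns the subtype, its final threat value and per-subtype detail, and accepts a small batch of expert labels (is it a threat, which type, with what probability) that are verified and normalized before they enter the threat correction pattern dataset. Assumptions not in the text: traffic and intelligence entries are represented as feature-token sets and the "similarity calculation" is Jaccard similarity; expert labels arrive as dicts; the k1 and k2 values and all sample data are constructed; a "not a threat" verdict clears the correction for that subtype.

```python
"""Weighted fusion r(i) and the expert-correction update of a scenario
detection model.  Added illustration, not code from the patent.
Assumptions: traffic and threat intelligence entries are feature-token sets
and "similarity" is Jaccard similarity; kernel output is a dict of
subtype -> list of probabilities; k1 and k2 are constructed values."""
from dataclasses import dataclass, field

INTEL_WEIGHT = 1.0   # the text fixes the threat intelligence weight at 100%


def jaccard(a, b):
    """Similarity of two token sets in [0, 1] (assumed similarity measure)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if (a | b) else 0.0


@dataclass
class ScenarioDetectionModel:
    k1: float                                   # weight of the scenario kernel result
    k2: float                                   # weight of the threat correction result
    threat_intel: dict = field(default_factory=dict)   # subtype -> list of token sets
    corrections: dict = field(default_factory=dict)    # subtype -> expert probability

    def intel_result(self, subtype, observed):
        """Relevance of subtype i: screen the intelligence entries of that
        subtype and take the best similarity to the observed traffic."""
        entries = self.threat_intel.get(subtype, [])
        return max((jaccard(observed, e) for e in entries), default=0.0)

    def final_threat_value(self, subtype, observed, kernel_probs):
        """r(i) = [intel] * 100% + [correction] * k2 + [kernel] * k1,
        taking the largest kernel probability when there are several."""
        ti = self.intel_result(subtype, observed)
        tc = self.corrections.get(subtype, 0.0)
        sk = max(kernel_probs, default=0.0)
        return ti * INTEL_WEIGHT + tc * self.k2 + sk * self.k1

    def detect(self, observed, kernel_output):
        """Output of the encapsulated model: best subtype, its r(i), and the
        per-subtype detail ([0117])."""
        scored = {st: self.final_threat_value(st, observed, probs)
                  for st, probs in kernel_output.items()}
        best = max(scored, key=scored.get)
        return {"subtype": best, "r": scored[best], "detail": scored}

    def apply_evaluations(self, evaluations):
        """Small-batch update from expert labels ([0123], [0124]).  Each label
        is verified and normalised before it enters the threat correction
        pattern dataset ([0114]); malformed labels are rejected rather than
        written.  Returns the number of labels accepted."""
        accepted = 0
        for ev in evaluations:
            try:
                p = float(ev["probability"])
            except (KeyError, TypeError, ValueError):
                continue
            if not 0.0 <= p <= 1.0 or not ev.get("subtype"):
                continue
            subtype = ev["subtype"].strip().lower()      # normalise the label
            # Assumption: a "not a threat" verdict clears the correction for
            # that subtype; the text does not say how such verdicts are weighted.
            self.corrections[subtype] = p if ev.get("is_threat") else 0.0
            accepted += 1
        return accepted


# Constructed sample data (not from the patent).
SAMPLE_INTEL = {
    "c2_beacon": [{"dns", "periodic", "small_payload"},
                  {"tls", "periodic", "self_signed"}],
    "port_scan": [{"syn", "many_ports", "single_src"}],
}
SAMPLE_TRAFFIC = {"dns", "periodic", "small_payload", "udp"}
SAMPLE_KERNEL = {"c2_beacon": [0.6, 0.7], "port_scan": [0.2]}


def demo():
    """Score the sample traffic, apply two expert labels (one malformed), rescore."""
    model = ScenarioDetectionModel(k1=0.5, k2=0.3, threat_intel=SAMPLE_INTEL)
    before = model.detect(SAMPLE_TRAFFIC, SAMPLE_KERNEL)
    accepted = model.apply_evaluations([
        {"is_threat": True, "subtype": " C2_Beacon ", "probability": 0.9},
        {"is_threat": True, "subtype": "port_scan", "probability": 1.5},  # rejected
    ])
    after = model.detect(SAMPLE_TRAFFIC, SAMPLE_KERNEL)
    return {"before": before, "accepted": accepted, "after": after, "model": model}


if __name__ == "__main__":
    out = demo()
    print(out["before"]["subtype"], round(out["before"]["r"], 3),
          "->", round(out["after"]["r"], 3), "after", out["accepted"], "correction(s)")
```

The rejection of the out-of-range label is the part a practitioner should keep: the correction dataset is what later detections trust, so a label that fails verification must be dropped rather than normalized into the model.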

[0126] This application provides a threat hunting method, which includes: acquiring current network traffic data; inputting the current network traffic data into a preset threat hunting model for calculation; and generating threat hunting results corresponding to the current network traffic data. The preset threat hunting model is generated based on a preset scenario detection model, which is generated based on a threat intelligence dataset, a threat correction pattern dataset, and a preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulated network environment and processed through an unsupervised learning mechanism. This solution directly calculates the corresponding threat hunting results using a pre-trained preset threat hunting model on the current network traffic data, improving the accuracy and efficiency of threat hunting. Furthermore, by replacing expert hunting with a preset threat hunting model, accuracy is improved while the model has lower costs and more comprehensive processing capabilities. Simultaneously, the combination of microkernel, scenario-based approach, and human evaluation gives the preset threat hunting model high generalization and adaptability.

[0127] Figure 8 is a structural block diagram of a threat hunting device provided in an embodiment of this application.

[0128] As shown in Figure 8, the threat hunting device 800 includes:

[0129] The acquisition module 802 is used to acquire current network traffic data.

[0130] The generation module 804 is used to input the current network traffic data into the preset threat hunting model for calculation and generate the threat hunting result corresponding to the current network traffic data. The preset threat hunting model is generated based on the preset scenario detection model, which is generated based on the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulation network environment and processed by an unsupervised learning mechanism.

[0131] Regarding the apparatus in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments related to the method, and will not be elaborated upon here. Each module in the above-described threat hunting apparatus can be implemented entirely or partially through software, hardware, or a combination thereof. Each module can be embedded in or independent of the processor in a computer device in hardware form, or it can be stored in the memory of a computer device in software form, so that the processor can call and execute the operations of each module.

[0132] In one embodiment of this application, a computer device is provided, the computer device including a memory and a processor, the memory storing a computer program, and the processor executing the computer program to perform the following steps:

[0133] Get current network traffic data;

[0134] The current network traffic data is input into the preset threat hunting model for calculation, generating threat hunting results corresponding to the current network traffic data. The preset threat hunting model is generated based on the preset scenario detection model, which is generated based on the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulated network environment and processed by an unsupervised learning mechanism.

[0135] In one embodiment of this application, the processor further performs the following steps when executing the computer program:

[0136] Obtain the preset threat detection kernel model;

[0137] An unsupervised learning mechanism is used to learn and evaluate the preset threat detection kernel model to generate a preset scenario kernel model.

[0138] In one embodiment of this application, the processor further performs the following steps when executing the computer program:

[0139] Obtain a sample set of malicious network behaviors;

[0140] An initial threat detection model is constructed using a pre-defined deep learning model, and a first pre-defined evaluation metric is also constructed.

[0141] The initial threat detection model is trained and evaluated using a sample set of malicious network behaviors until the evaluation results meet the first preset evaluation index, thus generating a preset threat detection model.

[0142] The preset threat detection model is migrated to a static simulation network environment to generate a preset threat detection kernel model.

[0143] In one embodiment of this application, the processor further performs the following steps when executing the computer program:

[0144] Obtain the threat detection results corresponding to the second preset evaluation index and the preset threat detection kernel model;

[0145] Cluster the threat detection results to generate clustering results;

[0146] The clustering results are evaluated to generate the current evaluation result.

[0147] Based on the current evaluation results and the second preset evaluation index, the preset threat detection kernel model is learned and evaluated to generate a preset scenario kernel model.

[0148] In one embodiment of this application, the processor further performs the following steps when executing the computer program:

[0149] Construct a static simulation network environment; wherein, the static simulation network environment includes fixed network traffic data;

[0150] Acquire threat intelligence datasets, threat correction pattern datasets, and preset scenario kernel models;

[0151] Based on the threat intelligence dataset, threat correction pattern dataset, and preset scenario kernel model, a preset scenario detection model is generated.

[0152] In one embodiment of this application, the processor further performs the following steps when executing the computer program:

[0153] Obtain the evaluation results corresponding to the threat hunting results;

[0154] The preset threat hunting model is updated based on the evaluation results to generate a new preset threat hunting model.

[0155] In one embodiment of this application, the processor further performs the following steps when executing the computer program:

[0156] The current network traffic data is input into a new preset threat hunting model for calculation, generating threat hunting results corresponding to the current network traffic data.

[0157] The computer device provided in this application embodiment has a similar implementation principle and technical effect to the above method embodiment, and will not be described again here.

[0158] In one embodiment of this application, a computer-readable storage medium is provided, on which a computer program is stored, and when the computer program is executed by a processor, it performs the following steps:

[0159] Get current network traffic data;

[0160] The current network traffic data is input into the preset threat hunting model for calculation, generating threat hunting results corresponding to the current network traffic data. The preset threat hunting model is generated based on the preset scenario detection model, which is generated based on the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulated network environment and processed by an unsupervised learning mechanism.

[0161] In one embodiment of this application, the computer program, when executed by a processor, further performs the following steps:

[0162] Obtain the preset threat detection kernel model;

[0163] An unsupervised learning mechanism is used to learn and evaluate the preset threat detection kernel model to generate a preset scenario kernel model.

[0164] In one embodiment of this application, the computer program, when executed by a processor, further performs the following steps:

[0165] Obtain a sample set of malicious network behaviors;

[0166] An initial threat detection model is constructed using a pre-defined deep learning model, and a first pre-defined evaluation metric is also constructed.

[0167] The initial threat detection model is trained and evaluated using a sample set of malicious network behaviors until the evaluation results meet the first preset evaluation index, thus generating a preset threat detection model.

[0168] The preset threat detection model is migrated to a static simulation network environment to generate a preset threat detection kernel model.

[0169] In one embodiment of this application, the computer program, when executed by a processor, further performs the following steps:

[0170] Obtain the threat detection results corresponding to the second preset evaluation index and the preset threat detection kernel model;

[0171] Cluster the threat detection results to generate clustering results;

[0172] The clustering results are evaluated to generate the current evaluation result.

[0173] Based on the current evaluation results and the second preset evaluation index, the preset threat detection kernel model is learned and evaluated to generate a preset scenario kernel model.

[0174] In one embodiment of this application, the computer program, when executed by a processor, further performs the following steps:

[0175] Construct a static simulation network environment; wherein, the static simulation network environment includes fixed network traffic data;

[0176] Acquire threat intelligence datasets, threat correction pattern datasets, and preset scenario kernel models;

[0177] Based on the threat intelligence dataset, threat correction pattern dataset, and preset scenario kernel model, a preset scenario detection model is generated.

[0178] In one embodiment of this application, the computer program, when executed by a processor, further performs the following steps:

[0179] Obtain the evaluation results corresponding to the threat hunting results;

[0180] The preset threat hunting model is updated based on the evaluation results to generate a new preset threat hunting model.

[0181] In one embodiment of this application, the computer program, when executed by a processor, further performs the following steps:

[0182] The current network traffic data is input into a new preset threat hunting model for calculation, generating threat hunting results corresponding to the current network traffic data.

[0183] The computer-readable storage medium provided in this embodiment is similar in principle and technical effect to the method embodiment described above, and will not be repeated here.

[0184] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. This computer program can be stored in a non-volatile computer-readable storage medium. When executed, the computer program can include the processes of the embodiments of the above methods. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in various forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), dual data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), RAMbus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and RAMbus dynamic RAM (RDRAM), etc.

[0185] Other embodiments of this disclosure will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this disclosure are indicated by the following claims.

[0186] It should be understood that this disclosure is not limited to the precise structures described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this disclosure is limited only by the appended claims.

Claims

1. A threat hunting method, characterized in that the method includes: acquiring current network traffic data; and inputting the current network traffic data into a preset threat hunting model for calculation, generating a threat hunting result corresponding to the current network traffic data. The preset threat hunting model is generated based on a preset scenario detection model, which is based on a threat intelligence dataset, a threat correction pattern dataset, and a preset scenario kernel model. The preset scenario kernel model is a model constructed in a static simulated network environment and then processed through an unsupervised learning mechanism. The generation process of the preset scenario detection model includes: using a weighted approach to calculate the final threat value by weighting the threat intelligence result, the threat correction result, and the scenario kernel result; and then parameterizing and encapsulating the weighted calculation process to generate the preset scenario detection model. The construction process of the preset scenario kernel model includes: obtaining a preset threat detection kernel model, wherein the construction process of the preset threat detection kernel model includes: obtaining a set of network malicious behavior samples; constructing an initial threat detection model using a preset deep learning model and constructing a first preset evaluation index; training and evaluating the initial threat detection model using the set of network malicious behavior samples until the evaluation result meets the first preset evaluation index, thereby generating a preset threat detection model; and migrating the preset threat detection model to the static simulation network environment to generate the preset threat detection kernel model; the first preset evaluation index includes comprehensive accuracy, comprehensive precision, and recall.
The unsupervised learning mechanism is used to learn and evaluate the preset threat detection kernel model to generate the preset scenario kernel model. This includes: obtaining a second preset evaluation metric and the threat detection results corresponding to the preset threat detection kernel model; performing clustering processing on the threat detection results to generate clustering results; evaluating the clustering results to generate a current evaluation result; and learning and evaluating the preset threat detection kernel model based on the current evaluation result and the second preset evaluation metric to generate the preset scenario kernel model. The second preset evaluation metric includes thresholds corresponding to the silhouette coefficient, variance ratio criterion, and Jaccard similarity, respectively.

2. The method according to claim 1, characterized in that the construction process of the preset scenario detection model includes: constructing a static simulation network environment, wherein the static simulation network environment includes fixed network traffic data; acquiring the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model; and generating the preset scenario detection model based on the threat intelligence dataset, the threat correction pattern dataset, and the preset scenario kernel model.

3. The method according to claim 1, characterized in that the method further includes: obtaining the evaluation result corresponding to the threat hunting result; and updating the preset threat hunting model based on the evaluation result to generate a new preset threat hunting model.

4. The method according to claim 3, characterized in that the step of inputting the current network traffic data into a preset threat hunting model for calculation to generate a threat hunting result corresponding to the current network traffic data includes: inputting the current network traffic data into the new preset threat hunting model for calculation, generating the threat hunting result corresponding to the current network traffic data.

5. A threat hunting device, characterized in that the device includes: an acquisition module, used to acquire current network traffic data; and a generation module, used to input the current network traffic data into a preset threat hunting model for calculation, generating a threat hunting result corresponding to the current network traffic data; wherein the preset threat hunting model is generated based on a preset scenario detection model, which is generated based on a threat intelligence dataset, a threat correction pattern dataset, and a preset scenario kernel model, and the preset scenario kernel model is a model constructed in a static simulated network environment and processed by an unsupervised learning mechanism; the generation process of the preset scenario detection model includes: using a weighted method to perform weighted calculation on the threat intelligence result, threat correction result, and scenario kernel result to obtain the final threat value, and then parameterizing and encapsulating the weighted calculation process to generate the preset scenario detection model; the construction process of the preset scenario kernel model includes: obtaining a preset threat detection kernel model, wherein the construction process of the preset threat detection kernel model includes: obtaining a set of network malicious behavior samples; constructing an initial threat detection model using a preset deep learning model and constructing a first preset evaluation index; training and evaluating the initial threat detection model using the set of network malicious behavior samples until the evaluation result meets the first preset evaluation index, thereby generating a preset threat detection model; and migrating the preset threat detection model to the static simulation network environment to generate the preset threat detection kernel model; the first preset evaluation index includes comprehensive accuracy, comprehensive precision, and recall.
The unsupervised learning mechanism is used to learn and evaluate the preset threat detection kernel model to generate the preset scenario kernel model. This includes: obtaining a second preset evaluation metric and the threat detection results corresponding to the preset threat detection kernel model; performing clustering processing on the threat detection results to generate clustering results; evaluating the clustering results to generate a current evaluation result; and learning and evaluating the preset threat detection kernel model based on the current evaluation result and the second preset evaluation metric to generate the preset scenario kernel model. The second preset evaluation metric includes thresholds corresponding to the silhouette coefficient, variance ratio criterion, and Jaccard similarity, respectively.

6. An electronic device, characterized in that the electronic device includes a processor and a memory, the memory storing at least one instruction, at least one program, a code set, or an instruction set, the at least one instruction, the at least one program, the code set, or the instruction set being loaded and executed by the processor to implement the threat hunting method as described in any one of claims 1-4.

7. A computer-readable storage medium, characterized in that the storage medium stores at least one instruction, at least one program, a code set, or an instruction set, wherein the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by a processor to implement the threat hunting method as described in any one of claims 1-4.