Third-party linkage threat intelligence blocking policy issuing method and device and processing equipment

By constructing multi-source threat intelligence collection channels and deep learning models, and combining internal and external enterprise intelligence, network threats can be identified and blocked in real time. This solves the problems of limited threat intelligence collection channels and insufficient linkage mechanisms in existing technologies, and achieves more efficient network security protection.

CN122160115APending Publication Date: 2026-06-05WUHAN SIPU TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
WUHAN SIPU TECH CO LTD
Filing Date
2026-03-02
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing cyber threat intelligence applications suffer from limited threat intelligence collection channels, low analysis and processing efficiency, and a lack of effective coordination mechanisms, resulting in an inability to respond quickly and prevent the spread of threats.

Method used

By building multi-source threat intelligence collection channels, utilizing machine learning and artificial intelligence algorithms to construct deep learning models, and combining internal and external threat intelligence, potential threats can be identified, and blocking strategies can be automatically generated and executed in conjunction with network security devices to achieve real-time blocking.

Benefits of technology

It enables comprehensive and timely identification and real-time blocking of network threats, provides a more complete network threat intelligence application system, and improves network security protection capabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160115A_ABST
    Figure CN122160115A_ABST
Patent Text Reader

Abstract

The application provides a third-party linkage threat intelligence blocking strategy issuing method and device and processing equipment, which can comprehensively and timely acquire various threat intelligence by constructing a multi-source threat intelligence collection channel, and can quickly and accurately identify potential threats by using machine learning and artificial intelligence algorithms for intelligent analysis, and can realize real-time blocking of threats by automatically generating a blocking strategy and executing the blocking strategy in linkage with network security equipment, so that a more perfect network threat intelligence application system is provided for enterprise network security work, and network security is better guaranteed.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of cybersecurity technology, specifically to methods, devices, and processing equipment for distributing third-party collaborative threat intelligence blocking strategies. Background Technology

[0002] With the continuous development of network technology, the types and number of network threats are increasing day by day. Cybersecurity incidents such as hacker attacks, malware propagation, and data breaches occur frequently, causing huge losses to individuals, businesses, and society.

[0003] Traditional network security protection methods, such as firewalls and intrusion detection systems, can defend against common network attacks to a certain extent, but they are often ineffective against new and complex network threats.

[0004] Threat intelligence, as an emerging cybersecurity technology, provides more forward-looking and targeted support for cybersecurity protection by collecting, analyzing, and sharing information about cyber threats.

[0005] However, the inventors of this application have discovered that current applications of network threat intelligence still have some problems, such as limited channels for collecting threat intelligence, making it impossible to comprehensively obtain various types of threat information; low efficiency in analyzing and processing threat intelligence, making it difficult to identify real threats in a timely and accurate manner; and a lack of effective linkage mechanisms in threat blocking, resulting in an inability to respond quickly and prevent the spread of threats. Summary of the Invention

[0006] This application provides a method, device, and processing equipment for distributing third-party linked threat intelligence blocking strategies. By constructing multi-source threat intelligence collection channels, it can comprehensively and timely acquire various types of threat intelligence. It also uses machine learning and artificial intelligence algorithms for intelligent analysis to quickly and accurately identify potential threats. Furthermore, by automatically generating blocking strategies and linking them with network security devices for execution, it achieves real-time blocking of threats. This provides enterprises with a more complete network threat intelligence application system for network security work, and better protects network security.

[0007] Firstly, this application provides a method for distributing third-party collaborative threat intelligence blocking strategies, the method including: Under the pre-set diversified third-party linkage mechanism, the first network threat intelligence configured by different third-party intelligence sources outside the enterprise is obtained through a unified linkage interface; Acquire secondary cyber threat intelligence configured by the enterprise itself; Based on sample network traffic, a network threat identification model is constructed by combining first and second network threat intelligence. The network threat identification model is a deep learning model, which is used to identify network threats based on the network traffic input to the model. Configure corresponding blocking policies based on the network threat identification results of the network threat identification model, and distribute the blocking policies to the corresponding network security devices to achieve the updating of blocking policy configurations.

[0008] Secondly, this application provides a third-party collaborative threat intelligence blocking strategy distribution device, the device comprising: The first acquisition unit is used to acquire first network threat intelligence configured by different third-party intelligence sources outside the enterprise through a unified linkage interface under a preset diversified third-party linkage mechanism. The second acquisition unit is used to acquire second network threat intelligence configured by the enterprise itself; The construction unit is used to build a network threat identification model based on sample network traffic and by combining the first network threat intelligence and the second network threat intelligence. The network threat identification model is a deep learning model and is used to perform network threat identification processing based on the network traffic input to the model. The configuration unit is used to configure corresponding blocking policies based on the network threat identification results of the network threat identification model, and to distribute the blocking policies to the corresponding network security devices to realize the configuration update of the blocking policies.

[0009] Thirdly, this application provides a processing device, including a processor and a memory, wherein a computer program is stored in the memory, and the processor executes the method provided in the first aspect of this application when it invokes the computer program in the memory.

[0010] Fourthly, this application provides a computer-readable storage medium storing a plurality of instructions adapted for loading by a processor to execute the method provided in the first aspect of this application.

[0011] From the above, it can be concluded that this application has the following beneficial effects: Under the objective of network threat intelligence applications, this application constructs a multi-source threat intelligence collection channel, enabling comprehensive and timely acquisition of various threat intelligence. It also utilizes machine learning and artificial intelligence algorithms for intelligent analysis to quickly and accurately identify potential threats. Furthermore, by automatically generating blocking strategies and coordinating their execution with network security devices, it achieves real-time blocking of threats. This provides enterprises with a more complete network threat intelligence application system, better ensuring network security. Attached Figure Description

[0012] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0013] Figure 1 This is a flowchart illustrating a method for distributing third-party collaborative threat intelligence blocking strategies in this application. Figure 2 This is a schematic diagram of the processing architecture of the solution in this application; Figure 3 This is a schematic diagram of a third-party collaborative threat intelligence blocking strategy distribution device for this application. Figure 4 This is a schematic diagram of one type of processing equipment used in this application. Detailed Implementation

[0014] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0015] The terms "first," "second," etc., used in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments described herein can be implemented in a sequence other than that illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or device that includes a series of steps or modules is not necessarily limited to those explicitly listed, but may include other steps or modules not explicitly listed or inherent to such processes, methods, products, or devices. The naming or numbering of steps appearing in this application does not imply that the steps in the method flow must be performed in the chronological / logical order indicated by the naming or numbering. The execution order of named or numbered process steps can be changed according to the desired technical purpose, as long as the same or similar technical effect is achieved.

[0016] The module division described in this application is a logical division. In practical applications, there may be other division methods. For example, multiple modules may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the shown or discussed mutual coupling, direct coupling, or communication connections may be through interfaces, and the indirect coupling or communication connections between modules may be electrical or other similar forms, none of which are limited in this application. Moreover, the modules or sub-modules described as separate components may or may not be physically separated, may or may not be physical modules, or may be distributed across multiple circuit modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in this application.

[0017] Before introducing the method for distributing third-party collaborative threat intelligence blocking strategies provided in this application, we will first introduce the background content involved in this application.

[0018] The third-party collaborative threat intelligence blocking strategy distribution method, device, and computer-readable storage medium provided in this application can be applied to processing devices. By constructing multi-source threat intelligence collection channels, it can comprehensively and timely acquire various types of threat intelligence. Furthermore, by using machine learning and artificial intelligence algorithms for intelligent analysis, it can quickly and accurately identify potential threats. By automatically generating blocking strategies and executing them in conjunction with network security devices, it achieves real-time blocking of threats. This provides enterprises with a more complete network threat intelligence application system for network security work, and better protects network security.

[0019] The third-party collaborative threat intelligence blocking policy distribution method mentioned in this application can be implemented by a third-party collaborative threat intelligence blocking policy distribution device, or a network node (such as a firewall, security gateway, intrusion prevention system, intrusion detection system, or other relevant network nodes in the enterprise network architecture, or a dedicated device of this application), server, physical host, or user equipment (UE), etc. The third-party collaborative threat intelligence blocking policy distribution device can be implemented in hardware or software. The UE can be a smartphone, tablet, laptop, desktop computer, or personal digital assistant (PDA), etc., and the processing devices can be configured in a device cluster.

[0020] The following section introduces the method for distributing third-party collaborative threat intelligence blocking strategies provided in this application.

[0021] First, refer to Figure 1 , Figure 1This paper illustrates a flowchart of a method for distributing third-party collaborative threat intelligence blocking strategies according to this application. The method for distributing third-party collaborative threat intelligence blocking strategies provided by this application may specifically include the following steps S101 to S104: Step S101: Under the preset diversified third-party linkage mechanism, obtain the first network threat intelligence configured by different third-party intelligence sources outside the enterprise through the unified linkage interface. Understandably, this application specifically establishes a diversified third-party collaboration mechanism for cybersecurity work based on network threat intelligence. By accessing different third-party intelligence sources through this mechanism, it can conveniently, efficiently, and with high quality obtain network threat intelligence from outside the enterprise. This multi-source threat intelligence collection channel can comprehensively and timely obtain various threat intelligence, enriching intelligence sources and improving the ability to perceive network threats.

[0022] To distinguish them from network threat intelligence configured internally by the enterprise, network threat intelligence obtained through diversified third-party collaboration mechanisms is designated as first network threat intelligence, while network threat intelligence configured internally by the enterprise is designated as second network threat intelligence.

[0023] At the same time, it can also be seen that this application involves the application of a unified linkage interface for diversified third-party linkage mechanisms, so as to better complete the acquisition of first-hand network threat intelligence by negotiating, agreeing and configuring a dedicated data channel with external third-party intelligence sources in advance.

[0024] In terms of details, the acquisition and processing of first-hand network threat intelligence can be initiated by third-party intelligence sources or triggered by the enterprise itself. Furthermore, both sides can involve more flexible push triggering strategies.

[0025] Step S102: Obtain the second network threat intelligence configured by the enterprise itself; As mentioned above, in practice, some companies also configure their own second network threat intelligence.

[0026] It should be noted that, in practice, if the enterprise does not currently generate new network threat intelligence, does not have new network threat intelligence that needs to be included in the network threat intelligence update scope, or directly disables the configuration for acquiring the second network threat intelligence, then step S102 here may not require any substantial processing.

[0027] Step S103: Based on the sample network traffic, and combined with the first network threat intelligence and the second network threat intelligence, a network threat identification model is constructed. The network threat identification model is a deep learning model, which is used to perform network threat identification processing based on the network traffic input to the model. Understandably, this application introduces deep learning methods from machine learning approaches. Leveraging its efficient and accurate artificial intelligence (AI) performance, it performs in-depth analysis of the acquired network threat intelligence, establishing a deep learning-based network threat identification model (which may involve deep learning architectures such as TensorFlow or PyTorch). By learning from a large amount of historical threat data, it automatically extracts threat features and identifies potential threat behaviors and attack patterns. This enables the rapid and accurate identification of potential threats, improving the efficiency and accuracy of threat identification and compensating for the shortcomings of traditional security protection methods.

[0028] For example, neural network algorithms can be used to analyze network traffic data and detect abnormal traffic patterns, such as DDoS attacks and port scans; machine learning algorithms can be used to analyze malicious code characteristics and identify new malware variants; and real-time network traffic monitoring data and user behavior data can be combined to dynamically verify and supplement threat intelligence, thereby improving the accuracy of network threat identification.

[0029] The training samples involved in the model construction process, namely sample network traffic, include normal network traffic and various types of attack traffic. They can include historical network traffic collected internally by the enterprise, network traffic obtained by processing data based on historical network traffic collected internally by the enterprise, historical network traffic collected externally by the enterprise, network traffic obtained by processing data based on historical network traffic collected externally by the enterprise, and directly generated network traffic. This is quite flexible.

[0030] During training, the model's parameters and structure are continuously adjusted to optimize its performance, enabling it to accurately identify different types of threat behaviors and attack patterns.

[0031] The specific model training scheme and loss function adopted, like the specific deep learning model architecture, can be flexibly configured according to actual needs.

[0032] The intelligence content of the first and second network threat intelligence can be directly used as annotations for sample network traffic, or used to identify whether sample network traffic contains network threats and use the identification results as annotations for sample network traffic. Alternatively, other types of intelligence content utilization methods can be used to assist in model building.

[0033] Step S104: Configure the corresponding blocking policy based on the network threat identification results of the network threat identification model, and distribute the blocking policy to the corresponding network security devices to realize the updated configuration of the blocking policy.

[0034] Understandably, the network threat intelligence model that has been built can serve as a valid reference and clue for network threat blocking strategies, based on the network threat identification results involved in its construction and / or actual application after construction. This allows for the configuration of corresponding blocking strategies that can be identified or even directly deployed on the network security device side.

[0035] Once a blocking policy is configured, it can be distributed to compatible network security devices that are within the scope of this application's blocking policy update, so as to prompt one or more types of network security devices to update their blocking policy configurations according to the received blocking policy, thereby enhancing their ability to identify new network threats through the new blocking policy content.

[0036] For example, access control rules can be set to prohibit communication with threat sources (such as an IP address identified as a malicious attack source); hosts infected with malware can be isolated to prevent the spread of threats; and malicious domain names can be hijacked using the Domain Name System (DNS) to resolve them to invalid addresses.

[0037] The distribution of blocking strategies may also involve the setting of corresponding dedicated linkage interfaces.

[0038] This coordinated action with network security equipment enables real-time blocking of threats, significantly shortens threat response time, effectively prevents the spread of threats, and improves network security protection capabilities.

[0039] From the above Figure 1 As can be seen from the embodiments shown, under the objective of network threat intelligence application, this application can comprehensively and timely obtain various types of threat intelligence by constructing multi-source threat intelligence collection channels, and quickly and accurately identify potential threats by using machine learning and artificial intelligence algorithms for intelligent analysis, and achieve real-time blocking of threats by automatically generating blocking policies and linking them with network security devices. In this way, a more complete network threat intelligence application system is provided for enterprise network security work, and network security is better protected.

[0040] Continue with the above Figure 1 The steps of the illustrated embodiment and their possible implementation methods in practical applications are described in detail.

[0041] For the different third-party intelligence sources specifically involved in the diversified third-party linkage mechanism of this application in step S101, this application also provides a more specific and practical implementation scheme.

[0042] Correspondingly, as another exemplary implementation method, this diversified third-party collaboration mechanism may specifically involve web crawlers, security vendor intelligence sharing platforms, honeypot systems, open-source intelligence sources, and user feedback.

[0043] Specifically, web crawling technology can be used to write crawler programs in Python, and reasonable crawling rules and frequencies can be set to regularly or in real-time monitor security forums and vulnerability disclosure platforms on the Internet to collect the latest threat intelligence, such as newly discovered vulnerabilities and malware samples. It can establish intelligence-sharing partnerships with multiple security vendors and achieve real-time data synchronization through the Application Programming Interface (API) to obtain their latest exclusive threat intelligence data; Honeypot systems can be deployed within enterprises. By selecting appropriate operating systems and applications to build a honeypot environment, a real network service can be simulated to actively lure attackers and obtain intelligence such as their attack behavior, tools, and malicious code. We can use Natural Language Processing (NLP) techniques to analyze text data from open-source intelligence sources such as social media and academic papers to extract potential threat intelligence, such as descriptions of new attack methods and discussions of security vulnerabilities. In addition, user feedback channels can be established, with convenient feedback entry points set up on internal enterprise and public security platforms to encourage users or specific users to report threats in a timely manner, and to provide certain rewards for effective feedback, thereby enriching intelligence sources.

[0044] Furthermore, as another exemplary implementation, before constructing a network threat identification model based on the first and second network threat intelligence and combined with sample network traffic in step S103, the method of this application may further include: Preprocessing is performed on the first and second network threat intelligence, specifically including data cleaning, format standardization, and deduplication.

[0045] Understandably, the introduction of preprocessing helps improve the data quality of the obtained cyber threat intelligence, which in turn helps to build a more efficient cyber threat identification model.

[0046] The data cleaning operation can use regular expressions and data filtering algorithms to remove noise and invalid information from threat intelligence data, such as garbled characters and incorrectly formatted data. The format standardization operation can convert threat intelligence data from different sources into a unified format according to predefined data format specifications, which facilitates subsequent processing and analysis. The deduplication operation can use hash algorithms to perform hash calculations on the intelligence data, and compare the hash values ​​to determine whether the data is duplicated and remove duplicate data records.

[0047] Since existing technologies can be directly used to improve the quality of collected data through preprocessing operations such as data cleaning, format standardization, and deduplication, this will not be elaborated on here.

[0048] Of course, in practical applications, other self-developed novel technologies can also be used to achieve better preprocessing performance in the threat intelligence processing scenario in which this application is located.

[0049] Meanwhile, as another exemplary implementation, before step S103 constructs a network threat identification model based on the first and second network threat intelligence and combined with sample network traffic, the method of this application may further include: The first and second network threat intelligence are fused to obtain a unified data model in a preset format, which is then used for model building and processing.

[0050] As can be seen from the settings here, this application also involves the integration of network threat intelligence, in order to integrate threat intelligence from different channels. This can effectively integrate scattered threat intelligence, eliminate information silos, and form a comprehensive and unified threat intelligence view. By establishing a data model in a unified format, different types of threat intelligence content (such as IP addresses, domain names, malicious code characteristics, etc.) can be linked together, providing a more complete and easier-to-use data foundation for subsequent analysis.

[0051] As mentioned earlier, reference data from other dimensions can be introduced during model building. As another exemplary implementation, step S103, based on sample network traffic and combining first and second network threat intelligence to build a network threat identification model, may further include: Based on sample network traffic, a network threat identification model is constructed by combining primary and secondary network threat intelligence, along with relevant network traffic monitoring data and user behavior data.

[0052] At the operational level, network traffic monitoring can be achieved by deploying traffic monitoring devices at key network nodes to collect network traffic data, including information such as source IP address, destination IP address, port number, and traffic volume. Meanwhile, for the collection of user behavior data, user behavior analysis tools can be used to collect user operation data on the network, such as login time, websites visited, file download records, etc. This real-time data can be combined with threat intelligence data to dynamically verify and supplement the results of threat identification models, thereby improving the accuracy of threat identification.

[0053] In addition, from another perspective, this application also considers starting with different types of threat intelligence and different third-party intelligence sources to achieve a more refined model building effect with differentiated characteristics.

[0054] As another exemplary implementation, a network threat identification model is constructed based on sample network traffic, combining first and second network threat intelligence, including: Based on sample network traffic, a network threat identification model is constructed by combining first and second network threat intelligence, as well as the confidence level, whitelist, weighted voting results, cross-validation, and contextual relationships involved in different intelligence sources of the first network threat intelligence.

[0055] Understandably, for different types of threat intelligence and different third-party intelligence sources, factors such as confidence level, whitelists, weighted voting results, cross-validation, and contextual relationships can be used. Each factor can be further subdivided according to different situations and have corresponding different influence weights. In this way, a good balance can be achieved between different types of threat intelligence and different third-party intelligence sources, so as to avoid single intelligence bias, reduce or even abandon the reference of low-quality intelligence content, and amplify the reference of high-quality intelligence content. This allows for a more refined capture of usable intelligence content, thereby assisting in a more refined and accurate model building effect.

[0056] At the same time, this application also involves further feedback to continuously optimize the threat intelligence blocking system.

[0057] Specifically, as another exemplary embodiment, after configuring the corresponding blocking policy based on the network threat identification result of the network threat identification model and distributing the blocking policy to the corresponding network security devices in step S104, the method of this application may further include: Evaluate the blocking effect of the blocking strategy; Based on the evaluation results of the blocking effect, the blocking strategy may be optimized as appropriate.

[0058] Understandably, network security devices can be internal enterprise devices, network security vendor devices, or other third-party devices involved in network security work. They can use a network management platform to provide feedback on the work logs generated during the operation of blocking policies. Based on this network management platform, the blocking effect / performance of the blocking policies under specified evaluation indicators can be evaluated.

[0059] The specific evaluation indicators may include actual threat blocking rate, attack success rate reduction rate, affected host reduction rate, and network traffic recovery time.

[0060] Based on the quantified blocking effect through various indicators, we can continue to monitor changes in these indicators. If the blocking effect is found to be unsatisfactory, we can analyze the reasons, such as unreasonable blocking strategy settings, incorrect network security device configuration, or inaccurate threat intelligence data. For different reasons, we can take corresponding optimization measures, such as adjusting the parameters of the blocking strategy, checking and updating the configuration of network security devices, and re-examining and supplementing threat intelligence data. Then, we can feed the optimized information back to the entire threat intelligence blocking system to achieve continuous optimization of the entire threat intelligence blocking system, thereby making it more adaptable to the ever-changing network security environment.

[0061] In addition, the processing procedures (including the results) involved in the above solutions can also be further displayed so that network administrators and other relevant personnel can intuitively view the specific situation.

[0062] In response, the processing device can display content through its own built-in display screen (including a touch screen), an external display device, or other devices with a display screen.

[0063] Furthermore, it is understood that this application can be implemented based on a specially designed network management platform, which can be understood as the processing device itself or an application platform built on the processing device for network administrators. It can integrate functions such as displaying processing progress / results, local / remote storage, push functions, or further data processing and analysis, so as to better apply the solution of this application in specific applications.

[0064] In conjunction with the network management platform, it can also be combined Figure 2 The diagram shown illustrates one aspect of the processing architecture of this application, providing a more intuitive understanding of the aforementioned processing solution.

[0065] The above is an introduction to the method for distributing third-party collaborative threat intelligence blocking strategies provided in this application. To facilitate better implementation of the method for distributing third-party collaborative threat intelligence blocking strategies provided in this application, this application also provides a device for distributing third-party collaborative threat intelligence blocking strategies from the perspective of functional modules.

[0066] See Figure 3 , Figure 3 This is a schematic diagram of a third-party collaborative threat intelligence blocking strategy distribution device according to this application. In this application, the third-party collaborative threat intelligence blocking strategy distribution device 300 may specifically include the following structure: The first acquisition unit 301 is used to acquire first network threat intelligence configured by different third-party intelligence sources outside the enterprise through a unified linkage interface under a preset diversified third-party linkage mechanism. The second acquisition unit 302 is used to acquire second network threat intelligence configured by the enterprise itself; The construction unit 303 is used to construct a network threat identification model based on the sample network traffic and by combining the first network threat intelligence and the second network threat intelligence. The network threat identification model is a deep learning model and is used to perform network threat identification processing based on the network traffic input to the model. Configuration unit 304 is used to configure corresponding blocking policies based on the network threat identification results of the network threat identification model, and to distribute the blocking policies to the corresponding network security devices to realize the updating configuration of the blocking policies.

[0067] In one exemplary embodiment, the diversified third-party collaboration mechanism specifically involves web crawlers, security vendor intelligence sharing platforms, honeypot systems, open-source intelligence sources, and user feedback.

[0068] In yet another exemplary embodiment, the apparatus further includes a processing unit 305, configured to: Preprocessing is performed on the first and second network threat intelligence, specifically including data cleaning, format standardization, and deduplication.

[0069] In yet another exemplary embodiment, the apparatus further includes a processing unit 305, configured to: The first and second network threat intelligence are fused to obtain a unified data model in a preset format, which is then used for model building and processing.

[0070] In yet another exemplary embodiment, construction unit 303 is specifically used for: Based on sample network traffic, a network threat identification model is constructed by combining primary and secondary network threat intelligence, along with relevant network traffic monitoring data and user behavior data.

[0071] In yet another exemplary embodiment, construction unit 303 is specifically used for: Based on sample network traffic, a network threat identification model is constructed by combining first and second network threat intelligence, as well as the confidence level, whitelist, weighted voting results, cross-validation, and contextual relationships involved in different intelligence sources of the first network threat intelligence.

[0072] In yet another exemplary embodiment, the device further includes a feedback unit 306, configured to: Evaluate the blocking effect of the blocking strategy; Based on the evaluation results of the blocking effect, the blocking strategy may be optimized as appropriate.

[0073] This application also provides a processing device from a hardware architecture perspective. As mentioned earlier, in practice, a processing device may exist as a device cluster. In this case, each device in the device cluster can also be referred to as a processing device. See [reference needed]. Figure 4 , Figure 4 This diagram illustrates a structural schematic of the processing device of this application. Specifically, the processing device may include a processor 401, a memory 402, and an input / output device 403. The processor 401 executes the computer program stored in the memory 402 to implement, for example... Figure 1 The steps of the third-party collaborative threat intelligence blocking strategy distribution method in the corresponding embodiment; or, when the processor 401 executes the computer program stored in the memory 402, it implements as follows: Figure 3 Corresponding to the functions of each unit in the embodiment, the memory 402 is used to store the functions executed by the processor 401 as described above. Figure 1 The computer program required for the third-party collaborative threat intelligence blocking strategy distribution method in the corresponding embodiment.

[0074] For example, a computer program may be divided into one or more modules / units, one or more of which are stored in memory 402 and executed by processor 401 to complete this application. One or more modules / units may be a series of computer program instruction segments capable of performing a specific function, which describe the execution process of the computer program in a computer device.

[0075] The processing device may include, but is not limited to, processor 401, memory 402, and input / output device 403. Those skilled in the art will understand that the illustrations are merely examples of the processing device and do not constitute a limitation on the processing device. It may include more or fewer components than illustrated, or combine certain components, or different components. For example, the processing device may also include network access devices, buses, etc., and processor 401, memory 402, input / output device 403, etc., are connected via a bus.

[0076] Processor 401 can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor can be a microprocessor or any conventional processor. The processor is the control center of the processing device, connecting various parts of the device through various interfaces and lines.

[0077] The memory 402 can be used to store computer programs and / or modules. The processor 401 implements various functions of the computer device by running or executing the computer programs and / or modules stored in the memory 402 and by calling data stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area. The program storage area may store the operating system, application programs required for at least one function, etc.; the data storage area may store data created according to the use of the processing device, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as hard disk, RAM, plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, at least one disk storage device, flash memory device or other volatile solid-state storage device.

[0078] When processor 401 executes a computer program stored in memory 402, it can specifically perform the following functions: Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the third-party collaborative threat intelligence blocking strategy distribution device, processing equipment, and its corresponding units described above can be found in, for example... Figure 1The description of the method for distributing third-party collaborative threat intelligence blocking strategies in the corresponding embodiments will not be repeated here.

[0079] Those skilled in the art will understand that all or part of the steps in the various methods of the above embodiments can be performed by instructions, or by instructions controlling related hardware. These instructions can be stored in a computer-readable storage medium and loaded and executed by a processor.

[0080] Therefore, this application provides a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to execute the present application. Figure 1 The steps of the third-party collaborative threat intelligence blocking strategy distribution method in the corresponding embodiment can be found in the following example. Figure 1 The description of the method for distributing third-party collaborative threat intelligence blocking strategies in the corresponding embodiments will not be repeated here.

[0081] The computer-readable storage medium may include: read-only memory (ROM), random access memory (RAM), disk or optical disk, etc.

[0082] Because of the instructions stored in the computer-readable storage medium, the present application can be executed as described above. Figure 1 The steps of the third-party collaborative threat intelligence blocking strategy distribution method in the corresponding embodiment can therefore achieve the purpose of this application. Figure 1 The beneficial effects that the third-party collaborative threat intelligence blocking strategy distribution method can achieve in the corresponding embodiment are detailed in the preceding description and will not be repeated here.

[0083] The foregoing has provided a detailed description of the method, apparatus, processing device, and computer-readable storage medium for distributing third-party collaborative threat intelligence blocking strategies. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of these embodiments are merely for the purpose of helping to understand the core ideas of this application; furthermore, those skilled in the art will recognize that, based on the ideas of this application, there will be changes in the specific implementation methods and application scope. Therefore, the content of this specification should not be construed as a limitation of this application.

Claims

1. A method for disseminating third-party collaborative threat intelligence blocking strategies, characterized in that, The method includes: Under the pre-set diversified third-party linkage mechanism, the first network threat intelligence configured by different third-party intelligence sources outside the enterprise is obtained through a unified linkage interface; Acquire secondary cyber threat intelligence configured by the enterprise itself; Based on the sample network traffic, a network threat identification model is constructed by combining the first network threat intelligence and the second network threat intelligence. The network threat identification model is a deep learning model, which is used to perform network threat identification processing based on the network traffic input to the model. Configure corresponding blocking policies based on the network threat identification results of the network threat identification model, and distribute the blocking policies to the corresponding network security devices to achieve the configuration update of the blocking policies.

2. The method according to claim 1, characterized in that, The aforementioned diversified third-party collaboration mechanism specifically involves web crawlers, security vendor intelligence sharing platforms, honeypot systems, open-source intelligence sources, and user feedback.

3. The method according to claim 1, characterized in that, Before constructing a network threat identification model based on the first network threat intelligence and the second network threat intelligence, combined with sample network traffic, the method further includes: Preprocessing is performed on the first network threat intelligence and the second network threat intelligence, wherein the preprocessing specifically includes data cleaning, format standardization, and deduplication.

4. The method according to claim 1, characterized in that, Before constructing a network threat identification model based on the first network threat intelligence and the second network threat intelligence, combined with sample network traffic, the method further includes: The first network threat intelligence and the second network threat intelligence are fused to obtain a unified data model in a preset format, which is then used for model building.

5. The method according to claim 1, characterized in that, The process of constructing a network threat identification model based on sample network traffic, combined with the first network threat intelligence and the second network threat intelligence, includes: Based on the sample network traffic, the network threat identification model is constructed by combining the first network threat intelligence and the second network threat intelligence, along with relevant network traffic monitoring data and user behavior data.

6. The method according to claim 1, characterized in that, The process of constructing a network threat identification model based on sample network traffic, combined with the first network threat intelligence and the second network threat intelligence, includes: Based on the sample network traffic, the network threat identification model is constructed by combining the first network threat intelligence and the second network threat intelligence, as well as the confidence level, whitelist, weighted voting results, cross-validation and contextual relationships involved in different intelligence sources of the first network threat intelligence.

7. The method according to claim 1, characterized in that, After configuring corresponding blocking policies based on the network threat identification results of the network threat identification model and distributing the blocking policies to the corresponding network security devices, the method further includes: Evaluate the blocking effect of the proposed blocking strategy; Based on the evaluation results of the blocking effect, the blocking strategy may be optimized as appropriate.

8. A device for disseminating third-party collaborative threat intelligence blocking strategies, characterized in that, The device includes: The first acquisition unit is used to acquire first network threat intelligence configured by different third-party intelligence sources outside the enterprise through a unified linkage interface under a preset diversified third-party linkage mechanism. The second acquisition unit is used to acquire second network threat intelligence configured by the enterprise itself; The construction unit is used to construct a network threat identification model based on sample network traffic, combined with the first network threat intelligence and the second network threat intelligence. The network threat identification model is a deep learning model, and the network threat identification model is used to perform network threat identification processing based on the network traffic input to the model. The configuration unit is used to configure corresponding blocking policies based on the network threat identification results of the network threat identification model, and to distribute the blocking policies to the corresponding network security devices to realize the configuration update of the blocking policies.

9. A processing device, characterized in that, The method includes a processor and a memory, wherein the memory stores a computer program, and the processor executes the method as described in any one of claims 1 to 7 when it invokes the computer program in the memory.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a plurality of instructions adapted for loading by a processor to perform the method of any one of claims 1 to 7.