Network threat intelligence issuing method and related device
By collecting multi-source internet data to assess the activity level of threat intelligence and combining it with target device attribute information for dynamic sorting and filtering, the problem of low intelligence distribution efficiency and delayed response in existing technologies has been solved, achieving efficient and accurate distribution of network threat intelligence.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING QIHOOD TECHNOLOGY CO LTD
- Filing Date
- 2026-04-10
- Publication Date
- 2026-07-03
AI Technical Summary
Existing methods for distributing cyber threat intelligence face challenges due to the massive and diverse nature of the intelligence volume. They cannot differentiate the distribution based on the processing capabilities of different devices, and it is difficult to dynamically adjust the activity assessment and priority ranking of intelligence, resulting in excessive system load and delayed response.
By collecting multi-source internet data, using an activity scoring model to assess the activity level of threat intelligence, prioritizing and filtering based on the attribute information of target devices, dynamically adjusting the intelligence distribution strategy, forming a target intelligence set, and packaging and distributing it.
It enables dynamic sorting and filtering of intelligence based on its real-time activity level, improving the timeliness and accuracy of security response, optimizing equipment resource utilization, and reducing the impact of invalid intelligence.
Smart Images

Figure CN122339775A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the fields of computer and communication technology, and more specifically, to a method and related equipment for distributing network threat intelligence. Background Technology
[0002] With the increasing number of cybersecurity threats, threat intelligence has become a crucial component of defense systems. However, current intelligence delivery methods face several challenges: the volume and diversity of intelligence are enormous, intelligence distribution efficiency is low, and it is impossible to differentiate delivery based on the processing capabilities of different devices. Furthermore, existing systems struggle to dynamically adjust intelligence activity assessments and prioritization. Traditional intelligence delivery systems cannot effectively cope with real-time changes in intelligence, leading to excessive system load and delayed responses. Summary of the Invention
[0003] The embodiments of this application provide a method and related equipment for distributing network threat intelligence, which can at least to some extent dynamically filter and accurately distribute intelligence based on the attribute information of the target device.
[0004] Other features and advantages of this application will become apparent from the following detailed description, or may be learned in part from practice of this application.
[0005] According to one aspect of the embodiments of this application, a method for distributing network threat intelligence is provided, comprising: inputting multi-source Internet data collected from target threat intelligence into an activity scoring model to obtain a corresponding activity level; prioritizing the target threat intelligence according to the activity level to obtain an intelligence activity sequence; filtering the intelligence activity sequence according to target device attribute information to obtain a target intelligence set, wherein the target device attribute information is attribute information of a target security device; and packaging the target intelligence set and distributing it to the target security device.
[0006] According to one aspect of the embodiments of this application, a network threat intelligence distribution device is provided, the network threat intelligence distribution device comprising: an activity scoring module, used to collect multi-source Internet data based on the target threat intelligence and input it into an activity scoring model to obtain a corresponding activity level; an intelligence sorting module, used to prioritize the target threat intelligence according to the activity level to obtain an intelligence activity sequence; a sequence filtering module, used to filter the intelligence activity sequence according to target device attribute information to obtain a target intelligence set, wherein the target device attribute information is the attribute information of a target security device; and a packaging and distribution module, used to package the target intelligence set and distribute it to the target security device.
[0007] According to one aspect of the embodiments of this application, a computer program product is provided, including one or more computer programs that, when executed by one or more processors, implement the steps of the network threat intelligence distribution method as described above.
[0008] According to one aspect of the embodiments of this application, a computer-readable medium is provided having a computer program stored thereon, which, when executed by a processor, implements the network threat intelligence distribution method as described in the above embodiments.
[0009] According to one aspect of the embodiments of this application, an electronic device is provided, including: one or more processors; and a storage device for storing one or more programs, which, when executed by the one or more processors, cause the one or more processors to implement the network threat intelligence distribution method as described in the above embodiments.
[0010] In some embodiments of this application, the technical solutions provide that combine multi-source internet data to assess the activity level of threat intelligence, dynamically sort and filter intelligence that meets the needs of target security devices, thereby achieving more efficient and accurate distribution of network threat intelligence. This embodiment can dynamically sort intelligence based on its real-time activity level, effectively improving the timeliness and accuracy of security protection responses, optimizing device resource utilization, and reducing the impact of invalid intelligence.
[0011] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and do not limit this application. Attached Figure Description
[0012] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application. It is obvious that the drawings described below are merely some embodiments of this application, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort. In the drawings:
[0013] Figure 1 A schematic diagram of an exemplary system architecture to which the technical solutions of the embodiments of this application can be applied is shown.
[0014] Figure 2 The illustration shows a flowchart of a method for distributing network threat intelligence according to an embodiment of this application.
[0015] Figure 3 It shows that according to Figure 2 A flowchart illustrating a specific implementation of step S100 in the network threat intelligence distribution method shown in the corresponding embodiment.
[0016] Figure 4 It shows that according to Figure 2 A flowchart illustrating a specific implementation of step S300 in the network threat intelligence distribution method shown in the corresponding embodiment.
[0017] Figure 5 A schematic diagram of a network threat intelligence distribution device provided in an embodiment of this application is shown.
[0018] Figure 6 A schematic diagram of the structure of an electronic device provided in an embodiment of this application is shown. Detailed Implementation
[0019] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided to make this application more comprehensive and complete, and to fully convey the concept of the exemplary embodiments to those skilled in the art.
[0020] Furthermore, the described features, structures, or characteristics can be combined in any suitable manner in one or more embodiments. Numerous specific details are provided in the following description to give a thorough understanding of embodiments of this application. However, those skilled in the art will recognize that the technical solutions of this application can be practiced without one or more of the specific details, or other methods, components, apparatuses, steps, etc., can be employed. In other instances, well-known methods, apparatuses, implementations, or operations are not shown or described in detail to avoid obscuring various aspects of this application.
[0021] The block diagrams shown in the accompanying drawings are merely functional entities and do not necessarily correspond to physically independent entities. That is, these functional entities can be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.
[0022] The flowcharts shown in the accompanying drawings are merely illustrative and do not necessarily include all content and operations / steps, nor do they necessarily have to be performed in the described order. For example, some operations / steps can be broken down, while others can be combined or partially combined; therefore, the actual execution order may change depending on the specific circumstances.
[0023] Figure 1 A schematic diagram of an exemplary system architecture to which the technical solutions of the embodiments of this application can be applied is shown.
[0024] like Figure 1As shown, the system architecture may include target security devices (such as firewall device 101, secure domain name system server 102, traffic probe device 103, etc.), network 104, and server 105. Network 104 serves as the medium for providing a communication link between the target device and server 105. Network 104 may include various connection types, such as wired communication links, wireless communication links, etc. Server 105 is responsible for executing the network threat intelligence distribution method described in this invention, processing multi-source data, calculating activity scores, and performing intelligence filtering, packaging, and distribution.
[0025] It should be understood that Figure 1 The number of target devices, networks, and servers shown is merely illustrative. Depending on actual needs, the system can have multiple target devices, servers, and networks. Server 105 can be a server cluster consisting of multiple servers to handle large-scale threat intelligence distribution tasks. Users can interact with server 105 via network 104 through terminal devices (such as computers or smart terminals) to receive or send intelligence data, etc.
[0026] It should be noted that the network threat intelligence distribution method provided in this embodiment is generally executed by server 105, and correspondingly, the network threat intelligence distribution device is set in server 105. Through this server, the system can perform a precise intelligence filtering and distribution mechanism based on device attribute information, and make dynamic adjustments based on real-time feedback.
[0027] The implementation details of the technical solutions in the embodiments of this application are described in detail below: Figure 2 A flowchart of a network threat intelligence distribution method according to an embodiment of this application is shown. This method can be executed by a server, which may be... Figure 1 The server shown. (Refer to...) Figure 2 As shown, this method for distributing network threat intelligence includes at least the following: S100: Based on target threat intelligence, multi-source Internet data is collected and input into the activity scoring model to obtain the corresponding activity level.
[0028] S200, prioritize the target threat intelligence according to the activity level to obtain an intelligence activity sequence.
[0029] S300, the active intelligence sequence is filtered according to the target device attribute information to obtain a target intelligence set, wherein the target device attribute information is the attribute information of the target security device.
[0030] S400, the target intelligence set is packaged and sent to the target security device.
[0031] In the embodiments of this application, the activity level of threat intelligence is assessed by combining multi-source Internet data, and intelligence that meets the needs of target security devices is dynamically sorted and filtered, thereby achieving more efficient and accurate distribution of network threat intelligence. This embodiment can dynamically sort intelligence according to its real-time activity level, effectively improving the timeliness and accuracy of security protection response, optimizing device resource utilization, and reducing the impact of invalid intelligence.
[0032] In S100, the activity level of target threat intelligence is assessed by collecting internet data from multiple sources. This internet data undergoes preprocessing such as data cleaning and normalization before being input into an activity scoring model to calculate the activity level of the target threat intelligence. This model uses weighted calculations based on the weight coefficients of different data sources to form a comprehensive result.
[0033] Specifically, in some embodiments, the specific implementation of step S100 can be found in [reference needed]. Figure 3 . Figure 3 It is based on Figure 2 According to the detailed description of step S100 in the network threat intelligence distribution method shown in the corresponding embodiment, step S100 in the network threat intelligence distribution method may include the following steps: S110 collects multi-source internet data on target threat intelligence.
[0034] S120: Based on the multi-source Internet data, the corresponding activity level is obtained using a preset activity scoring model.
[0035] In this embodiment, by collecting multi-source internet data and utilizing a pre-defined activity scoring model to assess the activity level of target threat intelligence, this method provides an accurate quantitative basis for subsequent intelligence prioritization and screening. This method effectively improves the accuracy of intelligence screening, ensuring that only the most active and threatening intelligence is processed in a timely manner during network security protection, thereby improving the system's response efficiency and overall protection capabilities.
[0036] In S110, multi-source Internet data includes various types of data from multiple sources, and different collection methods are used for different types of data.
[0037] Specifically, for Domain Name System (DNS) log data, the number and frequency of recursive DNS queries on the internet for the domain name or IP address corresponding to the target threat intelligence can be collected. Frequently appearing domain names or IP addresses indicate that the intelligence is spreading rapidly and has high activity. For Search Engine Optimization (SEO) ranking data, the ranking of the threat intelligence in major search engines can be analyzed. The higher the ranking, the more attention the threat intelligence receives from the public and automated systems, indicating a wider dissemination range and higher activity. For community popularity data, the frequency of requests related to the intelligence on threat intelligence sharing platforms can be queried. Frequent requests reflect the level of attention the intelligence receives in the security industry, indicating a strong momentum of its spread. For device tracking data, the number of alerts or event tracking data related to the threat intelligence can be collected from deployed security devices. A high tracking number indicates that the intelligence has been triggered multiple times in the local network environment, indicating that the threat intelligence has high activity.
[0038] All data will be collected uniformly and standardized before being input into the subsequent activity scoring model. The collection of multi-source data can comprehensively reflect the network activity of target threat intelligence and assess the intelligence's potential harm from multiple dimensions.
[0039] In S120, the collected multi-source Internet data is input into a preset activity scoring model, and the overall activity level of the target threat intelligence is calculated based on the specific indicators of each data source.
[0040] This scoring model typically includes feature extraction, weighted calculation, and activity level calculation.
[0041] In the feature extraction section, key features are extracted from various data sources. For example, domain name frequency is extracted from DNS log data, ranking values are extracted from SEO rankings, and request frequency is extracted from community popularity.
[0042] In the weighted calculation section, features from each data source are weighted according to preset weight coefficients. These weight coefficients are adjusted based on actual conditions to ensure the scoring model's adaptability and accuracy across data sources. The weight coefficients can be set based on historical data or automatically optimized using machine learning models.
[0043] In the activity level calculation section, a comprehensive activity level score is output based on the weighted calculation of each feature value. This score is used to quantify the activity level of target threat intelligence in the network.
[0044] Through the calculations of the above parts, the model can comprehensively consider the activity status of different dimensions, ensuring that the final activity score can truly reflect the threat potential of threat intelligence.
[0045] The resulting activity score will be used for subsequent intelligence prioritization and filtering. A higher activity score indicates that the intelligence is highly active on the network, has a strong propagation momentum, and may pose a significant security risk, thus requiring priority processing. Through this scoring process, the system can dynamically identify the most urgent and dangerous threat intelligence, optimizing protection decisions.
[0046] Specifically, in some embodiments, the specific implementation of step S120 can be found in the following embodiments. This embodiment is based on... Figure 3 In the detailed description of step S120 of the network threat intelligence distribution method shown in the corresponding embodiment, the multi-source Internet data in the network threat intelligence distribution method includes at least one of DNS log data, SEO ranking data, community popularity data, and device tracking data. Step S120 may include the following steps: By using a preset activity scoring model to extract features from the multi-source Internet data, the behavioral characteristics of the target threat intelligence under each preset dimension are obtained.
[0047] Based on the behavioral characteristics of each dimension and their corresponding weight coefficients, a weighted aggregation operation is performed to obtain the corresponding activity level.
[0048] In this embodiment, by extracting features and weighting and aggregating multi-source internet data, this method can accurately assess the activity level of target threat intelligence from multiple dimensions. This process can effectively quantify the activity level of threat intelligence in different network environments, thereby ensuring higher accuracy in intelligence prioritization and filtering, and providing more reliable data support for subsequent network security protection decisions.
[0049] Specifically, the activity scoring model first extracts features from the collected multi-source internet data. Data from different sources is processed using appropriate methods to extract key features that reflect intelligence activity. Specifically, the model extracts features such as DNS log data, SEO ranking data, community popularity data, and device tracking data from each data source.
[0050] Extracting DNS log data involves determining the frequency of occurrence of the domain name or IP address identified by the target threat intelligence in the DNS logs. Frequent occurrences indicate that the intelligence may be widely accessed or that an attack is being carried out, thus indicating high activity. Extracted characteristics include the number of queries made to the domain name / IP address within a specified time period and their frequency.
[0051] Extracting SEO ranking data involves retrieving the rankings of the domain or website corresponding to the threat intelligence from major search engines. Top-ranking domains typically indicate a wider reach of the threat intelligence, potentially attracting numerous users or automated tools. Extracted features include search engine rankings at different points in time and their trends.
[0052] Extracting community popularity data involves identifying the frequency of requests related to the target threat intelligence from threat intelligence sharing platforms. A higher request frequency typically indicates that the intelligence has garnered more attention from security researchers and practitioners, suggesting higher activity levels for the threat intelligence. Extracted features include the number of API queries per unit of time, the number of community comments, and annotations.
[0053] Extracting device event tracking data involves collecting event tracking data from deployed security devices to determine the number of alerts or events triggered by the target threat intelligence on those devices. Frequent alerts or event occurrences indicate that the intelligence has been repeatedly acknowledged and responded to within the network, suggesting high activity. Extracted characteristics include the number of alerts triggered by the intelligence within a specific time window.
[0054] After feature extraction, each data source will yield multi-dimensional behavioral features related to intelligence activity.
[0055] After extracting behavioral features from all data sources, the activity scoring model weights and aggregates the features across all dimensions based on their respective weight coefficients. Features from different data sources have varying importance, therefore different weight coefficients are assigned to each dimension.
[0056] Specifically, firstly, weight coefficients are assigned to behavioral characteristics across various dimensions based on historical data, device requirements, and actual security scenarios. These weight coefficients can be adjusted according to the model's configuration, typically assigning values based on the importance of a particular dimension to threat intelligence activity. For example, the frequency of DNS logs might have a higher weight than changes in SEO rankings, as frequent DNS queries often indicate that the domain is under attack.
[0057] A comprehensive activity score is obtained by weighting and aggregating the behavioral characteristics of each dimension.
[0058] Using this weighted calculation method, the model can combine activity levels from different dimensions to obtain a final activity score for the target threat intelligence. This score will serve as the basis for subsequent prioritization and filtering, ensuring that the most threatening intelligence is processed first.
[0059] The activity score, obtained after weighted aggregation, represents the activity level of the target threat intelligence. This score can be directly used in the intelligence prioritization and screening process to ensure that intelligence with high activity and high threat potential is given priority.
[0060] In some embodiments, the activity level described above is obtained by the following formula:
[0061] in, For activity level, T represents target threat intelligence. This is a normalized value representing the frequency of occurrence in DNS logs. Reverse ranking for search engine results Requesting popularity for the community To accumulate points for safety equipment, , , , These are the weighting coefficients for each dimension.
[0062] The above formula can accurately assess the activity level of threat intelligence across different dimensions, ensuring that the most urgent and high-potential threat intelligence is prioritized when it is distributed, effectively improving the accuracy of intelligence screening and making cybersecurity protection more timely and accurate.
[0063] In some feasible embodiments, the aforementioned weighting coefficients are adjustable. Specifically, the adjustment steps may include: Receive actual interception data or alarm data from the target security device.
[0064] Based on the deviation between the actual intercepted data or alarm data and the activity level score, the weight coefficients corresponding to each dimension are dynamically adjusted.
[0065] In this embodiment, by receiving data from the target security device and dynamically adjusting the weight coefficients in the activity scoring model based on actual interception or alarm situations, this method can continuously optimize the accuracy of intelligence activity assessment. This mechanism enhances the model's adaptability, enabling the system to adjust the assessment method according to the actual protection effect, further improving the accuracy of intelligence screening and the timeliness of response, thereby enhancing overall protection efficiency.
[0066] Specifically, after the intelligence is delivered to the target security device, feedback data is received from the target device. This feedback data includes actual interception data and alert data. Actual interception data indicates the number of times the target device successfully intercepted attacks or anomalous behaviors related to the threat intelligence. For example, a firewall might report that access from a specific IP address or domain name was successfully blocked. Alert data indicates the number of alerts triggered by the target device in response to specific threat intelligence, or the severity of the alerts. The device may issue alerts based on detected anomalous behavior, indicating that the threat intelligence has generated suspicious activity within the network. This feedback data provides a direct reflection of the actual effectiveness of the threat intelligence, helping to assess the true threat level of the intelligence.
[0067] After receiving the feedback data, the deviation between the actual interception data or alert data and the previously calculated activity score is compared. This deviation reflects the difference between the actual performance of threat intelligence in the network and the assessed activity.
[0068] For example, if a piece of intelligence is very active in actual interception data, or if the device frequently intercepts attacks related to that intelligence, but has a low activity score, it indicates that the scoring model has failed to accurately assess the actual threat level of that intelligence. Conversely, if a piece of intelligence has a high activity score, but the device fails to trigger an interception or alert, it may indicate that the activity score of that intelligence is too high, and the system has overestimated the threat of that intelligence.
[0069] Based on the discrepancy between the feedback data and the activity score, dynamic adjustments are made to optimize the weight coefficients in the scoring model. Specifically, this adjustment process includes increasing the weight of high-efficiency features and decreasing the weight of insensitive features.
[0070] Specifically, if certain features show a strong correlation in the feedback data, the weight of these features is increased accordingly to ensure that similar intelligence in the future can more accurately assess their threat potential; if certain features fail to significantly reflect the true extent of the threat in actual interception or alert data, the weight of these features is reduced to prevent them from having an excessive impact on the activity score.
[0071] The weighting coefficients can be adjusted by setting dynamic learning rules or through manual intervention. The adjusted weighting coefficients will be immediately applied to subsequent activity score calculations, ensuring continuous system optimization and improving the accuracy of intelligence screening and response.
[0072] This dynamic adjustment mechanism enables the active scoring model to adaptively optimize based on feedback data, continuously improving the accuracy of intelligence screening over time. This optimization approach not only helps improve the accuracy of current intelligence assessment but also continuously adjusts the scoring criteria under different network environments and device configurations, enhancing the system's adaptability.
[0073] In the S200 system, threat intelligence with higher activity levels is prioritized and processed first. This prioritization is based not only on the real-time activity of the intelligence but can also be dynamically adjusted according to factors such as device processing capabilities and real-time requirements. By prioritizing, it ensures that the most active threat intelligence with the highest potential risk is addressed and dealt with first.
[0074] Specifically, in some embodiments, the specific implementation of step S200 can be found in the following embodiments. This embodiment is based on... Figure 2According to the detailed description of step S200 in the network threat intelligence distribution method shown in the corresponding embodiment, step S200 in the network threat intelligence distribution method may include the following steps: The activity level is corrected by using a time decay factor to obtain the corrected result.
[0075] Based on the correction results, the target threat intelligence is prioritized to obtain an intelligence activity sequence.
[0076] In this embodiment, by introducing a time decay factor to correct for activity levels, this method can effectively reduce the impact of outdated intelligence on system decisions, ensuring that the system prioritizes currently active intelligence with potential threats. This mechanism significantly improves the timeliness of intelligence and the responsiveness of defense responses, helping to prevent the system from over-relying on threat intelligence that is no longer active or outdated.
[0077] Specifically, in the intelligence activity score calculation, a time decay factor is used to correct the activity score to reflect the impact of time on intelligence activity. Specifically, the activity of threat intelligence gradually decreases over time unless the intelligence continues to frequently cause activity or attacks in the network. Therefore, the time decay factor can effectively reduce the weight of outdated intelligence, ensuring that the system allocates more resources to handling emerging threats. Specifically, the original activity score can be multiplied by the decay factor to obtain a new corrected score. This corrected activity score will more accurately reflect the actual activity level of current threat intelligence. For older intelligence, the corrected score will be relatively lower, and such intelligence will be prioritized lower, thus reducing interference from outdated information.
[0078] After completing the time decay correction, the system will adjust the score for all threat intelligence. Prioritize the intelligence. The prioritization method typically involves arranging the intelligence based on its adjusted activity score from highest to lowest, with higher-scoring intelligence receiving priority. This allows the system to prioritize the most active and threatening intelligence within the network, ensuring the timeliness and accuracy of the protection system's response.
[0079] After sorting, the resulting intelligence activity sequence will be ranked according to the corrected scores of each intelligence, with higher-priority intelligence being processed first. This activity sequence is dynamic and will be updated in real time based on the real-time activity score and the effects of time decay, ensuring that the protection system can respond quickly to the most critical threats.
[0080] In some embodiments, the activity level can be corrected using the following formula:
[0081] in, To correct the results, The activity level is represented by t, the time difference from the first discovery of the intelligence to the present, λ, the decay coefficient, and e, the natural base.
[0082] The above formula, by introducing a time decay factor to correct for activity levels, can more accurately reflect the timeliness of threat intelligence, ensuring that outdated intelligence does not affect real-time protection decisions. This mechanism optimizes intelligence prioritization, helps improve the response efficiency of the protection system, avoids processing inactive intelligence, and thus maximizes the effectiveness of network protection.
[0083] In the S300 system, target device attribute information plays a crucial role, including the target device's type, performance requirements, and processing capabilities. Based on this attribute information, a pre-defined hierarchical classification strategy is applied to filter active intelligence sequences.
[0084] For example, if the target device is a firewall, high-threat intelligence can be filtered out, and the number of messages sent can be limited, such as no more than 1 million. If the target device is a secure DNS server, domain intelligence of all threat levels can be filtered out, and a larger number of messages can be sent, such as 10 million. If the target device is a traffic probe device, medium- and high-risk intelligence can be prioritized, and the number of messages sent can be limited based on the device's processing capacity.
[0085] The filtered target intelligence set will only include high-priority and resource-adaptable threat intelligence that is suitable for the device to process.
[0086] Specifically, in some embodiments, the specific implementation of step S300 can be found in [reference needed]. Figure 4 . Figure 4 It is based on Figure 2 According to the detailed description of step S300 in the network threat intelligence distribution method shown in the corresponding embodiment, step S300 in the network threat intelligence distribution method may include the following steps: S310 matches a preset hierarchical classification strategy based on the target device attribute information.
[0087] S320, according to the hierarchical classification strategy, the active intelligence sequence is filtered to obtain the target intelligence set.
[0088] In this embodiment, by matching the target device's attribute information with a pre-defined hierarchical classification strategy, this method can customize the filtering of threat intelligence for different types of security devices. This step ensures that each device receives intelligence that matches its processing capabilities and protection needs, thereby improving resource utilization efficiency and optimizing the response capabilities of the network protection system.
[0089] In S310, each target security device has different attribute information, such as device type, hardware capacity, processing power, supported intelligence types, priority requirements, etc. Therefore, a pre-defined hierarchical classification strategy needs to be matched based on this attribute information.
[0090] Specifically, first, the system determines which types of threat intelligence a target device can process based on its type. For example, firewall devices might prioritize IP address and domain name-based intelligence, while secure DNS devices might focus more on domain name-related intelligence. For devices with varying processing capabilities, the amount of intelligence sent is limited based on the device's hardware limitations. For instance, lower-performance devices might only receive a small amount of high-priority intelligence to avoid system overload. Based on the device's response speed requirements, the system might filter out the latest, high-risk threat intelligence for devices with high real-time requirements, while reserving low-risk, low-priority intelligence for other devices to process.
[0091] By matching the pre-set hierarchical classification strategy, the system can flexibly adjust the distribution strategy according to the different attribute information of the devices to ensure that each device receives the intelligence most suitable for its functions and performance.
[0092] Specifically, in some embodiments, the specific implementation of step S310 can be found in the following embodiments. This embodiment is based on... Figure 2 The detailed description of step S310 in the network threat intelligence distribution method shown in the corresponding embodiment is as follows: In the network threat intelligence distribution method, the hierarchical classification strategy includes distribution rules for different types of security devices, and step S310 may include the following steps: If the target device attribute information indicates that the target security device is a firewall device, intelligence with a threat level of medium to high risk and a type of IP or domain name is filtered, and the number of messages sent is limited to a first threshold range.
[0093] If the target device attribute information indicates that the target security device is a secure DNS server, filter the full threat level intelligence of the domain name type and limit the number of messages sent to it to a second threshold range, wherein the second threshold is greater than the first threshold.
[0094] If the target device attribute information indicates that the target security device is a traffic probe, intelligence with a threat level of medium to high risk is filtered out, and the number of messages sent is limited to a third threshold range.
[0095] In this embodiment, by setting customized intelligence distribution rules based on different types of security devices, threat intelligence best suited to the processing capabilities and protection needs of each type of device can be provided. This strategy not only optimizes resource allocation but also ensures that various devices can efficiently process threat intelligence, improving the overall performance and response speed of the protection system.
[0096] Specifically, If the target device's attribute information indicates that the device is a firewall, filtering is performed based on the firewall's functional requirements and processing capabilities. Firewall devices are primarily responsible for intercepting and blocking malicious access to the network, typically focusing on medium- to high-risk threat intelligence, especially intelligence related to IP addresses or domain names.
[0097] Specifically, the screening process requires filtering out threat intelligence based on IP addresses or domain names. This is because firewall devices typically operate by blocking domain names and IP addresses, and other types of intelligence are not suitable for their processing. Furthermore, only intelligence classified as medium-high risk or above needs to be filtered. This intelligence carries significant potential risk, and firewall devices need to prioritize processing this high-risk intelligence to maximize protection effectiveness. Depending on the firewall's hardware processing capabilities, the number of intelligence messages sent each time also needs to be limited. For example, the number of messages sent can be limited to a first threshold, the size of which can be set based on the actual processing capacity of the firewall device.
[0098] If the target device's attribute information indicates that the device is a secure DNS (DNS) server, filter domain-related intelligence for it and adjust it according to the device's capacity and network traffic requirements.
[0099] Specifically, the filtering process only needs to filter threat intelligence based on domain name type, specifically domain intelligence across all threat levels. DNS servers primarily handle and resolve domain names, therefore they only need to process domain-related intelligence. However, unlike firewalls, DNS servers need to process intelligence across various threat levels, including low- and high-risk threats, and they typically have greater processing capacity, allowing for a larger volume of intelligence to be distributed. The number of distributed intelligence is then limited to a second threshold, which is greater than the firewall's first threshold, allowing for the distribution of more intelligence.
[0100] If the target device's attribute information indicates that the device is a traffic probe, it is necessary to filter out medium- to high-risk threat intelligence related to traffic. Traffic probe devices are mainly used to detect abnormal behavior in network traffic; therefore, the intelligence issued should primarily focus on threats related to traffic attacks and virus propagation.
[0101] Specifically, it's necessary to filter out medium- to high-risk intelligence. Traffic probes typically don't process low-risk intelligence; instead, they prioritize medium- to high-risk intelligence that could potentially lead to large-scale cyberattacks. Simultaneously, based on the traffic probe's processing capacity, the number of intelligence reports sent is limited to a third threshold. This threshold is generally higher than the firewall's first threshold but lower than the DNS server's second threshold to ensure the device doesn't become overloaded by processing too much intelligence.
[0102] In S320, once the target device's attribute information is matched with the corresponding hierarchical classification strategy, the sorted intelligence activity sequence can be filtered according to these strategies. The filtering includes intelligence type filtering, threat level filtering, quantity limit filtering, etc.
[0103] Specifically, the information is first filtered according to the type of information the device can process. For example, a firewall device may only receive information related to IP addresses or domain names, while a secure DNS server device may only receive information related to domain names.
[0104] Then, based on the device's protection capabilities, the system will filter intelligence to different threat levels. High-performance devices may be able to handle intelligence at all threat levels, while low-performance devices may only receive medium- to high-risk intelligence.
[0105] It's best to limit the number of intelligence messages sent each time, based on the device's hardware capacity and processing power. For example, a firewall device might limit itself to receiving no more than 1 million intelligence messages at a time, while a traffic probe device might receive more.
[0106] The filtered intelligence set is an intelligence set that is adapted to the target device's processing capabilities, needs, and strategies, ensuring that the device can process intelligence efficiently without reducing performance due to information overload or mismatch.
[0107] The filtered intelligence set constitutes the threat intelligence set required by the target device. This set contains intelligence that matches the device's capabilities and needs, and the device will process, analyze, and defend against it according to this set. The intelligence set received by each device is customized to match the device's processing capabilities and protection objectives, helping to maximize resource utilization efficiency and improve protection effectiveness.
[0108] In the S400, the selected target intelligence set is packaged into a data file or data stream and distributed to the target security device according to predetermined rules. This enables intelligence filtering, sorting, and precise distribution based on activity assessment, thereby improving the overall efficiency of network threat protection. The data packet format can be configured according to the device's needs and protocol requirements.
[0109] Specifically, in some embodiments, the specific implementation of step S400 can be found in the following embodiments. This embodiment is based on... Figure 2 The detailed description of step S400 in the network threat intelligence distribution method shown in the corresponding embodiment includes the following steps: The target intelligence set is packaged into a file or data stream and sent to the target security device according to predetermined rules.
[0110] If the activity level of any target threat intelligence in the target intelligence set suddenly increases beyond a certain threshold, a high-priority push will be triggered immediately.
[0111] In this embodiment, by packaging the target intelligence set and distributing it to the target security device according to predetermined rules, and triggering a high-priority push when the intelligence activity level suddenly increases, this method can ensure timely response to the most dangerous threats at the most critical moments, optimizing intelligence transmission efficiency and response speed. This mechanism improves the real-time performance and emergency response capabilities of the protection system, enabling the device to quickly process important threat intelligence.
[0112] Specifically, once the target intelligence set is filtered and prioritized, this intelligence is packaged into files or data streams. The packaging format and method can be adjusted according to the target device's protocols and requirements.
[0113] For example, intelligence sets can be packaged into a standardized file format. This file contains relevant information and metadata about the intelligence. The choice of file format will be optimized based on the device's capabilities and processing methods. Alternatively, if the target device supports real-time data streaming, the intelligence set can be distributed as a data stream. Data streams can transmit large amounts of intelligence instantly, making them suitable for devices requiring rapid response, such as traffic probes or real-time analytics platforms.
[0114] Whether it's a file or a data stream, the packaged content includes basic intelligence information, activity score, intelligence type, threat level, etc., to ensure that the receiving device can fully understand and effectively process the intelligence.
[0115] Once the intelligence dataset is packaged, it is distributed to the target security device according to predetermined rules. These rules are typically based on several factors, including device capabilities, intelligence priority, network bandwidth, and transmission protocols.
[0116] Specifically, device capability refers to the system's batching and on-demand distribution of intelligence based on the processing power and configuration of the target device. For example, high-performance devices may receive a large amount of intelligence at once, while low-performance devices may only receive a concise set of intelligence. Intelligence priority refers to the system's prioritization of intelligence based on its activity level and threat level, ensuring that the most urgent threats receive priority responses. Network bandwidth and transmission protocol refer to the fact that intelligence distribution may be limited by network bandwidth, and the system will select an appropriate distribution method based on the network environment and transmission protocol.
[0117] Through these rules, the system can ensure that intelligence is transmitted effectively and that receiving devices can process intelligence within an appropriate timeframe.
[0118] If, during the process of packaging and distributing intelligence, the activity level of a particular intelligence suddenly increases and exceeds a set threshold, the system will trigger a high-priority push mechanism to immediately push the intelligence to the target security device.
[0119] Specifically, the activity score of each intelligence piece is compared with a set threshold before transmission. If the activity score exceeds the threshold, the intelligence is considered urgent and requires priority processing. Once a sudden surge in intelligence activity is detected, the regular distribution process is skipped, and a high-priority push is immediately initiated. This push typically uses a faster transmission channel to ensure that the intelligence reaches the target device as quickly as possible.
[0120] High-priority push mechanisms can significantly improve the response speed of protection systems to sudden threats, ensuring a rapid response in the event of a sudden increase in threats and preventing the further spread of malicious activities.
[0121] To enable those skilled in the art to better understand the technical solution of this application, it is assumed below that a network threat intelligence platform needs to distribute threat intelligence to different types of security devices. In this embodiment, the platform uses a confidence-weighted adaptive scoring model to evaluate the activity level of each piece of intelligence, and filters and distributes it based on the attribute information of the target device.
[0122] Specifically, the platform collects data including DNS logs, SEO rankings, and community request frequency through a multi-source data acquisition module, and then cleans and preprocesses this data. Data from each data source is transformed into features, and information entropy is calculated to assess data volatility. For data sources with low volatility, the system automatically reduces the weight of that data source to avoid misleading intelligence scoring.
[0123] In the model, each data source has a source reputation factor and a dynamic weight. The source reputation factor is adjusted based on historical feedback; if a data source has previously caused a large number of false positives, the system will reduce its weight. The data entropy value is determined by calculating the information entropy of each data dimension; if the data in a certain dimension changes little, its weight will automatically decrease. The final activity score is calculated using the following formula:
[0124] Where α represents the source reputation factor, This represents the reputation feedback coefficient as it changes over time. The weights are dynamically calculated. It is standardized data.
[0125] To further improve the timeliness of activity scores, burst prediction can be performed based on the trend slope. Specifically, by using sliding window sampling, the activity slope and acceleration of the intelligence are calculated, and the final score is corrected according to the following formula:
[0126] in, This is the revised score. The score before correction, where k is the activity slope and a is the acceleration. and These are the weighting coefficients.
[0127] In this formula, the slope and acceleration of activity reflect the speed and trend of intelligence changes. For a new DGA domain name that currently has low popularity but a rapid growth rate, the system will prioritize increasing its activity score to ensure that the intelligence is delivered in a timely manner during the initial rapid growth phase.
[0128] During the intelligence screening and distribution process, a knapsack problem-based strategy is employed to optimize resource allocation. The weight of each intelligence piece is determined by the resources it occupies, while its value is calculated using activity scores and threat level coefficients. The system uses greedy algorithms or dynamic programming to ensure that, with limited resources, it prioritizes the most cost-effective intelligence combinations, enabling the equipment to process intelligence with the greatest threat blocking value.
[0129] Once intelligence is filtered and packaged into a data stream or file, it will be distributed to target devices according to predetermined rules. If the activity score of a particular intelligence spikes, the system will immediately trigger a high-priority push, ensuring that devices can obtain the most important intelligence as soon as a cybersecurity incident occurs. After receiving the intelligence, the device will provide feedback on actual interception and alarm data. The system will then dynamically adjust the weights based on this feedback to ensure adaptive optimization of the intelligence scoring model.
[0130] Suppose a company's network protection system needs to cope with constantly evolving threat intelligence, especially when facing large-scale distributed denial-of-service attacks or new types of malware. The platform can dynamically adjust the priority of intelligence based on real-time collected data and respond quickly to initial attacks through trend slope and acceleration mechanisms. Through resource-constrained distribution strategies, firewall devices and traffic probe devices can maximize the processing of highly active and high-threat intelligence, ensuring that the company's network protection system achieves maximum protective effectiveness with limited resources.
[0131] The above embodiments, by introducing a confidence-weighted adaptive scoring model, a trend slope-based burst prediction mechanism, and a resource-constrained distribution strategy based on the knapsack problem, enable this method to dynamically adjust weights, accurately predict explosive threats, and optimize intelligence distribution and equipment resource utilization efficiency. The system not only automatically adapts to changes in threat intelligence screening but also ensures maximum protection effectiveness under resource constraints.
[0132] The following describes an embodiment of the apparatus described in this application, which can be used to execute the network threat intelligence distribution method described above in this application. For details not disclosed in the apparatus embodiments of this application, please refer to the embodiments of the network threat intelligence distribution method described above in this application.
[0133] Figure 5 A block diagram of a network threat intelligence delivery device according to an embodiment of this application is shown.
[0134] Reference Figure 5 As shown, a network threat intelligence distribution device 500 according to an embodiment of this application includes: an activity scoring module 510, an intelligence sorting module 520, a sequence filtering module 530, and a packaged distribution module 540.
[0135] The system includes: an activity scoring module 510, which collects multi-source Internet data based on target threat intelligence and inputs it into an activity scoring model to obtain the corresponding activity level; an intelligence sorting module 520, which prioritizes the target threat intelligence based on the activity level to obtain an intelligence activity sequence; a sequence filtering module 530, which filters the intelligence activity sequence based on target device attribute information to obtain a target intelligence set, wherein the target device attribute information is the attribute information of the target security device; and a packaging and distribution module 540, which packages the target intelligence set and distributes it to the target security device.
[0136] Optionally, the activity scoring module 510 specifically includes: an intelligence gathering submodule, used to collect multi-source Internet data on target threat intelligence; and an activity scoring submodule, used to obtain the corresponding activity level based on the multi-source Internet data and using a preset activity scoring model.
[0137] Optionally, the multi-source internet data includes at least one of DNS log data, SEO ranking data, community popularity data, and device tracking data. The activity scoring submodule specifically includes: a feature extraction unit, used to extract features from the multi-source internet data using a preset activity scoring model to obtain the behavioral characteristics of the target threat intelligence under each preset dimension; and a weighted aggregation unit, used to perform a weighted aggregation operation based on the behavioral characteristics of each dimension and their corresponding weight coefficients to obtain the corresponding activity level.
[0138] Optionally, the activity level is obtained by the following formula:
[0139] in, For activity level, T represents target threat intelligence. This is a normalized value representing the frequency of occurrence in DNS logs. Reverse ranking for search engine results Requesting popularity for the community To accumulate points for safety equipment, , , , These are the weighting coefficients for each dimension.
[0140] Optionally, the device further includes: a data feedback unit for receiving actual interception data or alarm data from the target security device; and a weight adjustment unit for dynamically adjusting the weight coefficients corresponding to each dimension based on the score deviation between the actual interception data or alarm data and the activity level.
[0141] Optionally, the intelligence sorting module 520 specifically includes: an activity level correction submodule, used to correct the activity level by a time decay factor to obtain a correction result; and an activity level sequence submodule, used to prioritize the target threat intelligence according to the correction result to obtain an intelligence activity sequence.
[0142] Optionally, the activity level can be corrected using the following formula:
[0143] in, To correct the results, The activity level is represented by t, the time difference from the first discovery of the intelligence to the present, λ, the decay coefficient, and e, the natural base.
[0144] Optionally, the sequence filtering module 530 specifically includes: a strategy configuration submodule, used to match a preset hierarchical classification strategy according to the target device attribute information; and a sequence filtering submodule, used to filter the intelligence active sequence according to the hierarchical classification strategy to obtain a target intelligence set.
[0145] Optionally, the hierarchical classification strategy includes distribution rules for different types of security devices; the strategy configuration submodule specifically includes: a first configuration unit, used to filter intelligence with a threat level of medium to high risk and a type of IP or domain name when the target device attribute information indicates that the target security device is a firewall device, and limit the number of distributions within a first threshold range; a second configuration unit, used to filter intelligence with a type of domain name of all threat levels when the target device attribute information indicates that the target security device is a secure DNS server, and limit the number of distributions within a second threshold range, wherein the second threshold is greater than the first threshold; a third configuration unit, used to filter intelligence with a threat level of medium to high risk when the target device attribute information indicates that the target security device is a traffic probe, and limit the number of distributions within a third threshold range.
[0146] Optionally, the packaging and distribution module 540 specifically includes: a packaging and distribution submodule, used to package the target intelligence set into a file or data stream and distribute it to the target security device according to a predetermined rule; and a priority push submodule, used to immediately trigger a high-priority push if the activity level of any target threat intelligence in the target intelligence set suddenly increases beyond a specific threshold.
[0147] In the embodiments of this application, the activity level of threat intelligence is assessed by combining multi-source Internet data, and intelligence that meets the needs of target security devices is dynamically sorted and filtered, thereby achieving more efficient and accurate distribution of network threat intelligence. This embodiment can dynamically sort intelligence according to its real-time activity level, effectively improving the timeliness and accuracy of security protection response, optimizing device resource utilization, and reducing the impact of invalid intelligence.
[0148] Figure 6 A schematic diagram of the structure of a computer system suitable for implementing the electronic device of the present application is shown.
[0149] It should be noted that, Figure 6 The computer system of the electronic device shown is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of this application.
[0150] like Figure 6As shown, the computer system includes a Central Processing Unit (CPU) 1801, which can perform various appropriate actions and processes based on programs stored in Read-Only Memory (ROM) 1802 or programs loaded from storage portion 1808 into Random Access Memory (RAM) 1803, such as performing the methods described in the above embodiments. Various programs and data required for system operation are also stored in RAM 1803. The CPU 1801, ROM 1802, and RAM 1803 are interconnected via bus 1804. An Input / Output (I / O) interface 1805 is also connected to bus 1804.
[0151] The following components are connected to I / O interface 1805: an input section 1806 including a keyboard, mouse, etc.; an output section 1807 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and speakers, etc.; a storage section 1808 including a hard disk, etc.; and a communication section 1809 including a network interface card such as a LAN (Local Area Network) card, modem, etc. The communication section 1809 performs communication processing via a network such as the Internet. A drive 1810 is also connected to I / O interface 1805 as needed. Removable media 1811, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., are installed on drive 1810 as needed so that computer programs read from them can be installed into storage section 1808 as needed.
[0152] Specifically, according to embodiments of this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program including a computer program for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 1809, and / or installed from removable medium 1811. When the computer program is executed by central processing unit (CPU) 1801, it performs various functions defined in the system of this application.
[0153] It should be noted that the computer-readable medium shown in the embodiments of this application can be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, optical fiber, portable compact disc read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying a computer-readable computer program. The transmitted data signal can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. The computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The computer program contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to wireless, wired, etc., or any suitable combination thereof.
[0154] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. Each block in a flowchart or block diagram may represent a module, segment, or portion of code, which contains one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0155] The units described in the embodiments of this application can be implemented in software or hardware, and the described units can also be located in a processor. The names of these units do not necessarily limit the specific unit itself.
[0156] In another aspect, this application also provides a computer-readable medium, which may be included in the electronic device described in the above embodiments; or it may exist independently and not assembled into the electronic device. The computer-readable medium carries one or more programs, which, when executed by the electronic device, cause the electronic device to perform the methods described in the above embodiments.
[0157] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to the embodiments of this application, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.
[0158] Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, touch terminal, or network device, etc.) to execute the methods according to the embodiments of this application.
[0159] Other embodiments of this application will readily occur to those skilled in the art upon consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses, or adaptations of this application that follow the general principles of this application and include common knowledge or customary techniques in the art not disclosed herein.
[0160] It should be understood that this application is not limited to the precise structure described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this application is limited only by the appended claims.
Claims
1. A method for distributing network threat intelligence, characterized in that, include: Based on target threat intelligence, multi-source internet data is collected and input into the activity scoring model to obtain the corresponding activity level; The target threat intelligence is prioritized according to the activity level to obtain an intelligence activity sequence; The intelligence activity sequence is filtered based on the target device attribute information to obtain a target intelligence set, wherein the target device attribute information is the attribute information of the target security device; The target intelligence set is packaged and sent to the target security device.
2. The network threat intelligence distribution method of claim 1, wherein, The process of collecting multi-source internet data based on target threat intelligence and inputting it into an activity scoring model to obtain the corresponding activity level specifically includes: Collect multi-source internet data on target threat intelligence; Based on the multi-source internet data, the corresponding activity level is obtained using a preset activity scoring model.
3. The network threat intelligence distribution method of claim 2, wherein, The multi-source internet data includes at least one of DNS log data, SEO ranking data, community popularity data, and device tracking data. The step of obtaining the corresponding activity level based on the multi-source internet data using a preset activity scoring model specifically includes: The multi-source Internet data is used to extract features using a preset activity scoring model to obtain the behavioral characteristics of the target threat intelligence under each preset dimension; Based on the behavioral characteristics of each dimension and their corresponding weight coefficients, a weighted aggregation operation is performed to obtain the corresponding activity level.
4. The network threat intelligence distribution method of claim 3, wherein, The activity level is obtained by the following formula: in, For activity level, T represents target threat intelligence. This is a normalized value representing the frequency of occurrence in DNS logs. Reverse ranking for search engine results To generate buzz for the community To accumulate points for safety equipment, , , , These are the weighting coefficients for each dimension.
5. The method for distributing network threat intelligence as described in claim 3, characterized in that, Also includes: Receive actual interception data or alarm data from the target security device; Based on the deviation between the actual intercepted data or alarm data and the activity level score, the weight coefficients corresponding to each dimension are dynamically adjusted.
6. The method for distributing network threat intelligence as described in claim 1, characterized in that, The step of prioritizing the target threat intelligence based on its activity level to obtain an intelligence activity sequence specifically includes: The activity level is corrected using a time decay factor to obtain the correction result; Based on the correction results, the target threat intelligence is prioritized to obtain an intelligence activity sequence.
7. A computer-readable medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the network threat intelligence distribution method as described in any one of claims 1 to 6.
8. An electronic device, characterized in that, include: One or more processors; A storage device for storing one or more programs, which, when executed by one or more processors, cause the one or more processors to implement the network threat intelligence delivery method as described in any one of claims 1 to 6.
9. A computer program product, characterized in that, It includes one or more computer programs that, when executed by one or more processors, implement the steps of the network threat intelligence delivery method according to any one of claims 1 to 6.
10. A network threat intelligence distribution device, characterized in that, The network threat intelligence distribution device includes: The activity scoring module is used to collect multi-source Internet data based on target threat intelligence and input it into the activity scoring model to obtain the corresponding activity level. The intelligence sorting module is used to prioritize the target threat intelligence according to the activity level to obtain an intelligence activity sequence; The sequence filtering module is used to filter the active intelligence sequence based on the target device attribute information to obtain a target intelligence set, wherein the target device attribute information is the attribute information of the target security device; The packaging and distribution module is used to package the target intelligence set and distribute it to the target security device.