CN114697110A - A network attack detection method, device, equipment and storage medium - Google Patents

Abstract

The application discloses a network attack detection method, a device, equipment and a storage medium, wherein the method comprises the following steps: obtaining the context of the IOC, and extracting the evidence chain integrity characteristic, the standardization characteristic and the timeliness characteristic in the context of the IOC; detecting the respective corresponding credibility of the integrity characteristic, the standardization characteristic and the timeliness characteristic of the evidence chain by using a preset credibility measurement rule; and determining the credibility of the IOC based on the credibility corresponding to the integrity characteristic, the standardization characteristic and the timeliness characteristic of the evidence chain, and performing corresponding network attack detection based on the credibility of the IOC. The method is mainly applied to the field of network security, and by the technical scheme of the method, the network security threat intelligence can be simply and efficiently detected, so that the IOC can be conveniently used in subsequent network security services.

Description

Translated fromChinese

一种网络攻击检测方法、装置、设备及存储介质A network attack detection method, device, equipment and storage medium

技术领域technical field

本发明涉及网络安全领域，特别涉及一种网络攻击检测方法、装置、设备及存储介质。The invention relates to the field of network security, in particular to a network attack detection method, device, equipment and storage medium.

背景技术Background technique

当前网络安全领域威胁情报非常火热，主要的原因在于威胁情报提供了一个新的视角，即基于攻击者视角的网络安全解决方法，让网络安全运营者，能够更加清晰地评估网络攻击的意图、动向、目标，以此做出更加有效、高效的决策。然而，当前网络威胁情报供应商体系非常复杂，仅开源情报机构就有50多家；加之威胁情报作为新生事物仍在发展壮大、标准不断完善的过程中，因此，如何检测情报数据的可信度，特别是检测威胁情报IOC(Indicators of Compromise，陷落标识)数据的可信度是一个重要的问题，对于关联碰撞到的情报数据，如何采信也是一个重要问题。在现有技术中，通常是对获取的威胁情报IOC进行分析并建立网络威胁行为活动和社区，然后间隔预设时间对建立的模型进行动态调优，其主要依赖于安全厂商的自有设备以及设备中的日志来对情报的准确度进行匹配分析，得到信誉度分析值，也即建立不同情报源在不同威胁类型情报的信誉度模型。然而，该方法需要使用大量网络日志，不仅投入的日志量大，导致计算量增加，还需要长时间才能够评估出结论，成本也高，而且最终效果可能会因为网络环境的差异产生不同的结论。At present, threat intelligence in the field of network security is very hot. The main reason is that threat intelligence provides a new perspective, that is, a network security solution based on the attacker's perspective, so that network security operators can more clearly evaluate the intention and trend of network attacks. , goals, in order to make more effective and efficient decisions. However, the current cyber threat intelligence provider system is very complex, with more than 50 open source intelligence agencies alone. In addition, threat intelligence, as a new thing, is still in the process of developing and improving standards. Therefore, how to detect the credibility of intelligence data? , especially the reliability of detecting threat intelligence IOC (Indicators of Compromise) data is an important issue, and how to accept the intelligence data associated with collision is also an important issue. In the existing technology, the obtained threat intelligence IOC is usually analyzed to establish cyber threat behavior activities and communities, and then the established model is dynamically tuned at preset time intervals, which mainly relies on the security vendor's own equipment and The log in the device is used to match and analyze the accuracy of the intelligence to obtain the credibility analysis value, that is, to establish the credibility model of different intelligence sources in different threat types. However, this method requires the use of a large number of network logs, which not only requires a large amount of logs, resulting in an increase in the amount of computation, but also takes a long time to evaluate the conclusion, which is also costly, and the final effect may produce different conclusions due to differences in the network environment. .

综上，如何对任意的情报源提供的网络安全威胁情报IOC数据，快速有效、科学的基于其可信度实现网络攻击的检测，以便于在后续的网络安全业务中使用该情报IOC是目前有待解决的问题。To sum up, how to quickly, effectively and scientifically realize the detection of network attacks based on the reliability of the cyber security threat intelligence IOC data provided by any intelligence source, so as to facilitate the use of the intelligence IOC in the subsequent cyber security business is still to be done. solved problem.

发明内容SUMMARY OF THE INVENTION

有鉴于此，本发明的目的在于提供一种网络攻击检测方法、装置、设备及存储介质，能够对任意的情报源提供的网络安全威胁情报IOC数据，快速有效、科学的基于其可信度实现网络攻击的检测，以便于在后续的网络安全业务中使用该情报IOC。其具体方案如下：In view of this, the purpose of the present invention is to provide a network attack detection method, device, equipment and storage medium, which can quickly, effectively and scientifically realize the network security threat intelligence IOC data provided by any intelligence source based on its credibility. Detection of cyber attacks to facilitate use of this intelligence IOC in subsequent cyber security operations. Its specific plan is as follows:

第一方面，本申请公开了一种网络攻击检测方法，包括：In a first aspect, the present application discloses a network attack detection method, including:

获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征；Obtain the context of the cybersecurity threat intelligence IOC, and extract the evidence chain integrity features, standardized features and timeliness features in the context of the cybersecurity threat intelligence IOC;

利用预设可信度衡量规则检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度；Detecting the respective credibility of the integrity feature of the evidence chain, the standardized feature and the timeliness feature by using a preset credibility measurement rule;

基于所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度确定出所述网络安全威胁情报IOC的可信度，并基于所述网络安全威胁情报IOC的可信度进行相应的网络攻击检测。The credibility of the cybersecurity threat intelligence IOC is determined based on the respective credibility levels of the evidence chain integrity feature, the standardized feature, and the timeliness feature, and based on the availability of the cybersecurity threat intelligence IOC Corresponding network attack detection is carried out according to the reliability.

可选的，利用预设可信度衡量规则检测所述证据链完整性特征的可信度，包括：Optionally, use a preset credibility measurement rule to detect the credibility of the integrity feature of the evidence chain, including:

利用第一预设可信度衡量规则检测所述证据链完整性特征中的攻击者信息的可信度、安全事件信息的可信度和标签信息的可信度。The credibility of the attacker information, the credibility of the security event information and the credibility of the label information in the integrity feature of the evidence chain are detected by using the first preset credibility measurement rule.

可选的，所述利用第一预设可信度衡量规则检测所述证据链完整性特征中的攻击者信息的可信度、安全事件信息的可信度和标签信息的可信度之前，还包括：Optionally, before using the first preset credibility measurement rule to detect the credibility of the attacker information, the credibility of the security event information, and the credibility of the label information in the integrity feature of the evidence chain, Also includes:

若所述证据链完整性特征中存在所述攻击者信息、所述安全事件信息和所述标签信息，则判定证据链完整，触发所述利用第一预设可信度衡量规则检测所述证据链完整性特征中的攻击者信息、安全事件信息和标签信息的可信度的步骤。If the attacker information, the security event information and the label information exist in the integrity feature of the evidence chain, it is determined that the evidence chain is complete, and the detection of the evidence using the first preset credibility measurement rule is triggered. The steps for the credibility of attacker information, security event information and label information in the chain integrity feature.

可选的，利用预设可信度衡量规则检测所述标准化特征的可信度，包括：Optionally, the reliability of the standardized feature is detected by using a preset reliability measurement rule, including:

利用第二预设可信度衡量规则检测所述标准化特征中威胁模型的相关数据的可信度。The reliability of the data related to the threat model in the standardized features is detected by using the second preset reliability measurement rule.

可选的，利用预设可信度衡量规则检测所述时效性特征的可信度，包括：Optionally, the reliability of the timeliness feature is detected by using a preset reliability measurement rule, including:

确定所述网络安全威胁情报IOC首次出现的时间、所述网络安全威胁情报IOC的更新时间；Determine the time when the cybersecurity threat intelligence IOC first appears, and the update time of the cybersecurity threat intelligence IOC;

基于所述首次出现的时间和所述更新时间确定出所述网络安全威胁情报IOC的时间跨度，并利用第三预设可信度衡量规则检测所述时间跨度的可信度。The time span of the network security threat intelligence IOC is determined based on the first occurrence time and the update time, and the reliability of the time span is detected by using a third preset reliability measurement rule.

可选的，所述基于所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度确定出所述网络安全威胁情报IOC的可信度，包括：Optionally, determining the credibility of the network security threat intelligence IOC based on the respective credibility of the evidence chain integrity feature, the standardized feature, and the timeliness feature, including:

利用预设加权规则为所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度分配不同的权重比例，以得到各自分配后的对应的可信度；Using a preset weighting rule to assign different weight ratios to the respective credibility of the evidence chain integrity feature, the standardized feature, and the timeliness feature, so as to obtain the respective assigned credibility;

将所述分配后的对应的可信度进行求和，以得到所述网络安全威胁情报IOC的可信度。The assigned corresponding reliability is summed to obtain the reliability of the network security threat intelligence IOC.

可选的，所述利用预设可信度衡量规则检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度，包括：Optionally, the detection of the respective credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature by using a preset credibility measurement rule includes:

对所述证据链完整性特征、所述标准化特征和所述时效性特征中存在有效值的相关数据赋予各自对应的可信度。Corresponding credibility is assigned to the relevant data with valid values in the evidence chain integrity feature, the standardized feature, and the timeliness feature.

第二方面，本申请公开了一种网络攻击检测装置，包括：In a second aspect, the present application discloses a network attack detection device, comprising:

特征提取模块，用于获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征；a feature extraction module, used for acquiring the context of the cybersecurity threat intelligence IOC, and extracting the integrity features, standardized features and timeliness features of the evidence chain in the context of the cybersecurity threat intelligence IOC;

可信度检测模块，用于利用预设可信度衡量规则检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度；a credibility detection module, configured to detect the respective credibility of the integrity feature of the evidence chain, the standardized feature and the timeliness feature by using a preset credibility measurement rule;

网络攻击检测模块，用于基于所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度确定出所述网络安全威胁情报IOC的可信度，并基于所述网络安全威胁情报IOC的可信度进行相应的网络攻击检测。A network attack detection module, configured to determine the credibility of the network security threat intelligence IOC based on the respective credibility of the evidence chain integrity feature, the standardized feature, and the timeliness feature, and based on the The credibility of the cyber security threat intelligence IOC carries out corresponding cyber attack detection.

第三方面，本申请公开了一种电子设备，所述电子设备包括处理器和存储器；其中，所述存储器用于存储计算机程序，所述计算机程序由所述处理器加载并执行以实现如前所述的网络攻击检测方法。In a third aspect, the present application discloses an electronic device, which includes a processor and a memory; wherein, the memory is used to store a computer program, and the computer program is loaded and executed by the processor to achieve the above The network attack detection method.

第四方面，本申请公开了一种计算机可读存储介质，用于存储计算机程序；其中所述计算机程序被处理器执行时实现如前所述的网络攻击检测方法。In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program; wherein the computer program implements the aforementioned network attack detection method when executed by a processor.

本申请中，首先获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征；然后利用预设可信度衡量规则检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度；最后基于所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度确定出所述网络安全威胁情报IOC的可信度，并基于所述网络安全威胁情报IOC的可信度进行相应的网络攻击检测。可见，因为可信度高的情报一定是来自于情报生产流程规范化、标准化的厂商，所以从网络安全威胁情报的上下文来甄别情报的数据结构可以实现有效的根据情报可信度进行相应的网络攻击检测。也即，通过对网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征检测各自对应的可信度，并利用各自对应的可信度确定出网络安全威胁情报IOC的可信度，进而基于网络安全威胁情报IOC的可信度进行相应的网络攻击检测。如此一来，对于多源情报的接入、聚合、分析提供帮助，能够简单、高效的评估网络安全威胁情报IOC的可信度，快速有效、科学的基于其可信度实现网络攻击的检测，以便于在后续的网络安全业务中使用该情报IOC。In this application, the context of the network security threat intelligence IOC is first obtained, and the integrity features, standardized features and timeliness features of the evidence chain in the context of the network security threat intelligence IOC are extracted; then, the preset credibility measurement rules are used to detect the corresponding credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature; finally, based on the respective credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature Determine the credibility of the network security threat intelligence IOC, and perform corresponding network attack detection based on the credibility of the network security threat intelligence IOC. It can be seen that because highly credible intelligence must come from vendors with standardized and standardized intelligence production processes, identifying the data structure of intelligence from the context of cybersecurity threat intelligence can effectively carry out corresponding cyberattacks based on intelligence credibility detection. That is, by detecting the corresponding credibility of the evidence chain integrity features, standardized features and timeliness features in the context of the network security threat intelligence IOC, and using the respective corresponding credibility to determine the network security threat intelligence IOC. Based on the credibility of the network security threat intelligence IOC, the corresponding network attack detection is carried out. In this way, it provides help for the access, aggregation and analysis of multi-source intelligence, can simply and efficiently evaluate the credibility of the network security threat intelligence IOC, and realize the detection of network attacks based on its credibility quickly, effectively and scientifically. To facilitate the use of this intelligence IOC in subsequent cybersecurity operations.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案，下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍，显而易见地，下面描述中的附图仅仅是本发明的实施例，对于本领域普通技术人员来讲，在不付出创造性劳动的前提下，还可以根据提供的附图获得其他的附图。In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only It is an embodiment of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to the provided drawings without creative work.

图1为本申请公开的一种网络攻击检测方法流程图；FIG. 1 is a flow chart of a network attack detection method disclosed in the application;

图2为本申请公开的一种网络攻击检测方法示意图；2 is a schematic diagram of a network attack detection method disclosed in the present application;

图3为本申请公开的一种具体的网络攻击检测方法流程图；3 is a flowchart of a specific network attack detection method disclosed in the application;

图4为本申请公开的一条情报数据结构示意图；FIG. 4 is a schematic diagram of a piece of information data structure disclosed by the application;

图5为本申请公开的一种网络攻击检测装置结构示意图；5 is a schematic structural diagram of a network attack detection device disclosed in the present application;

图6为本申请公开的一种电子设备结构图。FIG. 6 is a structural diagram of an electronic device disclosed in this application.

具体实施方式Detailed ways

下面将结合本发明实施例中的附图，对本发明实施例中的技术方案进行清楚、完整地描述，显然，所描述的实施例仅仅是本发明一部分实施例，而不是全部的实施例。基于本发明中的实施例，本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例，都属于本发明保护的范围。The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, but not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

当前，在网络安全领域威胁情报非常火热，然而如何检测情报数据的可信度，特别是检测威胁情报IOC数据的可信度是一个重要的问题，对于关联碰撞到的情报数据，如何采信也是一个重要问题。现有技术中，对网络安全威胁情报IOC的动态评估计算量大、耗时长、性价比不高，且最终效果可能会因为网络环境差异而产生不同的结论。At present, threat intelligence is very hot in the field of network security. However, how to detect the credibility of intelligence data, especially the credibility of threat intelligence IOC data is an important issue. For the intelligence data that collides with, how to accept it is also an important issue. important question. In the prior art, the dynamic evaluation of the network security threat intelligence IOC is computationally intensive, time-consuming, and cost-effective, and the final effect may lead to different conclusions due to differences in the network environment.

为此，本申请提供了一种网络攻击检测方案，能够对任意的情报源提供的网络安全威胁情报IOC数据，快速有效、科学的基于其可信度实现网络攻击的检测，以便于在后续的网络安全业务中使用该情报IOC。Therefore, the present application provides a network attack detection solution, which can quickly, effectively and scientifically realize network attack detection based on the reliability of the network security threat intelligence IOC data provided by any intelligence source, so as to facilitate the subsequent detection of network attacks. The intelligence IOC is used in the cybersecurity business.

本发明实施例公开了一种网络攻击检测方法，参见图1所示，该方法包括：An embodiment of the present invention discloses a network attack detection method, as shown in FIG. 1 , the method includes:

步骤S11：获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征。Step S11: Obtain the context of the network security threat intelligence IOC, and extract the evidence chain integrity features, standardized features and timeliness features in the context of the network security threat intelligence IOC.

本申请实施例中，为了实现对网络攻击进行简单、高效的检测，需要对情报的可信度进行检测。情报可信度有两层概念和意义，一个是情报源中的具体某一条情报IOC的可信度，另一个是整个情报源的可信度。本申请实施例中以网络安全威胁情报IOC为例，获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征。In this embodiment of the present application, in order to implement simple and efficient detection of network attacks, it is necessary to detect the reliability of intelligence. Intelligence credibility has two concepts and meanings, one is the credibility of a specific piece of intelligence IOC in the intelligence source, and the other is the credibility of the entire intelligence source. In the embodiment of the present application, the network security threat intelligence IOC is taken as an example, the context of the network security threat intelligence IOC is obtained, and the evidence chain integrity features, standardized features and timeliness features in the context of the network security threat intelligence IOC are extracted.

可以理解的是，证据链完整性特征是检测网络安全威胁情报IOC可信度非常重要的指标。容易使用的情报，必须具备威胁实体、威胁手法、威胁动机、威胁目标、处置建议，证据链完整性特征的检测本质上是对情报的场景化检测，一个事情发生了，必然包括发生时间、发生地点、相关人物、事件进展、相关方情况，所以默认证据链涉及的维度越多，情报就越可信；标准化特征是网络安全威胁情报IOC上下文中包含了威胁情报模型相关数据的特征，当标准化特征中存在可以进行网络攻击检测的威胁情报模型时，可以对其可信度进行检测；时效性特征表示情报的生产、启用、静默、退役这些状态，健全的时效性表示情报的生产流程完善、清晰且有退出机制，具备独立自主的情报生产能力，所以提取网络安全威胁情报IOC的上下文中的时效性特征可以实现对情报IOC的检测。It is understandable that the integrity feature of the evidence chain is a very important indicator for detecting the credibility of the IOC of cybersecurity threat intelligence. Easy-to-use intelligence must have threat entities, threat tactics, threat motives, threat targets, and disposal suggestions. The detection of the integrity of the evidence chain is essentially a scenario-based detection of intelligence. When an event occurs, it must include the time and occurrence of the occurrence. Location, related persons, event progress, and situation of related parties, so the more dimensions involved in the default evidence chain, the more credible the intelligence; standardized features are the features of threat intelligence model-related data contained in the context of cybersecurity threat intelligence IOC, when standardized When there is a threat intelligence model that can detect network attacks in the feature, its credibility can be detected; the timeliness feature indicates the production, activation, silence, and decommissioning states of intelligence, and sound timeliness indicates that the production process of intelligence is complete, It is clear and has an exit mechanism, and has independent intelligence production capabilities, so extracting the timeliness features in the context of cybersecurity threat intelligence IOC can realize the detection of intelligence IOC.

步骤S12：利用预设可信度衡量规则检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度。Step S12: Detecting the respective reliability of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature by using a preset reliability measurement rule.

本申请实施例中，当提取完所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征之后，可以利用预设可信度衡量规则对所述证据链完整性特征、所述标准化特征和所述时效性特征检测各自对应的可信度。In the embodiment of the present application, after the evidence chain integrity features, standardized features, and timeliness features in the context of the network security threat intelligence IOC are extracted, the integrity of the evidence chain can be assessed by using preset credibility measurement rules. The features, the standardized features, and the time-sensitive features detect their corresponding reliability.

在第一种具体实施方式中，对所述证据链完整性特征的可信度进行检测。若所述证据链完整性特征中存在所述攻击者信息、所述安全事件信息和所述标签信息，则判定证据链完整，可以按照一定的衡量规则对其可信度进行检测。进一步的，利用第一预设可信度衡量规则检测所述证据链完整性特征中的攻击者信息的可信度、安全事件信息的可信度和标签信息的可信度。In a first specific implementation manner, the reliability of the integrity feature of the evidence chain is detected. If the attacker information, the security event information and the label information exist in the integrity feature of the evidence chain, it is determined that the evidence chain is complete, and its credibility can be detected according to certain measurement rules. Further, the credibility of the attacker information, the credibility of the security event information and the credibility of the label information in the integrity feature of the evidence chain are detected by using the first preset credibility measurement rule.

在第二种具体实施方式中，对所述标准化特征的可信度进行检测。具体的，利用第二预设可信度衡量规则检测所述标准化特征中威胁模型的相关数据的可信度。例如，如果网络安全威胁情报IOC上下文中包含了威胁情报模型相关数据，如包括ATT&CK(Adversarial Tactics Techniques and Common Knowledge)模型、Kill Chain(杀伤链)模型，则按照一定的衡量规则检测其可信度。本实施例中对威胁情报模型不做具体限定。In a second specific embodiment, the reliability of the standardized features is detected. Specifically, the second preset credibility measurement rule is used to detect the credibility of the data related to the threat model in the standardized features. For example, if the cybersecurity threat intelligence IOC context contains threat intelligence model-related data, such as the ATT&CK (Adversarial Tactics Techniques and Common Knowledge) model and the Kill Chain (kill chain) model, its credibility is checked according to certain measurement rules . The threat intelligence model is not specifically limited in this embodiment.

在第三种具体实施方式中，对所述时效性特征的可信度进行检测。判断网络安全威胁情报IOC上下文是否包括时间数据，包括情报的首次出现时间、情报的更新时间和情报的时间跨度，按照一定的衡量规则检测其可信度。具体的，确定所述网络安全威胁情报IOC首次出现的时间、所述网络安全威胁情报IOC的更新时间；基于所述首次出现的时间和所述更新时间确定出所述网络安全威胁情报IOC的时间跨度，并利用第三预设可信度衡量规则检测所述时间跨度的可信度。例如，最新更新时间越近，表示情报最近更新，可信度高。In a third specific implementation manner, the reliability of the time-sensitive feature is detected. Determine whether the IOC context of cybersecurity threat intelligence includes time data, including the first appearance time of the intelligence, the update time of the intelligence, and the time span of the intelligence, and check its credibility according to certain measurement rules. Specifically, determining the time when the network security threat intelligence IOC first appeared and the update time of the network security threat intelligence IOC; determining the time of the network security threat intelligence IOC based on the first appearing time and the update time span, and use the third preset credibility measurement rule to detect the credibility of the time span. For example, the closer the latest update time is, the more recent the information is updated and the higher the credibility.

步骤S13：基于所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度确定出所述网络安全威胁情报IOC的可信度，并基于所述网络安全威胁情报IOC的可信度进行相应的网络攻击检测。Step S13: Determine the credibility of the network security threat intelligence IOC based on the respective credibility of the evidence chain integrity feature, the standardized feature, and the timeliness feature, and based on the network security threat intelligence Corresponding network attack detection is carried out on the credibility of the IOC.

本申请实施例中，当检测出所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度之后，就可以确定出网络安全威胁情报IOC的可信度。In this embodiment of the present application, after detecting the respective reliability levels of the evidence chain integrity feature, the standardized feature, and the timeliness feature, the reliability of the network security threat intelligence IOC can be determined.

如图2所示，对本实施例进行网络攻击检测的流程进行具体的说明。流程开始后，获取一条待检测情报IOC的上下文，然后提取证据链完整性特征、标准化特征、时效性特征并对其进行可信度的检测，当检测出各自对应的可信度后就可以确定出待检测情报IOC的可信度，最后流程结束。As shown in FIG. 2 , the flow of network attack detection in this embodiment is specifically described. After the process starts, obtain a context of the intelligence IOC to be detected, and then extract the integrity features, standardized features, and timeliness features of the evidence chain, and test their credibility. When the respective credibility is detected, it can be determined. The reliability of the IOC of the intelligence to be detected is determined, and the final process ends.

本申请中，首先获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征；然后利用预设可信度衡量规则检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度；最后基于所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度确定出所述网络安全威胁情报IOC的可信度，并基于所述网络安全威胁情报IOC的可信度进行相应的网络攻击检测。可见，可信度高的情报一定是来自于情报生产流程规范化、标准化的厂商，所以从网络安全威胁情报的上下文来甄别情报的数据结构，可以实现有效的根据情报可信度进行相应的网络攻击检测。也即，通过对网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征检测各自对应的可信度，并利用各自对应的可信度确定出网络安全威胁情报IOC的可信度，进而基于网络安全威胁情报IOC的可信度进行相应的网络攻击检测，如此一来，对于多源情报的接入、聚合、分析提供帮助，能够简单、高效的评估网络安全威胁情报IOC的可信度，快速有效、科学的基于其可信度实现网络攻击的检测，以便于在后续的网络安全业务中使用该情报IOC。In this application, the context of the network security threat intelligence IOC is first obtained, and the integrity features, standardized features and timeliness features of the evidence chain in the context of the network security threat intelligence IOC are extracted; then, the preset credibility measurement rules are used to detect the corresponding credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature; finally, based on the respective credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature Determine the credibility of the network security threat intelligence IOC, and perform corresponding network attack detection based on the credibility of the network security threat intelligence IOC. It can be seen that the intelligence with high credibility must come from manufacturers that standardize and standardize the intelligence production process. Therefore, identifying the data structure of intelligence from the context of cybersecurity threat intelligence can effectively carry out corresponding network attacks based on intelligence credibility. detection. That is, by detecting the corresponding credibility of the evidence chain integrity features, standardized features and timeliness features in the context of the network security threat intelligence IOC, and using the respective corresponding credibility to determine the network security threat intelligence IOC. The reliability of the network security threat intelligence IOC can be used to detect the corresponding network attacks. In this way, it can provide assistance for the access, aggregation and analysis of multi-source intelligence, and can easily and efficiently evaluate network security threat intelligence. The credibility of the IOC, quickly, effectively and scientifically realize the detection of network attacks based on its credibility, so that the intelligence IOC can be used in the subsequent network security business.

本申请实施例公开了一种具体的网络攻击检测方法，参见图3所示，该方法包括：The embodiment of the present application discloses a specific network attack detection method, as shown in FIG. 3 , the method includes:

步骤S21：获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征。Step S21: Acquire the context of the network security threat intelligence IOC, and extract the evidence chain integrity features, standardized features and timeliness features in the context of the network security threat intelligence IOC.

其中，关于上述步骤S21更加具体的处理过程可以参考前述实施例中公开的相应内容，在此不再进行赘述。For more specific processing procedures of the above-mentioned step S21, reference may be made to the corresponding content disclosed in the foregoing embodiments, which will not be repeated here.

步骤S22：对所述证据链完整性特征、所述标准化特征和所述时效性特征中存在有效值的相关数据赋予各自对应的可信度。Step S22 : assigning corresponding credibility to the relevant data with valid values in the evidence chain integrity feature, the standardized feature, and the timeliness feature.

本申请实施例中，在检测所述证据链完整性特征、所述标准化特征和所述时效性特征的可信度时，对其中存在有效值的数据赋予各自对应的可信度，如此一来，就可以根据每个特征中赋予了各自对应可信度的有效值，确定出所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度。In the embodiment of the present application, when detecting the credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature, each corresponding credibility is assigned to the data in which there are valid values, so that , the respective reliability corresponding to the integrity feature of the evidence chain, the standardized feature and the timeliness feature can be determined according to the effective value of the corresponding reliability assigned to each feature.

示例性的，如图4所示为一条网络安全威胁情报IOC的数据，其数据结构使用JSON结构来表示。提取其相关上下文数据，然后检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度。首先在证据链完整性特征中，情报IOC上下文中包含攻击者信息字段organization_ids或family_ids、事件信息字段event_names、标签信息字段tags，按照存在有效值可信度赋予2分，不存在不得分，则证据链完整性特征维度可信度为2分；在标准化特征中，存在标准化威胁模型的字段kill_chain_phases，且存在有效值，按照存在有效值可信度赋予2分，不存在得0分，该情报IOC标准化特征维度可信度为2分；在时效性特征中，按图4中存在创建时间(create_time)、更新时间(update_time)，且更新时间2021-07-09 03:30:38(1625772638474换算后)距离预设时间范围小于3个月，所以得1+1＝2分，该情报IOC时效性特征维度可信度为2分。其中预设的时间可以是当前时间，也可以是任意设置的一个时间点，在此不做具体限定。Exemplarily, as shown in Figure 4, the data of a piece of network security threat intelligence IOC is represented by a JSON structure. Extract its relevant context data, and then detect the respective credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature. First of all, in the integrity feature of the evidence chain, the intelligence IOC context contains the attacker information field organization_ids or family_ids, the event information field event_names, and the tag information field tags. According to the credibility of the existence of the valid value, 2 points are given, if there is no point, the evidence The reliability of the chain integrity feature dimension is 2 points; in the standardized features, there is the field kill_chain_phases of the standardized threat model, and there is a valid value, 2 points are given according to the credibility of the existence of valid values, and 0 points are given for non-existence, the intelligence IOC The reliability of the standardized feature dimension is 2 points; in the timeliness feature, there are creation time (create_time) and update time (update_time) in Figure 4, and the update time is 2021-07-09 03:30:38 (1625772638474 after conversion ) is less than 3 months away from the preset time range, so 1+1=2 points, and the reliability of the intelligence IOC timeliness feature dimension is 2 points. The preset time may be the current time, or may be an arbitrarily set time point, which is not specifically limited here.

步骤S23：利用预设加权规则为所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度分配不同的权重比例，以得到各自分配后的对应的可信度。Step S23: Using a preset weighting rule to assign different weight ratios to the respective credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature, so as to obtain the respective assigned credibility. .

本申请实施例中，可以利用预设加权规则对得到的证据链完整性特征、标准化特征和时效性特征各自对应的可信度分配不同的权重比例，其中可以根据实际场景的不同设置不同的权重比例，当对每个特征分配不同的权重比例后可以得到分配后的各自对应的可信度。In this embodiment of the present application, preset weighting rules can be used to assign different weight ratios to the respective reliability of the obtained evidence chain integrity feature, standardized feature, and timeliness feature, and different weights can be set according to different actual scenarios. Proportion, when each feature is assigned a different weight ratio, the assigned respective corresponding credibility can be obtained.

示例性的，如果根据图4所示的情报IOC中，证据链完整性特征可信度、标准化特征可信度和时效性特征可信度的权重比例都是1，则证据链完整性特征维度可信度为2分、该情报IOC标准化特征维度可信度为2分、该情报IOC时效性特征维度可信度为2分。Exemplarily, if according to the intelligence IOC shown in Figure 4, the weight ratio of the integrity feature reliability of the evidence chain, the standardized feature reliability, and the timeliness feature reliability are all 1, then the evidence chain integrity feature dimension is The reliability is 2 points, the reliability of the intelligence IOC standardized feature dimension is 2 points, and the reliability of the intelligence IOC timeliness feature dimension is 2 points.

步骤S24：将所述分配后的对应的可信度进行求和，以得到所述网络安全威胁情报IOC的可信度。Step S24 : Summing the assigned corresponding credibility to obtain the credibility of the network security threat intelligence IOC.

本申请实施例中，将所述分配后的对应的可信度进行求和可以得到所述网络安全威胁情报IOC的可信度，然后基于所述网络安全威胁情报IOC的可信度进行相应的网络攻击检测。In the embodiment of the present application, the credibility of the network security threat intelligence IOC can be obtained by summing the assigned corresponding credibility, and then based on the credibility of the network security threat intelligence IOC, corresponding Network attack detection.

示例性的，将上述步骤中分配不同权重后的可信度进行求和，即最终网络安全威胁情报IOC的可信度＝证据链完整性特征维度可信度+标准化特征维度可信度+时效性特征维度可信度＝2+2+2＝6分，如此一来，通过对影响情报可信度的关键因子进行静态分析，从而确定出得分有效的情报IOC可信度。Exemplarily, sum the credibility of the different weights assigned in the above steps, that is, the credibility of the final network security threat intelligence IOC = the credibility of the integrity feature dimension of the evidence chain + the credibility of the standardized feature dimension + aging The reliability of sexual characteristics dimension = 2+2+2 = 6 points. In this way, through the static analysis of the key factors that affect the credibility of intelligence, the credibility of intelligence IOC with effective scores is determined.

本申请中，首先获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征；然后对所述证据链完整性特征、所述标准化特征和所述时效性特征中存在有效值的相关数据赋予各自对应的可信度；最后利用预设加权规则为所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度分配不同的权重比例，以得到各自分配后的对应的可信度；将所述分配后的对应的可信度进行求和，以得到所述网络安全威胁情报IOC的可信度。可见，可信度高的情报一定是来自于情报生产流程规范化、标准化的厂商，所以从网络安全威胁情报的上下文来甄别情报的数据结构，可以实现有效的根据情报可信度进行相应的网络攻击检测。也即，通过对所述证据链完整性特征、所述标准化特征和所述时效性特征中存在有效值的相关数据赋予各自对应的可信度，并利用各自对应的可信度确定出网络安全威胁情报IOC的可信度，进而基于网络安全威胁情报IOC的可信度进行相应的网络攻击检测，如此一来，对于多源情报的接入、聚合、分析提供帮助，能够简单、高效的评估网络安全威胁情报IOC的可信度，快速有效、科学的基于其可信度实现网络攻击的检测，以便于在后续的网络安全业务中使用该情报IOC。In this application, the context of the network security threat intelligence IOC is first obtained, and the evidence chain integrity features, standardized features and timeliness features in the context of the network security threat intelligence IOC are extracted; then the evidence chain integrity features, Relevant data with valid values in the standardized feature and the timeliness feature are assigned respective corresponding credibility; finally, a preset weighting rule is used for the integrity feature of the evidence chain, the standardized feature and the timeliness feature The corresponding credibility degrees are assigned different weight ratios to obtain the respective assigned credibility degrees; the assigned corresponding credibility degrees are summed to obtain the reliability of the network security threat intelligence IOC. reliability. It can be seen that the intelligence with high credibility must come from manufacturers that standardize and standardize the intelligence production process. Therefore, identifying the data structure of intelligence from the context of cybersecurity threat intelligence can effectively carry out corresponding network attacks based on intelligence credibility. detection. That is, by assigning respective corresponding credibility to the relevant data with valid values in the evidence chain integrity feature, the standardized feature and the timeliness feature, and using the respective corresponding credibility to determine the network security The credibility of the threat intelligence IOC, and then the corresponding network attack detection based on the credibility of the network security threat intelligence IOC. In this way, it provides assistance for the access, aggregation, and analysis of multi-source intelligence, and can be easily and efficiently evaluated. The credibility of the network security threat intelligence IOC, quickly, effectively and scientifically realize the detection of network attacks based on its credibility, so as to facilitate the use of the intelligence IOC in the subsequent network security business.

相应的，本申请实施例还公开了一种网络攻击检测装置，参见图5所示，该装置包括：Correspondingly, the embodiment of the present application also discloses a network attack detection device, as shown in FIG. 5 , the device includes:

特征提取模块11，用于获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征；The feature extraction module 11 is used to obtain the context of the network security threat intelligence IOC, and extract the evidence chain integrity features, standardized features and timeliness features in the context of the network security threat intelligence IOC;

可信度检测模块12，用于利用预设可信度衡量规则检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度；The credibility detection module 12 is used to detect the respective credibility of the integrity feature of the evidence chain, the standardized feature and the timeliness feature by using a preset credibility measurement rule;

网络攻击检测模块13，用于基于所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度确定出所述网络安全威胁情报IOC的可信度，并基于所述网络安全威胁情报IOC的可信度进行相应的网络攻击检测。The network attack detection module 13 is configured to determine the credibility of the network security threat intelligence IOC based on the respective credibility of the integrity feature of the evidence chain, the standardized feature and the timeliness feature, and based on the Corresponding network attack detection is carried out according to the credibility of the above-mentioned network security threat intelligence IOC.

其中，关于上述各个模块更加具体的工作过程可以参考前述实施例中公开的相应内容，在此不再进行赘述。For more specific working processes of the above-mentioned modules, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which will not be repeated here.

由此可见，通过本实施例的上述方案，首先获取网络安全威胁情报IOC的上下文，并提取所述网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征；然后利用预设可信度衡量规则检测所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度；最后基于所述证据链完整性特征、所述标准化特征和所述时效性特征各自对应的可信度确定出所述网络安全威胁情报IOC的可信度，并基于所述网络安全威胁情报IOC的可信度进行相应的网络攻击检测。可见，可信度高的情报一定是来自于情报生产流程规范化、标准化的厂商，所以从网络安全威胁情报的上下文来甄别情报的数据结构，可以实现有效的根据情报可信度进行相应的网络攻击检测。也即，通过对网络安全威胁情报IOC的上下文中的证据链完整性特征、标准化特征和时效性特征检测各自对应的可信度，并利用各自对应的可信度确定出网络安全威胁情报IOC的可信度，进而基于网络安全威胁情报IOC的可信度进行相应的网络攻击检测，如此一来，对于多源情报的接入、聚合、分析提供帮助，能够简单、高效的评估网络安全威胁情报IOC的可信度，快速有效、科学的基于其可信度实现网络攻击的检测，以便于在后续的网络安全业务中使用该情报IOC。It can be seen that, through the above solution of this embodiment, the context of the network security threat intelligence IOC is first obtained, and the integrity characteristics, standardized characteristics and timeliness characteristics of the evidence chain in the context of the network security threat intelligence IOC are extracted; The preset credibility measurement rule detects the respective credibility of the integrity feature of the evidence chain, the standardized feature, and the timeliness feature; finally, based on the integrity feature of the evidence chain, the standardized feature, and the The reliability corresponding to the timeliness features determines the reliability of the network security threat intelligence IOC, and performs corresponding network attack detection based on the reliability of the network security threat intelligence IOC. It can be seen that the intelligence with high credibility must come from manufacturers that standardize and standardize the intelligence production process. Therefore, identifying the data structure of intelligence from the context of cybersecurity threat intelligence can effectively carry out corresponding network attacks based on intelligence credibility. detection. That is, by detecting the corresponding credibility of the evidence chain integrity features, standardized features and timeliness features in the context of the network security threat intelligence IOC, and using the respective corresponding credibility to determine the network security threat intelligence IOC. The reliability of the network security threat intelligence IOC can be used to detect the corresponding network attacks. In this way, it can provide assistance for the access, aggregation and analysis of multi-source intelligence, and can easily and efficiently evaluate network security threat intelligence. The credibility of the IOC, quickly, effectively and scientifically realize the detection of network attacks based on its credibility, so that the intelligence IOC can be used in the subsequent network security business.

进一步的，本申请实施例还公开了一种电子设备，图6是根据一示例性实施例示出的电子设备20结构图，图中内容不能认为是对本申请的使用范围的任何限制。Further, the embodiment of the present application also discloses an electronic device. FIG. 6 is a structural diagram of theelectronic device 20 according to an exemplary embodiment, and the content in the figure should not be considered as any limitation on the scope of application of the present application.

图6为本申请实施例提供的一种电子设备20的结构示意图。该电子设备20，具体可以包括：至少一个处理器21、至少一个存储器22、电源23、通信接口24、输入输出接口25和通信总线26。其中，所述存储器22用于存储计算机程序，所述计算机程序由所述处理器21加载并执行，以实现前述任一实施例公开的网络攻击检测方法中的相关步骤。另外，本实施例中的电子设备20具体可以为计算机。FIG. 6 is a schematic structural diagram of anelectronic device 20 according to an embodiment of the present application. Theelectronic device 20 may specifically include: at least one processor 21 , at least one memory 22 , a power supply 23 , a communication interface 24 , an input and output interface 25 and a communication bus 26 . Wherein, the memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the network attack detection method disclosed in any of the foregoing embodiments. In addition, theelectronic device 20 in this embodiment may specifically be a computer.

本实施例中，电源23用于为电子设备20上的各硬件设备提供工作电压；通信接口24能够为电子设备20创建与外界设备之间的数据传输通道，其所遵循的通信协议是能够适用于本申请技术方案的任意通信协议，在此不对其进行具体限定；输入输出接口25，用于获取外界输入数据或向外界输出数据，其具体的接口类型可以根据具体应用需要进行选取，在此不进行具体限定。In this embodiment, the power supply 23 is used to provide working voltage for each hardware device on theelectronic device 20; the communication interface 24 can create a data transmission channel between theelectronic device 20 and external devices, and the communication protocol it follows is applicable Any communication protocol in the technical solution of the present application is not specifically limited here; the input and output interface 25 is used to obtain external input data or output data to the outside world, and its specific interface type can be selected according to specific application needs, here No specific limitation is made.

另外，存储器22作为资源存储的载体，可以是只读存储器、随机存储器、磁盘或者光盘等，其上所存储的资源可以包括操作系统221、计算机程序222及数据223等，数据223可以包括各种各样的数据。存储方式可以是短暂存储或者永久存储。In addition, the memory 22, as a carrier for resource storage, can be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., and the resources stored thereon can include an operating system 221, a computer program 222, and data 223, etc., and the data 223 can include various various data. The storage method can be short-term storage or permanent storage.

其中，操作系统221用于管理与控制电子设备20上的各硬件设备以及计算机程序222，其可以是Windows Server、Netware、Unix、Linux等。计算机程序222除了包括能够用于完成前述任一实施例公开的由电子设备20执行的网络攻击检测方法的计算机程序之外，还可以进一步包括能够用于完成其他特定工作的计算机程序。The operating system 221 is used to manage and control various hardware devices and computer programs 222 on theelectronic device 20, which may be Windows Server, Netware, Unix, Linux, and the like. The computer program 222 may further include a computer program that can be used to complete other specific tasks in addition to the computer program that can be used to complete the network attack detection method performed by theelectronic device 20 disclosed in any of the foregoing embodiments.

进一步的，本申请实施例还公开了一种计算机可读存储介质，这里所说的计算机可读存储介质包括随机存取存储器(Random Access Memory，RAM)、内存、只读存储器(Read-Only Memory，ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、磁碟或者光盘或技术领域内所公知的任意其他形式的存储介质。其中，所述计算机程序被处理器执行时实现前述网络攻击检测方法。关于该方法的具体步骤可以参考前述实施例中公开的相应内容，在此不再进行赘述。Further, the embodiment of the present application also discloses a computer-readable storage medium, and the computer-readable storage medium mentioned here includes random access memory (Random Access Memory, RAM), internal memory, read-only memory (Read-Only Memory) , ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, magnetic disk or optical disk or any other form of storage medium known in the art. Wherein, when the computer program is executed by the processor, the foregoing network attack detection method is implemented. For the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which will not be repeated here.

本说明书中各个实施例采用递进的方式描述，每个实施例重点说明的都是与其它实施例的不同之处，各个实施例之间相同或相似部分互相参见即可。对于实施例公开的装置而言，由于其与实施例公开的方法相对应，所以描述的比较简单，相关之处参见方法部分说明即可。The various embodiments in this specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments, and the same or similar parts between the various embodiments may be referred to each other. As for the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant part can be referred to the description of the method.

结合本文中所公开的实施例描述的网络攻击检测或算法的步骤可以直接用硬件、处理器执行的软件模块，或者二者的结合来实施。软件模块可以置于随机存储器(RAM)、内存、只读存储器(ROM)、电可编程ROM、电可擦除可编程ROM、寄存器、硬盘、可移动磁盘、CD-ROM、或技术领域内所公知的任意其它形式的存储介质中。The steps of network attack detection or algorithm described in conjunction with the embodiments disclosed herein may be directly implemented in hardware, a software module executed by a processor, or a combination of the two. A software module can be placed in random access memory (RAM), internal memory, read only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other in the technical field. in any other known form of storage medium.

最后，还需要说明的是，在本文中，诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来，而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且，术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含，从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素，而且还包括没有明确列出的其他要素，或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下，由语句“包括一个……”限定的要素，并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。Finally, it should also be noted that in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply these entities or that there is any such actual relationship or sequence between operations. Moreover, the terms "comprising", "comprising" or any other variation thereof are intended to encompass a non-exclusive inclusion such that a process, method, article or device that includes a list of elements includes not only those elements, but also includes not explicitly listed or other elements inherent to such a process, method, article or apparatus. Without further limitation, an element qualified by the phrase "comprising a..." does not preclude the presence of additional identical elements in a process, method, article or apparatus that includes the element.

以上对本发明所提供的一种网络攻击检测方法、装置、设备及存储介质进行了详细介绍，本文中应用了具体个例对本发明的原理及实施方式进行了阐述，以上实施例的说明只是用于帮助理解本发明的方法及其核心思想；同时，对于本领域的一般技术人员，依据本发明的思想，在具体实施方式及应用范围上均会有改变之处，综上所述，本说明书内容不应理解为对本发明的限制。A network attack detection method, device, device and storage medium provided by the present invention have been described in detail above. Specific examples are used in this paper to illustrate the principles and implementations of the present invention. The descriptions of the above embodiments are only used for Help to understand the method of the present invention and its core idea; at the same time, for those skilled in the art, according to the idea of the present invention, there will be changes in the specific implementation and application scope. In summary, the content of this specification It should not be construed as a limitation of the present invention.

Claims (10)

1. A network attack detection method, comprising:

obtaining the context of the IOC, and extracting the evidence chain integrity characteristic, the standardization characteristic and the timeliness characteristic in the context of the IOC;

detecting the respective corresponding credibility of the integrity characteristic, the standardization characteristic and the timeliness characteristic of the evidence chain by using a preset credibility measurement rule;

and determining the credibility of the IOC based on the credibility corresponding to the integrity characteristic, the standardization characteristic and the timeliness characteristic of the evidence chain, and carrying out corresponding network attack detection based on the credibility of the IOC.

2. The network attack detection method according to claim 1, wherein the detecting the credibility of the integrity feature of the evidence chain by using a preset credibility measurement rule comprises:

and detecting the credibility of the attacker information, the credibility of the security event information and the credibility of the tag information in the integrity characteristics of the evidence chain by using a first preset credibility measurement rule.

3. The network attack detection method according to claim 2, wherein before detecting the credibility of the attacker information, the credibility of the security event information, and the credibility of the tag information in the integrity feature of the evidence chain by using the first preset credibility measurement rule, the method further comprises:

if the attacker information, the security event information and the tag information exist in the evidence chain integrity feature, judging that the evidence chain is complete, and triggering the step of detecting the credibility of the attacker information, the security event information and the tag information in the evidence chain integrity feature by using a first preset credibility measurement rule.

4. The network attack detection method according to claim 1, wherein detecting the credibility of the standardized features by using a preset credibility measurement rule comprises:

and detecting the credibility of the relevant data of the threat model in the standardized characteristics by using a second preset credibility measuring rule.

5. The network attack detection method according to claim 1, wherein detecting the credibility of the timeliness feature by using a preset credibility measurement rule comprises:

determining the first occurrence time of the IOC and the updating time of the IOC;

and determining the time span of the IOC based on the first occurrence time and the updating time, and detecting the credibility of the time span by using a third preset credibility measurement rule.

6. The network attack detection method according to claim 1, wherein the determining the credibility of the cyber security threat intelligence IOC based on the credibility corresponding to each of the evidence chain integrity feature, the standardization feature and the timeliness feature comprises:

distributing different weight proportions to the credibility corresponding to the integrity characteristic, the standardization characteristic and the timeliness characteristic of the evidence chain by using a preset weighting rule so as to obtain the corresponding credibility after respective distribution;

and summing the distributed corresponding credibility to obtain the credibility of the IOC.

7. The network attack detection method according to any one of claims 1 to 6, wherein the detecting the credibility corresponding to each of the evidence chain integrity feature, the standardization feature and the timeliness feature by using a preset credibility measurement rule comprises:

and assigning corresponding credibility to the related data with valid values in the evidence chain integrity characteristic, the standardization characteristic and the timeliness characteristic.

8. A cyber attack detecting apparatus, comprising:

the system comprises a characteristic extraction module, a data processing module and a data processing module, wherein the characteristic extraction module is used for acquiring the context of the IOC and extracting the evidence chain integrity characteristic, the standardization characteristic and the timeliness characteristic in the context of the IOC;

the credibility detection module is used for detecting the credibility corresponding to the integrity characteristic, the standardization characteristic and the timeliness characteristic of the evidence chain by using a preset credibility measurement rule;

and the network attack detection module is used for determining the credibility of the network security threat intelligence IOC based on the credibility corresponding to the integrity characteristic, the standardization characteristic and the timeliness characteristic of the evidence chain and carrying out corresponding network attack detection based on the credibility of the network security threat intelligence IOC.

9. An electronic device, comprising a processor and a memory; wherein the memory is used for storing a computer program which is loaded and executed by the processor to implement the network attack detection method according to any one of claims 1 to 7.

10. A computer-readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the network attack detection method of any one of claims 1 to 7.

Images