


Technical Field
The present invention relates to the technical field of network security, and in particular to a method, apparatus, electronic device and storage medium for processing network threat information.
Background Art
As modern network structures grow more complex (complex network partitioning, cloud networks, new types of network devices, and so on), the volume of alerts produced by security devices increases day by day. When alert data is processed, high-threat alert events are found mainly by analysts performing alert correlation analysis by hand, and the traceability analysis of the high-threat alert events that are found is then carried out on the basis of experience, so omissions lead to inaccurate traceability analysis results.
Summary of the Invention
In view of this, embodiments of the present invention provide a method, apparatus, electronic device and storage medium for processing network threat information, which can improve the accuracy of traceability analysis of network threat information.
To achieve the above object, embodiments of the present invention adopt the following technical solutions:
In a first aspect, an embodiment of the present invention provides a method for processing network threat information, comprising: parsing and detecting network traffic data to determine basic threat events, and performing full-element data storage of the traffic of the basic threat events; screening the basic threat events to identify key threat events; establishing a network entity behavior relationship graph from the information carried by the key threat events; determining the attack chain of the key threat events based on a preset attack chain model; and profiling the attack organization behind the key threat events based on the attack chain and the full-element data.
According to a specific implementation of an embodiment of the present invention, screening the basic threat events to identify key threat events comprises: performing aggregation screening on the basic threat events to identify key threat events.
According to a specific implementation of an embodiment of the present invention, determining the attack chain of the key threat events based on a preset attack chain model comprises: automatically deriving the attack chain of the key threat events based on a preset long/short attack chain model and a given chain length.
According to a specific implementation of an embodiment of the present invention, before screening the basic threat events to identify key threat events, the method further comprises: performing attack confirmation on the basic threat events.
According to a specific implementation of an embodiment of the present invention, performing attack confirmation on the basic threat events comprises: confirming whether a SQL injection, and/or an XSS attack, and/or a file upload vulnerability is present in the basic threat event; confirming whether a Struts2 remote code execution vulnerability and/or a deserialization remote code execution vulnerability is present in the basic threat event; and verifying, by analyzing the alert information and the session flow, whether a WEBSHELL is present in the basic threat event or whether a successfully uploaded WEBSHELL file is present.
According to a specific implementation of an embodiment of the present invention, establishing a network entity behavior relationship graph from the information carried by the key threat events comprises: extracting the behaviors in the key threat event and the relationships between those behaviors from the information carried by the key threat event; and establishing the network entity behavior relationship graph of the key threat event based on the behaviors in the key threat event and the relationships between them.
According to a specific implementation of an embodiment of the present invention, profiling the attack organization behind the key threat events based on the attack chain and the full-element data comprises: extracting the behavior element data of the attack chain and the code associated with the attack chain from the full-element data, so as to profile the attack organization behind the key threat events.
In a second aspect, an embodiment of the present invention provides an apparatus for processing network threat information, comprising: a basic threat event detection module, configured to parse and detect network traffic data, determine basic threat events, and perform full-element data storage of the traffic of the basic threat events; a key threat event identification module, configured to screen the basic threat events to identify key threat events; a network entity behavior relationship graph generation module, configured to establish a network entity behavior relationship graph from the information carried by the key threat events; an attack chain identification module, configured to determine the attack chain of the key threat events based on a preset attack chain model; and a profiling module, configured to profile the attack organization behind the key threat events based on the attack chain and the full-element data.
According to a specific implementation of an embodiment of the present invention, the key threat event identification module is specifically configured to: perform aggregation screening on the basic threat events to identify key threat events.
According to a specific implementation of an embodiment of the present invention, the attack chain identification module is specifically configured to: automatically derive the attack chain of the key threat events based on a preset long/short attack chain model and a given chain length.
According to a specific implementation of an embodiment of the present invention, the apparatus further comprises an attack confirmation module, configured to perform attack confirmation on the basic threat events.
According to a specific implementation of an embodiment of the present invention, the attack confirmation module is specifically configured to: perform attack confirmation for SQL injection, XSS attacks and file upload vulnerabilities; perform attack confirmation for the Struts2 remote code execution vulnerability and deserialization remote code execution vulnerabilities; and verify, by analyzing the alert information and the session flow, whether a WEBSHELL exists or whether a WEBSHELL file has been uploaded successfully.
According to a specific implementation of an embodiment of the present invention, the network entity behavior relationship graph generation module is specifically configured to: extract the behaviors of the key threat event and the relationships between the behaviors from the information carried by the key threat event; and establish the network entity behavior relationship graph of the key threat event based on the behaviors of the key threat event and the relationships between them.
According to a specific implementation of an embodiment of the present invention, the profiling module is specifically configured to: extract the behavior element data of the attack chain and the code associated with the attack chain from the full-element data, so as to profile the attack organization behind the key threat events.
In a third aspect, an embodiment of the present invention provides an electronic device comprising: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit is configured to supply power to each circuit or component of the electronic device; the memory is configured to store executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the method for processing network threat information according to any one of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing one or more programs, which are executable by one or more processors to implement the method for processing network threat information according to any one of the first aspect.
The method, apparatus, electronic device and storage medium for processing network threat information provided by the embodiments of the present invention comprise: parsing and detecting network traffic data to determine basic threat events, and performing full-element data storage of the traffic of the basic threat events; screening the basic threat events to identify key threat events; determining the attack chain of the key threat events based on a preset attack chain model; establishing a network entity behavior relationship graph from the information carried by the key threat events; and profiling the attack organization behind the key threat events based on the attack chain and the full-element data. In this way, the network threat information can be trace-analyzed through the network entity behavior relationship graph of the key threat events it contains and the profile of their attack organization, which improves the accuracy of traceability analysis of network threat information.
Description of the Drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for processing network threat information according to an embodiment of the present invention;
FIG. 2 is a block diagram of an apparatus for processing network threat information according to an embodiment of the present invention;
FIG. 3 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description of Embodiments
Embodiments of the present invention are described in detail below with reference to the drawings.
It should be understood that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to FIG. 1, the method for processing network threat information provided by an embodiment of the present invention comprises:
S101: parsing and detecting network traffic data to determine basic threat events, and performing full-element data storage of the traffic of the basic threat events.
The network traffic data may be the traffic between a client and a server, obtained either inline or by bypass (mirroring) from the switch between the client and the server. Once the network traffic data is obtained, it can be parsed and inspected with packet analysis techniques to extract link-layer, network-layer and application-layer information, so as to obtain the protocol, sample information and so on of an event in the network traffic data. This is uploaded to a threat detection engine, which determines from the event's threat level whether the event is a basic threat event.
Full-element data storage, also called full-traffic data storage, means storing all of the data centrally in one place rather than scattering it across several locations. This allows the data to be managed uniformly, makes querying and analysis easier, and better ensures data integrity and consistency.
S102: screening the basic threat events to identify key threat events.
Basic threat events may also be called low-threat events, gray events and so on, and key threat events may also be called high-threat events. Compared with basic threat events, key threat events carry more characteristics of the attacker or attack organization.
As described above, the threat detection engine can determine whether an event is a basic threat event. During detection, however, some key threat events whose threat characteristics are not obvious will be judged to have a low threat level and thus be classified as basic threat events. The basic threat events therefore need to be screened further to identify key threat events, so as to improve the accuracy of traceability analysis of network threat information.
S103: establishing a network entity behavior relationship graph from the information carried by the key threat events.
The network entity behavior relationship graph is a knowledge graph of a key threat event; it visually shows the components of the key threat event and the relationships between them.
When establishing the network entity behavior relationship graph, an analyst may examine the information carried by the key threat event and work out its components and the relationships between them; alternatively, the information carried by the key threat event may be passed to a preset network entity behavior ontology model, which establishes the network entity behavior relationship graph.
S104: determining the attack chain of the key threat events based on a preset attack chain model.
The attack chain refers to the seven stages of an attacker's intrusion: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control and Actions on Objectives.
S105: profiling the attack organization behind the key threat events based on the attack chain and the full-element data.
The attack organization profile obtained in this way is a system of labels, so it may correspond to a known attack organization or to an as yet unknown one.
Similarly to the establishment of the network entity behavior relationship graph of the key threat event, the attack organization behind the key threat event may be profiled manually or by a preset profiling model.
The method for processing network threat information provided by an embodiment of the present invention comprises: parsing and detecting network traffic data to determine basic threat events, and performing full-element data storage of the traffic of the basic threat events; screening the basic threat events to identify key threat events; determining the attack chain of the key threat events based on a preset attack chain model; establishing a network entity behavior relationship graph from the information carried by the key threat events; and profiling the attack organization behind the key threat events based on the attack chain and the full-element data. In this way, the network threat information can be trace-analyzed through the network entity behavior relationship graph of the key threat events it contains and the profile of their attack organization, which improves the accuracy of traceability analysis of network threat information.
In an embodiment, screening the basic threat events to identify key threat events comprises: performing aggregation screening on the basic threat events to identify key threat events.
When performing aggregation screening on the basic threat events, the basic threat events may be passed to a preset event screening model, which carries out the aggregation screening. This helps threat analysts obtain key threat events from the basic threat events quickly, and aggregation screening through an event screening model is easy to maintain and extend, for example by adding new dimensions or modifying the aggregation screening rules.
Specifically, the preset event screening model may extract the values of the features of a basic threat event; for example, it may use a hidden Markov model to extract the values of features related to changes in packet length and timing, and then construct a matrix for the basic threat event from the extracted feature values. The same feature occupies the same position in the matrices of different basic threat events.
In one example, the features used to construct the matrix of a basic threat event include: source port, destination port, inbound traffic, outbound traffic, number of inbound packets, number of outbound packets, duration, packet length variation matrix, packet timing variation matrix, byte distribution, HTTP request header threat level, IP (Internet Protocol) threat level, decoded content threat level, JA3 threat level, and so on.
After the matrices of the basic threat events are obtained, the preset event screening model may process them with unsupervised learning, for example a clustering algorithm, to obtain the anomalous matrices from among them. The basic threat events corresponding to the anomalous matrices are the key threat events. When processing the matrices with unsupervised learning, the Apriori algorithm may be used to mine association relationships between the matrices of the basic threat events to strengthen the unsupervised learning.
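The aggregation screening described above, as an added example that is not part of the patent text: a constructed set of basic threat events is turned into a fixed-column feature matrix (the same feature always in the same position), each column is standardised, and rows far from the centroid are reported as key threat events. The event values, the feature subset, the z-score distance rule that stands in for the HMM-derived features and clustering algorithm named in the text, and the threshold are all assumptions made for illustration.

```python
"""Aggregation screening of basic threat events as a fixed-position feature
matrix plus an unsupervised outlier rule.  Constructed example, not the
patent's model: the text derives features with an HMM and finds anomalous
matrices with clustering; here a z-score distance from the centroid stands
in for the clustering step so the whole path is visible."""
from math import sqrt
from statistics import mean, pstdev

# Fixed feature order: the same feature occupies the same column in every
# event's row, as the description requires for the event matrices.
FEATURE_ORDER = (
    "in_bytes", "out_bytes", "in_pkts", "out_pkts",
    "duration_s", "http_hdr_threat", "ip_threat", "ja3_threat",
)

# Constructed basic threat events (hypothetical values, not real traffic).
# evt-6 is built as a long-lived session with a very large outbound volume
# and high reputation scores on several dimensions.
SAMPLE_BASIC_EVENTS = [
    {"id": "evt-1", "in_bytes": 1200, "out_bytes": 800, "in_pkts": 10, "out_pkts": 8,
     "duration_s": 2.0, "http_hdr_threat": 1, "ip_threat": 0, "ja3_threat": 0},
    {"id": "evt-2", "in_bytes": 1500, "out_bytes": 900, "in_pkts": 12, "out_pkts": 9,
     "duration_s": 2.5, "http_hdr_threat": 1, "ip_threat": 0, "ja3_threat": 0},
    {"id": "evt-3", "in_bytes": 1100, "out_bytes": 700, "in_pkts": 9, "out_pkts": 7,
     "duration_s": 1.8, "http_hdr_threat": 0, "ip_threat": 0, "ja3_threat": 0},
    {"id": "evt-4", "in_bytes": 1300, "out_bytes": 850, "in_pkts": 11, "out_pkts": 8,
     "duration_s": 2.2, "http_hdr_threat": 1, "ip_threat": 1, "ja3_threat": 0},
    {"id": "evt-5", "in_bytes": 1400, "out_bytes": 750, "in_pkts": 10, "out_pkts": 7,
     "duration_s": 2.1, "http_hdr_threat": 0, "ip_threat": 0, "ja3_threat": 0},
    {"id": "evt-6", "in_bytes": 900, "out_bytes": 52_000_000, "in_pkts": 8, "out_pkts": 40_000,
     "duration_s": 1800.0, "http_hdr_threat": 3, "ip_threat": 3, "ja3_threat": 3},
]


def build_matrix(events):
    """One row per event; column i always holds FEATURE_ORDER[i]."""
    return [[float(e[name]) for name in FEATURE_ORDER] for e in events]


def zscore_columns(matrix):
    """Standardise each column so features with different units are comparable.
    A constant column (zero spread) contributes 0 instead of dividing by zero."""
    cols = list(zip(*matrix))
    stats = [(mean(c), pstdev(c)) for c in cols]
    return [
        [0.0 if sd == 0 else (v - mu) / sd for v, (mu, sd) in zip(row, stats)]
        for row in matrix
    ]


def anomaly_scores(events):
    """RMS distance of each standardised row from the centroid (the origin)."""
    z = zscore_columns(build_matrix(events))
    return {
        e["id"]: sqrt(sum(v * v for v in row) / len(row))
        for e, row in zip(events, z)
    }


def screen_key_events(events, threshold=1.5):
    """Aggregation screening: rows far from the bulk are the anomalous matrices,
    and the events behind them are reported as key threat events."""
    scores = anomaly_scores(events)
    flagged = [eid for eid, s in scores.items() if s >= threshold]
    return {"scores": scores, "key_events": flagged}


if __name__ == "__main__":
    result = screen_key_events(SAMPLE_BASIC_EVENTS)
    for eid, s in result["scores"].items():
        print(f"{eid}: score={s:.2f}")
    print("key threat events:", result["key_events"])
```

The threshold is deliberately a parameter: with a handful of events the single outlier dominates every column, so a fixed cut-off is only meaningful relative to the data set size, and in practice it would be tuned against the clustering output the text describes.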
In an embodiment, determining the attack chain of the key threat events based on a preset attack chain model comprises: automatically deriving the attack chain of the key threat events based on a preset long/short attack chain model and a given chain length.
Given the chain length, the preset long/short attack chain model can automatically derive the attack chain of the key threat events using sequence/association algorithms such as a hidden Markov model or the Apriori algorithm, solving the problem of incomplete attack chains caused by omissions when the attack chain is reconstructed manually.
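One way to automate the derivation just described, as an added example rather than the patent's long/short attack chain model: constructed stage-tagged events for one key threat event are reduced to the longest time-ordered run of distinct kill-chain stages (the seven stages listed under S104), and the result is compared with the requested chain length. The timestamps, the reading of "given chain length" as a required number of stages, and the use of a longest-increasing-subsequence rule in place of the HMM/Apriori algorithms the text names are assumptions.

```python
"""Deriving an attack chain of a given length from stage-tagged events.
Constructed example, not the patent's long/short attack chain model: the
chain is taken as the longest time-ordered run of distinct kill-chain stages,
which is exactly the part an analyst otherwise reconstructs by hand."""

# The seven stages named in the description, in kill-chain order.
KILL_CHAIN = (
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
)
STAGE_INDEX = {name: i for i, name in enumerate(KILL_CHAIN)}

# Constructed stage-tagged events for one key threat event (hypothetical
# timestamps in seconds).  A late scan and a repeated exploit are included:
# a plain "sort by time" reconstruction would place them in the chain.
SAMPLE_STAGE_EVENTS = [
    (100, "Delivery"),
    (160, "Exploitation"),
    (200, "Reconnaissance"),
    (260, "Installation"),
    (300, "Command & Control"),
    (340, "Exploitation"),
    (900, "Actions on Objectives"),
]


def longest_ordered_chain(events):
    """Longest strictly increasing subsequence of stage indices over the
    time-ordered events, i.e. the longest kill-chain-consistent chain."""
    ordered = sorted(events, key=lambda ev: ev[0])
    idx = [STAGE_INDEX[stage] for _, stage in ordered]
    n = len(idx)
    if n == 0:
        return []
    best_len = [1] * n      # length of the best chain ending at position i
    prev = [-1] * n         # predecessor position, for reconstruction
    for i in range(n):
        for j in range(i):
            if idx[j] < idx[i] and best_len[j] + 1 > best_len[i]:
                best_len[i] = best_len[j] + 1
                prev[i] = j
    end = max(range(n), key=lambda i: best_len[i])
    chain = []
    while end != -1:
        chain.append(KILL_CHAIN[idx[end]])
        end = prev[end]
    return chain[::-1]


def derive_attack_chain(events, chain_length):
    """Assumed reading of 'given chain length': the model asks for a chain of
    chain_length stages; report the derived chain, whether it reaches that
    length, and which stages of the full model are still missing."""
    chain = longest_ordered_chain(events)
    missing = [s for s in KILL_CHAIN if s not in chain]
    return {
        "chain": chain,
        "meets_length": len(chain) >= chain_length,
        "missing_stages": missing,
    }


if __name__ == "__main__":
    short = derive_attack_chain(SAMPLE_STAGE_EVENTS, chain_length=5)
    print(" -> ".join(short["chain"]), "| complete:", short["meets_length"])
    full = derive_attack_chain(SAMPLE_STAGE_EVENTS, chain_length=len(KILL_CHAIN))
    print("missing for the full chain:", full["missing_stages"])
```

The "missing_stages" output is what makes the result useful for traceability: it tells the analyst which stages the stored full-element data should be searched for, instead of leaving the gap to be noticed by hand.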
In an embodiment, before screening the basic threat events to identify key threat events, the method further comprises: performing attack confirmation on the basic threat events. Attack confirmation means confirming whether the attack in a basic threat event succeeded; its purpose is to lower the false-positive rate so that the relationship graph established later is more accurate.
Whether a basic threat event can succeed as an attack may be confirmed from the stored full-element data of the basic threat event. For example, IoC (Indicators of Compromise) information of the basic threat event such as the IP, URL (Uniform Resource Locator) and DNS (Domain Name System) data may be passed to a file-download trojan attack detection and confirmation model, an e-mail attachment trojan attack detection and confirmation model and the like, which confirm whether the basic threat event succeeded.
After a basic threat event is confirmed to have succeeded, it may be classified as a key threat event and processed by steps S103 to S105 above.
Further, after a basic threat event is confirmed to be a successful attack, the firewall may be notified, according to a pre-configuration, to block the Internet Protocol address (IP address) of the event, ensuring user security.
In an embodiment, performing attack confirmation on the basic threat events comprises: confirming whether a SQL injection, and/or an XSS attack, and/or a file upload vulnerability is present in the basic threat event; confirming whether a Struts2 remote code execution vulnerability and/or a deserialization remote code execution vulnerability is present in the basic threat event; and verifying, by analyzing the alert information and the session flow, whether a WEBSHELL is present in the basic threat event or whether a successfully uploaded WEBSHELL file is present.
SQL injection, XSS attacks and file upload vulnerabilities are all important general-purpose vulnerabilities; the Struts2 remote code execution vulnerability and deserialization remote code execution vulnerabilities are important hot-spot vulnerabilities; and a WEBSHELL is a malicious script commonly seen in network threats. By performing attack confirmation specifically for the important general-purpose vulnerabilities, the important hot-spot vulnerabilities and WEBSHELLs, rather than confirming all vulnerabilities in one generic way, missed detection of newly emerging vulnerabilities can be avoided and the accuracy of attack confirmation improved.
Further, in this embodiment, attack confirmation of the basic threat events may also include confirming the success of attack samples, that is, correlating the IoC information of a sample (IP, URL, DNS) with external traffic detection information. For example, the file-download trojan attack detection and confirmation model and the e-mail attachment trojan attack detection and confirmation model correlate file or e-mail data with trojan samples to identify whether a file-download trojan attack and/or an e-mail attachment trojan attack has succeeded.
Preferably, in this embodiment, attack confirmation of a basic threat event not only confirms whether the event is a successful attack but also determines the consequences of the attack, for example whether a SQL injection has led to database dumping, so that the firewall can be notified to specifically block the database dumping caused by the SQL injection, ensuring user security.
In an embodiment, establishing a network entity behavior relationship graph from the information carried by the key threat events comprises: extracting the behaviors in the key threat event and the relationships between those behaviors from the information carried by the key threat event; and establishing the network entity behavior relationship graph of the key threat event based on the behaviors in the key threat event and the relationships between them.
Before the network entity behavior relationship graph is established from the information carried by the key threat events, the events confirmed as successful attacks, or attack events collected in advance, may be analyzed to determine the features they have in common, such as IP, trojan file, C2 domain name and download address, and homology analysis of these events may be used to determine the relationships between these common features. For example, the relationship between two common features may be: trojan file 1 delivered by IP1 connects back to download address www.a.html.
After the common features and the relationships between them are obtained, a first entity behavior ontology model can be established based on the common features and the relationships between them.
Attack events with common features may be regarded as attacks carried out by the same attacker, and attack events carried out by different attackers have different common features; thus a second entity behavior ontology model, a third entity behavior ontology model and so on may also be established from the confirmed successful attack events or the pre-collected attack events. The first, second and third entity behavior ontology models each correspond to a different attacker.
After a series of entity behavior ontology models has been established, machine learning may be performed on the series to obtain the preset network entity behavior ontology model.
After the preset network entity behavior ontology model is established, the information carried by a key threat event can be passed to it; the preset model determines which entity behavior ontology model the key threat event fits, extracts the behaviors of the key threat event and the relationships between them on the basis of the fitting ontology model, and establishes the network entity behavior relationship graph of the key threat event. The attack organization to which this network traffic data belongs can then be determined from the network entity behavior relationship graph.
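The graph construction and ontology-model matching described in this embodiment, as an added example that is not the patent's implementation: a constructed key threat event is turned into typed entities (IP, trojan file, C2 domain, download address) joined by labelled relationships, and its entity set is compared with constructed ontology models by overlap to decide which previously seen attacker it fits. The event, the models, the example addresses and the overlap threshold are assumptions, and a learned ontology model as described in the text is replaced here by a plain set of common features.

```python
"""Building a network entity behavior relationship graph from a key threat
event and matching it against entity behavior ontology models.  Constructed
example, not the patent's model: each ontology model is a set of typed
common features, and 'fit' is the Jaccard overlap with the event's entities."""
from collections import Counter

# Constructed key threat event.  Each observation is
# (subject type, subject, relation, object type, object).
# Addresses, names and URLs are documentation/example values, not real IoCs.
KEY_EVENT = {
    "id": "kte-001",
    "observations": [
        ("ip", "198.51.100.7", "delivered", "file", "dropper.exe"),
        ("file", "dropper.exe", "connects_back_to", "domain", "c2.example.net"),
        ("file", "dropper.exe", "downloads_from", "url", "http://dl.example.org/stage2.bin"),
    ],
}

# Constructed ontology models, one per previously seen attacker, expressed as
# the common features (IP, trojan file, C2 domain, download address) that the
# description says are obtained by homology analysis of confirmed attacks.
ONTOLOGY_MODELS = {
    "attacker-A": {
        ("ip", "203.0.113.9"), ("file", "dropper.exe"),
        ("domain", "c2.example.net"), ("url", "http://dl.example.org/stage2.bin"),
    },
    "attacker-B": {
        ("ip", "192.0.2.44"), ("file", "loader.dll"), ("domain", "c2.example.com"),
    },
}


def build_relationship_graph(event):
    """Nodes are typed entities; edges are labelled behaviors between them."""
    nodes, edges = set(), []
    for s_type, s, rel, o_type, o in event["observations"]:
        nodes.add((s_type, s))
        nodes.add((o_type, o))
        edges.append(((s_type, s), rel, (o_type, o)))
    return {"nodes": nodes, "edges": edges}


def jaccard(a, b):
    """Overlap of two feature sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def match_ontology_model(graph, models, min_score=0.3):
    """Pick the ontology model whose common features overlap the event's
    entities most; below min_score the event is reported as unattributed,
    which keeps a weak partial overlap from becoming a false attribution."""
    scored = {name: jaccard(graph["nodes"], feats) for name, feats in models.items()}
    best = max(scored, key=scored.get)
    if scored[best] < min_score:
        return "unknown", scored[best]
    return best, scored[best]


def node_type_summary(graph):
    """Count of entities per type, a quick overview of what the graph holds."""
    return dict(Counter(t for t, _ in graph["nodes"]))


if __name__ == "__main__":
    g = build_relationship_graph(KEY_EVENT)
    for subj, rel, obj in g["edges"]:
        print(f"{subj[1]} --{rel}--> {obj[1]}")
    print("entity types:", node_type_summary(g))
    print("best-fitting model:", match_ontology_model(g, ONTOLOGY_MODELS))
```

Note that the delivering IP in the event differs from the one recorded for attacker-A; the match still holds because the trojan file, C2 domain and download address overlap, which is the kind of shared-infrastructure evidence the homology analysis in the text relies on.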
Before the network entity behavior relationship graph is established from the information carried by the key threat events, the behavior elements of the key threat event (the specific factors that describe sample behavior), such as code structure, functionality and attack payload, may also be obtained to determine whether the key threat event shares characteristics with known malware, specifically whether the two drop the same files, connect back to the same C2 domain name, modify the same registry keys, and so on. Sample homology analysis of these events determines whether they are known malware.
在通过所述关键威胁事件所带的信息,建立网络实体行为关系图谱之前,还可使用代码相似度分析工具来比较确认攻击成功的事件或者预先收集的攻击事件的代码,与已知恶意代码家族中的恶意软件的代码,确定它们之间的相似度。也可使用安全保护软件实现上述过程,安全保护软件通常会将恶意软件分为不同的家族,并对每个家族中的恶意软件进行分类。通过安全保护软件对关键威胁事件进行检测,可以确定其是否属于一恶意软件家族。Before using the information carried by the key threat events to establish a network entity behavior relationship map, a code similarity analysis tool can also be used to compare the codes of events that confirm successful attacks or pre-collected attack events with known malicious code families code of malware in , and determine the similarity between them. The above process can also be implemented using security protection software, which usually divides malware into different families and classifies the malware in each family. By detecting key threat events through security protection software, it can be determined whether they belong to a malware family.
可基于其是否为已知的恶意软件、是否属于一恶意软件家族判断此次网络流量数据所属的攻击组织。The attack organization to which the network traffic data belongs can be judged based on whether it is known malware and whether it belongs to a malware family.
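The sample homology analysis described above compares a key threat event's behavior elements (files dropped, C2 domains contacted, registry keys modified) with those of known malware families. The following is an added example, not the patent's code: it scores a constructed event against constructed family profiles with a Jaccard overlap and reports the best match together with the shared elements. The family names, hashes, domains, registry keys and the 0.5 threshold are all placeholders chosen for the example.

```python
"""Sample homology analysis: score a key threat event's behavior elements
against profiles of known malware families. Added example; the family
profiles and indicator values below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class BehaviorElements:
    """Behavior elements of a sample: files dropped, C2 domains contacted,
    registry keys modified (the three comparison points the text names)."""
    dropped_files: FrozenSet[str]
    c2_domains: FrozenSet[str]
    registry_keys: FrozenSet[str]

    def as_set(self) -> FrozenSet[Tuple[str, str]]:
        # Tag each element with its kind so a file hash never collides with a domain.
        return frozenset(
            {("file", f) for f in self.dropped_files}
            | {("c2", d) for d in self.c2_domains}
            | {("reg", k) for k in self.registry_keys}
        )


def jaccard(a: FrozenSet, b: FrozenSet) -> float:
    """Set overlap in [0, 1]; an empty side shares nothing useful, so 0."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


# Constructed family profiles (placeholder hashes, domains and keys).
KNOWN_FAMILIES: Dict[str, BehaviorElements] = {
    "FamilyA": BehaviorElements(
        frozenset({"hash-a1", "hash-a2"}),
        frozenset({"c2-a.example"}),
        frozenset({r"HKCU\Software\Run\svc-a"}),
    ),
    "FamilyB": BehaviorElements(
        frozenset({"hash-b1"}),
        frozenset({"c2-b.example", "c2-b2.example"}),
        frozenset({r"HKLM\Software\Run\svc-b"}),
    ),
}


def homology(event: BehaviorElements,
             families: Dict[str, BehaviorElements] = KNOWN_FAMILIES,
             threshold: float = 0.5
             ) -> Tuple[Optional[str], float, FrozenSet[Tuple[str, str]]]:
    """Return (best matching family or None, its score, the shared elements).
    The 0.5 threshold is an assumed cut-off, not a value from the text."""
    ev = event.as_set()
    best: Tuple[Optional[str], float, FrozenSet] = (None, 0.0, frozenset())
    for name, profile in families.items():
        prof = profile.as_set()
        score = jaccard(ev, prof)
        if score > best[1]:
            best = (name, score, ev & prof)
    name, score, shared = best
    return (name if score >= threshold else None), score, shared


# Constructed key threat events used to exercise the scorer.
EVENT_VARIANT_A = BehaviorElements(
    frozenset({"hash-a1", "hash-new"}),      # one known file, one new file
    frozenset({"c2-a.example"}),
    frozenset({r"HKCU\Software\Run\svc-a"}),
)
EVENT_UNKNOWN = BehaviorElements(
    frozenset({"hash-x"}), frozenset({"c2-x.example"}), frozenset())

if __name__ == "__main__":
    print(homology(EVENT_VARIANT_A))   # FamilyA at 0.6 with 3 shared elements
    print(homology(EVENT_UNKNOWN))     # (None, 0.0, frozenset())
```

In practice a shared C2 domain is usually stronger evidence than a shared registry key, so a weighted overlap rather than plain Jaccard is a natural refinement; the example keeps equal weights so that the returned shared-element set can be read directly as the evidence for the verdict.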
此外,还可提供关键威胁事件的溯源数据,例如日志数据、PCAP数据、全流量数据、协议元数据和威胁情报数据等,供人工结合攻击阶段、时间、事件关联关系构建攻击路径图,以进行溯源分析。In addition, traceability data of key threat events can be provided, such as log data, PCAP data, full flow data, protocol metadata and threat intelligence data, etc., which can be manually combined with attack stage, time, and event correlation to build an attack path map for Traceability analysis.
在一实施例中,所述基于所述攻击链和所述全要素数据,对所述关键威胁事件的攻击组织进行画像,包括:从所述全要素数据中提取所述攻击链的行为元素数据及与所述攻击链的代码,以对所述关键威胁事件的攻击组织进行画像。In an embodiment, the profiling of the attack organization of the key threat event based on the attack chain and the full-element data includes: extracting the behavior element data of the attack chain from the full-element data and the code of the attack chain to profile the attacking organization of the key threat event.
在对关键威胁事件的攻击组织进行画像之前,可先对已知的攻击组织进行画像获得相应的画像系统。由于攻击组织有多个判断,因此画像系统相应的有多个,通过前述步骤可获得一系列画像系统。在获得一系列画像系统以后,可对该一系列画像系统进行机器学习,获得预画像模型。Before profiling the attacking organizations of key threat events, we can first profile the known attacking organizations to obtain the corresponding profiling system. Since the attacking organization has multiple judgments, there are correspondingly multiple portrait systems, and a series of portrait systems can be obtained through the aforementioned steps. After obtaining a series of portrait systems, machine learning can be performed on the series of portrait systems to obtain a pre-portrait model.
在获得画像模型以后,可将全要素数据传递至画像模型中,由画像模型判断该攻击链适用于哪一个画像系统,并基于相适应的画像系统对该攻击链对应的关键威胁事件的攻击组织进行画像。After the portrait model is obtained, the full-element data can be transferred to the portrait model, and the portrait model can judge which portrait system the attack chain is applicable to, and based on the suitable portrait system, the attack organization of the key threat event corresponding to the attack chain Make a portrait.
在获得关键威胁事件的网络实体行为关系图谱和攻击组织的画像以后,可结合攻击者技战术,例如慢速分散侦查探测、慢速扫描、隐蔽信道、域名生成算法和停靠域名等,对与关键威胁事件的目标相关联的资产进行分析,确定后续被攻击概率较大的资产及采用的攻击技术,以进一步保护用户安全。After obtaining the network entity behavior relationship map and the portrait of the attacking organization of key threat events, attackers' tactics can be combined, such as slow scattered detection and detection, slow scanning, covert channels, domain name generation algorithms and docked domain names, etc. The assets associated with the target of the threat event are analyzed to determine the assets with a higher probability of being attacked and the attack techniques used to further protect user security.
In a second aspect, referring to FIG. 2, an embodiment of the present invention provides a network threat information processing device, including: a basic threat event detection module 201, configured to parse and inspect network traffic data, determine basic threat events, and store full-element data of the traffic of the basic threat events; a key threat event identification module 202, configured to screen the basic threat events and identify key threat events; a network entity behavior relationship graph generation module 203, configured to build a network entity behavior relationship graph from the information carried by the key threat events; an attack chain identification module 204, configured to determine the attack chain of the key threat events based on a preset attack chain model; and a profiling module 205, configured to profile the attack organization of the key threat events based on the attack chain and the full-element data.
In an embodiment, the key threat event identification module 202 is specifically configured to aggregate and screen the basic threat events to identify key threat events.
In an embodiment, the attack chain identification module 204 is specifically configured to automatically derive the attack chain of a key threat event based on a preset long/short attack chain model and a given chain length.
In an embodiment, an attack confirmation module is further included, configured to perform attack confirmation on the basic threat events.
In an embodiment, the attack confirmation module is specifically configured to: perform attack confirmation for SQL injection, XSS attacks and upload vulnerabilities; perform attack confirmation for Struts2 remote code execution vulnerabilities and deserialization remote code execution vulnerabilities; and analyze alert information and session flows to verify whether a WEBSHELL exists or whether a WEBSHELL file was uploaded successfully.
In an embodiment, the network entity behavior relationship graph generation module 203 is specifically configured to: extract the behaviors of the key threat event and the relationships between them from the information carried by the key threat event; and build the network entity behavior relationship graph of the key threat event based on those behaviors and relationships.
In an embodiment, the profiling module 205 is specifically configured to extract the behavior element data of the attack chain and the code of the attack chain from the full-element data, so as to profile the attack organization of the key threat event.
The device of this embodiment can be used to carry out the technical solution of the first-aspect embodiment; its implementation principle and technical effect are similar and are not repeated here.
In a third aspect, referring to FIG. 3, an embodiment of the present invention provides an electronic device including a housing 301, a processor 302, a memory 303, a circuit board 304 and a power supply circuit 305, where the circuit board 304 is arranged inside the space enclosed by the housing 301, the processor 302 and the memory 303 are arranged on the circuit board 304, the power supply circuit 305 supplies power to each circuit or component of the electronic device, the memory 303 stores executable program code, and the processor 302 runs the program corresponding to the executable program code by reading it from the memory 303, so as to perform the system screen saver wallpaper display method described in any one of the foregoing first embodiments.
For the specific process by which the processor 302 executes the above steps, and the further steps the processor 302 performs by running the executable program code, refer to the description of the foregoing embodiments, which is not repeated here.
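The attack confirmation step for an upload vulnerability or WEBSHELL alert is the one that turns a raw alert into a basic threat event with a verified outcome. The following is an added example, not the patent's module: it matches a constructed upload alert to the POST request in a constructed HTTP session flow, checks whether the server accepted the upload, and then checks whether the uploaded file name was later served successfully, which is the evidence that the file actually landed on the server. The record layout, the three verdict labels and all sample data are assumptions made for the example.

```python
"""Attack confirmation for an upload-vulnerability / WEBSHELL alert, checked
against the HTTP session flow. Added example; record layout, the three
verdict labels and all sample data are constructed, not from the patent."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class HttpRecord:
    ts: int        # constructed timestamp (seconds)
    src_ip: str
    method: str
    path: str      # request target, may carry a query string
    status: int    # HTTP status the server returned
    resp_len: int  # response body length in bytes


@dataclass(frozen=True)
class UploadAlert:
    ts: int
    src_ip: str
    upload_uri: str     # URI that received the suspicious upload
    uploaded_name: str  # file name the sensor extracted from the request body


def _path_only(target: str) -> str:
    return target.split("?", 1)[0]


def confirm_webshell_upload(alert: UploadAlert, session: List[HttpRecord],
                            window: int = 3600) -> str:
    """Return 'confirmed', 'upload_rejected' or 'unverified'.

    confirmed:       the upload got a 2xx and the uploaded name was later
                     served with 200 and a non-empty body, i.e. the file exists.
    upload_rejected: the server refused the upload request itself.
    unverified:      the alert cannot be matched to the flow, or nobody fetched
                     the file within the window; leave it for an analyst."""
    recs = sorted(session, key=lambda r: r.ts)
    # 1. Find the upload request behind the alert (same client, same URI, within 5 s).
    upload = next((r for r in recs
                   if r.src_ip == alert.src_ip and r.method == "POST"
                   and _path_only(r.path) == alert.upload_uri
                   and abs(r.ts - alert.ts) <= 5), None)
    if upload is None:
        return "unverified"
    if not 200 <= upload.status < 300:
        return "upload_rejected"
    # 2. Look for a later successful fetch of the uploaded file name.
    for r in recs:
        if (upload.ts < r.ts <= upload.ts + window
                and _path_only(r.path).endswith("/" + alert.uploaded_name)
                and r.status == 200 and r.resp_len > 0):
            return "confirmed"
    return "unverified"


# Constructed alert and session flows (documentation addresses only).
ALERT = UploadAlert(ts=100, src_ip="10.0.0.5", upload_uri="/upload.php",
                    uploaded_name="img.php")
SESSION_SUCCESS = [
    HttpRecord(100, "10.0.0.5", "POST", "/upload.php", 200, 120),
    HttpRecord(130, "10.0.0.5", "GET", "/uploads/img.php?x=1", 200, 512),
]
SESSION_REJECTED = [
    HttpRecord(100, "10.0.0.5", "POST", "/upload.php", 403, 80),
]
SESSION_NO_FETCH = [
    HttpRecord(100, "10.0.0.5", "POST", "/upload.php", 200, 120),
    HttpRecord(160, "10.0.0.5", "GET", "/index.html", 200, 2048),
]

if __name__ == "__main__":
    for name, flow in [("success", SESSION_SUCCESS), ("rejected", SESSION_REJECTED),
                       ("no_fetch", SESSION_NO_FETCH)]:
        print(name, "->", confirm_webshell_upload(ALERT, flow))
```

The "unverified" verdict is deliberately separate from "upload_rejected": an accepted upload that nobody has fetched yet is still a live risk and should stay in the analyst's queue rather than being closed as a failed attack.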
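Two of the modules above share the same input: module 203 builds the network entity behavior relationship graph from the behaviors and relationships carried by key threat events, and module 204 derives the attack chain from a preset chain model and a given chain length. The following is an added example, not the patent's code, that serves both: it builds the graph as entity-to-entity behavior edges from constructed key threat events, then walks an assumed five-stage chain model in order, keeping for each stage the earliest event that is not earlier than the previous stage and stopping at the requested chain length. The event records, entity names, stage names and the behavior-to-stage mapping are all assumptions made for the example.

```python
"""Build a network entity behavior relationship graph from key threat events
and derive an attack chain against a preset stage model. Added example; the
events, entity names and stage model are constructed, not the patent's data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class KeyThreatEvent:
    ts: int        # constructed timestamp (seconds)
    subject: str   # entity performing the behavior (IP, host, process)
    behavior: str  # behavior name as reported by the detector
    obj: str       # entity acted upon (IP, domain, file path)


# Assumed preset attack chain model: stage order plus behavior-to-stage mapping.
CHAIN_MODEL: List[str] = ["reconnaissance", "exploitation", "installation",
                          "command_and_control", "actions_on_objective"]
BEHAVIOR_STAGE: Dict[str, str] = {
    "port_scan": "reconnaissance",
    "exploit_attempt": "exploitation",
    "drop_file": "installation",
    "c2_connect": "command_and_control",
    "exfiltrate": "actions_on_objective",
}

Edge = Tuple[str, str, int]  # (behavior, object entity, ts)


def build_relationship_graph(events: List[KeyThreatEvent]) -> Dict[str, List[Edge]]:
    """Entity -> time-ordered edges; each edge is a behavior towards another entity."""
    graph: Dict[str, List[Edge]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        graph[e.subject].append((e.behavior, e.obj, e.ts))
    return dict(graph)


def entities(graph: Dict[str, List[Edge]]) -> Set[str]:
    """All entities in the graph, whether they act or are acted upon."""
    nodes = set(graph)
    for edges in graph.values():
        nodes.update(obj for _, obj, _ in edges)
    return nodes


def derive_attack_chain(events: List[KeyThreatEvent], chain_len: int,
                        model: List[str] = CHAIN_MODEL) -> List[Tuple[str, KeyThreatEvent]]:
    """Walk the stages in model order and pick, for each, the earliest event
    that is not earlier than the previously chosen stage, so the chain is
    causally ordered; stop once chain_len stages are filled (short vs long chain)."""
    ordered = sorted(events, key=lambda ev: ev.ts)
    chain: List[Tuple[str, KeyThreatEvent]] = []
    last_ts = -1
    for stage in model:
        hit = next((e for e in ordered
                    if BEHAVIOR_STAGE.get(e.behavior) == stage and e.ts >= last_ts), None)
        if hit is None:
            continue
        chain.append((stage, hit))
        last_ts = hit.ts
        if len(chain) >= chain_len:
            break
    return chain


# Constructed key threat events (documentation addresses only).
EVENTS = [
    KeyThreatEvent(10, "203.0.113.7", "port_scan", "10.0.0.20"),
    KeyThreatEvent(15, "203.0.113.7", "port_scan", "10.0.0.21"),
    KeyThreatEvent(20, "203.0.113.7", "exploit_attempt", "10.0.0.20"),
    KeyThreatEvent(30, "10.0.0.20", "drop_file", "/tmp/stage.bin"),
    KeyThreatEvent(40, "10.0.0.20", "c2_connect", "c2.example"),
    KeyThreatEvent(50, "10.0.0.20", "exfiltrate", "198.51.100.9"),
]

if __name__ == "__main__":
    g = build_relationship_graph(EVENTS)
    print(sorted(entities(g)))
    for stage, e in derive_attack_chain(EVENTS, chain_len=3):
        print(stage, e.ts, e.subject, "->", e.obj)
```

With `chain_len=3` the derived chain stops at installation (a short chain); with `chain_len=5` it runs through to exfiltration (a long chain). The graph keeps the second scan of 10.0.0.21 as an edge even though it never enters the chain, which is what lets the later asset analysis step see which hosts were probed but not yet compromised.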
The electronic device described above exists in many forms, including but not limited to:
(1) Mobile communication devices: such devices are characterized by mobile communication capability, with voice and data communication as their main purpose. Such terminals include smartphones (for example, the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing capability, and generally also support mobile Internet access. Such terminals include PDA, MID and UMPC devices, for example the iPad.
(3) Portable entertainment devices: these can display and play multimedia content. Such devices include audio and video players (for example, the iPod), handheld game consoles, e-book readers, smart toys and portable in-car navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor 302, hard disk, memory, system bus and so on; its architecture resembles that of a general-purpose computer, but because it must provide highly reliable services, it has higher requirements for processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium that stores one or more programs executable by one or more processors to implement the system screen saver wallpaper display method described in any one of the foregoing first embodiments, and therefore can also achieve the corresponding technical effects, which have been described in detail above and are not repeated here.
It should be noted that, in this document, the solutions described in the various embodiments have different emphases, but the embodiments are interrelated, and they may be referred to one another when understanding the solutions of the present invention. In addition, relational terms such as first and second are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device comprising that element.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the claims.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211665893.2A (granted as CN115967566B) | 2022-12-23 | 2022-12-23 | Network threat information processing method, device, electronic device and storage medium |
| Publication Number | Publication Date |
|---|---|
| CN115967566A | 2023-04-14 |
| CN115967566B | 2025-09-05 |
| Application Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202211665893.2A (granted as CN115967566B) | Active | 2022-12-23 | 2022-12-23 | Network threat information processing method, device, electronic device and storage medium |
| Country | Link |
|---|---|
| CN (1) | CN115967566B (en) |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |