CN118677661A - Threat information detection method and device, electronic equipment and storage medium - Google Patents
- Publication number: CN118677661A (application number CN202410740880.XA)
- Authority: CN (China)
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The application relates to the field of network security, in particular to a method and a device for detecting threat information, electronic equipment and a storage medium. The application can quickly determine whether the target information data is threat information by pre-calculating the hash value of the target information data and matching it against a pre-constructed threat information sample set. Compared with the traditional antivirus software detection mode, the method can reduce the time and the computing resources required for detection. Secondly, by calculating hash value combinations of the threat information samples in the threat information sample set and constructing N arrays from these hash value combinations, the threat type of the target information data can be accurately identified. The method helps enterprises identify and cope with different types of network threats in time and improves network security.
Description
Technical Field
The invention relates to the field of network security, in particular to a method and a device for detecting threat information, electronic equipment and a storage medium.
Background
In an enterprise office scenario, an operator working on a terminal device in the enterprise office network may inadvertently run a malicious program or access a malicious website, for example by downloading and installing software from a malicious website or by clicking a malicious link, thereby exposing the enterprise's office equipment to security threats. The traditional approach is to install antivirus software on the terminal device to prevent malicious programs from running or malicious websites from being accessed.
However, conventional antivirus software requires the network threat to be analysed and its features extracted before the antivirus engine can be updated. This process typically requires specialised security researchers and substantial computing resources; it is not only time-consuming but also cannot accurately detect the type of threat intelligence generated by a network threat.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a method, an apparatus, an electronic device, and a storage medium for detecting threat information, so as to solve the problems that the traditional antivirus software consumes long time when detecting the network threat, and cannot accurately detect the type of threat information generated by the network threat.
In a first aspect, an embodiment of the present invention provides a method for detecting threat intelligence, where the method includes:
Acquiring target information data to be detected in a current client;
Acquiring a target hash value combination corresponding to the target information data;
Matching the target hash value combination with a pre-constructed hash array to obtain a target array hit by each hash value in the hash value combination, wherein the hash array is constructed based on hash value combinations of information data of different threat types;
And determining a target threat type corresponding to the target information data according to the position information of the target array in the hash array.
In a second aspect, an embodiment of the present invention provides a threat intelligence detection apparatus, including:
the first acquisition module is used for acquiring target information data to be detected;
The second acquisition module is used for acquiring a target hash value combination corresponding to the target information data; the target hash value combination comprises k hash values obtained by calculating the target information data based on a preset algorithm, wherein k is a natural number;
the matching module is used for matching the target hash value combination with each of N arrays constructed in advance to obtain a matching result; the N arrays are constructed based on hash value combinations of a threat information sample set, each array comprises k element groups, N is a natural number, and N is determined based on the number of threat types in the threat information sample set;
and the determining module is used for judging whether the target information data is threat information according to the matching result and determining the threat type under the condition that the target information data is threat information.
In a third aspect, an embodiment of the present invention provides an electronic device, including: the memory and the processor are in communication connection, the memory stores computer instructions, and the processor executes the computer instructions to perform the method of the first aspect or any implementation manner corresponding to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of the first aspect or any of its corresponding embodiments.
The application can quickly determine whether the target information data is threat information by pre-calculating the hash value of the target information data and matching it against a pre-constructed threat information sample set. Compared with the traditional antivirus software detection mode, the method can greatly reduce the time and the computing resources required for detection. Secondly, by calculating hash value combinations of the threat information samples in the threat information sample set and constructing N arrays from these hash value combinations, the threat type of the target information data can be accurately identified. The method helps enterprises identify and cope with different types of network threats in time and improves network security.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a system framework according to some embodiments of the invention;
FIG. 2 is a flow chart of a method of detecting threat intelligence in accordance with some embodiments of the invention;
FIG. 3 is a flow chart of a method of detecting threat intelligence in accordance with some embodiments of the invention;
FIG. 4 is a flow chart of a method of detecting threat intelligence in accordance with some embodiments of the invention;
FIG. 5 is a flow chart of a method of detecting threat intelligence in accordance with some embodiments of the invention;
FIG. 6 is a block diagram of a threat intelligence detection apparatus in accordance with an embodiment of the invention;
FIG. 7 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been illustrated in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather, these embodiments are provided so that this disclosure will be more thorough and complete. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
In describing embodiments of the present disclosure, the term "comprising" and its like should be taken to be open-ended, i.e., including, but not limited to. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The term "some embodiments" should be understood as "at least some embodiments". Other explicit and implicit definitions are also possible below.
In this context, unless explicitly stated otherwise, performing a step "in response to a" does not mean that the step is performed immediately after "a", but may include one or more intermediate steps.
It will be appreciated that the data (including but not limited to the data itself, the acquisition, use, storage or deletion of the data) involved in the present technical solution should comply with the corresponding legal regulations and the requirements of the relevant regulations.
It will be appreciated that prior to using the technical solutions disclosed in the embodiments of the present disclosure, the relevant users, which may include any type of rights subjects, such as individuals, enterprises, groups, etc., should be informed and authorized by appropriate means of the types of information, usage ranges, usage scenarios, etc. involved in the present disclosure according to relevant legal regulations.
For example, in response to receiving an active request from a user, prompt information is sent to the relevant user to explicitly prompt the relevant user that the operation requested to be performed will need to obtain and use information to the relevant user, so that the relevant user may autonomously select whether to provide information to software or hardware such as an electronic device, an application program, a server, or a storage medium that performs the operation of the technical solution of the present disclosure according to the prompt information.
As an alternative but non-limiting implementation manner, in response to receiving an active request from a relevant user, the prompt information may be sent to the relevant user, for example, in a popup window, where the prompt information may be presented in a text manner. In addition, a selection control for the user to select to provide information to the electronic device in a 'consent' or 'disagreement' manner can be carried in the popup window.
It will be appreciated that the above-described notification and user authorization process is merely illustrative and not limiting of the implementations of the present disclosure, and that other ways of satisfying relevant legal regulations may be applied to the implementations of the present disclosure.
Office security generally relates to security management of networks, identities and terminals, and digital office is safer, more efficient and easier to use by realizing private network networking, access control, management of terminals in the private network and information security protection. The security management at the network level can ensure that private networks such as office networks and the like can safely and efficiently operate, and further ensure that business data can be safely transmitted and stored. The safety management of the identity layer can improve the identity authentication efficiency and safety of the user accessing the private network. The security management of the terminal layer can realize the unified management of terminal equipment in a private network, data leakage prevention and terminal threat protection, thereby ensuring the security of enterprise data.
In practical application, the security management of the network, the identity and the terminal can be technically associated with a number of technical branches such as networking strategy, network access and control, remote access, unified terminal management, terminal detection and response, enterprise data leakage prevention and identity authentication management, so that digital office becomes simpler, more efficient and easier to put into practice.
In an enterprise office scenario, the office equipment of an enterprise includes computers, notebooks and other terminal devices, which are typically connected to the internet and used by operators for office work through various software and a browser. However, operators may inadvertently run malicious programs or access malicious websites, exposing the enterprise's office equipment to threat intelligence. Here, malicious programs may be viruses, trojans, worms, etc., which may be embedded in email attachments, downloaded files or unsafe websites, or may entice operators to click through social engineering. Once malicious programs run on the terminal device, they may steal user information, damage the file system, monitor user activity, or propagate uncontrollably to other devices. Meanwhile, a malicious website is a website controlled by a hacker or criminal organisation, which may contain malware, phishing links or other fraudulent activities. When operators visit these websites, their computers may become infected, resulting in data leakage, account theft or other malicious activity.
Meanwhile, threat intelligence usually contains a large amount of information, which is usually required to be stored in a server side and provide an API for querying the server side at a terminal device side. However, when the amount of the query requests is large, the API of the server becomes a bottleneck to affect the query efficiency, especially in the privately deployed environment of the security management software, the client may not directly access the internet, or the privately deployed server may not be able to carry a large number of query requests, which results in failure to identify threat information and affects the network security of the enterprise office equipment.
Thus, in an enterprise office scenario, protection against and coping with the threat intelligence of malicious programs and malicious websites is of paramount importance. The present application provides a system architecture; referring to fig. 1, the architecture includes a server 101 and a plurality of terminal devices 102. Each terminal device is provided with a client of the security management software, and the client is used for detecting threat information present on the terminal device. Specifically, the server 101 is configured to run the server side of the security management software, which collects threat information samples and constructs N arrays according to the threat information samples and their threat types. The constructed N arrays are then deployed on the client of each terminal device 102, so that the client can detect threat information on the terminal device according to the N arrays in an offline state and determine the threat type of the threat information.
In this embodiment, a method for detecting threat information is provided, and the method is applied to a client of security management software deployed on a terminal device in the system architecture. Fig. 2 is a flowchart of a method for detecting threat intelligence according to an embodiment of the invention, as shown in fig. 2, the flowchart includes the steps of:
Step S11, obtaining target information data to be detected.
In the embodiment of the disclosure, the client of the security management software can acquire various threat information data on the terminal equipment by scanning and detecting the terminal equipment at multiple layers, including information on the operating system, application software, malicious software, network connections, user behaviour and the like, so as to help enterprises identify and cope with potential security threats. Specifically, the client may scan the operating system of the terminal device and related information to obtain information data, where the related information includes the operating system type, version number, patch level and the like. The client may scan the applications installed on the terminal device and obtain their version information; by comparing this version information against known vulnerability databases, intelligence data can be obtained. The client can scan files and processes on the terminal equipment to detect whether malicious activity such as viruses, malicious software or spyware exists, and obtain information data. In addition, the client can record the behaviour of the user on the terminal equipment, such as login records, file operation records and web browsing records, so as to obtain threat information.
Step S12, obtaining a target hash value combination corresponding to target information data; the target hash value combination comprises k hash values obtained by calculating the target information data based on a preset algorithm, wherein k is a natural number.
In the embodiment of the present disclosure, before obtaining the target hash value combination corresponding to the target intelligence data, the method further includes: acquiring a white list sent by the server, where the white list comprises a plurality of preset information data; matching the target information data with the plurality of information data in the white list; if information data matching the target information data exists in the white list, determining that the target information data is normal information; or, if the white list contains no information data matching the target information data, detecting the target information data.
Specifically, the client may obtain the white list by establishing a connection with the server and sending a request; the server responds to the client's request by sending the white list data to the client. The white list is a collection of a plurality of preset information data, namely information data that have been detected by other clients and that did not match the hash array set on the server, and so do not belong to any threat type.
The client compares the target information data to be detected with a plurality of information data in the white list. The target intelligence data may be a file, process, network traffic, or the like. If the target intelligence data can find matching intelligence data in the whitelist, the client can determine that the target intelligence data is normal, secure data, because the intelligence data in the whitelist is defined as non-threat data that does not match the set of hash arrays in the server. If the target intelligence data does not have data matching it in the whitelist, the client needs to perform further detection of the target intelligence data.
Through the steps, the client can use the white list to perform preliminary judgment on the target information data, treat the information data identified as normal information in the white list, and further detect unmatched information to identify potential threats. Thus, repeated detection of known normal data can be reduced, and detection efficiency is improved.
In the embodiment of the disclosure, obtaining a target hash value combination corresponding to target information data includes the following steps A1-A3:
A1, carrying out hash calculation on target information data by using a preset hash algorithm to obtain a first target hash value and a second target hash value;
In one embodiment of the present disclosure, the hash algorithm used is MurmurHash3; hashing the intelligence data with it yields two target hash values, a first target hash value hash1 and a second target hash value hash2. MurmurHash3 is a non-cryptographic hash function with fast computation and a low collision rate. The specific calculation steps are as follows: the target intelligence data is passed as input to the Murmur algorithm, which processes the input data to generate a 32-bit target hash value; this value is assigned to the variable hash1, the first target hash value. The input data is processed again to generate another 32-bit target hash value, which is assigned to the variable hash2, the second target hash value.
A2, calculating w other target hash values by using the first target hash value and the second target hash value, wherein w is a natural number;
Specifically, the calculation formula is hash_i = hash1 + i × hash2, where i denotes the sequence number of the target hash value and increases from 3 until the number k of target hash values is reached. For example, when the number of target hash values is 3, the other target hash values consist of a third target hash value hash_3 = hash1 + 3 × hash2. When the number of target hash values is 4, the other target hash values consist of a third target hash value hash_3 = hash1 + 3 × hash2 and a fourth target hash value hash_4 = hash1 + 4 × hash2, and so on until all w other target hash values have been calculated according to the above formula. It will be appreciated that the relationship between w and k is w + 2 = k.
And A3, constructing k target hash values of the target information data based on the first target hash value, the second target hash value and w other target hash values.
Specifically, after the first target hash value, the second target hash value, and the other target hash values are obtained, a target hash value combination of the target information data may be constructed based on the first target hash value, the second target hash value, and w other target hash values.
According to the embodiment of the disclosure, different numbers of target hash values can be obtained according to different threat types and coding digits, so that different types of threats can be handled more flexibly. Meanwhile, other target hash values are calculated by using the first target hash value and the second target hash value. By the method, more different target hash values can be obtained on the premise of ensuring the data integrity, and the threat identification and matching capacity is improved. Finally, a target hash value combination is constructed based on the first target hash value, the second target hash value, and other target hash values. Therefore, different target hash values can be combined to form a more comprehensive and comprehensive target hash value combination, and the threat identification and matching accuracy is improved.
Step S13, matching the target hash value combination with each of N arrays constructed in advance to obtain a matching result; the N arrays are constructed based on hash value combinations of a threat information sample set, each array comprises k element groups, N is a natural number, and N is determined based on the number of threat types in the threat information sample set.
In the embodiment of the application, given a threat information sample set, the number of threat types t can be obtained by counting the number of threat samples of different types in the set. Each threat type corresponds to a unique number ranging from 1 to t. The number of threat types t is converted to binary form and the number of encoding bits N is determined. For example, if t=4 then N=3, because the binary representation of 4 is 100, which requires at least 3 bits. That is, if 001, 010, 011 and 100 are used as the binary codes of the 4 threat types, then N=3. The codes corresponding to the t threat intelligence types are obtained by converting the number of each threat type into the corresponding N-bit binary code. After the N-bit binary code is determined, a corresponding array may be created for each binary bit, based on the value (0 or 1) of that bit. For example, for 3-bit binary encoding, three arrays are created. Each array includes k element groups, N is a natural number, and N is determined based on the number of threat types in the threat intelligence sample set. The k element groups correspond to the k hash values.
In the embodiment of the application, matching the target hash value combination with each of the N arrays constructed in advance, and determining the N-bit binary code according to the matching result, comprises the following steps B1-B3:
and B1, matching k hash values in the target hash value combination with k element groups in each of the N arrays one by one to obtain a corresponding target element of each hash value in the corresponding element group.
For each array in N arrays, matching k hash values in the target hash value combination with k element groups in the array to obtain corresponding target elements of each hash value in the corresponding element groups;
Specifically, since both the number of hash values in the target hash value combination and the number of element groups are k, the element group corresponding to each of the k hash values is determined, and the corresponding target element is then found in that element group. For example, assuming the target hash value combination includes hash_1, hash_2 and hash_3 and the array includes 3 element groups, i.e. element group 1, element group 2 and element group 3, each containing q elements, hash_1 corresponds to element group 1, hash_2 to element group 2 and hash_3 to element group 3. The numerical value of each hash value is then used as an index to determine a target element in the corresponding element group: the element position hit by the hash value is obtained from the element group, and the element at that position is taken as the target element. Let hash_1=5, hash_2=7 and hash_3=9. The 5th element of element group 1 is the target element of hash_1, the 7th element of element group 2 is the target element of hash_2, and the 9th element of element group 3 is the target element of hash_3.
And step B2, determining the coding value corresponding to each array according to the element value of the target element in the array.
Specifically, the element value of each target element in each array is obtained, the encoding value of the current array is determined from those element values, and finally the N-bit binary code is obtained from the N encoding values of the N arrays. For example, let N=3, hash_1=5, hash_2=7 and hash_3=9. The 5th element H5 of element group 1 is the target element of hash_1, the 7th element H7 of element group 2 is the target element of hash_2, and the 9th element H9 of element group 3 is the target element of hash_3.
First, it is determined whether H5 in element group 1 of the first array is 1, whether H7 in element group 2 of the first array is 1, and whether H9 in element group 3 of the first array is 1. If H5, H7 and H9 in the first array are all 1, the target hash value combination matches the first array, and the encoding value of the first array is 1. Next, for the second array, it is determined whether H5 in element group 1, H7 in element group 2 and H9 in element group 3 are 1; if at least one of H5, H7 and H9 in the second array is 0, the target hash value combination does not match the second array, and the encoding value of the second array is 0. Finally, it is determined whether H5 in element group 1, H7 in element group 2 and H9 in element group 3 of the third array are 1; if at least one of them is 0, the target hash value combination does not match the third array, and the encoding value of the third array is 0. Thus the binary code 100 is obtained.
And B3, constructing N-bit binary codes according to the code values corresponding to each of the N arrays, and taking the N-bit binary codes as a matching result.
Specifically, at this point an N-bit binary code may be constructed directly from the encoding value corresponding to each of the N arrays, and this N-bit binary code is used as the matching result.
The following is a complete example. Assume that there are 3 arrays, each array contains k=3 element groups, each element group includes q=5 elements, and each element has the value 0 or 1. The target hash value combination is hash_1=2, hash_2=4 and hash_3=1, and the three arrays are as follows:
Array 1: [ (1,1,1,0,1), (0,1,0,1,0), (1,1,0,1,0) ]
Array 2: [ (0,0,0,1,0), (1,0,1,0,1), (0,1,0,1,0) ]
Array 3: [ (0,0,0,0,0), (1,0,0,0,0), (0,0,0,0,0) ]
For array 1, the target element of hash_1 is the 2nd element of the first element group, whose value is 1; the target element of hash_2 is the 4th element of the second element group, whose value is 1; and the target element of hash_3 is the 1st element of the third element group, whose value is 1. All target elements in array 1 are therefore 1, so the coding value of array 1 is 1. Applying the same rule to array 2, its target elements (the 2nd element of the first group, the 4th of the second and the 1st of the third) are all 0, so its coding value is 0; in array 3 they are likewise all 0, so its coding value is 0. The binary code is therefore 100.
In the above embodiment each hash value is a natural number in the range 1 to q, so that it can be used directly as a position within an element group (in practice the raw hash output is reduced modulo q to bring it into that range).
In one embodiment of the present invention, if the target elements of a certain array contain both 1 and 0, the coding value of that array may nevertheless be set to 1: because the actual detection of threat information can suffer both false alarms and missed detections, data whose target elements in some array are a mixture of 1 and 0 is recorded as possible threat information. The client then sends such information data to the server, which determines its type. Note that in a bit array built this way a single 0 among the target elements proves that no sample was ever inserted into that array at this hash value combination, so the conservative encoding adds false positives rather than recovering missed detections; its purpose is to route uncertain cases to the server for a second check.
According to the embodiment of the application, matching the target hash values against the elements of the arrays determines the target element corresponding to each hash value quickly and accurately, so the whole array need not be traversed and matching efficiency is improved. Secondly, the coding value of each array is determined from the element values of its target elements, which reduces the many element values held in many arrays to a single coding value per array; this reduces coding complexity and storage space.
And step S14, judging whether the target information data is threat information according to the matching result, and determining the threat type under the condition that the target information data is threat information.
In the embodiment of the application, judging whether the target information data is threat information according to the matching result, and determining the threat type under the condition that the target information data is threat information, comprises the following steps: acquiring a corresponding relation between a preset N-bit binary code and a preset threat type, and determining whether a preset binary code consistent with the N-bit binary code exists or not based on the corresponding relation; if the target information data exists, determining that the target information data belongs to threat information, and taking a preset threat type corresponding to the N-bit binary code as the threat type of the target information data.
Specifically, the value range of the preset N-bit binary codes is determined first. For example, if N = 3, the codes available are 001, 010, 011, 100, 101, 110 and 111 (000 is the result produced when no array matches, so it is not assigned to a threat type). Then a correspondence between each preset N-bit binary code and a preset threat type is determined, for example with a mapping table or dictionary: 001 - threat type 1, 010 - threat type 2, 011 - threat type 3, 100 - threat type 4. The N-bit binary code of the target intelligence data is then compared with the preset codes to determine whether a matching preset binary code exists. A code that is non-zero but has no preset threat type (for example 110 in the table above) can only arise from a false positive in at least one array, and is best treated as uncertain rather than as a specific threat type.
The application can quickly determine whether the target information data is threat information or not by pre-calculating the hash value of the target information data and matching with the pre-constructed threat information sample set. Compared with the traditional antivirus software detection mode, the method can greatly reduce the time and the computing resources required by detection. Secondly, by calculating hash value combinations of threat information samples in the threat information sample set and constructing N groups by utilizing the hash value combinations, threat types of target information data can be accurately identified. The method is beneficial to helping enterprises to identify and cope with different types of network threats in time and improves network security. In addition, N pre-constructed arrays are deployed on the client, so that real-time threat identification of target information data in a privately deployed environment is realized, and no response of an external server is required to be waited. The client is not required to directly access the Internet, so that dependence on an external network is reduced, the possibility of being attacked is also reduced, and the safety of the client is ensured. The security problem caused by the fact that the client cannot be connected with the Internet under the privately-arranged environment is solved.
In the embodiment of the application, N arrays are constructed based on the hash value combination of the threat information sample set, as shown in fig. 3, the method comprises the following steps:
Step S21, initializing elements in N arrays to a first preset value, wherein each of the N arrays comprises k element groups, each element group comprises q elements, and q is a natural number.
In the embodiment of the application, the elements in the N arrays are initialized to a first preset value, where the first preset value is 0, i.e. every element in the N arrays is set to 0. Each of the N arrays comprises k element groups: if N = 3 and k = 4, there are 3 arrays, each containing 4 element groups. Each element group comprises q elements, i.e. each element group is a tuple of q elements; if q = 2, each tuple consists of 2 elements.
For example: there are n=3 arrays, each array contains k=3 element groups, each element group includes q=5 elements, at this time, the values of all elements in each array are initialized to 0, and the initialized 3 groups are as follows:
Array 1: [ (0,0,0,0,0), (0,0,0,0,0), (0,0,0,0,0) ].
Array 2: [ (0,0,0,0,0), (0,0,0,0,0), (0,0,0,0,0) ].
Array 3: [ (0,0,0,0,0), (0,0,0,0,0), (0,0,0,0,0) ].
In the actual detection of threat information, false alarms (false positives) may occur. Even if all target elements are 1, this may be coincidental: the key is then judged to be present in the target set although it was never inserted into the target array. The collision probability depends on the number of stored bits m = k × q, the number v of threat intelligence samples in the sample set (typically on the order of millions), and the target false-positive probability ε (the probability that a key absent from the array nevertheless hits all of its target elements), as follows:
The currently optimal number of element groups is calculated from the hit probability of the array, using the following formula: where k is the number of element groups. Finally, the number q of elements in each element group is obtained from the number of threat intelligence samples in the sample set and the number k of element groups.
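The relation the text refers to is not reproduced on the page. What follows is an added illustration, written in the page's own symbols (m = k × q, v, ε, k): it is the textbook analysis of a bit array of m bits into which v keys have been inserted with k hash functions, not the patent's own formula, and the worked numbers assume the 6 million samples the page mentions later and a target ε = 0.01 chosen here for illustration.

$$\varepsilon \approx \left(1 - e^{-kv/m}\right)^{k}$$

$$k_{\text{opt}} = \frac{m}{v}\ln 2, \qquad m = -\frac{v \ln \varepsilon}{(\ln 2)^{2}}, \qquad q = \frac{m}{k}$$

With v = 6 × 10^6 and ε = 0.01: m ≈ 6 × 10^6 × 4.605 / 0.4805 ≈ 5.75 × 10^7 bits (about 7.2 MB), k_opt ≈ 9.585 × 0.693 ≈ 6.6, so k = 7, and q = m / k ≈ 8.2 × 10^6 elements per group. Checking: ε ≈ (1 − e^{−7 × 6 × 10^6 / 5.75 × 10^7})^7 = (1 − e^{−0.730})^7 ≈ 0.518^7 ≈ 0.010. Since m = k × q, the number of elements per group is q = m / k, so the page's wording (q from the ratio of the sample count to k) should be read with m, the bit count derived from the sample count, in the numerator. Two caveats for this particular scheme: each array stores only the samples whose code bit is 1, so v should be counted per array, and giving each hash value its own group of q bits rather than one shared m-bit array raises ε slightly for the same m, although the optimum k is unchanged to first order.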
Step S22, for each threat information sample in the threat information sample set, determining at least one target array from N arrays based on the threat type of the threat information sample, and calculating k hash values of the threat information sample based on a preset algorithm.
In an embodiment of the application, a set of threat intelligence samples is obtained; in one embodiment the set contains 6 million threat intelligence samples. Selecting the most recently hit threat intelligence reduces the size of the arrays to some extent, which reduces the client's storage and query load for the arrays and improves overall performance and efficiency. Secondly, building the arrays from recently hit threat intelligence data improves the hit rate of the arrays: because recently hit data is more likely to reappear in the short term, building it into the arrays preferentially filters malicious programs and domain names more accurately, reduces false alarms, and improves the accuracy and reliability of the system.
In the embodiment of the application, N is a natural number, and the determining of N based on the number of threat types in the threat intelligence sample set comprises: acquiring the number t of threat types in a threat information sample set, wherein t is a natural number; setting t different binary codes corresponding to t threat information types one by one, wherein the bit numbers of the t different binary codes are the same and N; the number of arrays is determined as N.
Specifically, the number t of threat types is obtained by counting the distinct types present in the current threat intelligence sample set. Each threat type is assigned a unique number from 1 to t; the numbers are written in binary, and the number of bits N of the code is the number of bits needed to represent t (numbering starts at 1, so the all-zero code is never assigned to a type; it is the code produced when no array matches). For example, if t = 4 then N = 3, since 4 in binary is 100 and needs 3 bits. Converting the number of each threat type into its N-bit binary code yields the codes of the t threat types. Once N is known, one array is created per binary bit (for a 3-bit code, three arrays). Each array contains k element groups, one per hash value, and N is determined from the number of threat types in the threat intelligence sample set as described.
In the embodiment of the application, calculating the k hash values of the threat intelligence sample based on a preset algorithm comprises: performing a hash calculation on the threat intelligence sample with a preset hash algorithm to obtain a first hash value and a second hash value; deriving w other hash values from the first and second hash values, where w is a natural number; and constructing the k hash values of the threat intelligence sample from the first hash value, the second hash value and the w other hash values.
Specifically, the first hash value hash1 is obtained by applying the MurmurHash algorithm to the input data, giving a 32-bit integer. The second hash value hash2 is obtained by applying MurmurHash to the same input again with a different seed, giving another 32-bit integer (with the same seed hash2 would equal hash1 and the derived values would not be independent). k denotes the number of hash values required. The remaining values are derived by double hashing: for i from 1 to k, hash_i = hash1 + (i − 1) × hash2, so hash_1 = hash1 and hash_2 = hash1 + hash2. Each hash_i is reduced to the range 1 to q before it is used as a position in its element group. The result is the set hash_1, hash_2, ..., hash_k computed from the record data.
In one embodiment of the present disclosure, if the binary code corresponding to the threat type of the threat intelligence sample is 100, the first of the three arrays is the target array. If the binary code corresponding to the threat type of the threat intelligence sample is 011, then the second and third of the three arrays are target arrays.
Step S23, for each target array, setting the value of the corresponding element in the k element groups in the target array as a second preset value based on the k hash values of the threat intelligence sample.
In the embodiment of the application, since the hash value combination of the threat intelligence sample contains k hash values and each array contains k element groups, the element group corresponding to each hash value is determined from the k element groups of each target array, and the corresponding target element is found within that element group. For example, assume the hash value combination of the threat intelligence sample comprises hash_1, hash_2 and hash_3, and the array comprises 3 element groups, i.e. element group 1, element group 2 and element group 3, each with q elements. Then hash_1 corresponds to element group 1, hash_2 to element group 2 and hash_3 to element group 3, and the numerical value of each hash value is used as an index to select the corresponding element from its element group.
Specifically, the element position hit by the hash value is obtained from the element group, and the element corresponding to the element position is used as the target element corresponding to the hash value. Let hash_1=2, hash_2=3, and hash_3=4. The element at the 2 nd bit in the element group 1 is used as the element corresponding to the hash_1, the element at the 3 rd bit in the element group 2 is used as the element corresponding to the hash_2, and the element at the 4 th bit in the element group 3 is used as the element corresponding to the hash_3. Then, binary codes corresponding to threat types are acquired, the threat information samples are assumed to be 'Trojan' and the binary codes corresponding to the threat types are assumed to be '011', at this time, the element value of the 2 nd element in the element group 1 in the second array is set to be '1', the element value of the 3 rd element in the element group 2 is set to be '1', and the element value of the 4 th element in the element group 3 is set to be '1'. And setting the element value of the 2 nd element in the element group 1 in the third array to "1", setting the element value of the 3 rd element in the element group 2 to "1", and setting the element value of the 4 th element in the element group 3 to "1". Since the binary code is "011", the updated array with the element value of the target element in the first array still maintained at "0" is as follows:
Array 1: [ (0,0,0,0,0), (0,0,0,0,0), (0,0,0,0,0) ].
Array 2: [ (0,1,0,0,0), (0,0,1,0,0), (0,0,0,1,0) ].
Array 3: [ (0,1,0,0,0), (0,0,1,0,0), (0,0,0,1,0) ].
And then sequentially updating the N arrays according to hash value combinations corresponding to threat information data of each threat type in the threat information sample until the N arrays are updated by using the hash value combinations of all threat information in the threat information sample set, so as to obtain final N arrays, and the final N arrays are assumed to be as follows:
Array 1: [ (0,0,0,0,0), (1,0,0,0,0), (0,0,0,0,0) ].
Array 2: [ (1,1,1,0,1), (0,1,0,1,0), (1,1,0,1,0) ].
Array 3: [ (0,1,0,1,0), (1,0,1,0,1), (0,1,0,1,1) ].
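The construction procedure (Steps S21 to S23) and the matching procedure (Steps B1 to B3 and S14) above are two halves of one data structure: N partitioned bit arrays, one per code bit, each holding k element groups of q bits, with one hash value indexing each group. The following is an added example, not code from the patent, that implements both halves end to end; it reproduces the page's own worked examples through `insert_indices` and `match_indices`, which take the hash positions directly. MurmurHash is replaced by two independently salted BLAKE2b values (an assumption made so the example has no third-party dependency), the type codes follow the page's scheme with Trojan = 011, and the sample names are constructed.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple


def _h32(data: bytes, seed: int) -> int:
    """Stand-in for the page's MurmurHash: a 32-bit value from BLAKE2b with a per-seed salt."""
    salt = seed.to_bytes(16, "little")
    return struct.unpack("<I", hashlib.blake2b(data, digest_size=4, salt=salt).digest())[0]


def hash_combination(data: bytes, k: int, q: int) -> List[int]:
    """k hash values in the range 1..q by double hashing: hash_i = hash1 + (i-1)*hash2."""
    hash1, hash2 = _h32(data, 1), _h32(data, 2)
    if hash2 % q == 0:  # a zero step would make all k positions identical
        hash2 += 1
    return [((hash1 + i * hash2) % q) + 1 for i in range(k)]


class TypeCodedFilter:
    """N bit arrays (one per code bit), each made of k element groups holding q bits."""

    def __init__(self, type_codes: Dict[str, str], k: int, q: int) -> None:
        lengths = {len(code) for code in type_codes.values()}
        if len(lengths) != 1:
            raise ValueError("all type codes must have the same length N")
        self.n = lengths.pop()
        self.k, self.q = k, q
        self.type_codes = dict(type_codes)
        self.code_to_type = {code: t for t, code in type_codes.items()}
        if len(self.code_to_type) != len(type_codes) or "0" * self.n in self.code_to_type:
            raise ValueError("type codes must be distinct and non-zero")
        # Step S21: every element of every group of every array starts at 0.
        self.arrays = [[[0] * q for _ in range(k)] for _ in range(self.n)]

    # Construction (Steps S22/S23)
    def insert_indices(self, idx: List[int], code: str) -> None:
        for n, bit in enumerate(code):
            if bit == "1":                      # target arrays: those whose code bit is 1
                for g, pos in enumerate(idx):   # hash_i indexes element group i
                    self.arrays[n][g][pos - 1] = 1

    def insert(self, sample: bytes, threat_type: str) -> None:
        self.insert_indices(hash_combination(sample, self.k, self.q), self.type_codes[threat_type])

    # Matching (Steps B1-B3)
    def match_indices(self, idx: List[int], conservative: bool = False) -> str:
        """One bit per array: 1 if all target elements are 1 (conservative: if any is 1)."""
        bits = []
        for groups in self.arrays:
            values = [groups[g][pos - 1] for g, pos in enumerate(idx)]
            hit = any(values) if conservative else all(values)
            bits.append("1" if hit else "0")
        return "".join(bits)

    def match(self, data: bytes, conservative: bool = False) -> str:
        return self.match_indices(hash_combination(data, self.k, self.q), conservative)

    # Step S14
    def classify(self, data: bytes) -> Tuple[str, Optional[str]]:
        """Return (N-bit code, threat type or None). '000' means no array matched; a
        non-zero code with no registered type can only come from a false-positive
        array hit and should be forwarded to the server rather than trusted."""
        code = self.match(data)
        return code, self.code_to_type.get(code)


# Type codes follow the page's scheme (Trojan = 011); sample names are constructed.
TYPE_CODES = {"Virus": "001", "Worm": "010", "Trojan": "011", "Ransomware": "100"}
SAMPLES = {
    b"malware.example": "Virus",
    b"worm-c2.example": "Worm",
    b"trojan-dropper.example": "Trojan",
    b"locker.example": "Ransomware",
}


def build_demo_filter(k: int = 3, q: int = 4096) -> TypeCodedFilter:
    f = TypeCodedFilter(TYPE_CODES, k, q)
    for sample, threat_type in SAMPLES.items():
        f.insert(sample, threat_type)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for data in list(SAMPLES) + [b"benign.example"]:
        print(data.decode(), "->", f.classify(data))
```

Setting `q = 5` and inserting positions 2, 3, 4 with code 011 reproduces the arrays the page shows after the Trojan sample is added; loading the three arrays from the matching example and querying positions 2, 4, 1 returns 100. The `conservative` flag implements the alternative encoding in which a mixed 1/0 result counts as a hit, so the same query can be compared under both policies.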
It should be noted that, after the server constructs the hash arrays, it deploys them to the client so that the client can complete the detection of threat information locally. In addition, the server can re-optimize the binary codes of the threat types and rebuild the hash arrays accordingly, based on the observed count of each threat type. For example, if one threat type accounts for a large proportion of the samples, recoding can spread that type's set bits over more arrays. The size of the bit arrays and the number of hash functions can also be adjusted to the actual type distribution, further optimizing the grouping strategy of the hash arrays. In this way the performance and accuracy of the hash arrays are improved and they fit the actual distribution of threat intelligence more closely.
In an embodiment of the present disclosure, as shown in fig. 4, after the target threat type corresponding to the target intelligence data has been determined from the position of the target array among the hash arrays, the method further comprises:
Step S31, the target information data and the target threat type are sent to a server, wherein the server is used for verifying the target information data, and if the target information data is not matched with the hash array in the hash array set, a white list updating instruction is sent to the client.
Specifically, the target intelligence data is sent to the server together with the target threat type. The target intelligence data comprises the key information and a description of the target. After receiving it, the server verifies the key information in the target intelligence data: it calculates the target hash value combination corresponding to the target intelligence data and matches that combination against each hash array in the hash array set maintained by the server. If the hash value combination of the target intelligence data does not match any hash array in the set, the target intelligence data does not belong to a threat type and the whitelist needs to be updated. The server then sends a whitelist update instruction to the client, instructing it to perform the corresponding operation, for example updating the content of the whitelist.
Step S32, receiving a white list updating instruction sent by the server.
Specifically, the client needs to ensure that the white list update instruction sent by the server is successfully received.
Step S33, updating the target information data to the white list based on the white list updating instruction.
Specifically, the client needs to parse the instruction sent by the server to understand the updated content and operation. And according to the analyzed instruction content, the client executes corresponding operation to update the white list. For example: including adding targeted intelligence data to a whitelist deployed locally at the client. After the update operation is completed, the client should send a confirmation message to the server to ensure that the whitelist update operation is successfully performed.
The method provided by the embodiment of the disclosure sends the target intelligence data to the server for verification, which ensures the validity and integrity of the data. By matching the hash arrays against the target intelligence data, the server quickly determines whether the data belongs to a known threat type. If the target intelligence data matches no hash array, the server sends a whitelist update instruction to the client, which updates its whitelist in time: data the server has confirmed as non-threatening is not flagged again locally, while genuinely new threats remain subject to detection. Uploading the target intelligence data to the server for verification prevents unverified data from being accepted by the client; only data that has been verified and stored in the whitelist is considered trusted, which improves network security. For this to hold, the client must accept a whitelist update instruction only when it can verify that the instruction originated from the server; otherwise the whitelist becomes a way for an attacker on the network path to suppress detection.
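The exchange described in Steps S31 to S33, as an added example that is not part of the patent: the client reports a local hit together with its threat type, the server re-checks the data against its own hash arrays (abstracted here as a callable, so the filter code is not repeated), issues an instruction, and the client applies it and confirms. The page does not say how the client authenticates the instruction; the example assumes a per-client shared key with an HMAC tag as a stand-in for whatever authenticated channel a deployment uses. The `confirm_threat` reply, the `ack`/`reject` messages and all sample data are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, Set

# Constructed for this example: a per-client key shared with the server so the
# client can check that an update instruction really came from the server.
SHARED_KEY = b"example-key-not-for-production"


def _tag(message: Dict) -> str:
    """HMAC over the canonical JSON form of an instruction (assumed authentication)."""
    body = json.dumps(message, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def server_verify(data: str, reported_type: str,
                  matches_any_array: Callable[[str], bool]) -> Dict:
    """Step S31, server side: re-check the data against the server's own hash
    arrays (passed in as a callable) and issue a tagged instruction."""
    if matches_any_array(data):
        msg = {"op": "confirm_threat", "data": data, "type": reported_type}
    else:
        msg = {"op": "whitelist_add", "data": data}
    return {"msg": msg, "tag": _tag(msg)}


class Client:
    def __init__(self) -> None:
        self.whitelist: Set[str] = set()

    def is_whitelisted(self, data: str) -> bool:
        """Pre-check run before local detection: whitelisted data is not a threat."""
        return data in self.whitelist

    def apply_update(self, envelope: Dict) -> Dict:
        """Steps S32/S33: accept only authentic instructions, apply them, confirm."""
        msg, tag = envelope["msg"], envelope["tag"]
        if not hmac.compare_digest(tag, _tag(msg)):
            return {"op": "reject", "reason": "instruction not authenticated"}
        if msg["op"] == "whitelist_add":
            self.whitelist.add(msg["data"])
            return {"op": "ack", "data": msg["data"], "whitelisted": True}
        return {"op": "ack", "data": msg["data"], "whitelisted": False}


def demo_exchange() -> Dict:
    """A local false positive is cleared by the server, a real hit is confirmed,
    and a forged whitelist instruction is rejected. Sample data are constructed."""
    server_known = {"c2.example"}  # stand-in for the server's hash array set
    check = lambda d: d in server_known
    client = Client()
    cleared = client.apply_update(server_verify("benign.example", "Trojan", check))
    confirmed = client.apply_update(server_verify("c2.example", "Trojan", check))
    forged = {"msg": {"op": "whitelist_add", "data": "c2.example"}, "tag": "00"}
    rejected = client.apply_update(forged)
    return {"cleared": cleared, "confirmed": confirmed, "rejected": rejected,
            "whitelist": sorted(client.whitelist)}


if __name__ == "__main__":
    print(json.dumps(demo_exchange(), indent=2))
```

The forged instruction in `demo_exchange` is the case the authentication check exists for: without it, anyone who can inject a message toward the client could whitelist a real indicator and switch off its local detection.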
In an embodiment of the present disclosure, as shown in fig. 5, after determining the threat type, the method further comprises:
Step S41, acquiring an information processing strategy corresponding to the target threat type.
Specifically, a processing policy corresponding to each threat type may be preconfigured at the client, for example: Virus intelligence processing strategy: for virus threats, update and use the latest antivirus software in time, perform virus scanning and system inspection regularly, and repair and isolate infected files and devices promptly. Trojan intelligence processing strategy: for Trojan threats, strengthen network security protection, use a firewall and an intrusion detection system to periodically check and clean infected computers, and strengthen user education and security awareness.
Worm intelligence processing strategy: for worm threats, latest operating systems and application patches need to be updated and used in time, configuration and management of network security devices are enhanced, and infected devices are periodically checked and cleaned.
And step S42, processing the target information data according to the information processing strategy to obtain processed target information data.
Specifically, for virus data, characteristics and transmission modes of viruses, such as virus codes, infection file types, transmission paths and the like, can be extracted and analyzed. For Trojan data, the behavior and functionality of the Trojan may be analyzed, such as data theft, remote control, etc., and the infected device and affected data determined. For worm data, the propagation path and the infection range of worms can be analyzed, infected devices are identified, and isolation and repair measures are timely taken.
Step S43, detecting the processed target information data and determining the threat level of the processed target information data to the client.
Specifically, threat intelligence detection tools or systems are used to analyze and detect the processed target intelligence data. Such tools may include threat intelligence platforms, Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and the like. The threat level of the detected threat intelligence data is determined from factors such as its characteristics, source and scope of impact. Threat levels include low, medium and high, and finer classification may be performed as appropriate.
And S44, carrying out security processing on the processed target information data according to security measures corresponding to the threat level.
Specifically, according to the determined threat level, corresponding security measures are formulated to deal with the threat brought by the target information data. For example: for low-level threats, detection and warning measures can be taken, network security policies are enhanced, firewall rules are updated, and the like. For medium-level threats, it may be desirable to enhance intrusion detection and emergency response capabilities, repair or upgrade the system. For high-level threats, immediate emergency actions may be required, such as quarantining infected systems, suspending critical services, notifying interested parties, etc. And continuously detecting and evaluating the implementation effect of the safety measures, and timely adjusting and optimizing the safety strategy. Meanwhile, the detected threat information data is fed back to related teams for improving defensive measures and strengthening safety consciousness.
According to the embodiment of the disclosure, different information processing strategies can be formulated in a targeted manner according to the type of the target threat so as to cope with various threats. Thereby ensuring that different types of threats are processed pertinently and improving the processing efficiency and accuracy. And then processing the target information data according to the formulated information processing strategy, and effectively filtering, cleaning or processing the data to enable the data to meet the requirements and the safety standards of the client. The method is beneficial to improving the processing efficiency and reducing the false alarm rate. The threat level of the processed target information data to the client can be estimated more accurately by detecting the processed target information data. Meanwhile, the threat level can be more accurately determined by comprehensively considering the factors such as the processed data content, the source, the characteristics and the like, so that proper security measures are adopted. And finally, according to the security measures corresponding to the threat level, corresponding countermeasures can be adopted in a targeted manner. This includes, but is not limited to, blocking, quarantining, purging malicious code, enforcing authentication, and the like security measures to minimize potential risks and losses.
The embodiment also provides a threat information detection apparatus, which is used to implement the foregoing embodiments and preferred embodiments, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a threat information detection apparatus, as shown in fig. 6, including:
a first acquiring module 61, configured to acquire target information data to be detected;
a second obtaining module 62, configured to obtain a target hash value combination corresponding to the target information data; the target hash value combination comprises k hash values obtained by calculating the target information data based on a preset algorithm, wherein k is a natural number;
A matching module 63, configured to match the target hash value combination with each of N pre-constructed arrays to obtain a matching result; the N arrays are constructed based on hash value combinations of a threat information sample set, each array comprises k element groups, and N is a natural number determined based on the number of threat types in the threat information sample set;
A determining module 64, configured to determine whether the target information data is threat information according to the matching result, and determine a threat type if the target information data is threat information.
In the embodiment of the application, the device further comprises: the setting module is used for acquiring the number t of threat types in the threat information sample set, wherein t is a natural number; setting t different binary codes corresponding to t threat information types one by one, wherein the bit numbers of the t different binary codes are the same and N; the number of arrays is determined as N.
In the embodiment of the application, the device further comprises: a build module, comprising:
an initialization submodule, configured to initialize elements in N arrays to a first preset value, where each of the N arrays includes k element groups, each element group includes q elements, where q is a natural number;
The computing sub-module is used for determining at least one target array from N arrays based on the threat type of the threat information sample for each threat information sample in the threat information sample set, and computing k hash values of the threat information sample based on a preset algorithm;
and the setting submodule is used for setting the value of the corresponding element in the k element groups in each target array to be a second preset value based on the k hash values of the threat information sample.
In the embodiment of the application, the calculation sub-module is used for performing a hash calculation on the threat information sample with a preset hash algorithm to obtain a first hash value and a second hash value; deriving w other hash values from the first hash value and the second hash value, where w is a natural number; and constructing the k hash values of the threat intelligence sample from the first hash value, the second hash value and the w other hash values.
In the embodiment of the present application, the matching module 63 is configured to match k hash values in the target hash value combination with k element groups in each of the N arrays, so as to obtain a target element corresponding to each hash value in the corresponding element group; determining a coding value corresponding to each array according to the element value of the target element in each array; and constructing N-bit binary codes according to the code values corresponding to each of the N arrays, and taking the N-bit binary codes as the matching result.
In the embodiment of the present application, the determining module 64 is configured to obtain a correspondence between a preset N-bit binary code and a preset threat type, and determine, based on the correspondence, whether a preset binary code consistent with the N-bit binary code exists; if the target information data exists, determining that the target information data belongs to threat information, and taking a preset threat type corresponding to the N-bit binary code as the threat type of the target information data.
In the embodiment of the application, the method is executed by the client, and the N pre-constructed arrays are deployed on the client.
In the embodiment of the application, the device further comprises: the verification module is used for acquiring a white list sent by the server; matching the target informative data with a plurality of informative data in the white list; if the information data matched with the target information data exists in the white list, determining that the target information data does not belong to threat information; or if the white list does not have the information data matched with the target information data, detecting the target information data.
In the embodiment of the application, the device further comprises: the updating module is used for sending the target information data and the target threat type to the server, wherein the server is used for verifying the target information data, and if the target information data is not matched with the hash array in the hash array set, a white list updating instruction is sent to the client; receiving a white list updating instruction sent by a server; and updating the target information data to the white list based on the white list updating instruction.
In the embodiment of the application, the device further comprises: the processing module is used for acquiring an information processing strategy corresponding to the target threat type; processing the target information data according to an information processing strategy to obtain processed target information data; detecting the processed target information data, and determining the threat level of the processed target information data to the client; and processing the target information data according to the security measures corresponding to the threat level.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an electronic device according to an alternative embodiment of the present invention. As shown in fig. 7, the electronic device includes one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the electronic device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple electronic devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 7.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform the methods of the above embodiments.
The memory 20 may include a storage program area that may store an operating system and at least one application program required for functions, and a storage data area; the storage data area may store data created through the use of the electronic device, and the like. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, the memory 20 may optionally include memory located remotely from the processor 10, connected to the electronic device via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The memory 20 may include volatile memory, such as random access memory; it may also include non-volatile memory, such as flash memory, a hard disk, or a solid state disk; the memory 20 may also comprise a combination of the above types of memory.
The electronic device also includes a communication interface 30 through which the electronic device communicates with other devices or communication networks.
The embodiments of the present invention also provide a computer readable storage medium. The method according to the embodiments described above may be implemented in hardware or firmware, or as computer code recorded on a storage medium, or as computer code originally stored on a remote storage medium or a non-transitory machine readable storage medium, downloaded through a network and stored in a local storage medium, so that the method described herein can be executed from software stored on such a storage medium by a general purpose computer, a special purpose processor, or programmable or special purpose hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of the kinds of memory described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.
Claims (13)
1. A threat intelligence detection method, the method comprising:
acquiring target information data to be detected;
acquiring a target hash value combination corresponding to the target information data, the target hash value combination comprising k hash values obtained by calculating the target information data based on a preset algorithm, wherein k is a natural number;
matching the target hash value combination with each of N pre-constructed arrays to obtain a matching result, wherein the N arrays are constructed based on hash value combinations of a threat intelligence sample set, each array comprises k element groups, and N is a natural number determined based on the number of threat types in the threat intelligence sample set;
determining, according to the matching result, whether the target information data is threat intelligence, and determining the threat type if the target information data is threat intelligence.
2. The method of claim 1, wherein determining N based on the number of threat types in the threat intelligence sample set comprises:
acquiring the number t of threat types in the threat intelligence sample set, wherein t is a natural number;
setting t different binary codes in one-to-one correspondence with the t threat types, wherein the t binary codes all have the same number of bits, N;
determining the number of arrays as N.
3. The method of claim 1 or 2, wherein constructing the N arrays based on hash value combinations of the threat intelligence sample set comprises:
initializing the elements of the N arrays to a first preset value, wherein each of the N arrays comprises k element groups, each element group comprises q elements, and q is a natural number;
for each threat intelligence sample in the threat intelligence sample set, determining at least one target array from the N arrays based on the threat type of the sample, and calculating k hash values of the sample based on the preset algorithm;
for each target array, setting the corresponding element in each of the k element groups to a second preset value based on the k hash values of the sample.
4. The method of claim 3, wherein calculating the k hash values of the threat intelligence sample based on the preset algorithm comprises:
performing a hash calculation on the threat intelligence sample with a preset hash algorithm to obtain a first hash value and a second hash value;
calculating w further hash values from the first hash value and the second hash value, wherein w is a natural number;
constructing the k hash values of the threat intelligence sample from the first hash value, the second hash value and the w further hash values.
5. The method of claim 2, wherein matching the target hash value combination with each of the N pre-constructed arrays to obtain a matching result comprises:
matching the k hash values of the target hash value combination with the k element groups of each of the N arrays to obtain, for each hash value, the corresponding target element in the corresponding element group;
determining a code value for each array according to the element values of the target elements in that array;
constructing an N-bit binary code from the code values of the N arrays, and taking the N-bit binary code as the matching result.
6. The method of claim 5, wherein determining, according to the matching result, whether the target information data is threat intelligence, and determining the threat type if it is, comprises:
obtaining a preset correspondence between N-bit binary codes and preset threat types;
determining, based on the correspondence, whether a preset binary code consistent with the N-bit binary code exists;
if it exists, determining that the target information data belongs to threat intelligence, and taking the preset threat type corresponding to the N-bit binary code as the threat type of the target information data.
7. The method of any of claims 1 to 6, wherein the method is performed by a client and the N pre-constructed arrays are deployed at the client.
8. The method of claim 7, wherein before acquiring the target hash value combination corresponding to the target information data, the method further comprises:
acquiring a white list sent by a server;
matching the target information data with the information data in the white list;
if the white list contains information data matching the target information data, determining that the target information data does not belong to threat intelligence; otherwise, proceeding to detect the target information data.
9. The method of claim 8, further comprising:
sending the target information data and the target threat type to the server, wherein the server verifies the target information data and, if the target information data does not match any hash array in the hash array set, sends a white list update instruction to the client;
receiving the white list update instruction sent by the server;
adding the target information data to the white list based on the white list update instruction.
10. The method of claim 1, wherein after determining the threat type, the method further comprises:
acquiring an information processing strategy corresponding to the threat type;
processing the target information data according to the information processing strategy to obtain processed target information data;
detecting the processed target information data and determining the threat level it poses to the client;
applying the security measures corresponding to the threat level to the processed target information data.
11. A threat intelligence detection apparatus, the apparatus comprising:
a first acquisition module configured to acquire target information data to be detected;
a second acquisition module configured to acquire a target hash value combination corresponding to the target information data, the target hash value combination comprising k hash values obtained by calculating the target information data based on a preset algorithm, wherein k is a natural number;
a matching module configured to match the target hash value combination with each of N pre-constructed arrays to obtain a matching result, wherein the N arrays are constructed based on hash value combinations of a threat intelligence sample set, each array comprises k element groups, and N is a natural number determined based on the number of threat types in the threat intelligence sample set;
a determining module configured to determine, according to the matching result, whether the target information data is threat intelligence, and to determine the threat type if the target information data is threat intelligence.
12. An electronic device, comprising:
a memory and a processor in communication with each other, the memory having stored therein computer instructions which, upon execution, cause the processor to perform the method of any of claims 1 to 10.
13. A computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1 to 10.
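The array construction of claims 2 to 4, the N-bit match code of claims 5 and 6, and the white list check of claim 8, as an added worked example in Python. This is not code from the patent; the choice of SHA-256 and BLAKE2b as the two base hashes, deriving the other hashes by double hashing, giving the i-th type the code i, and the sample values are all assumptions of the example.

```python
import hashlib

K, Q = 4, 1024   # k hash values per item, q elements per element group


def hash_combination(data: bytes, k: int = K, q: int = Q) -> list[int]:
    """k hash values from two base hashes (claim 4). Deriving the others as
    h_i = h1 + i*h2 mod q (double hashing) is an assumption of this example."""
    h1 = int.from_bytes(hashlib.sha256(data).digest()[:8], "big")
    h2 = int.from_bytes(hashlib.blake2b(data).digest()[:8], "big") | 1
    return [(h1 + i * h2) % q for i in range(k)]


class TypedThreatIndex:
    """N arrays, each of k element groups of q elements (claims 2 and 3)."""

    def __init__(self, threat_types: list[str], k: int = K, q: int = Q):
        t = len(threat_types)
        # Code 0 is reserved for "no array matched", so the t types get
        # codes 1..t and N is the number of bits needed to write t.
        self.n = max(1, t.bit_length())
        self.code_of = {name: i + 1 for i, name in enumerate(threat_types)}
        self.type_of = {c: name for name, c in self.code_of.items()}
        self.k, self.q = k, q
        # first preset value is 0, second preset value is 1
        self.arrays = [[[0] * q for _ in range(k)] for _ in range(self.n)]

    def add_sample(self, sample: bytes, threat_type: str) -> None:
        """Target arrays are those whose bit is set in the type's code."""
        code = self.code_of[threat_type]
        hashes = hash_combination(sample, self.k, self.q)
        for b in range(self.n):
            if code >> b & 1:
                for group, h in zip(self.arrays[b], hashes):
                    group[h] = 1

    def match_code(self, data: bytes) -> int:
        """N-bit binary code built from one match bit per array (claim 5)."""
        hashes = hash_combination(data, self.k, self.q)
        code = 0
        for b in range(self.n):
            if all(group[h] for group, h in zip(self.arrays[b], hashes)):
                code |= 1 << b
        return code

    def detect(self, data: bytes, whitelist=frozenset()):
        """Returns (is_threat, threat_type); the white list is checked first
        (claim 8). Matches are probabilistic: a false positive in one array, or
        a sample inserted under two types whose codes OR to a third type's
        code, can report a wrong type, hence the server re-check of claim 9."""
        if data in whitelist:
            return False, None
        code = self.match_code(data)
        return (True, self.type_of[code]) if code in self.type_of else (False, None)
```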
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410740880.XA CN118677661A (en) | 2024-06-07 | 2024-06-07 | Threat information detection method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118677661A true CN118677661A (en) | 2024-09-20 |
Family ID: 92725820
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118677661A (en) |
- 2024-06-07 CN CN202410740880.XA patent/CN118677661A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||