
CN-121530757-B - Network security operation method, device, equipment and storage medium


Abstract

The disclosure relates to the technical field of computers, and in particular to a network security operation method, device, equipment and storage medium, intended to provide a network security operation scheme that balances efficiency and precision and adapts to the current, dynamically evolving network threat environment. The method comprises: acquiring operation data to be processed, wherein the operation data is obtained by preprocessing network traffic data and log data; processing the operation data with a lightweight model to generate initial alert data; based on the initial alert data, performing alert authenticity discrimination and threat level determination through a heavy model and outputting confirmed threat event information, wherein the threat event information indicates the alert data and threat level corresponding to the threat events confirmed by the heavy model; based on the threat event information, performing risk disposition, acquiring affected asset information, matching a traceability forensic tool and generating a standardized forensic report; and performing vulnerability repair based on the standardized forensic report.

Inventors

  • ZOU CHUJIAN
  • WANG TAO
  • WU DONGSHENG
  • SUN YUHANG
  • ZHANG LIN
  • Pan Lerong

Assignees

  • 杭州迪普科技股份有限公司

Dates

Publication Date: 2026-05-08
Application Date: 2026-01-14

Claims (12)

  1. A network security operation method, characterized by comprising the following steps: acquiring operation data to be processed, wherein the operation data is obtained by preprocessing network traffic data and log data; processing the operation data with a lightweight model to generate initial alert data; based on the initial alert data, performing alert authenticity discrimination and threat level determination through a heavy model, and outputting confirmed threat event information, wherein the threat event information indicates the alert data and threat level corresponding to a threat event confirmed by the heavy model; based on the threat event information, performing risk disposition, acquiring affected asset information, matching a traceability forensic tool, and generating a standardized forensic report; and performing vulnerability repair based on the standardized forensic report; wherein acquiring the affected asset information, matching the traceability forensic tool and generating the standardized forensic report comprises: acquiring the IP address, operating system, deployment location and owning business line information of the affected asset based on the threat event information; based on the IP address, operating system, deployment location and owning business line information of the affected asset and the threat characteristics corresponding to the alert data in the threat event information, matching a memory forensic tool and/or a file integrity monitoring tool and issuing the memory forensic tool and/or the file integrity monitoring tool to the affected asset to generate forensic data; and based on the forensic data, performing clue association and attack path restoration through the heavy model to generate the standardized forensic report; wherein performing vulnerability repair comprises: extracting a Common Vulnerabilities and Exposures (CVE) number and a repair suggestion for the vulnerability information in the standardized forensic report, generating a vulnerability repair task based on the CVE number and the repair suggestion, and issuing the vulnerability repair task to perform the vulnerability repair operation; and wherein generating the standardized forensic report by performing clue association and attack path restoration through the heavy model comprises: extracting process information, network connection information, file modification records and registry modification records from the forensic data to generate a forensic element set; based on the forensic element set, analyzing the attacker's lateral movement path and privilege escalation process through the heavy model to generate an attack timeline; and integrating attack entry point, damage scope and residual trace information based on the attack timeline to generate the standardized forensic report.
  2. The method of claim 1, wherein acquiring the operation data to be processed comprises: collecting Transmission Control Protocol (TCP) traffic, User Datagram Protocol (UDP) traffic and Hypertext Transfer Protocol (HTTP) session data through a full-traffic probe to generate network-layer raw data, and collecting system logs, application logs and device alert logs through a log collection probe to generate host-layer raw data; and performing data format standardization and field mapping on the network-layer raw data and the host-layer raw data to obtain the preprocessed operation data.
  3. The method of claim 1, wherein processing the operation data with the lightweight model to generate the initial alert data comprises: extracting threat features from the operation data and performing incremental learning to generate threat classification results and variant identification results; performing false alert filtering and duplicate alert rejection based on the threat classification results and the variant identification results to generate preliminarily denoised alert data; and performing multi-source log correlation analysis based on the preliminarily denoised alert data to obtain the initial alert data.
  4. The method of claim 3, wherein extracting threat features from the operation data and performing incremental learning to generate the threat classification results and the variant identification results comprises: extracting attack payload features, traffic statistics features and time-series behaviour features from the operation data to generate a high-dimensional feature vector; inputting the high-dimensional feature vector into a pre-trained lightweight model to determine a known threat classification result and samples to be confirmed; and acquiring the variant identification result corresponding to the samples to be confirmed, and updating the lightweight model parameters through incremental learning based on the variant identification result corresponding to the samples to be confirmed.
  5. The method of claim 3, wherein performing multi-source log correlation analysis based on the preliminarily denoised alert data to obtain the initial alert data comprises: extracting the source IP address, destination IP address and time window information related to the alert from the preliminarily denoised alert data to generate an associated query condition; retrieving related log records from the network-layer raw data and the host-layer raw data based on the associated query condition to generate an associated log set; and analyzing the behaviour sequence before and after the alert based on the associated log set, and eliminating isolated alerts to obtain the initial alert data.
  6. The method of claim 1, wherein performing alert authenticity discrimination and threat level determination through the heavy model and outputting the confirmed threat event information comprises performing the following by the heavy model: generating alert semantic features by analyzing alert context information based on the alert data; judging attack chain completeness, asset importance and the degree of match with stored historical attack patterns based on the alert semantic features and the stored historical attack patterns, and generating an alert authenticity assessment result; and removing redundant information, determining the threat level and outputting the threat event information based on the alert authenticity assessment result.
  7. The method of claim 6, wherein the heavy model, when performing alert authenticity discrimination and threat level determination, employs a progressive call mechanism with successive analysis, comprising: executing a first heavy model call based on the alert data, and outputting a list of information to be supplemented; supplementing the corresponding information from an asset database, a threat intelligence database and a historical event database based on the list of information to be supplemented, and executing a second heavy model call to generate a preliminary analysis result and suspicious point information; and iteratively executing information supplementation and heavy model calls based on the suspicious point information until an iteration termination condition is met, at which point the threat event information is output.
  8. The method of claim 1, wherein performing risk disposition comprises invoking a response tool to perform firewall policy adjustment, endpoint isolation or malicious file removal based on the threat event information, and generating a disposition execution result.
  9. The method of claim 8, further comprising: generating proof-of-concept (POC) verification code through the heavy model based on the repair scheme of the completed vulnerability repair task; invoking a penetration testing tool to simulate the attack scenario based on the POC code, and generating a test execution result; and determining the repair effect based on the test execution result, and returning to re-execute the vulnerability repair operation when the repair effect indicates that residual risk exists.
  10. A network security operation device, characterized by comprising: a data acquisition module, configured to acquire operation data to be processed, wherein the operation data is obtained by preprocessing network traffic data and log data; a lightweight model operation module, configured to process the operation data with a lightweight model and generate initial alert data; a heavy model operation module, configured to perform alert authenticity discrimination and threat level determination through a heavy model based on the initial alert data and output confirmed threat event information, wherein the threat event information indicates the alert data and threat level corresponding to the threat event confirmed by the heavy model; a report generation module, configured to perform risk disposition based on the threat event information, acquire the affected asset information, match a traceability forensic tool and generate a standardized forensic report, wherein the report generation module acquires the IP address, operating system, deployment location and owning business line information of the affected asset based on the threat event information, matches a memory forensic tool and/or a file integrity monitoring tool based on that information and the threat characteristics corresponding to the alert data in the threat event information, issues the matched tool to the affected asset to generate forensic data, performs clue association and attack path restoration through the heavy model based on the forensic data to generate the standardized forensic report, and, when generating the standardized forensic report through clue association and attack path restoration by the heavy model, extracts process information, network connection information, file modification records and registry modification records from the forensic data to generate a forensic element set; and a vulnerability repair module, configured to, when performing vulnerability repair, acquire a Common Vulnerabilities and Exposures (CVE) number and a repair suggestion for the vulnerability information in the standardized forensic report, generate a vulnerability repair task based on the CVE number and the repair suggestion, and issue the vulnerability repair task to perform the vulnerability repair operation.
  11. An electronic device, comprising a processor and a memory storing machine-readable instructions executable by the processor, wherein the processor is configured to execute the machine-readable instructions stored in the memory, and the machine-readable instructions, when executed by the processor, cause the processor to perform the steps of the network security operation method of any of claims 1 to 9.
  12. A computer-readable storage medium having instructions stored thereon, wherein the instructions, when executed by a processor, perform the network security operation method of any of claims 1 to 9.
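
As an added illustration of the multi-source log correlation in claims 3 and 5, the following Python example (written for this page, not code from the patent or its assignee) carries each preliminarily denoised alert through the three claimed steps and drops the isolated one; the record field names, the five-minute window and the sample records are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample input (not from the patent): preliminarily denoised alerts
# plus raw network-layer and host-layer records, all with ISO-8601 timestamps.
ALERTS = [
    {"id": "A1", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20",
     "ts": "2026-01-14T10:00:00", "sig": "webshell-upload"},
    {"id": "A2", "src_ip": "10.0.0.9", "dst_ip": "10.0.1.30",
     "ts": "2026-01-14T11:30:00", "sig": "port-scan"},
]
NETWORK_LOGS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "ts": "2026-01-14T09:58:30",
     "event": "HTTP POST /upload.php"},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "ts": "2026-01-14T10:00:40",
     "event": "HTTP GET /uploads/x.php"},
]
HOST_LOGS = [
    {"host_ip": "10.0.1.20", "ts": "2026-01-14T10:01:05",
     "event": "process www-data spawned /bin/sh"},
    {"host_ip": "10.0.1.30", "ts": "2026-01-14T15:00:00",
     "event": "cron job run"},  # hours after A2, outside its window
]

def build_query(alert, window_minutes=5):
    """Step 1: the associated query condition (both endpoint IPs + time window)."""
    centre = datetime.fromisoformat(alert["ts"])
    width = timedelta(minutes=window_minutes)
    return {"ips": {alert["src_ip"], alert["dst_ip"]},
            "start": centre - width, "end": centre + width}

def retrieve_logs(query, network_logs, host_logs):
    """Step 2: the associated log set drawn from both layers, time-ordered."""
    def in_window(rec):
        return query["start"] <= datetime.fromisoformat(rec["ts"]) <= query["end"]
    assoc = [("network", r) for r in network_logs
             if {r["src_ip"], r["dst_ip"]} <= query["ips"] and in_window(r)]
    assoc += [("host", r) for r in host_logs
              if r["host_ip"] in query["ips"] and in_window(r)]
    return sorted(assoc, key=lambda item: item[1]["ts"])

def correlate(alerts, network_logs, host_logs, window_minutes=5):
    """Step 3: split each alert's behaviour sequence into before/after and drop
    isolated alerts (no corroborating record in either layer)."""
    initial = []
    for alert in alerts:
        query = build_query(alert, window_minutes)
        assoc = retrieve_logs(query, network_logs, host_logs)
        if not assoc:
            continue  # isolated alert: nothing in the window supports it
        centre = datetime.fromisoformat(alert["ts"])
        before = [r for _, r in assoc if datetime.fromisoformat(r["ts"]) < centre]
        after = [r for _, r in assoc if datetime.fromisoformat(r["ts"]) >= centre]
        initial.append({**alert, "before": before, "after": after})
    return initial
```

On the sample data only A1 survives, with the upload request before it and the follow-up request and shell spawn after it, which is the before/after behaviour sequence the heavy model receives in the next stage.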

Description

Network security operation method, device, equipment and storage medium

Technical Field

The disclosure relates to the field of computer technology, and in particular to a network security operation method, device, equipment and storage medium.

Background

With the advance of digitalization, the network security environment has become more complex: attack techniques are diverse and dynamic, and the generation cycle of new attack variants has shortened to the order of hours, placing very high demands on the real-time performance, accuracy and automation of security operations. The traditional security operation model depends heavily on manual work, and although existing network security operation schemes in the industry also adopt model-based threat detection systems, they suffer from high alert volumes and high false alert rates, so efficiency and precision are hard to reconcile. The existing network security operation schemes therefore cannot adapt to the current, dynamically evolving network threat environment, and a network security operation scheme that systematically solves the above problems is needed.

Disclosure of Invention

In view of this, the present disclosure provides a network security operation method, device, apparatus and storage medium, which are used to provide a network security operation scheme that balances efficiency and precision.

A first aspect provides a network security operation method comprising: acquiring operation data to be processed, wherein the operation data is obtained by preprocessing network traffic data and log data; processing the operation data with a lightweight model to generate initial alert data; based on the initial alert data, performing alert authenticity discrimination and threat level determination through a heavy model and outputting confirmed threat event information, which indicates the alert data and threat level corresponding to the threat event confirmed by the heavy model; based on the threat event information, performing risk disposition, acquiring affected asset information and matching a traceability forensic tool to generate a standardized forensic report; and performing vulnerability repair based on the standardized forensic report.

In one embodiment, acquiring the operation data to be processed comprises: collecting Transmission Control Protocol (TCP) traffic, User Datagram Protocol (UDP) traffic and Hypertext Transfer Protocol (HTTP) session data through a full-traffic probe to generate network-layer raw data; collecting system logs, application logs and device alert logs through a log collection probe to generate host-layer raw data; and performing data format standardization and field mapping on the network-layer raw data and the host-layer raw data to obtain the preprocessed operation data.

In one embodiment, processing the operation data with the lightweight model to generate the initial alert data comprises: extracting threat features from the operation data and performing incremental learning to generate threat classification results and variant identification results; performing false alert filtering and duplicate alert rejection based on the threat classification results and the variant identification results to generate preliminarily denoised alert data; and performing multi-source log correlation analysis based on the preliminarily denoised alert data to obtain the initial alert data.

In one embodiment, extracting threat features from the operation data and performing incremental learning to generate the threat classification results and the variant identification results comprises: extracting attack payload features, traffic statistics features and time-series behaviour features from the operation data to generate high-dimensional feature vectors; inputting the high-dimensional feature vectors into a pre-trained lightweight model to determine known threat classification results and samples to be confirmed; and obtaining the variant identification results corresponding to the samples to be confirmed, and updating the lightweight model parameters through incremental learning based on those variant identification results.

In one embodiment, performing multi-source log correlation analysis based on the preliminarily denoised alert data to obtain the initial alert data comprises: extracting the source IP address, destination IP address and time window information related to an alert from the preliminarily denoised alert data to generate associated query conditions; retrieving related log records from the network-layer raw data and the host-layer raw data based on the associated query conditions to generate an associated log set; and analyzing the behaviour sequence before and after the alert based on the ass