
CN-122001684-A - Security threat detection and analysis method, device, equipment and medium


Abstract

The invention discloses a security threat detection and analysis method, a device, equipment and a medium, wherein the method comprises the steps of receiving alarm data from a plurality of security data sources, and respectively carrying out multi-source association analysis and abnormal behavior detection on the alarm data to generate an association analysis result; the method comprises the steps of carrying out machine attack link analysis based on the association analysis result to generate an attack link analysis result, carrying out user behavior time sequence analysis based on the alarm data to generate a behavior time sequence analysis result, carrying out intelligent comprehensive analysis based on the association analysis result, the attack link analysis result and the behavior time sequence analysis result to generate an intelligent analysis result, and generating and outputting a security threat report based on the intelligent analysis result. The invention improves the accuracy of security threat detection and analysis.

Inventors

  • YAN HAN

Assignees

  • 深圳市和讯华谷信息技术有限公司

Dates

Publication Date
2026-05-08
Application Date
2026-04-08

Claims (10)

  1. A security threat detection and analysis method, comprising: receiving alarm data from a plurality of security data sources, and respectively carrying out multi-source association analysis and abnormal behavior detection on the alarm data to generate an association analysis result; performing machine attack link analysis based on the association analysis result to generate an attack link analysis result; performing user behavior time sequence analysis based on the alarm data to generate a behavior time sequence analysis result; performing intelligent comprehensive analysis based on the association analysis result, the attack link analysis result and the behavior time sequence analysis result to generate an intelligent analysis result; and generating and outputting a security threat report based on the intelligent analysis result.
  2. The method of claim 1, wherein the step of respectively performing multi-source association analysis and abnormal behavior detection on the alarm data to generate the association analysis result comprises: carrying out multi-source association analysis on the alarm data to identify the association of the alarm data in time, space and logical cause and effect, so as to obtain an initial association analysis result; in parallel, detecting abnormal behaviors in the alarm data to identify a preset abnormal behavior pattern; and generating the association analysis result from the initial association analysis result and the abnormal behavior pattern.
  3. The method of claim 2, wherein the initial association analysis result includes a time association analysis result, a space association analysis result and a causal association analysis result, and wherein the step of carrying out multi-source association analysis on the alarm data to identify its association in time, space and logical cause and effect, so as to obtain the initial association analysis result, comprises: performing time association analysis on the alarm data within a preset sliding time window to detect alarm aggregation and generate the time association analysis result; performing space association analysis on the alarm data belonging to the same target asset to form a space association cluster and generate the space association analysis result; based on a predefined causal relation pattern library, performing causal relation analysis on the time-ordered alarm data to identify logical causal relations along an attack logic chain and generate the causal association analysis result; and taking the time association analysis result, the space association analysis result and the causal association analysis result as the initial association analysis result.
  4. The method of claim 1, wherein the step of performing machine attack link analysis based on the association analysis result to generate the attack link analysis result comprises: mapping each alarm type in the association analysis result to an attack stage of a preset attack framework; calculating a risk score for the target machine according to the number and the type of the attack stages reached; and reconstructing a timeline of the attack event according to the risk score and the time association and causal association information in the association analysis result, thereby generating an attack link analysis result that comprises a multi-stage attack link.
  5. The method of claim 1, wherein the step of performing user behavior time sequence analysis based on the alarm data to generate the behavior time sequence analysis result comprises: analyzing the sequence of login and operation events of a user based on the alarm data so as to identify a plurality of preset suspicious behavior patterns; calculating a suspicious score for the corresponding user based on the number of suspicious behavior patterns identified and their preset severity levels; and generating, from the suspicious scores of the user behaviors, the behavior time sequence analysis result comprising a user risk ranking and key anomaly findings.
  6. The method of claim 1, wherein the step of performing intelligent comprehensive analysis based on the association analysis result, the attack link analysis result and the behavior time sequence analysis result to generate the intelligent analysis result comprises: integrating the association analysis result, the attack link analysis result and the behavior time sequence analysis result to generate a comprehensive analysis summary text containing multidimensional threat information; formatting the comprehensive analysis summary text to generate structured prompt information; processing the structured prompt information to obtain an initial evaluation result containing a natural language description and structured data; and parsing the initial evaluation result, extracting key threats, attack vectors, risk levels and handling suggestions from it, and generating the intelligent analysis result in a uniform format.
  7. The method of any of claims 1-6, wherein the step of generating and outputting the security threat report based on the intelligent analysis result comprises: formatting the intelligent analysis result according to a preset format to generate the security threat report; and wherein, after the step of generating and outputting the security threat report based on the intelligent analysis result, the method further comprises: transmitting the security threat report to a designated receiving terminal according to a preset strategy; and archiving and managing the security threat report.
  8. A security threat detection and analysis apparatus, comprising: an analysis detection unit for receiving alarm data from a plurality of security data sources and respectively carrying out multi-source association analysis and abnormal behavior detection on the alarm data to generate an association analysis result; a first analysis unit for carrying out machine attack link analysis based on the association analysis result and generating an attack link analysis result; a second analysis unit for carrying out user behavior time sequence analysis based on the alarm data and generating a behavior time sequence analysis result; a third analysis unit for performing intelligent comprehensive analysis based on the association analysis result, the attack link analysis result and the behavior time sequence analysis result to generate an intelligent analysis result; and a generating unit for generating and outputting a security threat report based on the intelligent analysis result.
  9. A security threat detection and analysis apparatus comprising a memory having a computer program stored thereon and a processor which, when executing the computer program, implements the method of any of claims 1-7.
  10. A computer readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the method of any of claims 1-7.
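The association analysis of claim 3 and the attack link analysis of claim 4, worked through on constructed alarm data as an added example (this is not the patent's code; the stage table, stage weights, the causal pattern library and the additive risk formula are assumptions, since the patent names no particular attack framework or scoring rule):

```python
from collections import defaultdict, namedtuple

# ts: seconds since a constructed epoch; source: emitting sensor; asset: target machine; kind: alert type
Alert = namedtuple("Alert", "ts source asset kind")

# Hypothetical alert-type -> (attack stage, weight) table; the patent does not fix the attack frame.
STAGE = {"port_scan": ("recon", 1), "exploit_attempt": ("initial_access", 3),
         "priv_esc": ("privilege_escalation", 4), "lateral_smb": ("lateral_movement", 4),
         "large_upload": ("exfiltration", 5)}
# Constructed causal pattern library: ordered alert kinds forming one link of an attack chain.
CAUSAL_PATTERNS = [("port_scan", "exploit_attempt", "priv_esc"),
                   ("priv_esc", "lateral_smb"), ("lateral_smb", "large_upload")]

def spatial_clusters(alerts):  # spatial association: group alerts from any source by target asset
    by_asset = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        by_asset[a.asset].append(a)
    return dict(by_asset)

def burst_windows(seq, window, threshold):  # time association: sliding window over one asset
    hits, lo = set(), 0
    for hi in range(len(seq)):
        while seq[hi].ts - seq[lo].ts > window:  # slide the left edge until the window fits
            lo += 1
        if hi - lo + 1 >= threshold:  # aggregation: enough alerts inside one window
            hits.add(seq[lo].ts)
    return sorted(hits)

def causal_chains(seq):  # causal association: library patterns found as ordered subsequences
    kinds, found = [a.kind for a in seq], []
    for pat in CAUSAL_PATTERNS:
        it = iter(kinds)  # `k in it` consumes up to k, so pattern order is enforced
        if all(k in it for k in pat):
            found.append(pat)
    return found

def machine_risk(seq):  # assumed claim-4 scoring: distinct stages reached plus their summed weights
    stages = {STAGE[a.kind] for a in seq if a.kind in STAGE}
    return len(stages) + sum(w for _, w in stages)

def attack_link(alerts, window=600, threshold=3):  # per-asset timeline, chains, bursts and score
    return {asset: {"timeline": [(a.ts, STAGE[a.kind][0]) for a in seq if a.kind in STAGE],
                    "chains": causal_chains(seq), "bursts": burst_windows(seq, window, threshold),
                    "risk": machine_risk(seq)}
            for asset, seq in spatial_clusters(alerts).items()}

# Constructed sample alerts from three sensors; ws-17 only saw a scan.
SAMPLE = [Alert(0, "ids", "srv-db-01", "port_scan"), Alert(60, "ids", "srv-db-01", "exploit_attempt"),
          Alert(300, "edr", "srv-db-01", "priv_esc"), Alert(400, "edr", "srv-db-01", "lateral_smb"),
          Alert(900, "dlp", "srv-db-01", "large_upload"), Alert(120, "ids", "ws-17", "port_scan")]
```

`attack_link(SAMPLE)` ranks srv-db-01 far above ws-17 because all three causal links and five stages are present there, while a lone scan yields no chain and a minimal score.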

Description

Security threat detection and analysis method, device, equipment and medium

Technical Field

The embodiments of the invention relate to the technical field of security threat detection and analysis equipment, and in particular to a security threat detection and analysis method, device, equipment and medium.

Background

With the rapid development of information technology, network security threats are becoming increasingly complex and covert. When facing complex attacks such as advanced persistent threats, traditional network security monitoring and analysis methods generally depend on a single alarm source or on simple rule matching, so that a large amount of alarm information exists in isolation, the complete attack link cannot be identified, complex time sequence attack behaviors cannot be detected, and both high false alarm rates and serious missed alarms result. In addition, existing methods rely to a great extent on the personal experience of security operators for analysis and judgment, so risk assessment results are highly subjective and poorly consistent. Faced with massive volumes of alarm data, security operators must invest a great deal of time in manual screening, connecting clues and writing reports; the overall response is slow, and key threats are easily missed under sustained high pressure. In general, most existing security tools remain at the stage of passively displaying alarm information, their degree of intelligence is insufficient, and they struggle to cope with current automated, large-scale network attacks. Therefore, the accuracy of existing security threat detection and analysis remains to be improved.

Disclosure of Invention

The embodiments of the invention provide a method, a device, equipment and a medium for detecting and analyzing security threats, aimed at solving the problem of low accuracy in existing security threat detection and analysis.

In a first aspect, an embodiment of the present invention provides a security threat detection and analysis method, including: receiving alarm data from a plurality of security data sources, and respectively carrying out multi-source association analysis and abnormal behavior detection on the alarm data to generate an association analysis result; performing machine attack link analysis based on the association analysis result to generate an attack link analysis result; performing user behavior time sequence analysis based on the alarm data to generate a behavior time sequence analysis result; performing intelligent comprehensive analysis based on the association analysis result, the attack link analysis result and the behavior time sequence analysis result to generate an intelligent analysis result; and generating and outputting a security threat report based on the intelligent analysis result.

In a second aspect, an embodiment of the present invention further provides a security threat detection and analysis apparatus, including: an analysis detection unit for receiving alarm data from a plurality of security data sources and respectively carrying out multi-source association analysis and abnormal behavior detection on the alarm data to generate an association analysis result; a first analysis unit for carrying out machine attack link analysis based on the association analysis result and generating an attack link analysis result; a second analysis unit for carrying out user behavior time sequence analysis based on the alarm data and generating a behavior time sequence analysis result; a third analysis unit for performing intelligent comprehensive analysis based on the association analysis result, the attack link analysis result and the behavior time sequence analysis result to generate an intelligent analysis result; and a generating unit for generating and outputting a security threat report based on the intelligent analysis result.

In a third aspect, an embodiment of the present invention further provides security threat detection and analysis equipment, including a memory and a processor, where the memory stores a computer program and the processor implements the above method when executing the computer program.

In a fourth aspect, embodiments of the present invention also provide a computer readable storage medium storing a computer program which, when executed by a processor, implements the above method.

The embodiments of the invention provide a security threat detection and analysis method, a security threat detection and analysis device, security threat detection and analysis equipment and a security threat detection and analysis medium. The method comprises the steps of receiving alarm data from a plurality of security data sources, carrying out multi-source association analysis and abnormal behavior detection on the alarm data respectively to generate an association analysis result, carrying out machine attack link analysis based on the associa