
CN-122027329-A - Depth threat perception system based on network security


Abstract

The invention discloses a deep threat perception system based on network security, applied to a security operation platform system. The system comprises a threat perception module, a correlation analysis module, an emergency disposal module, and a response atomic operation and response object intelligent recommendation module. The threat perception module performs threat detection on the capabilities of the terminal side, the network side and the platform side respectively. The correlation analysis module, built on a CEP (complex event processing) engine combined with a plurality of correlation rule templates, implements complex CEP semantics, performs timeline correlation and causal inference over the data collected on the terminal side and the network side together with cloud factors, and generates platform-side correlation events. The emergency disposal module configures response atomic operations and intelligent recommendation of response objects, divides the response objects into roles, and recommends different disposal modes for different roles. The scheme delivers a complete security closed loop across a variety of security scenarios, improves security operation efficiency, lowers the skill threshold for operators, and provides all-round network security protection for enterprises and individuals within the security operation system.

Inventors

  • GAO DALEI
  • ZHANG ZHAO
  • HAN HUI
  • ZHANG MINTAO
  • XING SHENGCHAO
  • Lai Zhide

Assignees

  • 唐山市盾石信息技术有限公司

Dates

Publication Date
20260512
Application Date
20260318

Claims (9)

  1. A deep threat perception system based on network security, applied to a security operation platform system, comprising: a threat perception module, which performs threat detection on the capabilities of the terminal side, the network side and the platform side; an association analysis module, which implements complex CEP semantics by combining a plurality of association rule templates on a CEP (complex event processing) engine, performs timeline association and causal inference on the data collected on the terminal side and the network side together with cloud factors, and generates platform-side association events; and an emergency disposal module, which configures response atomic operations and intelligent recommendation of response objects, divides the response objects into roles, and recommends different disposal modes for different roles.
  2. The deep threat awareness system of claim 1, wherein threat detection of terminal-side capabilities in the threat perception module comprises: collecting terminal, user, file, process and behaviour data on the terminal side, layering the collected data locally, aggregating the valid data and uploading it to the system, and performing context association analysis in combination with the user's real environment; and performing behaviour detection based on a multi-event complex association rule matching algorithm, in which IOA (indicator of attack) generalised behaviour rules improve the detection capability for known and unknown advanced threat attacks, fill the gap in the field of complex behaviour association detection, and build a behaviour detection defence hierarchy.
  3. The network security based deep threat awareness system of claim 2, wherein the behaviour detection defence hierarchy employs a three-level, funnel-shaped detection mechanism, in turn: the first level is single-terminal event detection, which detects obvious attack behaviour on a single terminal and outputs the analysis; the second level is multi-alarm association detection, which performs deep detection over a large volume of associated data and suppresses false alarms; and the third level is cross-terminal multi-source detection, which reproduces attack scenarios from the mutual correlation of multi-terminal and multi-source data.
  4. The network security based deep threat awareness system of claim 2, wherein the multi-event complex association rule matching algorithm comprises: a reasoning algorithm, comprising a logic reasoning algorithm, a Bayesian reasoning algorithm, a neural network reasoning algorithm and a genetic algorithm, wherein the logic reasoning algorithm infers possible attack paths from logic rules and a knowledge base and verifies and corrects those attack paths; and a machine learning algorithm, which is trained on known attack chains and predicts and completes unknown attack chains.
  5. The network security based deep threat awareness system of claim 4, wherein the machine learning algorithm comprises: attack intention restoration based on a high-level scenario graph, which introduces the high-level scenario graph to understand the attacker's target intention and generates a high-level attack graph describing the attacker's behaviour; attack process restoration based on a threat graph, in which detection is performed on the original associated data under a unified data model and the threat graph is used for unified normalisation; and threat research and judgement visualisation, which, based on alarm statistics, time sequence, semantics, intelligence and associated-dimension context, combined with successfully detected attacks, accurately judges whether a compromise has occurred and displays the attacks on a page.
  6. The network security based deep threat awareness system of claim 1, wherein threat detection of network-side capabilities in the threat perception module comprises: based on traffic collection and log collection, setting four rules for preliminary analysis, performing data tagging and feature detection, and matching against an AI basic threat detection model to locate scenario threats; detecting complex combined threat attack techniques based on the whole session flow, performing complete backtracking association of request echo, feature anomaly association, abnormal behaviour exploitation and multi-stage attack exploitation behaviour in the traffic, and locating abnormal risks; and performing optimised detection using those features based on an optimisation algorithm model.
  7. The deep threat awareness system of claim 1, wherein threat detection of platform-side capabilities in the threat perception module comprises: performing storyline association of terminal, network and cloud telemetry data to construct a complete, high-quality scenario data chain; based on cloud capability enablement, delivering the cloud's threat intelligence and expert capability to the user's network and terminals; and configuring the capability of security event retracing and custom rules, so that when coping with APT attacks the attack's sphere of influence is analysed over a larger timeline dimension, and users can write custom detection rules according to their own business characteristics.
  8. The deep threat awareness system of claim 1, wherein the association analysis module generates association events comprising: performing strong association analysis on strong signals uploaded by the components, and providing visualisation, high visibility and disposal response suggestions; when the signal uploaded by a component is weak or not strong, improving detection precision through multi-factor association, with the network and terminal data mutually verified; and performing unified integration of the plurality of weak signals uploaded by the components.
  9. The network security based deep threat awareness system of claim 8, wherein the strong association comprises: command execution association, in which a command execution association engine, on detecting a suspicious command executed through a web service, associates that command with a command injection traffic request in the network traffic; file association, in which, when the terminal side detects an alarm related to a suspicious file, the network side is matched for an attack involving the same file name and, if found, the two are associated; external connection association, in which, when the network side detects an alarm related to an external connection, the IP or domain name of that connection is matched against terminal-side alarms and they are associated; attack type association, performed when the network side and the terminal side detect alarms belonging to the same type; and logic association, which associates the understanding of the attack and defence scenario stage through the causal relationship and attack stage relationship generated between the network and the terminal.
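The strong associations of claim 9 as a small platform-side correlation pass, written here as an added example and not the patent's or the assignee's code: terminal-side and network-side alerts are joined by host, file name, IP/domain or attack type inside a time window. The Alert schema, the rule predicates, the ten-minute window and the sample alerts are all assumptions, and the causal "logic association" by attack stage is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Alert:
    side: str   # "terminal" or "network" (assumed schema, not the patent's)
    kind: str   # detector category, e.g. "suspicious_command", "command_injection"
    host: str   # terminal hostname or target host the alert concerns
    ts: datetime
    attrs: dict = field(default_factory=dict)  # file, ip, domain, attack_type, via ...

WINDOW = timedelta(minutes=10)  # assumed correlation window; the patent states none

# (name, terminal-side predicate, network-side predicate, join condition): one entry per
# strong association in claim 9; the causal/attack-stage "logic association" is omitted.
RULES = [
    ("command_execution", lambda t: t.kind == "suspicious_command" and t.attrs.get("via") == "web",
     lambda n: n.kind == "command_injection", lambda t, n: t.host == n.host),
    ("same_file", lambda t: t.kind == "suspicious_file", lambda n: "file" in n.attrs,
     lambda t, n: t.attrs.get("file") == n.attrs["file"]),
    ("external_connection", lambda t: "ip" in t.attrs or "domain" in t.attrs,
     lambda n: n.kind == "external_connection",
     lambda t, n: any(k in n.attrs and n.attrs[k] == t.attrs.get(k) for k in ("ip", "domain"))),
    ("same_attack_type", lambda t: "attack_type" in t.attrs, lambda n: "attack_type" in n.attrs,
     lambda t, n: t.attrs["attack_type"] == n.attrs["attack_type"]),
]

def correlate(alerts):
    """Join terminal-side and network-side alerts into platform-side association events."""
    terms = [a for a in alerts if a.side == "terminal"]
    nets = [a for a in alerts if a.side == "network"]
    events = []
    for name, term_ok, net_ok, join in RULES:
        for t in filter(term_ok, terms):
            for n in filter(net_ok, nets):
                if join(t, n) and abs(t.ts - n.ts) <= WINDOW:
                    events.append({"rule": name, "host": t.host, "terminal": t.kind, "network": n.kind})
    return events

# Constructed sample alerts (not real telemetry); the last one lies outside the window.
T0 = datetime(2026, 1, 1, 9, 0)
SAMPLE = [
    Alert("network", "command_injection", "web01", T0, {"attack_type": "rce"}),
    Alert("terminal", "suspicious_command", "web01", T0 + timedelta(minutes=2), {"via": "web", "attack_type": "rce"}),
    Alert("network", "file_transfer", "pc07", T0 + timedelta(minutes=3), {"file": "update.exe"}),
    Alert("terminal", "suspicious_file", "pc07", T0 + timedelta(minutes=5), {"file": "update.exe"}),
    Alert("network", "external_connection", "pc07", T0 + timedelta(minutes=6), {"domain": "c2.example.invalid"}),
    Alert("terminal", "dns_query", "pc07", T0 + timedelta(minutes=40), {"domain": "c2.example.invalid"}),
]
```

Running `correlate(SAMPLE)` yields three association events (command execution, same file, same attack type); the external-connection pair is dropped because the terminal alert arrives 34 minutes after the network one.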

Description

Depth threat perception system based on network security

Technical Field

The invention relates to the technical field of network security operation, in particular to a deep threat perception system based on network security.

Background

A threat perception platform is a security protection system based on big data and artificial intelligence technology; it has strong threat detection and defence capabilities and can help enterprises and individuals identify and cope with a variety of network threats. In the age of information explosion, network security problems are increasingly prominent, and the emergence of threat perception platforms provides powerful support for protecting personal privacy and enterprise information security.

In a security operation system, configuring a threat perception system for auxiliary collaboration is one of the necessary technical schemes. From the viewpoint of real-world attack and defence, attacks began with obvious features, and as the confrontation intensifies they are gradually trending towards weak features, even the combined and systematised use of attack methods. Weak-feature advanced threats are usually more concealed and harder to detect and guard against, and existing threat awareness systems cannot cope with such concealed attacks. Meanwhile, 0-day vulnerabilities, encrypted threats, logic vulnerabilities and high-resistance vulnerabilities are rapidly increasing, the speed of exploitation is increasing, and logic vulnerabilities at the business layer (such as unauthorised access vulnerabilities) are gradually increasing. For encrypted threats, traditional technology cannot effectively detect encrypted webshells, encrypted C2 or encrypted tunnels, because the attack features are encrypted and hidden, so the relevant rule features cannot be extracted.

Disclosure of Invention

To address the above technical problems, the invention provides a deep threat perception system based on network security, applied to a security operation system. The invention is realised by the following technical scheme.

A network security based deep threat awareness system comprises: a threat perception module, which performs threat detection on the capabilities of the terminal side, the network side and the platform side; an association analysis module, which implements complex CEP semantics by combining a plurality of association rule templates on a CEP (complex event processing) engine, performs timeline association and causal inference on the data collected on the terminal side and the network side together with cloud factors, and generates platform-side association events; and an emergency disposal module, which configures response atomic operations and intelligent recommendation of response objects, divides the response objects into roles, and recommends different disposal modes for different roles.

Specifically, threat detection of terminal-side capabilities in the threat perception module comprises: collecting terminal, user, file, process and behaviour data on the terminal side, layering the collected data locally, aggregating the valid data and uploading it to the system, and performing context association analysis in combination with the user's real environment; and performing behaviour detection based on a multi-event complex association rule matching algorithm, in which IOA (indicator of attack) generalised behaviour rules improve the detection capability for known and unknown advanced threat attacks, fill the gap in the field of complex behaviour association detection, and build a behaviour detection defence hierarchy.

Specifically, the behaviour detection defence hierarchy adopts a three-level, funnel-shaped detection mechanism, in turn: the first level is single-terminal event detection, which detects obvious attack behaviour on a single terminal and outputs the analysis; the second level is multi-alarm association detection, which performs deep detection over a large volume of associated data and suppresses false alarms; and the third level is cross-terminal multi-source detection, which reproduces attack scenarios from the mutual correlation of multi-terminal and multi-source data.

Specifically, the multi-event complex association rule matching algorithm includes: a reasoning algorithm, comprising a logic reasoning algorithm, a Bayesian reasoning algorithm, a neural network reasoning algorithm and a genetic algorithm, wherein the logic reasoning algorithm infers possible attack paths from logic rules and a knowledge base and verifies and corrects those attack paths; and a machine learning algorithm, which is trained on known attack chains and predicts and completes unknown attack chains.

Specifically, the machine learning algorithm includes: attack intention restoration based on a high-level scenario graph, which is to