CN111651751B - Security event analysis report generation method and device, storage medium and equipment - Google Patents


Info

Publication number: CN111651751B
Authority: CN (China)
Prior art keywords: virus; description information; information; security; analysis report
Legal status: Active
Application number: CN201910161352.8A
Other languages: Chinese (zh)
Other versions: CN111651751A
Inventors: 许天胜, 程虎, 谭昱, 杨耀荣, 曹有理, 彭宁
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Events
  • Application filed by Tencent Technology Shenzhen Co Ltd
  • Priority to CN201910161352.8A
  • Publication of CN111651751A
  • Application granted
  • Publication of CN111651751B
  • Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Software Systems
  • Theoretical Computer Science
  • Computer Hardware Design
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Physics & Mathematics
  • Health & Medical Sciences
  • General Health & Medical Sciences
  • Virology
  • Computing Systems
  • Information Retrieval, DB Structures and FS Structures Therefor

Abstract

The invention discloses a method, an apparatus, a storage medium and a device for generating an analysis report of a security event, and belongs to the technical field of network security. The method comprises the following steps: acquiring an input sample queue, where the input sample queue comprises at least one virus sample; performing a data query in the knowledge graph of an information acquisition system based on the input sample queue, and clustering the queried data to obtain primary relationship data of a virus group; calling a homology clustering server and a sandbox to expand the primary relationship data; performing a data query in the knowledge graph based on the obtained expanded relationship data to obtain first description information; placing the primary relationship data and the expanded relationship data in the sandbox for execution to obtain second description information; acquiring a security suggestion matched with the virus group and an associated intrusion indicator; and generating an analysis report of the virus group based on the first description information, the second description information, the security suggestion and the associated intrusion indicator. The report quality is controllable and the time consumption is short.

Description

Security event analysis report generation method and device, storage medium and equipment
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, an apparatus, a storage medium, and a device for generating an analysis report of a security event.
Background
The rapid development of network technology brings great convenience to information propagation, but at the same time, people also face huge information security challenges. Because the information security problem is increasingly prominent, people pay more and more attention to the network security problem. For example, after a security event is discovered, a threat analysis report is typically generated for the security event to let the user learn about the security threat in detail and give relevant prompts or security suggestions.
In the related art, the threat analysis report for a security event is produced entirely by hand: after the security event is found, sample analysis and traceability analysis are performed manually, and the threat analysis report is then composed and output manually from the results obtained. Generally, the threat analysis report is analysed and composed by one or more analysts.
Because manually analysing security events is mentally demanding work, generating a threat analysis report takes a long time: one day at the fastest and more than one week at the slowest. In addition, different analysts often use their own sets of methods or information resources during analysis or writing; because information is not shared, a large amount of repeated labour exists, and because the technical levels of different analysts differ, the quality of threat analysis reports produced according to the subjective judgement of different analysts is difficult to control. This mode of generating threat analysis reports therefore performs poorly.
Disclosure of Invention
The embodiment of the invention provides a method, a device, a storage medium and equipment for generating an analysis report of a security event, and solves the problems that the time consumption for generating the report is long and the report quality is difficult to control in the related technology. The technical scheme is as follows:
in one aspect, a method for generating an analysis report of a security event is provided, where the method includes:
acquiring an input sample queue, wherein the input sample queue comprises at least one virus sample;
performing data query in a knowledge graph of an information acquisition system based on the input sample queue, and clustering the queried data to obtain primary relationship data of a virus group, wherein the primary relationship data gives an edge relationship between virus samples;
calling a homology clustering server and a sandbox to expand the primary relationship data;
performing data query in the knowledge graph based on the obtained expansion relation data to obtain first description information, wherein the first description information is used for introducing the virus group and a virus sample set used by the virus group;
placing the primary relationship data and the extended relationship data in the sandbox for execution to obtain second description information, wherein the second description information is used for analyzing the sample behavior of the virus sample set;
acquiring a security suggestion matched with the virus group and an associated intrusion indicator;
generating an analysis report of the virus group based on the first description information, the second description information, the security suggestion and the associated intrusion indicator.
In another aspect, an analysis report generation apparatus for a security event is provided, the apparatus including:
an acquisition module, a storage module and a processing module, where the acquisition module is configured to acquire an input sample queue, the input sample queue comprising at least one virus sample;
the query module is used for performing data query in a knowledge graph of the information acquisition system based on the input sample queue, clustering the queried data to obtain primary relationship data of the virus group, wherein the primary relationship data gives out an edge relationship between the virus samples;
the extension module is used for calling the homology clustering server and the sandbox to extend the primary relationship data;
the query module is further configured to perform data query in the knowledge graph based on the obtained expansion relationship data to obtain first description information, where the first description information is used to introduce the virus group and a virus sample set used by the virus group;
the execution module is used for placing the primary relationship data and the extended relationship data in the sandbox for execution to obtain second description information, and the second description information is used for analyzing the sample behaviors of the virus sample set;
the acquisition module is further configured to acquire a security suggestion matched with the virus group and an associated intrusion indicator;
a generating module, configured to generate an analysis report of the virus group based on the first description information, the second description information, the security suggestion, and the associated intrusion indicator.
In a possible implementation manner, the query module is further configured to filter the input sample queue; and performing data query in the knowledge graph based on the filtered input sample queue.
In a possible implementation manner, the acquisition module is further configured to obtain a first type of keywords from the knowledge graph, where the first type of keywords are organization-facing keywords; when a first-type keyword hits the first description information and the second description information, obtain the first-type security suggestions matched with the first-type keywords from the knowledge graph; for any security suggestion among the first-type security suggestions, acquire a first keyword contained in that security suggestion; and when the first keyword hits the first description information and the second description information, take that security suggestion as a security suggestion matched with the virus group.
In a possible implementation manner, the acquisition module is further configured to obtain, from the knowledge graph, the second-type security suggestions matched with a second type of keywords when the first-type keywords miss the first description information and the second description information, where the second type of keywords are user-facing keywords; for any security suggestion among the second-type security suggestions, acquire a second keyword contained in that security suggestion; and when the second keyword hits the first description information and the second description information, take that security suggestion as a security suggestion matched with the virus group.
In one possible implementation, the analysis report includes at least: introduction information on the virus group and the virus sample set, the knowledge graph of the virus group, behavioral analysis information of the virus samples, security suggestions, and the intrusion indicators associated with the virus group.
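The two-level keyword scheme of the two preceding paragraphs, as an added illustration that is not part of the patent text: an organization-facing (ToB) keyword hit on the descriptions selects the ToB suggestion class, otherwise the user-facing (ToC) class is used, and within the class a suggestion is kept only if one of its own keywords also hits. The suggestion library, the keyword sets and the substring matching are constructed assumptions.

```python
"""Security-suggestion matching for a generated report (illustrative)."""

# Constructed stand-in for the security suggestion base of the knowledge graph.
TOB_KEYWORDS = {"intranet", "domain controller", "server", "enterprise"}
SUGGESTIONS = [
    {"id": "S1", "audience": "ToB", "keywords": {"domain controller", "lateral movement"},
     "text": "Review domain controller logon events and rotate privileged credentials."},
    {"id": "S2", "audience": "ToB", "keywords": {"mining", "server"},
     "text": "Patch exposed servers and block known mining-pool addresses at the perimeter."},
    {"id": "S3", "audience": "ToC", "keywords": {"download", "cracked"},
     "text": "Do not run cracked installers; obtain software from official channels."},
    {"id": "S4", "audience": "ToC", "keywords": {"game", "account"},
     "text": "Enable two-factor authentication on game accounts and change leaked passwords."},
]


def keyword_hits(keywords, text):
    """Keywords occurring in the text (case-insensitive substring match; a simplification
    of whatever matcher the real suggestion base uses)."""
    low = text.lower()
    return sorted(k for k in keywords if k.lower() in low)


def match_security_suggestions(first_desc, second_desc, suggestions=SUGGESTIONS,
                               tob_keywords=TOB_KEYWORDS):
    """Return (audience, matched suggestion ids).

    Both description blocks are searched together, which is how 'hits the first
    description information and the second description information' is read here."""
    corpus = first_desc + "\n" + second_desc
    # Level 1: any organization-facing keyword hit selects the ToB class, otherwise ToC.
    audience = "ToB" if keyword_hits(tob_keywords, corpus) else "ToC"
    # Level 2: within that class keep a suggestion only if one of its own keywords hits.
    matched = [s["id"] for s in suggestions
               if s["audience"] == audience and keyword_hits(s["keywords"], corpus)]
    return audience, matched


def suggestion_texts(ids, suggestions=SUGGESTIONS):
    """Resolve matched ids to the suggestion text that goes into the report."""
    by_id = {s["id"]: s["text"] for s in suggestions}
    return [by_id[i] for i in ids]


if __name__ == "__main__":
    aud, ids = match_security_suggestions(
        "The group spreads through weak passwords on intranet servers.",
        "Samples drop a mining payload and connect to a mining pool.")
    print(aud, ids, suggestion_texts(ids))
```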
In another aspect, a storage medium is provided, where at least one instruction is stored, and the at least one instruction is loaded and executed by a processor to implement the method for generating an analysis report of a security event described above.
In another aspect, a device for generating an analysis report of a security event is provided. The device includes a processor and a memory, the memory stores at least one instruction, and the at least one instruction is loaded and executed by the processor to implement the method for generating an analysis report of a security event described above.
The technical scheme provided by the embodiment of the invention has the following beneficial effects:
based on an input sample queue, data query and data clustering are carried out in a knowledge graph, the data is expanded through a homology clustering server and a sandbox, the expanded data is described in text, the virus samples are executed in the sandbox to analyse their behaviour, a security suggestion and an associated intrusion indicator are output, and a threat analysis report is generated automatically. Because the fully manual report generation of the related art is converted into fully automatic report generation, generating the threat analysis report takes little time and its quality is easy to control, so this mode of generating threat analysis reports performs well.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of an implementation environment related to a method for generating an analysis report of a security event according to an embodiment of the present invention;
fig. 2 is an architecture diagram of a method for generating an analysis report of a security event according to an embodiment of the present invention;
fig. 3 is a flowchart of an analysis report generation method for a security event according to an embodiment of the present invention;
FIG. 4 is a line graph of activity information about a virus group provided by an embodiment of the invention;
FIG. 5 is a flow chart of outputting a security recommendation according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a first threat analysis report provided by an embodiment of the invention;
FIG. 7 is a schematic illustration of a second threat analysis report provided by an embodiment of the invention;
FIG. 8 is a schematic illustration of a third threat analysis report provided by an embodiment of the present invention;
FIG. 9 is a schematic illustration of a fourth threat analysis report provided by an embodiment of the present invention;
FIG. 10 is a schematic illustration of a fifth threat analysis report provided by an embodiment of the present invention;
fig. 11 is a schematic structural diagram of an analysis report generation apparatus for a security event according to an embodiment of the present invention;
fig. 12 is a schematic structural diagram of an apparatus for generating an analysis report of a security event according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Before explaining the embodiments of the present invention in detail, some terms related to the embodiments of the present invention are explained.
Community discovery: the community discovery algorithm (Community Detection) is used to discover the community structure of a network and can also be regarded as a clustering algorithm. Illustratively, the community discovery algorithm in the embodiment of the present invention is the Louvain algorithm.
Knowledge graph: in a narrow sense, the knowledge graph in the embodiment of the invention is a data platform for storing security-related information and an association graph.
In a broad sense, the knowledge graph is also called a scientific knowledge map and, in library and information science, knowledge domain visualization or a knowledge domain mapping map. It is a series of graphs that display the relationship between the development process and the structure of knowledge; it describes knowledge resources and their carriers using visualization technology, and mines, analyses, constructs, draws and displays the relationships between pieces of knowledge.
Put differently, the knowledge graph essentially aims to describe the semantic network of knowledge that objectively exists in the real world and the association relations between pieces of knowledge. Knowledge graphs are currently divided, by application field, into general knowledge graphs and vertical knowledge graphs (also known as industry knowledge graphs). A general knowledge graph is not domain specific and can be compared to structured encyclopedic knowledge; such graphs contain a great deal of common-sense knowledge and emphasize breadth. A vertical knowledge graph is oriented to a specific field, is constructed from industry knowledge, and emphasizes depth.
Intrusion indicator: in the embodiment of the present invention, an intrusion indicator may be an MD5 hash (Message-Digest Algorithm 5), a domain name (domain), an IP address (Internet Protocol), or the like. Intrusion indicators may also be referred to herein as threat intelligence.
Sandbox: by means of the virtual machine technology, a safe user simulation environment is built, so that a sample (such as an executable file exe) runs in the environment, dynamic behaviors of the sample are observed, and the real user environment is not affected.
Virus group: in the embodiment of the present invention, a virus group may also be referred to as a virus gang or a virus organization, and refers to the user who initiates a virus attack.
Family of viral samples: virus samples may have similar behaviors, and in the embodiment of the present invention, virus samples having similar behaviors are classified into the same virus sample family. The virus sample family is also referred to herein as a virus sample set.
Homology clustering server: in the embodiment of the present invention, this refers to a server that clusters virus samples belonging to the same virus sample family.
When the related art generates a threat analysis report of a security event, the whole process is completed manually, and a fixed path and template exist from the discovery of the security event to the output of the threat analysis report. Manual analysis of security events is mentally demanding work, and each threat analysis report takes one day at the fastest and more than one week at the slowest. Moreover, different analysts often use their own sets of methods or information resources during analysis or composition; because the information is not shared, a large amount of repeated labour exists, and because the technical levels of different analysts differ, the quality of threat analysis reports generated according to the subjective judgement of different analysts is difficult to control.
In view of this, the embodiment of the present invention provides a method for automatically generating a threat analysis report based on big data analysis technology, so as to standardize, proceduralize and template the experience of manual analysis; to break through the data islands of individual systems by integrating a knowledge graph, a community discovery algorithm, sample clustering, a dynamic sandbox and other data; to connect to a threat sensing system (also referred to as an input source); and to automate the whole process from security event discovery to output of the threat analysis report, thereby significantly improving the output efficiency of the threat analysis report and avoiding a large amount of repeated labour.
The following describes an implementation environment related to a method for generating an analysis report of a security event according to an embodiment of the present invention.
Referring to fig. 1, the implementation environment includes an asynchronous information acquisition system 11, a scheduling server 12, a sample server 13, a sandbox cluster 14, a behavior description library 15, and a behavior log library 16. The asynchronous information collecting system 11 includes a homology clustering server 111, a crawler server 112, a family clustering server 113, and a knowledge graph 114.
In the embodiment of the present invention, the execution subject is the scheduling server 12, and the scheduling server 12 is configured to process the input source, i.e., the input sample queue, and output the analysis report. The analysis report is also referred to as a threat analysis report in the embodiment of the present invention.
The homology clustering server 111 and the family clustering server 113 are used for clustering virus samples belonging to the same virus sample family.
The sample server 13 stores a massive number of virus samples for external download. The asynchronous information acquisition system 11 can download virus samples from the sample server 13 via the sample access shown in fig. 2. The Simhash algorithm shown in fig. 2 is used by the family clustering server 113 to cluster together virus samples with similar behaviour.
The behavior description library 15 is used for describing the dynamic behavior of the virus sample in words, and aims to convert the behavior of the virus sample into readable and easily understood text description.
It should be noted that, after the sandbox cluster 14 processes the virus samples, dynamic behavior sequences of the virus samples are generated, and at this time, the dynamic behavior sequences do not have readability and need to be converted into text descriptions. The behavior log library 16 is used to store a behavior log, and the behavior log is a dynamic behavior sequence of the virus sample.
In the embodiment of the invention, the asynchronous information acquisition system 11 plays the role of enriching threat analysis reports, and the knowledge graph 114 is its core database: it converts human security expertise into data form and provides a security encyclopedia.
As shown in fig. 2, the knowledge graph 114 includes four databases, namely a family base, a knowledge base, a security suggestion base, and a historical discovered-group information base. The four databases are described below.
The family base is the virus sample attribution classification database. In the present embodiment, a virus sample can be assigned to only one virus sample family, such as the virus family gh0st. Through the Louvain algorithm and manual operation, the virus sample family base is continuously expanded.
The knowledge base is used to describe and interpret terms. It is continuously expanded through web crawling by the crawler server 112 and manual curation.
The security suggestion base is used to make professional suggestions for protecting against or removing security events. In addition, the security suggestion base collects the security suggestions of threat analysis reports that have already been generated, curates them, and refines keywords. The security suggestion base comprises two parts, namely ToB (business-facing) keywords and the specific security suggestions: the ToB keywords are used to determine whether a threat analysis report is ToB or ToC (consumer-facing), and the important fields of a specific security suggestion include but are not limited to the security suggestion text, a ToB or ToC identifier, keywords, and so on, which are not specifically limited by the embodiment of the present invention.
The historical discovered-group information base is built through web crawling by the crawler server 112 and manual curation, which organise the virus group attack events that have happened historically into a database, making it convenient to track the activity track of a virus group over a long time.
The following explains a method for generating an analysis report of a security event according to an embodiment of the present invention in detail with reference to the above-described implementation environment.
Fig. 3 is a flowchart of an analysis report generation method for a security event according to an embodiment of the present invention. The main execution body of the method is the scheduling server 12 in fig. 1, and referring to fig. 3, the method provided by the embodiment of the present invention includes:
301. An input sample queue is obtained, where the input sample queue comprises at least one virus sample.
In an embodiment of the invention, the input sample queue comes from an input source. For example, referring to fig. 2, the input source may be a peripheral system such as a threat awareness system, which is not specifically limited by the embodiment of the present invention. The input sample queue supplies at least one MD5 hash, domain name, or IP address as a virus sample.
302. A data query is performed in the knowledge graph of the information acquisition system based on the input sample queue, and the queried data is clustered to obtain primary relationship data of the virus group.
The information acquisition system refers to the asynchronous information acquisition system shown in fig. 1 and 2.
As shown in fig. 2, the whole process from the input source to the final output of the threat analysis report includes four stages: input source, primary relationship, enriched relationship and report output; the present step corresponds to the primary relationship stage.
In the embodiment of the invention, the primary relationship data gives the edge relationships between the virus samples; that is, this step gives the edge relationships between the virus group and the members (i.e. virus samples) of the sample family used by the virus group, and forms a relationship graph. Put differently, in this step, edge relationships (such as parent-child relationships and network relationships) are generated from points (i.e. the input MD5 hashes, domain names or IP addresses) through a big data query, and then community clustering is performed through a community discovery algorithm, so that a community, i.e. a virus group, is formed by clustering.
The community discovery algorithm used above may be a Louvain algorithm, which is not specifically limited in this embodiment of the present invention.
In fact, the data for clustering is queried from the asynchronous information acquisition system, that is, the big data query is specifically queried from the knowledge graph of the asynchronous information acquisition system, and the primary relationship data output in this step is the result of community clustering. In the embodiment of the invention, the asynchronous information acquisition system continuously performs clustering and relation cutting on the virus samples and then stores the virus samples for query, and the steps are all completed asynchronously, so that the scheduling server can directly perform data query on the asynchronous information acquisition system when generating the threat analysis report.
In a possible implementation manner, as shown in fig. 2, after the input sample queue is input to the scheduling server, in order to prevent the input source from inputting interference data, such as a white domain name, the embodiment of the present invention may first perform intelligence filtering to filter out the interference data. In another expression, the querying data in the knowledge-graph of the information acquisition system based on the input sample queue includes, but is not limited to, the following: filtering the input sample queue to filter out interference data; and then, based on the filtered input sample queue, performing data query in a knowledge graph of the information acquisition system.
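Step 302 end to end, as an added example that is not part of the patent or of Tencent's system: the input queue is filtered against a white list, typed edges (parent-child, network, resolution) are pulled for the surviving samples from a constructed stand-in for the knowledge graph, and the relationship graph is clustered into virus groups with the local moving phase of the Louvain algorithm. The knowledge graph contents, the white list, the hop depth of 2 and the node labels (`h1`..`h5` standing for sample MD5s, documentation-range IPs) are all constructed assumptions; the unfiltered run shows why a benign CDN domain in the queue is interference data.

```python
"""Primary-relationship stage: filter, query edges, cluster into virus groups."""
from collections import defaultdict

# Constructed stand-in for the knowledge graph: node -> [(neighbour, relation)].
KNOWLEDGE_GRAPH = {
    "h1": [("h2", "parent_child"), ("evil-a.example", "network"),
           ("cdn.whitelist.example", "network")],
    "h2": [("h3", "parent_child"), ("evil-a.example", "network")],
    "h3": [("evil-a.example", "network")],
    "evil-a.example": [("203.0.113.5", "resolves_to")],
    "h4": [("h5", "parent_child"), ("evil-b.example", "network"),
           ("cdn.whitelist.example", "network")],
    "h5": [("evil-b.example", "network")],
    "evil-b.example": [("198.51.100.7", "resolves_to")],
}
# Constructed white list for the intelligence-filtering step (a benign CDN domain).
WHITELIST = {"cdn.whitelist.example"}


def filter_queue(queue, whitelist):
    """Intelligence filtering: drop interference data such as white domains."""
    return [s for s in queue if s not in whitelist]


def expand_edges(seeds, kg, whitelist, depth=2):
    """Collect typed edges within `depth` hops of the seeds; white-listed nodes are
    never traversed (assumed behaviour) so shared infrastructure cannot bridge groups."""
    nbrs = defaultdict(set)
    for u, rels in kg.items():
        for v, rel in rels:
            nbrs[u].add((v, rel))
            nbrs[v].add((u, rel))
    seen, frontier, edges = set(seeds), list(seeds), set()
    for _ in range(depth):
        nxt = []
        for u in frontier:
            for v, rel in nbrs[u]:
                if v in whitelist:
                    continue
                edges.add((min(u, v), max(u, v), rel))
                if v not in seen:
                    seen.add(v)
                    nxt.append(v)
        frontier = nxt
    return sorted(edges)


def louvain_local_pass(edges):
    """Phase 1 of Louvain: move each node to the neighbouring community with the
    largest modularity gain until no node moves. Every edge has weight 1."""
    adj = defaultdict(lambda: defaultdict(float))
    for u, v, _ in edges:
        adj[u][v] += 1.0
        adj[v][u] += 1.0
    m = float(len(edges))                      # total edge weight
    deg = {n: sum(nb.values()) for n, nb in adj.items()}
    comm = {n: n for n in adj}                 # node -> community id
    tot = dict(deg)                            # community -> sum of member degrees
    moved = True
    while moved:
        moved = False
        for n in sorted(adj):
            cur = comm[n]
            tot[cur] -= deg[n]                 # take n out of its community
            k_in = defaultdict(float)          # edge weight from n into each community
            for nb, w in adj[n].items():
                k_in[comm[nb]] += w

            def gain(c):                       # modularity gain of inserting n into c
                return k_in[c] / m - tot[c] * deg[n] / (2.0 * m * m)

            best = cur
            for c in list(k_in):
                if gain(c) > gain(best) + 1e-12:
                    best = c
            tot[best] += deg[n]
            if best != cur:
                comm[n] = best
                moved = True
    groups = defaultdict(set)
    for n, c in comm.items():
        groups[c].add(n)
    return sorted((frozenset(g) for g in groups.values()), key=min)


def primary_relationship(queue, kg=KNOWLEDGE_GRAPH, whitelist=WHITELIST):
    """Returns (edge list, list of virus-group member sets) for an input queue."""
    edges = expand_edges(filter_queue(queue, whitelist), kg, whitelist)
    return edges, louvain_local_pass(edges)


if __name__ == "__main__":
    edges, groups = primary_relationship(["h1", "h4", "cdn.whitelist.example"])
    for i, g in enumerate(groups, 1):
        print(f"virus group {i}: {sorted(g)}")
```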
It should be noted that the following steps 303 to 305 correspond to the enriched relationship stage in fig. 2.
303. A homology clustering server and a sandbox are called to expand the primary relationship data, and a data query is performed in the knowledge graph of the information acquisition system based on the obtained expanded relationship data to obtain first description information.
In the embodiment of the present invention, in order to enrich the content of the threat analysis report that is finally generated, the obtained primary relationship data is further expanded through the homology clustering server and the sandbox, so as to discover more relationships.
Then, a data query is performed in the knowledge graph of the information acquisition system based on the obtained expanded relationship data, in order to describe the virus group and the virus sample family it uses; for convenience these descriptions are referred to as the first description information, that is, the first description information is used to introduce the virus group and the virus sample family used by the virus group.
The content included in the first description information includes, but is not limited to, a virus hazard, a transmission route, a disclosure time, a historical event, and the like, which is not specifically limited in this embodiment of the present invention.
304. And placing the primary relational data and the extended relational data in a sandbox for execution to obtain second description information.
In the embodiment of the present invention, the scheduling server further pushes the obtained primary relationship data and the obtained extended relationship data into a sandbox for execution, so as to analyze the behavior of the virus sample. After the sandbox processes the virus samples, behavior sequences of the virus samples are generated, and the behavior sequences are not readable and need to be converted into text descriptions. And the behavior description library shown in fig. 2 is used for performing text description on the virus sample behavior, so as to convert the virus sample behavior into readable and easily understood text description.
Namely, the behavior description library is responsible for converting the behavior sequence output by the sandbox into the literal description information. Alternatively, the second descriptor is used to analyze the sample behavior of the virus sample family.
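The conversion the behavior description library performs, as an added example that is not the patent's own code: constructed sandbox records (operation, target) are collapsed into one sentence per distinct behavior, and a small, assumed list of notable patterns (Run-key persistence, SMB connections, shadow-copy deletion) is flagged alongside the text. The record schema, the sentence templates and the sample sequence are all assumptions made for illustration; real sandboxes emit their own formats.

```python
"""Turn a sandbox behavior sequence into readable report text.

Added example, not the patent's behavior description library. Each record is a
constructed {"op": ..., "target": ...} dict of the kind a sandbox might emit.
"""

# Assumed sentence templates keyed by operation name.
TEMPLATES = {
    "file_write": "writes the file {target}",
    "process_create": "launches the process {target}",
    "registry_set": "sets the registry value {target}",
    "dns_query": "resolves the domain {target}",
    "tcp_connect": "connects to {target}",
}

# Assumed (operation, case-folded substring, tag) triples worth calling out.
NOTABLE = [
    ("registry_set", "\\currentversion\\run", "persistence via Run key"),
    ("process_create", "vssadmin", "shadow copy deletion (ransomware trait)"),
    ("tcp_connect", ":445", "SMB connection (lateral movement)"),
]


def describe(records):
    """Collapse duplicate records, keep first-seen order, render one sentence
    per behavior and collect the notable tags. Returns (sentences, tags)."""
    counts = {}  # dict keeps insertion order, so the narrative follows the sequence
    for rec in records:
        key = (rec["op"], rec["target"])
        counts[key] = counts.get(key, 0) + 1

    sentences, tags = [], []
    for (op, target), n in counts.items():
        template = TEMPLATES.get(op, "performs " + op + " on {target}")
        sentence = "The sample " + template.format(target=target)
        if n > 1:
            sentence += " (%d times)" % n
        sentences.append(sentence + ".")
        for notable_op, needle, tag in NOTABLE:
            if op == notable_op and needle in target.casefold() and tag not in tags:
                tags.append(tag)
    return sentences, tags


# Constructed behavior sequence (not from a real sample); documentation-range
# address and example.net domain are used on purpose.
SAMPLE_SEQUENCE = [
    {"op": "file_write", "target": r"C:\Users\Public\svc.exe"},
    {"op": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"op": "dns_query", "target": "update.example.net"},
    {"op": "dns_query", "target": "update.example.net"},
    {"op": "tcp_connect", "target": "203.0.113.7:445"},
    {"op": "process_create", "target": "vssadmin.exe delete shadows /all"},
]

if __name__ == "__main__":
    text, flags = describe(SAMPLE_SEQUENCE)
    print("\n".join(text))
    print("Notable:", "; ".join(flags))
```

Deduplicating by (operation, target) is what keeps a beaconing sample from producing hundreds of identical "resolves the domain" lines; the count is kept so the repetition is still visible in the report.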
305. Acquire activity information of the virus group, where the activity information includes heat information and breadth information of the virus group.
In the embodiment of the invention, the daily breadth information and heat information of the virus group are queried through the intrusion indicators of the virus group; a change factor is then calculated from the recent heat and breadth information against the historical heat and breadth information, and the corresponding text description and line graph are generated.
The text description may state, for example, that activity shows a decreasing trend, that activity has dropped, or that activity is abnormal. The line graph is shown in fig. 4, and the text description corresponding to the line graph of fig. 4 may be, for example: the recent activity of the virus group shows a decreasing trend and is 0.84 times its usual level; within the past three months activity peaked on 2018-09-11, with a heat of 133 and a breadth of 116. In fig. 4 the upper broken line represents the heat information and the lower broken line the breadth information.
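The activity calculation above, as an added example rather than the patent's own code: a constructed 14-day series of daily heat and breadth counts is split into a historical window and a recent window, the change factor is taken as the ratio of the recent mean to the historical mean for each metric, the peak day is located, and the sentence for the report is rendered. The meaning assigned to heat and breadth, the window length and the trend thresholds are assumptions; the sample numbers are chosen so that the heat factor reproduces the 0.84 figure in the text.

```python
"""Activity (liveness) trend of a virus group from daily heat and breadth counts.

Added example, not code from the patent. Assumed: heat is the daily hit count
of the group's intrusion indicators, breadth the number of distinct victims per
day, and the change factor is recent-window mean over historical-window mean.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class DailyActivity:
    day: str       # ISO date
    heat: int      # indicator hits that day (assumed meaning)
    breadth: int   # distinct affected hosts/organisations that day (assumed)


@dataclass(frozen=True)
class Trend:
    heat_factor: float      # recent mean heat / historical mean heat
    breadth_factor: float   # recent mean breadth / historical mean breadth
    label: str              # "decreasing", "abnormal" or "stable"
    peak: DailyActivity     # day with the highest heat in the whole series
    description: str        # human-readable text for the report


# Assumed thresholds; the patent gives none.
DECREASE_BELOW = 0.9
ABNORMAL_ABOVE = 1.5


def change_ratio(recent, historical):
    """Ratio of recent to historical mean, safe when the history is all zero."""
    hist = float(mean(historical))
    rec = float(mean(recent))
    if hist == 0.0:
        return float("inf") if rec > 0.0 else 1.0
    return rec / hist


def classify(heat_factor, breadth_factor):
    """Map the two change factors to one of the report's trend labels."""
    if max(heat_factor, breadth_factor) > ABNORMAL_ABOVE:
        return "abnormal"
    if max(heat_factor, breadth_factor) < DECREASE_BELOW:
        return "decreasing"
    return "stable"


def compute_trend(series, recent_days=7):
    """Split the series into history + recent window and describe the change."""
    if len(series) <= recent_days:
        raise ValueError("need more days than the recent window")
    historical, recent = series[:-recent_days], series[-recent_days:]
    hf = change_ratio([d.heat for d in recent], [d.heat for d in historical])
    bf = change_ratio([d.breadth for d in recent], [d.breadth for d in historical])
    label = classify(hf, bf)
    peak = max(series, key=lambda d: d.heat)
    description = (
        "Recent activity of the group is %s: heat is %.2f times and breadth "
        "%.2f times the earlier level. Activity peaked on %s with heat %d and "
        "breadth %d." % (label, hf, bf, peak.day, peak.heat, peak.breadth)
    )
    return Trend(hf, bf, label, peak, description)


# Constructed 14-day series (not real telemetry): the first week is the
# historical window, the last week the recent window.
SAMPLE_SERIES = [
    DailyActivity("2018-09-09", 90, 84),
    DailyActivity("2018-09-10", 110, 96),
    DailyActivity("2018-09-11", 133, 116),
    DailyActivity("2018-09-12", 95, 88),
    DailyActivity("2018-09-13", 100, 92),
    DailyActivity("2018-09-14", 85, 76),
    DailyActivity("2018-09-15", 87, 78),
    DailyActivity("2018-09-16", 80, 72),
    DailyActivity("2018-09-17", 85, 75),
    DailyActivity("2018-09-18", 90, 80),
    DailyActivity("2018-09-19", 84, 76),
    DailyActivity("2018-09-20", 82, 73),
    DailyActivity("2018-09-21", 86, 77),
    DailyActivity("2018-09-22", 81, 72),
]

if __name__ == "__main__":
    print(compute_trend(SAMPLE_SERIES).description)
```

The two factors are kept separate on purpose: a group whose heat falls while its breadth rises is spreading to new victims with fewer hits each, which a single blended score would hide. The zero-history guard matters for newly discovered groups, whose first days of telemetry are empty.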
306. Acquire security suggestions matched with the virus group and the associated intrusion indicators.
In the embodiment of the present invention, when acquiring the security suggestions matched with the virus group, referring to fig. 5, the scheduling server first acquires the report text, that is, the text describing the virus group, which corresponds to the first description information and second description information above.
Then the scheduling server acquires the first-class keywords from the security suggestion library; the first-class keywords are organization-oriented keywords, referred to here as toB keywords. Next, the scheduling server judges whether a toB keyword hits the report text, and the following two cases are distinguished according to whether it does:
first case, hit
When the first-class keywords hit the first description information and the second description information, that is, when a toB keyword hits the report text, the scheduling server obtains first-class security suggestions matched with the toB keywords from the knowledge graph; the first-class security suggestions are all security suggestions associated with the toB keywords.
Next, for any one of the first-class security suggestions, the scheduling server obtains a keyword contained in that suggestion (referred to as a first keyword for ease of distinction) and judges whether the first keyword hits the report text. If it does, that is, when the first keyword hits the first description information and the second description information, the suggestion is taken as a security suggestion matched with the virus group (the count of matched suggestions is incremented by one).
The scheduling server then judges whether all suggestions in the first-class security suggestions have been traversed; if so, the processing flow ends and the matched security suggestions are output.
Second case, miss
When the first-class keywords miss the first description information and the second description information, that is, when no toB keyword hits the report text, the scheduling server obtains second-class security suggestions matched with second-class keywords from the knowledge graph; the second-class keywords are user-oriented keywords, referred to here as toC keywords, and the second-class security suggestions are all security suggestions associated with the toC keywords.
Next, for any one of the second-class security suggestions, the scheduling server obtains a keyword contained in that suggestion (referred to as a second keyword for ease of distinction) and judges whether the second keyword hits the report text. If it does, that is, when the second keyword hits the first description information and the second description information, the suggestion is taken as a security suggestion matched with the virus group.
The scheduling server then judges whether all suggestions in the second-class security suggestions have been traversed; if so, the processing flow ends and the matched security suggestions are output.
The associated intrusion indicators may be obtained from the primary relationship data and the expanded relationship data, which is not specifically limited in this embodiment of the present invention.
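The two-tier matching of steps 306 (both the hit and the miss case), as an added example that is not the patent's own code: tier one decides the audience from the organization-facing keywords, falling back to the user-facing class only when none hits; tier two keeps each suggestion of that class whose own keyword hits the report text. The in-memory recommendation list stands in for the knowledge graph, and the keyword sets, identifiers and report texts are constructed for illustration.

```python
"""Two-tier keyword matching of security suggestions against a report text.

Added example, not code from the patent. The knowledge graph is stood in for
by a list of recommendations tagged with an audience; keyword sets, ids and
report texts are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Recommendation:
    rid: str             # hypothetical identifier
    audience: str        # "toB" (organization-facing) or "toC" (user-facing)
    keywords: frozenset  # keywords carried by the recommendation itself
    text: str


# First-class (organization-oriented, "toB") keywords; constructed set.
TOB_KEYWORDS = frozenset({"domain controller", "enterprise", "intranet", "server"})

# Constructed suggestion library. The audience tag plays the role of the link
# between a suggestion and the toB / toC keyword class in the knowledge graph.
RECOMMENDATIONS = [
    Recommendation("B-001", "toB", frozenset({"smb", "port 445"}),
                   "Restrict inbound SMB (port 445) at the network boundary."),
    Recommendation("B-002", "toB", frozenset({"domain controller", "kerberos"}),
                   "Audit domain controller logons and enforce tiered administration."),
    Recommendation("B-003", "toB", frozenset({"mining", "cpu"}),
                   "Alert on sustained CPU use by unsigned processes on servers."),
    Recommendation("C-001", "toC", frozenset({"browser", "plugin"}),
                   "Keep the browser and its plugins up to date."),
    Recommendation("C-002", "toC", frozenset({"download", "installer"}),
                   "Download installers only from the vendor's official site."),
]


def any_hit(keywords, text):
    """True when at least one keyword occurs in the case-folded text."""
    folded = text.casefold()
    return any(k.casefold() in folded for k in keywords)


def select_audience(report_text, tob_keywords=TOB_KEYWORDS):
    """Tier 1: toB if any organization-facing keyword hits, otherwise toC."""
    return "toB" if any_hit(tob_keywords, report_text) else "toC"


def match_recommendations(report_text, recommendations=RECOMMENDATIONS,
                          tob_keywords=TOB_KEYWORDS):
    """Tier 2: within the selected class, keep every suggestion whose own
    keywords hit the report text. Returns (audience, [matched ids])."""
    audience = select_audience(report_text, tob_keywords)
    matched = [r.rid for r in recommendations
               if r.audience == audience and any_hit(r.keywords, report_text)]
    return audience, matched


# Constructed report texts standing in for the first + second description information.
REPORT_ENTERPRISE = ("The group moves laterally over SMB inside the enterprise intranet "
                     "and drops a mining payload that pins the CPU of infected servers.")
REPORT_CONSUMER = ("Victims are home users who download a trojanized installer "
                   "bundled with a browser toolbar.")
REPORT_NO_FIT = "The enterprise was targeted by a phishing email."

if __name__ == "__main__":
    for report in (REPORT_ENTERPRISE, REPORT_CONSUMER, REPORT_NO_FIT):
        print(match_recommendations(report))
```

Two properties of the flow are worth noticing. The fallback to the toC class happens only when the tier-one keywords miss; a report that is classified toB but hits none of the toB suggestions yields an empty list rather than consumer advice (REPORT_NO_FIT). And plain substring matching is what the description implies, so a word such as "server" also hits "observer"; a production library should match on tokens or phrases.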
307. Generate an analysis report of the virus group based on the first description information, the second description information, the security suggestions, the activity information and the associated intrusion indicators.
In the embodiment of the invention, a visualized threat analysis report is generated from the data produced above, namely the first description information, the second description information, the security suggestions, the activity information and the associated intrusion indicators, by means of a product template and data visualization techniques.
At the product side, the threat analysis report at least comprises: introduction information of virus groups and virus sample families, knowledge maps of the virus groups, behavior analysis information of the virus samples, safety suggestions and intrusion indexes associated with the virus groups.
The introduction information of the virus group and the virus sample family is shown in fig. 6; the virus group is introduced first, then the virus sample family it uses. As described above, the introduction information is retrieved from the knowledge graph of the information acquisition system. The knowledge graph of the virus group is shown in fig. 7; its generation involves a community discovery algorithm, expansion of the relationship data through the homology clustering server, and retrieval in the knowledge graph, and it outputs the relationships among md5, ip and domain entities together with a text description. As shown in fig. 7, the text description may introduce the time the group was disclosed, its attack mode and the like, which is not specifically limited in this embodiment of the present invention. Both parts are derived from the first description information.
The behavior analysis information of the virus sample is shown in fig. 8, which is derived from the second description information, and the virus sample of the virus group is pushed into the sandbox for execution, and then the behavior of the virus sample is analyzed to generate the behavior analysis information of the virus sample.
Further, the threat analysis report includes security suggestions output according to the characteristics of the virus group, as shown in fig. 9, and intrusion indicators associated with the virus group, as shown in fig. 10. The characteristics of a virus group include, but are not limited to, the virus samples it uses, its attack means, propagation path, system platform, attack targets and the like.
In the method provided by the embodiment of the invention, data query and clustering are performed in the knowledge graph based on the input sample queue, the data are expanded through the homology clustering server and the sandbox, the expanded data are described in text, the virus samples are executed in the sandbox to analyze their behavior, and security suggestions and associated intrusion indicators are output, so that the threat analysis report is generated fully automatically. Because the manual, end-to-end generation of threat analysis reports in the related art is replaced by fully automatic generation, a report takes little time to produce and its quality is easy to control, so this way of generating threat analysis reports works well.
Put another way, the embodiment of the invention standardizes, proceduralizes and templates the whole generation process of a threat analysis report by encoding analyst experience; for example, the generation time of one threat analysis report can be shortened to 10 seconds, which greatly improves production efficiency.
Fig. 11 is a schematic structural diagram of an analysis report generation apparatus for a security event according to an embodiment of the present invention. Referring to fig. 11, the apparatus includes:
an obtaining module 1101, configured to obtain an input sample queue, where the input sample queue includes at least one virus sample;
the query module 1102 is configured to perform data query in a knowledge graph of an information acquisition system based on the input sample queue, and perform clustering on the queried data to obtain primary relationship data of a virus group, where the primary relationship data provides an edge relationship between virus samples;
an extension module 1103, configured to invoke a homology clustering server and a sandbox, and extend the primary relationship data;
the query module 1102 is further configured to perform data query in the knowledge graph based on the obtained expansion relationship data to obtain first description information, where the first description information is used to introduce the virus group and a virus sample set used by the virus group;
an execution module 1104, configured to place the primary relationship data and the extended relationship data in the sandbox for execution, so as to obtain second description information, where the second description information is used to analyze a sample behavior of the virus sample set;
the obtaining module 1101 is further configured to obtain the security suggestions matched with the virus group and the associated intrusion indicators;
a generating module 1105, configured to generate an analysis report of the virus group based on the first description information, the second description information, the security suggestion, and the associated intrusion indicator.
The device provided by the embodiment of the invention performs data query and clustering in the knowledge graph based on the input sample queue, expands the data through the homology clustering server and the sandbox, describes the expanded data in text, executes the virus samples in the sandbox to analyze their behavior, and outputs security suggestions and associated intrusion indicators, so that the threat analysis report is generated fully automatically. Because the manual, end-to-end generation of threat analysis reports in the related art is replaced by fully automatic generation, a report takes little time to produce and its quality is easy to control, so this way of generating threat analysis reports works well.
In a possible implementation manner, the obtaining module 1101 is further configured to obtain activity information of the virus group, where the activity information includes hotness information and breadth information of the virus group;
a generating module 1105, configured to generate an analysis report of the virus group based on the first description information, the second description information, the security suggestion, the activity information, and the associated intrusion indicator.
In a possible implementation manner, the query module 1102 is further configured to filter the input sample queue; and performing data query in the knowledge graph based on the filtered input sample queue.
In a possible implementation manner, the obtaining module 1101 is further configured to obtain a first type of keywords from the knowledge graph, where the first type of keywords are keywords facing to an organization; when the first-class keywords hit the first description information and the second description information, obtaining first-class safety suggestions matched with the first-class keywords from the knowledge graph; for any one safety suggestion in the first type of safety suggestions, acquiring a first keyword contained in the safety suggestion; and when the first keyword hits the first description information and the second description information, the security suggestion is used as a security suggestion matched with the virus group.
In a possible implementation manner, the obtaining module 1101 is further configured to obtain a second type of security suggestion matched with a second type of keyword from the knowledge graph when the first type of keyword misses the first description information and the second description information, where the second type of keyword is a user-oriented keyword; for any one safety suggestion in the second type of safety suggestions, acquiring a second keyword contained in the safety suggestion; and when the second keyword hits the first description information and the second description information, the security suggestion is used as a security suggestion matched with the virus group.
In one possible implementation, the analysis report includes at least: introduction information of the virus groups and the virus sample sets, knowledge maps of the virus groups, behavioral analysis information of virus samples, security recommendations, and intrusion indicators associated with the virus groups.
All the above optional technical solutions may be combined arbitrarily to form the optional embodiments of the present disclosure, and are not described herein again.
It should be noted that: the analysis report generating device for a security event provided in the above embodiments is only illustrated by the division of the above functional modules when generating an analysis report for a security event, and in practical applications, the above functions may be distributed to different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions. In addition, the device for generating an analysis report of a security event and the method for generating an analysis report of a security event provided in the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Fig. 12 is a schematic structural diagram of a device for generating an analysis report of a security event according to an embodiment of the present invention; the device 1200 corresponds to the scheduling server 12 shown in fig. 1. The device 1200 may vary considerably in configuration and performance, and may include one or more processors (CPUs) 1201 and one or more memories 1202, where the memory 1202 stores at least one instruction that is loaded and executed by the processor 1201 to implement the security event analysis report generation method of the method embodiments above. The device may also have a wired or wireless network interface, a keyboard and an input/output interface for performing input and output, and may include other components for implementing its functions, which are not described here.
In an exemplary embodiment, there is also provided a computer readable storage medium, such as a memory, comprising instructions executable by a processor in a terminal to perform the method of analysis report generation of a security event in the above embodiments. For example, the computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A method for generating an analysis report of a security event, the method comprising:
acquiring an input sample queue, wherein the input sample queue comprises at least one virus sample;
performing data query in a knowledge graph of an information acquisition system based on the input sample queue, and clustering the queried data to obtain primary relationship data of a virus group, wherein the primary relationship data gives an edge relationship between virus samples;
calling a homology clustering server and a sandbox to expand the primary relationship data;
performing data query in the knowledge graph based on the obtained expansion relation data to obtain first description information, wherein the first description information is used for introducing the virus group and a virus sample set used by the virus group;
placing the primary relationship data and the extended relationship data in the sandbox for execution to obtain second description information, wherein the second description information is used for analyzing the sample behavior of the virus sample set;
acquiring a security suggestion matched with the virus group and an associated intrusion indicator;
generating an analysis report of the virus group based on the first description information, the second description information, the security recommendation and the associated intrusion indicator.
2. The method of claim 1, wherein generating an analysis report for the virus group based on the first descriptive information, the second descriptive information, the security recommendation, and the associated intrusion metrics comprises:
acquiring activity information of the virus group, wherein the activity information comprises heat information and breadth information of the virus group;
generating an analysis report of the virus group based on the first description information, the second description information, the security suggestion, the liveness information, and the associated intrusion indicator.
3. The method of claim 1, wherein the querying data in a knowledge-graph of an information acquisition system based on the input sample queue comprises:
filtering the input sample queue;
and performing data query in the knowledge graph based on the filtered input sample queue.
4. The method of claim 1, wherein obtaining the security recommendation matching the virus group comprises:
acquiring first-class keywords from the knowledge graph, wherein the first-class keywords are keywords facing to the organization;
when the first-class keywords hit the first description information and the second description information, obtaining first-class safety suggestions matched with the first-class keywords from the knowledge graph;
for any one safety suggestion in the first type of safety suggestions, acquiring a first keyword contained in the safety suggestion;
and when the first keyword hits the first description information and the second description information, the security suggestion is used as a security suggestion matched with the virus group.
5. The method of claim 4, further comprising:
when the first type of keywords miss the first description information and the second description information, obtaining a second type of safety suggestions matched with a second type of keywords from the knowledge graph, wherein the second type of keywords are keywords facing users;
for any one safety suggestion in the second type of safety suggestions, acquiring a second keyword contained in the safety suggestion;
and when the second keyword hits the first description information and the second description information, the security suggestion is used as a security suggestion matched with the virus group.
6. The method according to any one of claims 1 to 5, wherein the analysis report includes at least: introduction information of the virus groups and the virus sample sets, knowledge maps of the virus groups, behavioral analysis information of virus samples, security recommendations, and intrusion indicators associated with the virus groups.
7. An apparatus for generating an analysis report of a security event, the apparatus comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring an input sample queue, and the input sample queue comprises at least one virus sample;
the query module is used for performing data query in a knowledge graph of the information acquisition system based on the input sample queue, clustering the queried data to obtain primary relationship data of the virus group, wherein the primary relationship data gives out an edge relationship between the virus samples;
the extension module is used for calling the homology clustering server and the sandbox to extend the primary relationship data;
the query module is further configured to perform data query in the knowledge graph based on the obtained expansion relationship data to obtain first description information, where the first description information is used to introduce the virus group and a virus sample set used by the virus group;
the execution module is used for placing the primary relationship data and the extended relationship data in the sandbox for execution to obtain second description information, and the second description information is used for analyzing the sample behaviors of the virus sample set;
the acquisition module is further configured to acquire a security suggestion matched with the virus group and an associated intrusion indicator;
a generating module, configured to generate an analysis report of the virus group based on the first description information, the second description information, the security suggestion, and the associated intrusion indicator.
8. The apparatus of claim 7, wherein the obtaining module is further configured to obtain activity information of the virus group, and the activity information includes hotness information and breadth information of the virus group;
the generation module is further configured to generate an analysis report of the virus group based on the first description information, the second description information, the security suggestion, the liveness information, and the associated intrusion indicator.
9. A storage medium having stored therein at least one instruction, which is loaded and executed by a processor to implement the method for analysis report generation of security events according to any of claims 1 to 6.
10. An apparatus for generating an analysis report of a security event, the apparatus comprising a processor and a memory, the memory having stored therein at least one instruction, the at least one instruction being loaded and executed by the processor to implement the analysis report generation method of a security event according to any of claims 1 to 6.
CN201910161352.8A 2019-03-04 2019-03-04 Security event analysis report generation method and device, storage medium and equipment Active CN111651751B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910161352.8A CN111651751B (en) 2019-03-04 2019-03-04 Security event analysis report generation method and device, storage medium and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910161352.8A CN111651751B (en) 2019-03-04 2019-03-04 Security event analysis report generation method and device, storage medium and equipment

Publications (2)

Publication Number Publication Date
CN111651751A CN111651751A (en) 2020-09-11
CN111651751B true CN111651751B (en) 2022-04-15

Family

ID=72349123

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910161352.8A Active CN111651751B (en) 2019-03-04 2019-03-04 Security event analysis report generation method and device, storage medium and equipment

Country Status (1)

Country Link
CN (1) CN111651751B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112182567B (en) * 2020-09-29 2022-12-27 西安电子科技大学 Multi-step attack tracing method, system, terminal and readable storage medium
CN112073437B (en) * 2020-10-09 2023-12-19 腾讯科技(深圳)有限公司 Multi-dimensional security threat event analysis method, device, equipment and storage medium
CN112751883B (en) * 2021-01-19 2023-11-24 杨建鑫 IP threat score judgment method, device, equipment and medium
CN113158189B (en) * 2021-04-28 2023-12-26 绿盟科技集团股份有限公司 Method, device, equipment and medium for generating malicious software analysis report
CN113836273A (en) * 2021-11-23 2021-12-24 天津汇智星源信息技术有限公司 Legal consultation method based on complex context and related equipment
CN116244694A (en) * 2022-12-04 2023-06-09 云南电网有限责任公司信息中心 A firmware vulnerability discovery method based on knowledge graph
CN116471123B (en) * 2023-06-14 2023-08-25 杭州海康威视数字技术股份有限公司 Intelligent analysis method, device and equipment for security threat of intelligent equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102831149A (en) * 2012-06-25 2012-12-19 腾讯科技(深圳)有限公司 Sample analyzing method, device and storage medium
US9183387B1 (en) * 2013-06-05 2015-11-10 Google Inc. Systems and methods for detecting online attacks
CN106803039A (en) * 2016-12-30 2017-06-06 北京神州绿盟信息安全科技股份有限公司 The homologous decision method and device of a kind of malicious file
CN108985361A (en) * 2018-07-02 2018-12-11 北京金睛云华科技有限公司 A kind of malicious traffic stream detection implementation method and device based on deep learning

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2755780T3 (en) * 2011-09-16 2020-04-23 Veracode Inc Automated behavior and static analysis using an instrumented sandbox and machine learning classification for mobile security
US10542015B2 (en) * 2016-08-15 2020-01-21 International Business Machines Corporation Cognitive offense analysis using contextual data and knowledge graphs


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Gong Qi, "Ransomware homology analysis based on sequence alignment" (基于序列比对的勒索病毒同源性分析), Computer and Modernization (计算机与现代化), 2018-02-28, No. 2, pp. 1-5 *

Also Published As

Publication number Publication date
CN111651751A (en) 2020-09-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant