
TWI855845B - User networking protection system, method, and computer-readable medium based on network threat information - Google Patents


Info

Publication number: TWI855845B
Authority: TW (Taiwan)
Prior art keywords: traffic, threat intelligence, network, malicious, module
Application number: TW112133072A
Other languages: Chinese (zh)
Other versions: TW202511991A (en)
Inventors: 王祥安, 黃傳強, 徐正磬
Original assignee: 中華電信股份有限公司 (Chunghwa Telecom Co., Ltd.)
Application filed by 中華電信股份有限公司; priority to TW112133072A (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Status: application granted
Publications: TWI855845B (granted patent), TW202511991A (application)

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a user Internet-access protection system, method and computer-readable medium based on network threat intelligence. A traffic diversion and filtering module filters the network traffic associated with a connection request from a user device, to prevent the device from connecting to an external malicious website, and receives the latest network threat intelligence from a threat intelligence module. When the user device attempts a malicious connection to a malicious website, that connection is blocked or guarded against on the basis of the latest network threat intelligence. In addition, a mirroring and analysis module records the network traffic passing through the traffic diversion and filtering module, and the threat intelligence module analyzes that traffic for network threat intelligence. When a threat risk is found, the mirroring and analysis module backtracks the connection behind the network threat intelligence and feeds the backtracking result back to the threat intelligence module.

Description

User Internet-access protection system, method and computer-readable medium based on network threat intelligence

The present invention relates to user Internet-access protection technology, and in particular to a user Internet-access protection system, method and computer-readable medium based on network threat intelligence.

The Internet has grown rapidly in recent years. Its complexity (many sources) and speed (fast attacks) expose users, enterprises and organizations to severe network threats, and allow hackers (cyber criminals) to mount network attacks against specific users, enterprises or organizations (such as governments, agencies or groups).

Furthermore, major information security incidents are frequently reported internationally. Hacker groups use carefully planned advanced or persistent threats to intrude into the electronic devices and information systems of users, enterprises and organizations, stealing personal data, trade secrets and sensitive information for large illegal profits.

Information security offense and defense has become an asymmetric contest: a single user, enterprise or organization finds it increasingly difficult to stand against organized hacker groups with a professional division of labour. On this new cyber battlefield, threats come from all over the world. Users, enterprises and organizations must recognize that facing new network threats requires a strong capability to collect threat intelligence, and that network threat intelligence must be used to mount defenses that match the current external threat trends.

However, the prior art cannot route all network traffic associated with a connection request (such as an Internet access request) from a user device through a traffic diversion and filtering module to prevent the device from connecting to an external malicious website, malicious IP address or malicious domain name; it cannot quickly block malicious connections or malicious connection behavior from the user device toward such external destinations; it cannot mirror, analyze or retain all network traffic passing through the traffic diversion and filtering module; and it cannot feed the connection backtracking results of network threat intelligence back to a threat intelligence module to extend that module's intelligence content.

Therefore, providing an innovative user Internet-access protection technique that solves any of the above problems, together with the associated system and method, has become a major research topic for those skilled in the art.

The user Internet-access protection system based on network threat intelligence of the present invention includes: a traffic diversion and filtering module which, when a user device makes a connection request, passes the network traffic associated with that request through the module for filtering, to prevent the user device from connecting to any external malicious website, malicious IP (Internet Protocol) address or malicious domain name; a threat intelligence module, which provides the latest network threat intelligence so that, when the user device attempts a malicious connection or malicious connection behavior toward any such external destination, the connection is blocked or guarded against according to the content of that latest intelligence; and a mirroring and analysis module, which mirrors, copies or retains the network traffic passing through the traffic diversion and filtering module. The threat intelligence module analyzes the network traffic passing through the traffic diversion and filtering module for network threat intelligence; when the analysis result indicates that the network threat intelligence carries a threat risk, the mirroring and analysis module backtracks the connection behind that intelligence and feeds the backtracking result back to the threat intelligence module, adding to the threat intelligence module's network threat intelligence content.

The user Internet-access protection method based on network threat intelligence of the present invention includes: when a user device makes a connection request, filtering the network traffic associated with that request with a traffic diversion and filtering module, to prevent the user device from connecting to any external malicious website, malicious IP (Internet Protocol) address or malicious domain name; providing the latest network threat intelligence from a threat intelligence module so that, when the user device attempts a malicious connection or malicious connection behavior toward any such external destination, the connection is blocked or guarded against according to the content of that latest intelligence; and mirroring, copying or retaining, with a mirroring and analysis module, the network traffic passing through the traffic diversion and filtering module, while the threat intelligence module analyzes that traffic for network threat intelligence, so that when the analysis result indicates a threat risk, the mirroring and analysis module backtracks the connection behind the network threat intelligence and feeds the backtracking result back to the threat intelligence module, adding to the threat intelligence module's network threat intelligence content.

The computer-readable medium of the present invention is used in a computing device or computer and stores instructions for executing the above user Internet-access protection method based on network threat intelligence.

Therefore, the present invention provides an innovative user Internet-access protection system, method and computer-readable medium based on network threat intelligence. When a user device makes a connection request (such as an Internet access request), all network traffic associated with that request is automatically passed through the traffic diversion and filtering module, preventing the user device from connecting to external malicious websites, malicious IP addresses or malicious domain names. The system can also monitor connection requests from external malicious websites, IP addresses or domain names toward internal user devices, preventing malicious connections or malicious connection behavior (such as network scanning).

Further, the user Internet-access protection system based on network threat intelligence of the present invention is an innovative network threat intelligence protection system that can quickly block malicious connections or malicious connection behavior from a user device toward any external malicious website, malicious IP address or malicious domain name.

Further, the mirroring and analysis module of the present invention can automatically and effectively mirror, analyze or retain all network traffic passing through the traffic diversion and filtering module, and can automatically feed the connection backtracking results of network threat intelligence back to the threat intelligence module, adding to that module's network threat intelligence content.

To make the above features and advantages of the present invention clearer, embodiments are described in detail below with reference to the accompanying drawings. Additional features and advantages of the invention are set forth in part in the description that follows, and in part will be apparent from that description or may be learned by practice of the invention. Both the general description above and the detailed description below are exemplary and explanatory and are not intended to limit the scope of the claimed invention.

1: User Internet-access protection system

10: Traffic diversion and filtering module

11: Traffic diversion unit

12: Traffic filtering unit

20: Threat intelligence module

21: Threat intelligence database

22: Threat intelligence analysis and backtracking unit

30: Mirroring and analysis module

31: Traffic mirroring unit

32: Backtracking analysis unit

A: User device

B: Network

C: Network threat intelligence

D: Network traffic

S01 to S13: Steps

FIG. 1 is a schematic architecture diagram of the user Internet-access protection system based on network threat intelligence of the present invention.

FIG. 2 is a schematic diagram of an embodiment of the user Internet-access protection system based on network threat intelligence of the present invention.

FIG. 3 is a flow chart of a usage-scenario embodiment of the user Internet-access protection method based on network threat intelligence of the present invention.

The following describes embodiments of the present invention by way of specific implementations. Those skilled in the art can understand other advantages and effects of the invention from the content disclosed in this specification, and can practice or apply it through other, equivalent implementations.

FIG. 1 and FIG. 2 are respectively a schematic architecture diagram and a schematic embodiment diagram of the user Internet-access protection system 1 based on network threat intelligence of the present invention. As shown in FIG. 1 and FIG. 2, the system 1 can be communicatively connected to a user device A and a network B, and includes a traffic diversion and filtering module 10, a threat intelligence module 20 and a mirroring and analysis module 30 that are communicatively connected to one another. The traffic diversion and filtering module 10 may have a traffic diversion unit 11 and a traffic filtering unit 12; the threat intelligence module 20 may have a threat intelligence database 21 and a threat intelligence analysis and backtracking unit 22; and the mirroring and analysis module 30 may have a traffic mirroring unit 31 and a backtracking analysis unit 32.

In one embodiment, user device A may be a user and/or the user equipment in use, such as a smartphone, smart watch, tablet, personal computer, laptop or desktop computer. Network B may be the Internet, a wired network, a wireless network, a wide area network (WAN), a local area network (LAN), a metropolitan area network (MAN), and so on.

In one embodiment, the traffic diversion and filtering module 10 may be a traffic diversion and filtering chip/circuit or traffic diversion and filtering software (program); the traffic diversion unit 11 may be a traffic diverter chip/circuit or traffic diversion software; and the traffic filtering unit 12 may be a traffic filter chip/circuit or traffic filtering software. The threat intelligence database 21 may be a threat intelligence data store or data server, or a memory, memory card, hard disk (including cloud, network or external disks), optical disc or USB drive that stores the network threat intelligence C; the threat intelligence analysis and backtracking unit 22 may be a threat intelligence analysis and backtracking device or software. The mirroring and analysis module 30 may be a mirroring analyzer chip/circuit or software; the traffic mirroring unit 31 may be a traffic mirroring chip/circuit or software; and the backtracking analysis unit 32 may be a backtracking analyzer chip/circuit or software.

In one embodiment, "at least one" as used in the present invention means one or more (one, two, three or more); "a plurality" means two or more (two, three, four, ten, one hundred or more); and "communicatively connected" means connected for communication in a wired manner (such as a wired network) or a wireless manner (such as a wireless network). Network traffic D may be network traffic of any kind; "internal" may refer to an internal user device A, equipment (such as network equipment), system (such as an information system) or website; and "external" may or may not be a malicious website, malicious IP (Internet Protocol) address or malicious domain name. The present invention is not limited to what is mentioned in each embodiment.

In detail, the user Internet-access protection system 1 based on network threat intelligence mainly includes the traffic diversion and filtering module 10, the threat intelligence module 20 and the mirroring and analysis module 30. The traffic diversion unit 11 of module 10 controls the direction of network traffic D, and the traffic filtering unit 12 of module 10 determines whether network traffic D contains network threat intelligence C (malicious threat intelligence) in the form of a malicious IP address or malicious domain name. The threat intelligence database 21 of module 20 stores the network threat intelligence C, and the threat intelligence analysis and backtracking unit 22 of module 20 analyzes whether network threat intelligence C to be added is malicious (high-risk) intelligence. The traffic mirroring unit 31 of module 30 mirrors and retains all network traffic D, and the backtracking analysis unit 32 of module 30 analyzes network threat intelligence C and queries historical (past) network traffic D.

When user device A makes a connection request (such as an Internet access request), all network traffic D associated with that request is filtered by the traffic diversion and filtering module 10 to prevent user device A from connecting to any external malicious website, malicious IP address or malicious domain name. In one embodiment, module 10 asks the threat intelligence module 20 periodically or on demand whether there is newer network threat intelligence C and, if so, the latest intelligence C is transmitted to module 10 (a pull model); in another embodiment, module 20 transmits the latest intelligence C to module 10 whenever it has new content (a push model). When internal user device A attempts a malicious connection or malicious connection behavior toward any external malicious website, malicious IP address or malicious domain name (internal to external), the threat intelligence module 20 can, according to the content of the latest network threat intelligence C, block or guard against that malicious connection or malicious connection behavior.

The traffic diversion and filtering module 10 also monitors external-to-internal connection requests, to prevent malicious connections or malicious connection behavior (such as network scanning). All network traffic D passing through module 10 is mirrored or copied to the traffic mirroring unit 31 of the mirroring and analysis module 30 for retention, whether or not it was blocked. Connections in network traffic D that module 10 did not detect are transmitted to the threat intelligence module 20 for network threat intelligence analysis. When module 20's analysis finds that the network threat intelligence C carries a threat risk (high or potential risk), the mirroring and analysis module 30 backtracks the connection behind that intelligence and feeds the backtracking result back to module 20, adding to the content of module 20's network threat intelligence C (as the latest intelligence) and thereby increasing its richness and breadth.

1. Traffic diversion and filtering module 10: may have a traffic diversion unit 11 and a traffic filtering unit 12. During the initialization phase of module 10, the traffic filtering unit 12 receives the latest network threat intelligence C provided by the threat intelligence module 20.

[1] Internal-to-external connection behavior: when internal user device A makes a connection request to the outside (internal to external), the traffic diversion unit 11 of module 10 parses and extracts, from that request, (1) the destination IP address, (2) the DNS (Domain Name System) query request and (3) the IP address records in the DNS response. The traffic diversion unit 11 passes the destination IP address/domain name to the traffic filtering unit 12 of module 10, which compares it with the updated latest network threat intelligence C (IP addresses/domain names). If the comparison matches (a hit), this outbound connection request from user device A is connection behavior with a threat risk (high or potential risk); the traffic filtering unit 12 returns the threat-risk result to the traffic diversion unit 11, which rejects the connection request.

[2] External-to-internal connection behavior: if the source (initiator) of the connection request is external and the connection is directed inward, the traffic diversion unit 11 of module 10 parses and extracts the source IP address of that external-to-internal connection and passes it to the traffic filtering unit 12 of module 10, which compares the source IP address with the updated latest network threat intelligence C (IP addresses). If the comparison matches (a hit), this external-to-internal connection request is connection behavior with a threat risk (high or potential risk); the traffic filtering unit 12 returns the threat-risk result to the traffic diversion unit 11, which rejects the connection request.

[3] If neither the internal-to-external connection behavior of [1] nor the external-to-internal connection behavior of [2] matches any network threat intelligence C (malicious threat intelligence), the traffic diversion unit 11 of module 10 approves the connection request of user device A or the external connection request, respectively.

To increase the depth and breadth of network threat intelligence C, the traffic filtering unit 12 of module 10, while monitoring internal-to-external connections, transmits the connection resolution results of DNS query request records that did not match (misses) to the threat intelligence module 20 for analysis and feedback of network threat intelligence C; and the traffic diversion unit 11 of module 10 mirrors or copies the network traffic D of both internal-to-external and external-to-internal connections to the traffic mirroring unit 31 of the mirroring and analysis module 30 for complete retention.
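The filtering behavior of steps [1] to [3] above, as an added example that is not the patent's own code: a small model of module 10 that checks the outbound destination IP, the DNS query name and the IP addresses in the DNS answer, checks the source IP of inbound requests, mirrors every flow to a recorder standing in for unit 31, and collects DNS misses for hand-off to module 20. The indicator sets, the flow dictionaries, the CIDR and parent-zone matching rules and the sample data are all assumptions made for the example; the patent only specifies IP addresses and domain names as indicator types.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed threat intelligence, standing in for the latest content C that
# threat intelligence module 20 pushes to the filter (only the two indicator
# types the patent names: IP addresses and domain names). TEST-NET addresses
# and .example names are used so nothing here is a real indicator.
SAMPLE_INTEL_IPS = ["203.0.113.7", "198.51.100.0/24"]
SAMPLE_INTEL_DOMAINS = ["evil.example", "c2.bad.example"]


class ThreatIntel:
    """Indicator sets with the matching rules a filter actually needs."""

    def __init__(self, ips, domains):
        # Feeds mix single addresses and CIDR blocks (an assumption beyond the
        # patent text); normalise both to ip_network so one containment check
        # covers either form.
        self.nets = [ipaddress.ip_network(x, strict=False) for x in ips]
        self.domains = {d.lower().rstrip(".") for d in domains}

    def ip_hit(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed address: no hit, not a crash
            return False
        return any(addr in net for net in self.nets)

    def domain_hit(self, name):
        # A listed zone covers its subdomains (cdn.evil.example hits
        # evil.example) but not names that merely contain it
        # (notevil.example, evil.example.com).
        labels = name.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))


@dataclass
class FilterModule:
    """Model of traffic diversion and filtering module 10."""
    intel: ThreatIntel
    recorder: list = field(default_factory=list)       # stands in for mirroring unit 31
    unmatched_dns: list = field(default_factory=list)  # misses handed to module 20

    def handle(self, flow):
        """Return ("allow" | "deny", reason) for one connection request."""
        self.recorder.append(flow)  # every flow is mirrored, whatever the verdict
        if flow["direction"] == "inbound":
            return self._inbound(flow)
        return self._outbound(flow)

    def _inbound(self, flow):
        # [2] external to internal: only the source IP is available to check.
        if self.intel.ip_hit(flow["src_ip"]):
            return ("deny", "source IP %s in threat intelligence" % flow["src_ip"])
        return ("allow", None)

    def _outbound(self, flow):
        # [1] internal to external: (1) destination IP, (2) DNS query name,
        # (3) IP addresses in the DNS answer are each checked.
        qname = flow.get("dns_query")
        if qname and self.intel.domain_hit(qname):
            return ("deny", "queried domain %s in threat intelligence" % qname)
        for ip in [flow.get("dst_ip")] + list(flow.get("dns_answers", [])):
            if ip and self.intel.ip_hit(ip):
                return ("deny", "IP %s in threat intelligence" % ip)
        if qname:
            # A DNS miss still has value: the name and what it resolved to are
            # forwarded for threat intelligence analysis.
            self.unmatched_dns.append((qname, list(flow.get("dns_answers", []))))
        return ("allow", None)


# Constructed sample flows for one private client behind the filter.
SAMPLE_FLOWS = [
    {"direction": "outbound", "src_ip": "10.0.0.5", "dns_query": "cdn.evil.example", "dns_answers": []},
    {"direction": "outbound", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.20"},
    {"direction": "outbound", "src_ip": "10.0.0.5", "dns_query": "shop.example", "dns_answers": ["203.0.113.7"]},
    {"direction": "outbound", "src_ip": "10.0.0.5", "dns_query": "www.news.example", "dns_answers": ["192.0.2.44"]},
    {"direction": "inbound", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5"},
    {"direction": "inbound", "src_ip": "192.0.2.1", "dst_ip": "10.0.0.5"},
]


def run_samples():
    """Run the sample flows through a fresh filter; returns (verdicts, filter)."""
    f = FilterModule(ThreatIntel(SAMPLE_INTEL_IPS, SAMPLE_INTEL_DOMAINS))
    verdicts = [f.handle(flow)[0] for flow in SAMPLE_FLOWS]
    return verdicts, f


if __name__ == "__main__":
    verdicts, f = run_samples()
    for flow, v in zip(SAMPLE_FLOWS, verdicts):
        print(v, flow)
    print("mirrored:", len(f.recorder), "DNS misses forwarded:", f.unmatched_dns)
```

The third sample flow is the case the patent's second-stage check exists for: the queried name is not listed, but the address it resolves to is, so the verdict comes from the DNS answer rather than the query. The parent-zone rule in `domain_hit` is deliberate; a naive substring match would also block unrelated names such as evil.example.com.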

2. Threat intelligence module 20: may have a threat intelligence database 21 and a threat intelligence analysis and backtracking unit 22. Database 21 stores two types of network threat intelligence C, IP addresses and domain names. Module 20 periodically pushes the latest intelligence C from database 21 to the traffic diversion and filtering module 10, which then filters network traffic D against that latest intelligence C for malicious connections or malicious connection behavior.

[1] Internal-to-external connection behavior: when internal user device A makes a connection request by "IP address" (a direct connection), module 10 compares the destination IP address requested by user device A with the previously updated network threat intelligence C to determine whether the request is a malicious connection or malicious connection behavior. If the comparison matches (a hit), module 10 blocks the connection request and transmits that IP address to the threat intelligence analysis and backtracking unit 22 of module 20, which traces the history of the IP address to find the domain names associated with it and feeds the domain names found back into the threat intelligence database 21. Conversely, if there is no match (a miss), module 10 allows internal user device A to connect to the outside.

Likewise, when the internal user device A makes a connection request by "domain name", the traffic diversion and filtering module 10 compares the domain name of the request with the previously updated network threat intelligence C to decide whether it is a malicious connection or malicious connection behaviour. If the domain name matches the previously updated network threat intelligence C (a hit), module 10 blocks this connection request of the internal user device A. Conversely, if the domain name does not match (a miss), module 10 allows the internal user device A to send a DNS (Domain Name Service) query to the outside, and then compares the IP address returned by that external DNS query against the network threat intelligence C once more to confirm whether it is a malicious connection or malicious connection behaviour, thereby providing real-time protection. When the returned IP address is a malicious connection or malicious connection behaviour, the traffic diversion and filtering module 10 immediately blocks that IP address, and the threat intelligence analysis and backtracking unit 22 of the threat intelligence module 20 backtracks the history of the returned IP address to find the domain names associated with it and feeds those domain names back into the threat intelligence database 21. If, after the above real-time protection or blocking, the traffic diversion and filtering module 10 finds that none of the domain names found shows malicious behaviour, it may send those domain names to the threat intelligence analysis and backtracking unit 22 for further analysis.

[2] External-to-internal connection behaviour: when an external user connects to an internal device by "IP address" (i.e. an external-to-internal connection request), the traffic diversion and filtering module 10 compares the external user's IP address with the previously updated network threat intelligence C to decide whether it is a malicious connection or malicious connection behaviour. If the external user's IP address matches the previously updated network threat intelligence C (a hit), this external-to-internal connection request is a malicious connection or malicious connection behaviour with a threat risk (high or potential risk), so the traffic diversion and filtering module 10 blocks the request and sends the external user's IP address to the threat intelligence analysis and backtracking unit 22 of the threat intelligence module 20, which backtracks the history of that IP address to find the domain names associated with it and feeds them back into the threat intelligence database 21. Conversely, if the external user's IP address does not match the previously updated network threat intelligence C (a miss), this external-to-internal connection request is connection behaviour without threat risk (neither high nor potential risk), so the traffic diversion and filtering module 10 may allow it.

When the threat intelligence analysis and backtracking unit 22 of the threat intelligence module 20 receives a domain name to be analysed from the traffic filtering unit 12 of the traffic diversion and filtering module 10, unit 22 may use the following threat intelligence reputation calculation method, which evaluates a predefined distribution model P together with the domain name Q to be analysed to obtain the threat intelligence reputation score Verdict(σ) of Q. For example, the threat intelligence reputation calculation method is the formula of Figure 112133072-A0101-12-0013-2 (image not reproduced in this text), where Verdict(σ) denotes the threat intelligence reputation score, P the predefined distribution model, Q the domain name to be analysed, i runs from 1 to n, and n is a positive integer equal to or greater than 2.

When the threat intelligence reputation score Verdict(σ) of the domain name Q to be analysed exceeds a certain threshold, the threat intelligence module 20 may define Q as a malicious domain name, and its threat intelligence analysis and backtracking unit 22 then asks the mirroring analysis module 30 to backtrack the history of that malicious domain name over a certain time interval to find the malicious IP addresses associated with it, i.e. the malicious IP addresses IP1, IP2, ..., IPn associated with the malicious domain name Di, for example Di = {IP1, IP2, ..., IPn}. Unit 22 treats the malicious IP addresses associated with Di as newly added network threat intelligence C and feeds them back into the threat intelligence database 21.

When the data received by the threat intelligence analysis and backtracking unit 22 is an IP address, unit 22 directly asks the mirroring analysis module 30 to backtrack the history of that IP address over a certain time interval to find the domain names associated with it, i.e. the malicious domain names D1, D2, ..., Dn associated with the malicious IP address IPi, for example IPi = {D1, D2, ..., Dn}. Unit 22 then treats the malicious domain names associated with IPi as newly added network threat intelligence C and feeds them back into the threat intelligence database 21.

3. Mirroring analysis module 30: it may have a traffic mirroring unit 31 and a backtracking analysis unit 32. The traffic mirroring unit 31 mirrors and stores the traffic passed on by the traffic diversion and filtering module 10, and the backtracking analysis unit 32 backtracks the associated history according to the related parameters requested by the threat intelligence module 20 (for example the domain name or IP address with threat risk to be queried, and a certain time interval), returning the associated malicious IP addresses or malicious domain names found by that backtracking to the threat intelligence database 21.

FIG. 3 is a flow chart of an embodiment of a usage scenario of the user Internet protection method based on network threat intelligence according to the present invention, described together with the user Internet protection system 1 based on network threat intelligence shown in FIG. 1 and FIG. 2.

As shown in FIG. 3, when the user Internet protection system 1 based on network threat intelligence receives a connection request (step S01), the request first enters the traffic diversion unit 11 of the traffic diversion and filtering module 10 (step S02). Besides passing the network traffic D on to the traffic filtering unit 12 for detection against the network threat intelligence C (step S03), the traffic diversion unit 11 also mirrors or copies the network traffic D to the traffic mirroring unit 31 of the mirroring analysis module 30, which stores the complete content of the network traffic D (step S04).

The traffic filtering unit 12 of the traffic diversion and filtering module 10 compares the current connection request in real time against the network threat intelligence C (malicious threat intelligence) in the threat intelligence database 21 of the threat intelligence module 20. [1] If the traffic filtering unit 12 matches the current connection request to a malicious IP address or malicious domain name in the network threat intelligence C, it rejects the request (step S05) and passes the request to the threat intelligence analysis and backtracking unit 22 (step S09). [2] If the traffic filtering unit 12 does not match the IP address of the current connection request to any malicious IP address in the network threat intelligence C, it judges that IP address to be non-malicious and approves the request (step S06). [3] If the traffic filtering unit 12 does not match the domain name of the current connection request to any domain name in the network threat intelligence C, it judges the domain name to be an unknown domain name and queries a domain name service server (DNS server) for all IP addresses corresponding to it (for example IP = {IP1, IP2, ..., IPn}; step S07); the DNS server (not shown) then returns all corresponding IP addresses, which are passed one by one to the traffic filtering unit 12 for comparison or detection (step S08).

When the traffic filtering unit 12 finds that any of the corresponding IP addresses is a malicious corresponding IP address, it rejects the current connection request (step S05) and sends that malicious corresponding IP address to the threat intelligence analysis and backtracking unit 22. Conversely, when none of the corresponding IP addresses is found to be malicious, the traffic filtering unit 12 sends the unknown domain name to the threat intelligence analysis and backtracking unit 22 (step S09).

The threat intelligence analysis and backtracking unit 22 of the threat intelligence module 20 performs different backtracking or analysis depending on the kind of malicious request or unknown request in the network threat intelligence C (malicious threat intelligence). [1] If the malicious request is a "malicious IP address or malicious corresponding IP address", unit 22 backtracks the associated domain names (for example {D1, D2, ..., Dn}; step S10) through the network traffic D mirrored by the traffic mirroring unit 31 of the mirroring analysis module 30, and then adds those associated domain names to the threat intelligence database 21 (step S13). [2] If the malicious request is a "malicious domain name", unit 22 backtracks the associated IP addresses (for example IP = {IP1, IP2, ..., IPn}; step S11) and then adds them to the threat intelligence database 21 (step S13). [3] If the unknown request is an unknown domain name, unit 22 calculates the threat intelligence reputation score Verdict(σ) of the unknown domain name using the threat intelligence reputation calculation method, for example the formula of Figure 112133072-A0101-12-0016-4 (image not reproduced in this text), and decides from Verdict(σ) whether the unknown domain name carries a threat risk (step S12).

For example, when the threat intelligence reputation score Verdict(σ) of the unknown domain name exceeds a certain threshold, the threat intelligence analysis and backtracking unit 22 judges the unknown domain name to have a threat risk (high or potential risk); conversely, when Verdict(σ) does not exceed the threshold, unit 22 judges it to have no threat risk (neither risk nor potential risk). If the unknown domain name has a threat risk, it is passed to the threat intelligence analysis and backtracking unit 22 to backtrack all associated IP addresses (for example IP = {IP1, IP2, ..., IPn}; step S11), and unit 22 then adds all associated IP addresses to the threat intelligence database 21 (step S13). Otherwise, if the unknown domain name has no threat risk, the traffic filtering unit 12 of the traffic diversion and filtering module 10 approves the current connection request (step S06).

In other words, the user Internet protection method based on network threat intelligence according to the present invention may comprise: [1] a traffic diversion method, [2] a traffic filtering method, [3] the threat intelligence database 21, [4] a threat intelligence analysis and backtracking method, [5] a traffic mirroring method, and [6] a backtracking analysis method.

[1] Traffic diversion method: the diversion of network traffic D by the traffic diversion unit 11 passes both internal-to-external and external-to-internal connection behaviour through transparently; this network traffic D is mirrored or copied by port control to other ports and output to the traffic mirroring unit 31 of the mirroring analysis module 30. During the pass-through, the connection indicators (for example the source IP address, the destination IP address, the DNS query request and the responded IP address record) are also parsed and extracted. If the connection request contains a malicious connection or malicious connection behaviour, the traffic diversion and filtering module 10 immediately blocks it; otherwise the traffic diversion and filtering module 10 lets the traffic pass through without blocking the connection request or connection behaviour.

[2] Traffic filtering method: the latest network threat intelligence C from the threat intelligence module 20 is compared with the internal-to-external and external-to-internal connection indicators (for example the source IP address, the destination IP address, the DNS query request and the responded IP address record). When the indicated connection includes a malicious connection or malicious connection behaviour, the traffic diversion unit 11 of the traffic diversion and filtering module 10 is instructed to reject the connection request, and the IP address or domain name is sent to the threat intelligence analysis and backtracking unit 22 of the threat intelligence module 20 for backtracking and searching of network threat intelligence C.

[3] Threat intelligence database 21: it can store the two types of network threat intelligence C (malicious threat intelligence), IP addresses and domain names. The threat intelligence database 21 also provides the latest network threat intelligence C to the traffic filtering unit 12 of the traffic diversion and filtering module 10, and the threat intelligence analysis and backtracking unit 22 of the threat intelligence module 20 can add new network threat intelligence C to the database.

[4] Threat intelligence analysis and backtracking method: the traffic filtering unit 12 of the traffic diversion and filtering module 10 judges whether the network threat intelligence C is malicious threat intelligence such as a malicious IP address or malicious domain name, and the backtracking analysis unit 32 of the mirroring analysis module 30 backtracks the associated corresponding IP addresses or domain names so that they can be added to the threat intelligence database 21.

[5] Traffic mirroring method: the traffic mirroring unit 31 of the mirroring analysis module 30 mirrors and retains network traffic D around the clock (e.g. 24 hours a day), and the backtracking analysis unit 32 of the mirroring analysis module 30 can query that network traffic D.

[6] Backtracking analysis method: when the threat intelligence analysis and backtracking unit 22 queries an IP address, it asks the mirroring analysis module 30 to backtrack the history of a certain time interval to find the domain names associated with that IP address (for example IPi = {D1, D2, ..., Dn}). When unit 22 queries a domain name, it asks the mirroring analysis module 30 to backtrack the history of a certain time interval to find the IP addresses associated with that domain name (for example Di = {IP1, IP2, ..., IPn}). Unit 22 then treats the associated domain names or IP addresses as newly added network threat intelligence C and feeds them back into the threat intelligence database 21.
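The filtering and backtracking loop of steps S01 to S13 (FIG. 3) and of methods [1] to [6] above, as an added Python model; it is not code from the patent or its applicant. It assumes a list of mirrored DNS records standing in for what the traffic mirroring unit 31 stores, a dictionary standing in for the DNS server of step S07, and a caller-supplied reputation function standing in for Verdict(σ), whose formula the page shows only as an image; all records, addresses and the names ThreatIntelDB, filter_request, enrich_from_ip, enrich_from_domain, backtrack_ip and backtrack_domain are constructed here.

```python
"""Added illustration, not code from the patent: a model of the filter and
backtrack loop (filtering unit 12, analysis and backtracking unit 22,
backtracking analysis unit 32, database 21). All data is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed mirrored-traffic records, one per observed DNS answer:
# (timestamp, client, queried name, answered IP).
MIRRORED_DNS: List[Tuple[int, str, str, str]] = [
    (100, "10.0.0.5", "update.example-cdn.test", "198.51.100.10"),
    (105, "10.0.0.5", "bad.example.test", "203.0.113.7"),
    (110, "10.0.0.9", "other-bad.example.test", "203.0.113.7"),
    (900, "10.0.0.9", "old-bad.example.test", "203.0.113.7"),  # outside window
]
Window = Tuple[int, int]  # (from, to) time interval for backtracking


@dataclass
class ThreatIntelDB:
    """Threat intelligence database 21: the two indicator types it stores."""
    ips: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)


def backtrack_ip(records, ip: str, window: Window) -> Set[str]:
    """Unit 32: names that resolved to ip inside the window."""
    lo, hi = window
    return {q for ts, _, q, a in records if a == ip and lo <= ts <= hi}


def backtrack_domain(records, domain: str, window: Window) -> Set[str]:
    """Unit 32: IPs the domain resolved to inside the window."""
    lo, hi = window
    return {a for ts, _, q, a in records if q == domain and lo <= ts <= hi}


def enrich_from_ip(db: ThreatIntelDB, records, ip: str, window: Window) -> Set[str]:
    """Unit 22 given a malicious IP (S10, S13): keep it, feed back its domains."""
    db.ips.add(ip)
    found = backtrack_ip(records, ip, window)
    db.domains |= found
    return found


def enrich_from_domain(db: ThreatIntelDB, records, domain: str, window: Window) -> Set[str]:
    """Unit 22 given a malicious domain (S11, S13): keep it, feed back its IPs."""
    db.domains.add(domain)
    found = backtrack_domain(records, domain, window)
    db.ips |= found
    return found


def filter_request(db: ThreatIntelDB, records, request: Tuple[str, str],
                   resolve: Callable[[str], List[str]],
                   reputation: Callable[[str], float],
                   threshold: float, window: Window) -> Tuple[str, str]:
    """Traffic filtering unit 12. request is ("ip", addr) or ("domain", name).
    `resolve` stands in for the DNS server of S07; `reputation` stands in for
    Verdict(sigma) of S12 (formula not on the page, so an assumed callable)."""
    kind, value = request
    if kind == "ip":
        if value in db.ips:                       # IP hit: S05 then S09
            enrich_from_ip(db, records, value, window)
            return "block", "ip hit"
        return "allow", "ip miss"                 # S06
    if value in db.domains:                       # domain hit: S05 then S09
        enrich_from_domain(db, records, value, window)
        return "block", "domain hit"
    # Unknown domain: resolve it and re-check every answered IP (S07, S08).
    for ip in resolve(value):
        if ip in db.ips:
            enrich_from_ip(db, records, ip, window)
            return "block", "resolved ip hit " + ip
    # No answered IP is known-bad: score the name (S09, S12). Above the
    # threshold the page takes the S11/S13 branch rather than the S06
    # approval; returning "block" there is an assumption of this model.
    if reputation(value) > threshold:
        enrich_from_domain(db, records, value, window)
        return "block", "reputation above threshold"
    return "allow", "unknown domain below threshold"   # S06


# Constructed stand-ins for the DNS server and the reputation function.
FAKE_DNS: Dict[str, List[str]] = {
    "bad.example.test": ["203.0.113.7"],
    "clean.example.test": ["198.51.100.20"],
    "shady.example.test": ["192.0.2.44"],
}
FAKE_REPUTATION: Dict[str, float] = {"shady.example.test": 0.9}


def run_scenario():
    """Five requests against a database seeded with one malicious IP."""
    db = ThreatIntelDB(ips={"203.0.113.7"})
    results = []
    for req in [("ip", "198.51.100.1"), ("domain", "clean.example.test"),
                ("domain", "bad.example.test"), ("domain", "shady.example.test"),
                ("domain", "bad.example.test")]:
        decision, reason = filter_request(
            db, MIRRORED_DNS, req, lambda n: FAKE_DNS.get(n, []),
            lambda n: FAKE_REPUTATION.get(n, 0.1), 0.5, (0, 300))
        results.append((req, decision, reason))
    return db, results


if __name__ == "__main__":
    db, results = run_scenario()
    for req, decision, reason in results:
        print(req, "->", decision, "(" + reason + ")")
    print("database now:", sorted(db.ips), sorted(db.domains))
```

The third request shows the S07/S08 path: bad.example.test is not yet in the database, but its resolved address is, so the request is blocked and the backtrack over the mirrored records adds both names that resolved to that address inside the window (the record at timestamp 900 falls outside it and is ignored). The fifth, identical request is then caught directly as a domain hit, which is the feedback loop the page describes.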

In addition, the present invention also provides a computer-readable medium for the user Internet protection method based on network threat intelligence. It is applied in a computing device or computer having a processor and/or memory; the computer-readable medium stores instructions, and the computing device or computer executes the computer-readable medium through the processor and/or memory, thereby carrying out the method described above.

In one embodiment, the processor may be a processing circuit, a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MPU), a microcontroller (MCU) or the like; the memory may be random access memory (RAM), read-only memory (ROM), flash memory, a memory card, a hard disk (e.g. a cloud, network or external hard disk), an optical disc, a USB flash drive, a database or the like; and the computing device or computer may be a computer, smartphone, tablet, personal computer, laptop, desktop computer, server (e.g. a cloud, remote or network server) or the like.

In summary, the user Internet protection system and method based on network threat intelligence according to the present invention have at least the following features, advantages or technical effects.

1. When a user device makes a connection request (e.g. an Internet access request), the present invention automatically routes all network traffic associated with that request through the traffic diversion and filtering module to prevent the user device from connecting to an external malicious website, malicious IP address or malicious domain name. It also monitors connection requests from external malicious websites, malicious IP addresses or malicious domain names towards internal user devices, to prevent malicious connections or malicious connection behaviour (such as network scanning).

2. The user Internet protection system based on network threat intelligence according to the present invention is an innovative Internet protection system built on network threat intelligence, able to quickly block a user device's malicious connection or malicious connection behaviour towards any external malicious website, malicious IP address or malicious domain name.

3. The present invention can effectively use the large volume of network threat intelligence (such as IP addresses and domain names) stored in the threat intelligence database of the threat intelligence module to protect the Internet security of user devices and reduce the risk they face when going online.

4. The threat intelligence analysis and backtracking unit of the threat intelligence module of the present invention provides a threat intelligence reputation calculation method that computes a threat intelligence reputation score from the predefined distribution model and the domain name to be analysed, thereby quickly finding possible or potential domain threat intelligence, and it can judge from that score whether an unknown domain name carries a threat risk.

5. The threat intelligence module of the present invention can analyse unknown domain names (domain names not previously detected); when its analysis finds that an unknown domain name carries a threat risk (high or potential risk), the threat intelligence module automatically backtracks the connections of that threat intelligence and adds new network threat intelligence, effectively increasing the richness and breadth of the network threat intelligence.

6. The traffic mirroring unit of the mirroring analysis module of the present invention can automatically and effectively mirror, analyse or retain all network traffic passing through the traffic diversion and filtering module.

7. The backtracking analysis unit of the mirroring analysis module of the present invention automatically feeds the results of backtracking the connections of network threat intelligence back to the threat intelligence module to add to its network threat intelligence, and it can also query and correlate network threat intelligence in real time through services (such as the domain name service), thereby achieving both backtracking of network threat intelligence and real-time protection.

8. Through this positive feedback cycle of network threat intelligence, the present invention adds to or strengthens the timeliness, accuracy and completeness of the network threat intelligence, comprehensively improves early warning of and response to network security incidents (such as information security incidents), and reduces the network security risk (such as information security risk) of user devices.

The above embodiments merely illustrate the principles, features and effects of the present invention and are not intended to limit the scope within which it can be practised; anyone skilled in the art can modify and alter the above embodiments without departing from the spirit and scope of the present invention. Any equivalent changes and modifications made using the content disclosed by the present invention shall still be covered by the claims. Therefore, the scope of protection of the present invention shall be as set out in the claims.

1: User Internet protection system

10: Traffic diversion and filtering module

11: Traffic diversion unit

12: Traffic filtering unit

20: Threat intelligence module

21: Threat intelligence database

22: Threat intelligence analysis and backtracking unit

30: Mirroring analysis module

31: Traffic mirroring unit

32: Backtracking analysis unit

A: User device

B: Network

Claims (14)

1. A user Internet protection system based on network threat intelligence, comprising:
a traffic diversion and filtering module which, when a user device issues a connection request, passes the network traffic associated with that connection request through the traffic diversion and filtering module for filtering, so as to prevent the user device from connecting to any of an external malicious website, malicious IP (Internet Protocol) address, or malicious domain name;
a threat intelligence module which provides the latest network threat intelligence, so that when the user device attempts a malicious connection or malicious connection behaviour toward any of the external malicious website, malicious IP address, or malicious domain name, the threat intelligence module blocks or defends against that malicious connection or malicious connection behaviour of the user device according to the content of the latest network threat intelligence; and
a recording and analysis module (側錄分析模組, a traffic tap) which records, copies, or stores the network traffic passing through the traffic diversion and filtering module,
wherein the threat intelligence module performs network threat intelligence analysis on the network traffic passing through the traffic diversion and filtering module, so that when the analysis result indicates that the network threat intelligence carries a threat risk, the recording and analysis module traces back the connections of that network threat intelligence and feeds the trace-back result back to the threat intelligence module, thereby adding to the content of the network threat intelligence held by the threat intelligence module, and
wherein the traffic diversion and filtering module has a traffic filtering unit and the threat intelligence module has a threat intelligence analysis and trace-back unit, so that when the threat intelligence analysis and trace-back unit receives a domain name to be analysed from the traffic filtering unit of the traffic diversion and filtering module, the threat intelligence analysis and trace-back unit applies a threat intelligence reputation calculation method to a predefined distribution model and the domain name to be analysed, to obtain a threat intelligence reputation score for that domain name.

2. The user Internet protection system of claim 1, wherein the traffic diversion and filtering module further has a traffic diversion unit, such that the traffic diversion unit controls the direction of the network traffic and the traffic filtering unit determines whether the network traffic contains the network threat intelligence of the malicious IP address or the malicious domain name.

3. The user Internet protection system of claim 1, wherein the traffic diversion and filtering module further has a traffic diversion unit, such that when the user device makes the connection request to the outside, the traffic diversion unit parses and extracts the destination IP address, the DNS (Domain Name Service) query request, and the responded IP address records contained in the user device's outbound connection request, and transmits the destination IP address/domain name to the traffic filtering unit, which then compares the destination IP address/domain name against the updated latest network threat intelligence; wherein, if the comparison result of the traffic filtering unit is that the destination IP address/domain name matches the updated latest network threat intelligence, the user device's outbound connection request is deemed a connection behaviour with threat risk, and the traffic filtering unit reports that connection behaviour with threat risk to the traffic diversion unit, so that the traffic diversion unit rejects the user device's outbound connection request.

4. The user Internet protection system of claim 1, wherein the traffic diversion and filtering module further has a traffic diversion unit, such that the traffic diversion unit parses and extracts the source IP address contained in an external-to-internal connection and transmits that source IP address to the traffic filtering unit, which then compares the source IP address against the updated latest network threat intelligence; wherein, if the comparison result of the traffic filtering unit is that the source IP address matches the updated latest network threat intelligence, the external-to-internal connection request is deemed a connection behaviour with threat risk, and the traffic filtering unit reports that connection behaviour with threat risk to the traffic diversion unit, so that the traffic diversion unit rejects the external-to-internal connection request.

5. The user Internet protection system of claim 1, wherein the threat intelligence module further has a threat intelligence database, such that the threat intelligence database stores the network threat intelligence and the threat intelligence analysis and trace-back unit analyses whether network threat intelligence to be added is malicious threat intelligence.

6. The user Internet protection system of claim 1, wherein the threat intelligence module further has a threat intelligence database which stores the network threat intelligence on IP addresses and domain names, and the threat intelligence module periodically pushes the latest network threat intelligence in the threat intelligence database to the traffic diversion and filtering module, which then filters, according to that latest network threat intelligence, whether the malicious connection or malicious connection behaviour is present in the network traffic.

7. The user Internet protection system of claim 1, wherein the recording and analysis module has a traffic recording unit and a trace-back analysis unit, such that the traffic recording unit records and stores all network traffic, and the trace-back analysis unit analyses the network threat intelligence and queries historical network traffic.

8. The user Internet protection system of claim 1, wherein the traffic diversion and filtering module further has a traffic diversion unit and the recording and analysis module has a traffic recording unit, such that, while monitoring internal-to-external connections, the traffic filtering unit sends the connection resolution results of the DNS query request records that did not match to the threat intelligence module for network threat intelligence analysis, and the traffic diversion unit records or copies the network traffic of the internal-to-external connections into the traffic recording unit of the recording and analysis module for storage.

9. A user Internet protection method based on network threat intelligence, comprising:
when a user device issues a connection request, filtering, by a traffic diversion and filtering module, the network traffic associated with that connection request of the user device, so as to prevent the user device from connecting to any of an external malicious website, malicious IP (Internet Protocol) address, or malicious domain name;
providing, by a threat intelligence module, the latest network threat intelligence, so that when the user device attempts a malicious connection or malicious connection behaviour toward any of the external malicious website, malicious IP address, or malicious domain name, that malicious connection or malicious connection behaviour of the user device is blocked or defended against according to the content of the latest network threat intelligence;
recording, copying, or storing, by a recording and analysis module, the network traffic passing through the traffic diversion and filtering module, and performing, by the threat intelligence module, network threat intelligence analysis on the network traffic passing through the traffic diversion and filtering module, so that when the analysis result indicates that the network threat intelligence carries a threat risk, the recording and analysis module traces back the connections of that network threat intelligence and feeds the trace-back result back to the threat intelligence module, thereby adding to the content of the network threat intelligence held by the threat intelligence module; and
tracing back or analysing, by a threat intelligence analysis and trace-back unit of the threat intelligence module, an unknown request in the network threat intelligence, wherein, if the unknown request in the network threat intelligence is an unknown domain name, the threat intelligence analysis and trace-back unit calculates a threat intelligence reputation score for the unknown domain name by a threat intelligence reputation calculation method, and determines from that threat intelligence reputation score whether the unknown domain name carries a threat risk.

10. The user Internet protection method of claim 9, further comprising comparing in real time, by a traffic filtering unit of the traffic diversion and filtering module, the current connection request against the network threat intelligence in a threat intelligence database of the threat intelligence module, wherein, if the traffic filtering unit matches the current connection request to the malicious IP address or malicious domain name of the network threat intelligence, the traffic filtering unit rejects the current connection request, and if the traffic filtering unit does not match the current connection request to the malicious IP address of the network threat intelligence, the traffic filtering unit determines the IP address of the current connection request to be a non-malicious IP address and allows the current connection request.

11. The user Internet protection method of claim 10, further comprising: if the traffic filtering unit does not match the current connection request to any domain name of the network threat intelligence, the traffic filtering unit determines the domain name of the current connection request to be an unknown domain name, and queries all corresponding IP addresses of the unknown domain name through a domain name service server, which then transmits all of those corresponding IP addresses one by one to the traffic filtering unit for comparison or detection.

12. The user Internet protection method of claim 9, further comprising tracing back or analysing, by the threat intelligence analysis and trace-back unit of the threat intelligence module, a malicious request in the network threat intelligence, wherein, if the malicious request in the network threat intelligence is the malicious IP address or a malicious corresponding IP address, the threat intelligence analysis and trace-back unit traces back the associated domain names through the network traffic data recorded by a traffic recording unit of the recording and analysis module, and then adds the associated domain names to a threat intelligence database.

13. The user Internet protection method of claim 9, further comprising: when the threat intelligence analysis and trace-back unit queries an IP address, the threat intelligence analysis and trace-back unit performs a history trace-back over a given time interval against the recording and analysis module to find the domain names associated with that IP address; and when the threat intelligence analysis and trace-back unit queries a domain name, it performs a history trace-back over a given time interval against the recording and analysis module to find the IP addresses associated with that domain name.

14. A computer-readable medium for use in a computing device or computer, storing instructions for executing the user Internet protection method based on network threat intelligence of any one of claims 9 to 13.
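The filtering, unknown-domain resolution, reputation scoring and trace-back feedback loop recited in claims 3, 4 and 9 to 13, as one added runnable Python example. This is illustration code written for this page, not the patent's or 中華電信's implementation; the threat-intelligence entries, the recorded DNS records, the letter-frequency distribution model, the thresholds and every function name are constructed assumptions, since the claims name a "predefined distribution model" and a "reputation calculation method" without specifying either.

```python
"""Added example (not the patent's or 中華電信's code): a toy version of the gateway
loop in claims 3, 4 and 10-13 plus the reputation scoring of claims 1 and 9.
Indicators, DNS records, reference distribution and thresholds are constructed
assumptions; the patent does not specify its distribution model or formula."""
import math

# Threat-intelligence database (claims 5, 6): constructed indicators in
# documentation address ranges, not real threat data.
THREAT_DB = {
    "ips": {"203.0.113.7", "198.51.100.9"},
    "domains": {"bad.example", "c2.example.net"},
}

# Traffic recording unit (claim 7): constructed DNS records from the tap, as
# (timestamp in seconds, client IP, queried name, answered IPs).
DNS_RECORDS = [
    (1000, "10.0.0.5", "news.example.org", ["192.0.2.10"]),
    (1005, "10.0.0.5", "cdn-7.example", ["203.0.113.7"]),    # resolves to a bad IP
    (1010, "10.0.0.8", "bad.example", ["203.0.113.7"]),
    (1200, "10.0.0.9", "xk3q9vz2l.example", ["198.51.100.9"]),
    (5000, "10.0.0.5", "old.example", ["203.0.113.7"]),      # outside the window used below
]

# Predefined distribution model (assumption): rough English letter frequencies.
# DGA-style labels are dominated by rare letters and digits, so their mean
# per-character log-likelihood under this model is far below a benign label's.
REFERENCE_DIST = {
    "a": .082, "b": .015, "c": .028, "d": .043, "e": .127, "f": .022, "g": .020,
    "h": .061, "i": .070, "j": .0015, "k": .0077, "l": .040, "m": .024, "n": .067,
    "o": .075, "p": .019, "q": .00095, "r": .060, "s": .063, "t": .091, "u": .028,
    "v": .0098, "w": .024, "x": .0015, "y": .020, "z": .00074, "-": .005,
}
DIGIT_PROB = .002       # assumed probability of any digit
MODEL_MEAN_LL = -3.0    # assumed mean log-likelihood of a benign label
MODEL_SPREAD = 3.0      # assumed scale mapping the deficit onto 0..1
RISK_THRESHOLD = 0.5

def filter_outbound(dst_ip, qname=None):
    """Claims 3 and 10: match the destination IP / domain against the database."""
    if dst_ip in THREAT_DB["ips"] or qname in THREAT_DB["domains"]:
        return "reject"
    if qname is not None:
        return "unknown"    # claim 11: name not in the feed; resolve it and check its IPs
    return "allow"

def filter_inbound(src_ip):
    """Claim 4: external-to-internal connections are matched on the source IP."""
    return "reject" if src_ip in THREAT_DB["ips"] else "allow"

def resolve(qname):
    """Stand-in for the DNS server lookup of claim 11, answered from the records."""
    ips = []
    for _, _, name, answers in DNS_RECORDS:
        if name == qname:
            ips.extend(a for a in answers if a not in ips)
    return ips

def check_unknown_domain(qname):
    """Claim 11: compare every answered IP of an unknown domain, one by one."""
    for ip in resolve(qname):
        if ip in THREAT_DB["ips"]:
            return "reject"
    return "allow"

def reputation_score(domain):
    """Claims 1 and 9: risk in [0, 1] for the leftmost label, from its mean
    per-character log-likelihood under REFERENCE_DIST."""
    label = domain.lower().split(".")[0]
    if not label:
        return 1.0          # nothing to score; treat an empty label as suspicious
    probs = [DIGIT_PROB if ch.isdigit() else REFERENCE_DIST.get(ch, .001) for ch in label]
    mean_ll = sum(math.log(p) for p in probs) / len(probs)
    return max(0.0, min(1.0, (MODEL_MEAN_LL - mean_ll) / MODEL_SPREAD))

def handle_outbound(dst_ip, qname):
    """One outbound decision (claims 9 to 11): feed match, then resolved IPs, then score."""
    verdict = filter_outbound(dst_ip, qname)
    if verdict != "unknown":
        return verdict
    if check_unknown_domain(qname) == "reject":
        return "reject"
    return "reject" if reputation_score(qname) >= RISK_THRESHOLD else "allow"

def backtrack_ip(ip, t_now, window):
    """Claim 13: domains that resolved to ip within [t_now - window, t_now]."""
    return sorted({name for ts, _, name, answers in DNS_RECORDS
                   if t_now - window <= ts <= t_now and ip in answers})

def backtrack_domain(name, t_now, window):
    """Claim 13: IPs the domain resolved to within the same interval."""
    return sorted({a for ts, _, n, answers in DNS_RECORDS
                   if t_now - window <= ts <= t_now and n == name for a in answers})

def feed_back(ip, t_now, window):
    """Claim 12: add the domains associated with a malicious IP to the database,
    so the filter rejects them by name on the next request."""
    added = [d for d in backtrack_ip(ip, t_now, window) if d not in THREAT_DB["domains"]]
    THREAT_DB["domains"].update(added)
    return added
```

Calling handle_outbound("192.0.2.99", "cdn-7.example") rejects the request only because the name resolves to an IP already in the feed; after feed_back("203.0.113.7", 1500, 1000) returns ['cdn-7.example'], filter_outbound rejects it by name directly. Two caveats a practitioner would check: claim 10 allows a request whenever the destination IP is absent from the feed, so the loop is only as good as the periodic push of claim 6 and the trace-back of claim 12, and the time window in backtrack_ip() is what stops stale resolutions (old.example here) from being fed back as fresh indicators.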
TW112133072A 2023-08-31 2023-08-31 User networking protection system, method, and computer-readable medium based on network threat information TWI855845B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW112133072A TWI855845B (en) 2023-08-31 2023-08-31 User networking protection system, method, and computer-readable medium based on network threat information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW112133072A TWI855845B (en) 2023-08-31 2023-08-31 User networking protection system, method, and computer-readable medium based on network threat information

Publications (2)

Publication Number Publication Date
TWI855845B true TWI855845B (en) 2024-09-11
TW202511991A TW202511991A (en) 2025-03-16

Family

ID=93649219

Family Applications (1)

Application Number Title Priority Date Filing Date
TW112133072A TWI855845B (en) 2023-08-31 2023-08-31 User networking protection system, method, and computer-readable medium based on network threat information

Country Status (1)

Country Link
TW (1) TWI855845B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201002008A (en) * 2008-06-18 2010-01-01 Acer Inc Method and system for preventing from communication by hackers
TW201947442A (en) * 2018-05-09 2019-12-16 中華電信股份有限公司 Suspicious domain detecting method, gateway apparatus and non-transitory computer readable medium apparatus
CN113691491A (en) * 2020-05-18 2021-11-23 安碁资讯股份有限公司 Method and device for detecting malicious domain name in domain name system
US11720844B2 (en) * 2018-08-31 2023-08-08 Sophos Limited Enterprise network threat detection

Also Published As

Publication number Publication date
TW202511991A (en) 2025-03-16

Similar Documents

Publication Publication Date Title
CN109639670B (en) Knowledge graph-based industrial control network security situation quantitative evaluation method
CN108696473B (en) Attack path restoration method and device
CN115134099B (en) Network attack behavior analysis method and device based on full flow
CN104052734B Attack detection and prevention using global device fingerprint identification
US8051484B2 (en) Method and security system for indentifying and blocking web attacks by enforcing read-only parameters
CN104579773B Domain name system resolution method and device
CN107392016A Proxy-based web database attack detection system
CN102685145A (en) Domain name server (DNS) data packet-based bot-net domain name discovery method
CN110417578B (en) An abnormal FTP connection alarm processing method
CN106850647A Malicious domain name detection algorithm based on DNS request periodicity
CN116451215A (en) Correlation analysis method and related equipment
CN105141573A (en) Security protection method and security protection system based on WEB access compliance auditing
CN107733867A Method and system for discovering and defending against botnets
WO2024198285A1 (en) Method and system for reporting alarm event by vehicle-mounted firewall on basis of probe mechanism
CN117527412A (en) Data security monitoring method and device
Gamundani et al. A review of new trends in cyber attacks: A zoom into distributed database systems
Shaorong et al. RETRACTED ARTICLE: Research on campus network security protection system framework based on cloud data and intrusion detection algorithm
CN114238279B (en) Database security protection method, device, system, storage medium and electronic device
TWI855845B (en) User networking protection system, method, and computer-readable medium based on network threat information
CN114430344A (en) Attack organization identification method based on industrial control flow and threat information correlation analysis
CN117792733A (en) Network threat detection method and related device
CN117650923A (en) K-means-based information security active defense method
AU2022213452B2 (en) Evaluating access requests using assigned common actor identifiers
Anashkin et al. Implementation of Behavioral Indicators in Threat Detection and User Behavior Analysis
Hsiao et al. Detecting stepping‐stone intrusion using association rule mining