
CN115001867B - Network asset data threat hunting method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115001867B
Authority: CN (China)
Prior art keywords: newly added; domain name; matching; attribute information; asset
Legal status: Active
Application number: CN202210915411.8A
Other languages: Chinese (zh)
Other versions: CN115001867A (en)
Inventors: 蔡俊钒, 崔寅, 康吉金, 樊兴华, 薛锋
Current assignee: Beijing ThreatBook Technology Co Ltd
Original assignee: Beijing ThreatBook Technology Co Ltd

Events:
  • Application filed by Beijing ThreatBook Technology Co Ltd
  • Priority to CN202210915411.8A
  • Publication of CN115001867A
  • Application granted
  • Publication of CN115001867B
  • Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90: Details of database functions independent of the retrieved data types
    • G06F 16/95: Retrieval from the web
    • G06F 16/955: Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F 16/9566: URL specific, e.g. using aliases, detecting broken or misspelled links

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present application provides a network asset data threat hunting method, device, electronic equipment and storage medium. The network asset data threat hunting method includes: acquiring intelligence data within a preset period; identifying, based on the intelligence data within the preset period, the newly added domain names and newly added IPs within that period; analyzing the newly added domain names and newly added IPs to obtain the attribute information of the newly added domain names and of the newly added IPs; performing, based on an asset rule base, a matching calculation on a first matching field in the attribute information of the newly added domain names and a second matching field in the attribute information of the newly added IPs to obtain a first calculation result; and determining, based on the first calculation result and the asset rule base, the homology (same-origin) analysis result of the newly added IPs and newly added domain names. The present application achieves backward compatibility when data types are added: the system itself need not be adjusted, the new data type is simply connected directly, which reduces development cost.

Description

Network asset data threat hunting method and device, electronic equipment and storage medium

Technical field

The present application relates to the field of computer technology, and in particular to a network asset data threat hunting method and device, electronic equipment and storage medium.

Background

At present, existing homology (same-origin) analysis relies mainly on manual analysis of malicious code: professional analysts use their experience to analyze the homology relationships among samples, extract the features the samples share, and form static rules; newly collected samples are then matched against these static rules to hunt homologous samples, which completes the homology analysis.

Summary of the invention

The purpose of the embodiments of the present application is to provide a network asset data threat hunting method and device, electronic equipment and storage medium, which achieve backward compatibility when data types are added: the system itself need not be adjusted, the new data type is simply connected directly, which reduces development cost.

In a first aspect, the present application provides a network asset data threat hunting method, the method comprising:

acquiring intelligence data within a preset period;

identifying, based on the intelligence data within the preset period, newly added domain names and newly added IPs within the preset period;

analyzing the newly added domain names and the newly added IPs to obtain attribute information of the newly added domain names and attribute information of the newly added IPs, wherein, when a newly added domain name is a general domain name, the historical registration information of the newly added domain name is obtained through the API of a website that supports historical Whois queries, the MX, SOA and TXT records of the newly added domain name are obtained through the DNS protocol, the subdomains appearing in the newly added domain name are obtained, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records, the subdomains appearing in the domain name, the domain name length and the historical registration information of the newly added domain name are taken as its attribute information;

acquiring custom matching configuration information for the newly added domain names and the newly added IPs;


determining, based on the custom matching configuration information, a first matching field for performing homology analysis on the newly added domain names and a second matching field for performing homology analysis on the newly added IPs;

performing, based on an asset rule base, a matching calculation on the first matching field in the attribute information of the newly added domain names and the second matching field in the attribute information of the newly added IPs to obtain a first calculation result;

determining, based on the first calculation result and the asset rule base, a homology analysis result for the newly added IPs and the newly added domain names.

In the first aspect of the present application, intelligence data within a preset period is acquired, so that the newly added domain names and newly added IPs within that period can be identified from it; the newly added domain names and IPs are then analyzed to obtain their attribute information; custom matching configuration information for the newly added domain names and IPs is acquired, from which the first matching field for homology analysis of the domain names and the second matching field for homology analysis of the IPs are determined; a matching calculation is then performed, against the asset rule base, on the first matching field of the domain name attribute information and the second matching field of the IP attribute information to obtain the first calculation result; and finally the homology analysis result for the newly added IPs and domain names is determined from the first calculation result and the asset rule base.

Compared with the prior art, the present application acquires custom matching configuration information for the newly added domain names and IPs and uses it to determine the first matching field for homology analysis of the domain names and the second matching field for homology analysis of the IPs. The first and second matching fields can therefore be adjusted flexibly during homology analysis through the custom matching configuration, so that when a data type is added the system remains backward compatible: the system itself need not be adjusted, the new data type is simply connected directly, which reduces development cost.

In an optional embodiment, performing, based on the asset rule base, the matching calculation on the first matching field in the attribute information of the newly added domain names and the second matching field in the attribute information of the newly added IPs to obtain the first calculation result includes:

determining a matching expression of the asset rule base;

performing, based on the matching expression, a matching calculation of the first matching field in the attribute information of the newly added domain names and the second matching field in the attribute information of the newly added IPs against the fields in the asset rule base to obtain the first calculation result.

In this optional embodiment, the matching expression of the asset rule base is determined, so that the first matching field in the attribute information of the newly added domain names and the second matching field in the attribute information of the newly added IPs can be matched against the fields in the asset rule base according to that expression to obtain the first calculation result.

In an optional embodiment, the method further includes:

judging whether an operation expression exists in the asset rule base;

when the operation expression exists in the asset rule base, performing, based on the operation expression, a logical calculation on the first matching field in the attribute information of the newly added domain names and the second matching field in the attribute information of the newly added IPs to obtain a second calculation result;

performing, based on the matching expression, a matching calculation of the second calculation result against the fields in the asset rule base to obtain the first calculation result.

Compared with the prior art, existing homology analysis is limited to matching data and cannot perform homology analysis on the computation process of an algorithm, whereas this optional embodiment can first apply the operation expressions of the asset rule base to the relevant fields before matching. This optional embodiment can thus match fields that cannot be matched directly on their values, which widens the dimensions available for rule description and improves the accuracy of homology analysis.

In an optional embodiment, the matching expression includes at least one of an equality expression, an inequality expression, an inclusion expression, an exclusion expression and a regular expression;

and the operation expression includes at least one of the four arithmetic operations and logical operations.

In this optional embodiment, the equality, inequality, inclusion, exclusion and regular expressions allow the first field and the second field to be matched in multiple ways, which increases the matching dimensions of the first and second fields and thereby improves the accuracy of homology analysis based on them.

In an optional embodiment, determining, based on the first calculation result and the asset rule base, the homology analysis result of the newly added IPs and the newly added domain names includes:

determining a rule description based on the asset rule base;

judging whether the first calculation result conforms to the rule description;

when the first calculation result conforms to the rule description, determining the homology analysis result of the newly added IPs and the newly added domain names.

In this optional embodiment, a rule description is determined from the asset rule base, whether the first calculation result conforms to the rule description can then be judged, and when it does, the homology analysis result of the newly added IPs and the newly added domain names can be determined.

In an optional embodiment, the first matching field includes at least one of: domain name provider, domain name length, subdomains, the domain name's Whois, URLs associated with the domain name, the provider of the IP the domain name resolves to, and the top-level domain;

In an optional embodiment, the second matching field includes: port open status, cyberspace asset mapping result data, IP server provider matching, the Whois of domain names found by reverse lookup of the IP, URLs associated with the IP, and the JARM of associated certificates.
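As an added example (not code from the patent or from ThreatBook), the following Python sketch walks steps 103 to 107 of the method above, and equally steps 103 to 107 of Embodiment one below: attribute extraction for a new domain and a new IP, a custom matching configuration that selects the first and second matching fields, an asset rule base whose operation expressions run before its matching expressions (equality, inequality, inclusion, exclusion, regex), and a rule description that decides the homology result. The DNS records, Whois history, JARM value, port list, field names and both rules are constructed assumptions.

```python
import re
from typing import Any

def _as_list(v: Any) -> list:
    return v if isinstance(v, list) else [v]

# Step 103: attribute information. MX/SOA/TXT records and historical Whois would
# come from DNS and a Whois-history API; here they are passed in as constructed
# inputs so the example runs offline.
def domain_attributes(fqdn: str, dns: dict, whois_history: list) -> dict:
    labels = fqdn.rstrip(".").lower().split(".")
    return {
        "domain_length": len(fqdn),
        "subdomains": labels[:-2],          # assumption: two-label registrable name
        "tld": labels[-1],
        "mx": dns.get("MX", []),
        "soa": dns.get("SOA"),
        "txt": dns.get("TXT", []),
        "whois_registrar": whois_history[-1]["registrar"] if whois_history else None,
    }

# Matching expressions: equality, inequality, inclusion, exclusion, regular expression.
MATCH = {
    "eq": lambda v, t: v == t,
    "ne": lambda v, t: v != t,
    "contains": lambda v, t: v is not None and t in v,
    "excludes": lambda v, t: v is None or t not in v,
    "regex": lambda v, t: v is not None and any(re.search(t, str(s)) for s in _as_list(v)),
}

# Operation expressions (the four arithmetic operations plus logical operations)
# run before matching, to derive fields that cannot be matched directly.
OPERATE = {
    "add": lambda a, b: a + b, "sub": lambda a, b: a - b,
    "mul": lambda a, b: a * b, "div": lambda a, b: a / b if b else None,
    "and": lambda a, b: bool(a) and bool(b), "or": lambda a, b: bool(a) or bool(b),
    "not": lambda a: not a, "count": lambda a: len(a),
}

def _resolve(token: Any, record: dict) -> Any:
    """'$name' refers to a field of the record; anything else is a literal."""
    return record.get(token[1:]) if isinstance(token, str) and token.startswith("$") else token

def build_record(domain_attrs: dict, ip_attrs: dict, match_config: dict) -> dict:
    """Step 105: expose only the first (domain) and second (IP) match fields that the
    custom matching configuration names, so a new attribute needs config, not code."""
    rec = {f"domain.{f}": domain_attrs.get(f) for f in match_config["domain_fields"]}
    rec.update({f"ip.{f}": ip_attrs.get(f) for f in match_config["ip_fields"]})
    return rec

def evaluate_rule(rule: dict, record: dict) -> dict:
    rec = dict(record)
    # Second calculation result: operation expressions, evaluated in order.
    for op in rule.get("operations", []):
        args = [_resolve(a, rec) for a in op["args"]]
        rec[op["as"]] = None if any(a is None for a in args) else OPERATE[op["op"]](*args)
    # First calculation result: one boolean per matching expression.
    hits = [MATCH[m](_resolve(f, rec), target) for f, m, target in rule["conditions"]]
    # Rule description: how many conditions must hold (default: all of them).
    need = rule.get("description", {}).get("min_matches", len(hits))
    return {"rule": rule["name"], "matched": sum(hits), "of": len(hits), "hit": sum(hits) >= need}

def homology_analysis(record: dict, rule_base: list) -> list:
    """Step 107: the homology (same-origin) result of every rule whose description is met."""
    results = []
    for rule in rule_base:
        verdict = evaluate_rule(rule, record)
        if verdict["hit"]:
            verdict["result"] = rule["result"]
            results.append(verdict)
    return results

# Constructed sample: one newly added domain and one newly added IP from a period.
DNS = {"MX": ["mail.mailer-example.test"], "SOA": "ns1.mailer-example.test",
       "TXT": ["v=spf1 include:_spf.mailer-example.test -all"]}
WHOIS = [{"registrar": "Example Registrar Ltd", "registered": "2024-01-03"}]
DOMAIN = domain_attributes("update.cdn-login.example", DNS, WHOIS)
IP = {"open_ports": [443, 8443], "provider": "ExampleHost", "jarm": "constructed-jarm-0001"}

MATCH_CONFIG = {"domain_fields": ["domain_length", "subdomains", "txt", "whois_registrar", "tld"],
                "ip_fields": ["open_ports", "provider", "jarm"]}

RULE_BASE = [  # constructed rules; field names and values are this example's, not the patent's
    {"name": "mailer-cluster",
     "operations": [{"as": "sub_depth", "op": "count", "args": ["$domain.subdomains"]}],
     "conditions": [["$domain.whois_registrar", "eq", "Example Registrar Ltd"],
                    ["$domain.txt", "regex", r"^v=spf1 .*mailer-example"],
                    ["$domain.tld", "ne", "gov"],
                    ["$domain.subdomains", "excludes", "www"],
                    ["$sub_depth", "eq", 1],
                    ["$ip.open_ports", "contains", 8443],
                    ["$ip.jarm", "eq", "constructed-jarm-0001"]],
     "result": {"cluster": "mailer-cluster", "verdict": "same origin"}},
    {"name": "other-host-kit",
     "conditions": [["$ip.provider", "eq", "OtherHost"], ["$ip.open_ports", "contains", 8080]],
     "description": {"min_matches": 2},
     "result": {"cluster": "other-host-kit", "verdict": "same origin"}},
]
```

Calling `homology_analysis(build_record(DOMAIN, IP, MATCH_CONFIG), RULE_BASE)` returns only the first rule, with all seven conditions hit; the second rule's description is not met and it is dropped.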

In a second aspect, the present application provides a network asset data threat hunting device, the device comprising:

a first acquisition module, configured to acquire intelligence data within a preset period;

an identification module, configured to identify, based on the intelligence data within the preset period, newly added domain names and newly added IPs within the preset period;

an analysis module, configured to analyze the newly added domain names and the newly added IPs and obtain attribute information of the newly added domain names and attribute information of the newly added IPs;

a second acquisition module, configured to acquire custom matching configuration information for the newly added domain names and the newly added IPs, wherein, when a newly added domain name is a general domain name, the historical registration information of the newly added domain name is obtained through the API of a website that supports historical Whois queries, the MX, SOA and TXT records of the newly added domain name are obtained through the DNS protocol, the subdomains appearing in the newly added domain name are obtained, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records, the subdomains appearing in the domain name, the domain name length and the historical registration information of the newly added domain name are taken as its attribute information;


a determining module, configured to determine, based on the custom matching configuration information, a first matching field for performing homology analysis on the newly added domain names and a second matching field for performing homology analysis on the newly added IPs;

a calculation module, configured to perform, based on an asset rule base, a matching calculation on the first matching field in the attribute information of the newly added domain names and the second matching field in the attribute information of the newly added IPs to obtain the first calculation result;

a judging module, configured to determine, based on the first calculation result and the asset rule base, a homology analysis result of the newly added IPs and the newly added domain names.

In the second aspect of the present application, intelligence data within a preset period is acquired, so that the newly added domain names and newly added IPs within that period can be identified from it; the newly added domain names and IPs are then analyzed to obtain their attribute information; custom matching configuration information for the newly added domain names and IPs is acquired, from which the first matching field for homology analysis of the domain names and the second matching field for homology analysis of the IPs are determined; a matching calculation is then performed, against the asset rule base, on the first matching field of the domain name attribute information and the second matching field of the IP attribute information to obtain the first calculation result; and finally the homology analysis result for the newly added IPs and domain names is determined from the first calculation result and the asset rule base.

Compared with the prior art, the present application acquires custom matching configuration information for the newly added domain names and IPs and uses it to determine the first matching field for homology analysis of the domain names and the second matching field for homology analysis of the IPs. The first and second matching fields can therefore be adjusted flexibly during homology analysis through the custom matching configuration, so that when a data type is added the system remains backward compatible: the system itself need not be adjusted, the new data type is simply connected directly, which reduces development cost.

In a third aspect, the present application provides an electronic device, comprising:

a processor; and

a memory configured to store machine-readable instructions which, when executed by the processor, perform the network asset data threat hunting method according to any of the foregoing embodiments.

In the third aspect of the present application, intelligence data within a preset period is acquired, so that the newly added domain names and newly added IPs within that period can be identified from it; the newly added domain names and IPs are then analyzed to obtain their attribute information; custom matching configuration information for the newly added domain names and IPs is acquired, from which the first matching field for homology analysis of the domain names and the second matching field for homology analysis of the IPs are determined; a matching calculation is then performed, against the asset rule base, on the first matching field of the domain name attribute information and the second matching field of the IP attribute information to obtain the first calculation result; and finally the homology analysis result for the newly added IPs and domain names is determined from the first calculation result and the asset rule base.

Compared with the prior art, the present application acquires custom matching configuration information for the newly added domain names and IPs and uses it to determine the first matching field for homology analysis of the domain names and the second matching field for homology analysis of the IPs. The first and second matching fields can therefore be adjusted flexibly during homology analysis through the custom matching configuration, so that when a data type is added the system remains backward compatible: the system itself need not be adjusted, the new data type is simply connected directly, which reduces development cost.

In a fourth aspect, the present application provides a storage medium storing a computer program which, when executed by a processor, performs the network asset data threat hunting method according to any of the foregoing embodiments.

In the fourth aspect of the present application, intelligence data within a preset period is acquired, so that the newly added domain names and newly added IPs within that period can be identified from it; the newly added domain names and IPs are then analyzed to obtain their attribute information; custom matching configuration information for the newly added domain names and IPs is acquired, from which the first matching field for homology analysis of the domain names and the second matching field for homology analysis of the IPs are determined; a matching calculation is then performed, against the asset rule base, on the first matching field of the domain name attribute information and the second matching field of the IP attribute information to obtain the first calculation result; and finally the homology analysis result for the newly added IPs and domain names is determined from the first calculation result and the asset rule base.

Compared with the prior art, the present application acquires custom matching configuration information for the newly added domain names and IPs and uses it to determine the first matching field for homology analysis of the domain names and the second matching field for homology analysis of the IPs. The first and second matching fields can therefore be adjusted flexibly during homology analysis through the custom matching configuration, so that when a data type is added the system remains backward compatible: the system itself need not be adjusted, the new data type is simply connected directly, which reduces development cost.

Description of the drawings

To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present application and should therefore not be regarded as limiting its scope; a person of ordinary skill in the art can derive other related drawings from them without creative effort.

FIG. 1 is a schematic flow diagram of a network asset data threat hunting method disclosed in an embodiment of the present application;

FIG. 2 is a schematic structural diagram of a network asset data threat hunting device disclosed in an embodiment of the present application;

FIG. 3 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application.

Detailed description

The technical solutions in the embodiments of the present application are described below with reference to the drawings in the embodiments.

Embodiment one

Referring to FIG. 1, a schematic flow diagram of a network asset data threat hunting method disclosed in an embodiment of the present application, the method of this embodiment includes the following steps:

101、获取预设周期内的情报数据;101. Obtain intelligence data within a preset period;

102、基于预设周期内的情报数据识别预设周期内的新增域名和新增IP;102. Identify new domain names and new IPs within a preset period based on intelligence data within a preset period;

103、对新增域名和新增IP进行分析,并得到新增域名的属性信息和新增IP的属性信息,其中,当新增域名为一般域名时,通过支持历史Whois查询的网站的API获取新增域名的历史注册信息,通过DNS协议获取新增域名的MX、SOA和TXT记录,获取新增域名中出现的子域名,计算新增域名的域名长度,将新增域名的MX、SOA和TXT记录、新增域名中出现的子域名、新增域名的域名长度、新增域名的历史注册信息作为新增域名的属性信息;103. Analyze the newly added domain name and newly added IP, and obtain the attribute information of the newly added domain name and the attribute information of the newly added IP. Wherein, when the newly added domain name is a general domain name, it is acquired through the API of a website that supports historical Whois query The historical registration information of the newly added domain name, the MX, SOA and TXT records of the newly added domain name are obtained through the DNS protocol, the subdomain names appearing in the newly added domain name are obtained, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records of the newly added domain name are calculated. TXT records, the subdomain names appearing in the newly added domain name, the domain name length of the newly added domain name, and the historical registration information of the newly added domain name are used as the attribute information of the newly added domain name;

104、获取针对新增域名和新增IP的自定义匹配配置信息;104. Obtain custom matching configuration information for newly added domain names and newly added IPs;

105、基于自定义匹配配置信息确定针对新增域名进行同源分析的第一匹配字段,和针对新增IP进行同源分析的第二匹配字段;105. Based on the custom matching configuration information, determine the first matching field for performing homology analysis on the newly added domain name, and the second matching field for performing homology analysis on the newly added IP;

106、基于资产规则库对新增域名的属性信息中的第一匹配字段和新增IP的属性信息中的第二匹配字段进行匹配计算,并得到第一计算结果;106. Perform matching calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on the asset rule base, and obtain the first calculation result;

107、基于第一计算结果和资产规则库,确定新增IP和新增域名的同源分析结果。107. Based on the first calculation result and the asset rule base, determine a homology analysis result of the newly added IP and the newly added domain name.

In this embodiment, intelligence data within a preset period is obtained; the newly added domain names and IPs within that period are identified from it; these are analyzed to obtain their attribute information; custom matching configuration information for them is obtained, from which the first matching field (for domain names) and the second matching field (for IPs) are determined; a matching calculation on those fields is performed against the asset rule base, yielding the first calculation result; and from the first calculation result and the asset rule base, the homology analysis result of the newly added IP and domain name is determined.

Compared with the prior art, this embodiment obtains custom matching configuration information for the newly added domain names and IPs and derives the first and second matching fields from it, so that the matching fields can be adjusted flexibly during homology analysis. When a new data type is added, the system remains backward compatible: the new data type only needs to be connected, with no change to the system itself, which reduces development cost.

As an example, suppose that in scenario S1 fields A and B are used as the first field for homology analysis of a target message, while in scenario S2 fields A, B and C are needed. Starting from scenario S1, this embodiment adds field C through the custom matching configuration information, so that fields A, B and C serve as the first field. Homology analysis of the target message is thus not tied to fixed fields: the fields needed in each scenario are defined in the custom matching configuration information, and adjusting them requires no change to the system code of the homology analysis, which reduces development cost.

For step 101, the preset period may be one day or one month; this embodiment does not limit it.

For step 102, the newly added domain names and IPs in the preset period are those that appear for the first time relative to a historical period. For example, if domain names A and B appeared in historical period S1, and domain names A, B and C appear in period S2 following S1, then domain name C is a newly added domain name.

For step 103, when the newly added domain name is a general domain name, the analysis proceeds as follows:

Obtain the historical registration information of the newly added domain name through the API of a website that supports historical Whois queries (such as https://x.threatbook.cn/), obtain its MX, SOA, TXT and other records through the DNS protocol, collect the subdomains that appear under it, and compute its domain name length.

Accordingly, the MX, SOA, TXT and other records of the newly added domain name, the subdomains appearing under it, its computed domain name length and its historical registration information are taken as the attribute information of the newly added domain name.

For step 103, when the newly added IP belongs to an ordinary IP server, the analysis proceeds as follows:

Probe the IP server through a cyberspace asset mapping system (for example https://www.zoomeye.org/; data produced by a commercial cyberspace mapping system may be purchased, or data produced by a private in-house system may be used) to obtain the ports the IP server exposes externally and the service types (such as HTTP, Apache).

Accordingly, the ports and service types are taken as the attribute information of the newly added IP.

For step 103, a sandbox (https://s.threatbook.cn/), open-source data platforms and paid data platforms (VirusTotal) may additionally be used to collect the URLs on which the newly added IP or domain name appears, together with the corresponding URL response data (such as the HTTP response body and response code); these URLs and response data are added to the attribute information of the newly added IP and of the newly added domain name.

Accordingly, for step 105, the first matching field includes at least one of: domain name provider, domain name length, subdomains, Whois of the domain, URLs associated with the domain, provider of the IPs the domain resolves to, and top-level domain; the second matching field includes: port open status, cyberspace asset mapping result data, IP server provider match, Whois of domains obtained by reverse lookup of the IP, URLs associated with the IP, and the JARM fingerprint of the associated certificate.

For step 104, the custom matching configuration information may be stored in a configuration file; this embodiment obtains the custom matching configuration information by reading the configuration file and traversing its contents.

For step 107, the homology analysis result may be the APT group to which the newly added IP and the newly added domain name belong.

In an optional embodiment, the step of performing a matching calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on the asset rule base, and obtaining the first calculation result, includes the following sub-steps:

Determine the matching expression of the asset rule base;

Based on the matching expression, match the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP against the fields in the asset rule base to obtain the first calculation result.

In this optional embodiment, once the matching expression of the asset rule base is determined, the first matching field and the second matching field can be matched against the fields in the asset rule base according to that expression, giving the first calculation result.

In an optional embodiment, the matching expression includes at least one of an equality expression, an inequality expression, an inclusion expression, an exclusion expression and a regular expression. For example, when the matching expression includes an inequality expression and an inclusion expression, the inequality expression is used to decide whether the value of the first field equals that of a given field in the asset rule base, and the inclusion expression is used to decide whether the asset rule base contains the first field.

In an optional embodiment, the method further includes the following steps:

Determine whether the asset rule base contains an operation expression;

When the asset rule base contains an operation expression, perform a logical calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP according to that operation expression, obtaining a second calculation result;

Based on the matching expression, match the second calculation result against the fields in the asset rule base to obtain the first calculation result.

Compared with the prior art, existing homology analysis methods are limited to matching data and cannot perform homology analysis on the computational process of an algorithm. This optional embodiment, before matching, first applies the operation expressions of the asset rule base to the relevant fields, so that fields which cannot be matched directly can also be matched; this widens the dimensions in which rules can be described and improves the accuracy of homology analysis.

As an example, in some scenarios the first calculation result obtained by matching the first field directly against the fields of the asset rule base cannot determine the APT group of the newly added domain name, and a combination of several of its fields is needed. For instance, the value of field A alone cannot determine the APT group of the newly added domain name, but the sum of the value of field A and the value of field B matches the value of a field in the asset rule base, so the APT group to which the newly added domain name belongs can be determined.

Accordingly, in this optional embodiment the operation expression includes at least one of an arithmetic expression (the four basic operations) and a logical expression; for example, it may contain only arithmetic expressions, or both arithmetic and logical expressions. The logical expressions include logical operations such as OR and XOR.

In this optional embodiment, the equality, inequality, inclusion, exclusion and regular expressions allow the first field and the second field to be matched in several ways, which increases the matching dimensions of the first and second fields and thereby improves the accuracy of homology analysis based on them.

In an optional embodiment, the step of determining the homology analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base includes the following sub-steps:

Determine a rule description based on the asset rule base;

Determine whether the first calculation result satisfies the rule description;

When the first calculation result satisfies the rule description, determine the homology analysis result of the newly added IP and the newly added domain name.

In this optional embodiment, the rule description is determined from the asset rule base, the first calculation result is checked against it, and when the first calculation result satisfies the rule description, the homology analysis result of the newly added IP and domain name is determined.

In an optional embodiment, the rule description states what conditions the first calculation result must satisfy for the APT group of the newly added domain name and IP to be determined; for example, the rule description may be "when both field A and field B are contained in the fields of the asset rule base, the APT group is G".
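As an added example (not code from the patent or its assignee), the following Python sketch shows the configuration-driven matching pipeline of steps 102 and 104 to 107: a configuration file selects the matching fields, the asset rule base holds matching expressions and an optional operation expression, and a rule description decides the group. All field names, rule values, group labels and sample attributes are constructed for illustration.

```python
import re
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

# Added example, not the patent's own code. All names, values and rules below
# are constructed for illustration.

# Step 102: an asset is "newly added" if it is seen in the current period but
# was not seen in the historical period.
def identify_new_assets(history: Set[str], current: Set[str]) -> Set[str]:
    return current - history

# Steps 104/105: the custom matching configuration lists, per asset type, which
# attribute fields take part in homology analysis (first field for domains,
# second field for IPs). Adding a data type means adding a field name here.
def load_matching_fields(config: Dict[str, List[str]], asset_type: str) -> List[str]:
    return list(config.get(asset_type, []))

# Matching expressions of the asset rule base: equality, inequality, inclusion,
# exclusion and regular expression.
MATCHERS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda field, rule: field == rule,
    "ne": lambda field, rule: field != rule,
    "contains": lambda field, rule: rule in field,
    "excludes": lambda field, rule: rule not in field,
    "regex": lambda field, rule: re.search(rule, str(field)) is not None,
}

# Operation expressions applied to several fields before matching: an
# arithmetic operation (addition) and the logical operations OR and XOR.
OPERATIONS: Dict[str, Callable[[List[Any]], Any]] = {
    "add": lambda vals: sum(vals),
    "or": lambda vals: any(bool(v) for v in vals),
    "xor": lambda vals: sum(bool(v) for v in vals) == 1,
}

def compute_condition(cond: Dict[str, Any], attrs: Dict[str, Any],
                      fields: List[str]) -> bool:
    """Evaluate one rule condition against an asset's attribute information.
    A condition that references a field not selected by the matching
    configuration (or absent from the asset) cannot be satisfied."""
    names = cond.get("fields", [cond.get("field")])
    if any(n not in fields or n not in attrs for n in names):
        return False
    values = [attrs[n] for n in names]
    # Second calculation result: apply the operation expression, if any.
    value = OPERATIONS[cond["op"]](values) if "op" in cond else values[0]
    # First calculation result for this condition: apply the matching expression.
    return MATCHERS[cond["match"]](value, cond["value"])

def evaluate_rule(rule: Dict[str, Any], attrs: Dict[str, Any],
                  fields: List[str]) -> Tuple[Dict[str, bool], bool]:
    """Steps 106/107: per-condition results plus whether the rule description
    ("all" conditions or "any" condition) is satisfied."""
    results = {c["name"]: compute_condition(c, attrs, fields) for c in rule["conditions"]}
    combine = all if rule["description"] == "all" else any
    return results, combine(results.values())

def homology_analysis(attrs: Dict[str, Any], fields: List[str],
                      rule_base: List[Dict[str, Any]]) -> Optional[str]:
    """Return the group label of the first rule whose description is met."""
    for rule in rule_base:
        _, satisfied = evaluate_rule(rule, attrs, fields)
        if satisfied:
            return rule["group"]
    return None

# Constructed asset rule base with placeholder group labels.
RULE_BASE = [
    {"group": "GROUP-PLACEHOLDER-1", "description": "all", "conditions": [
        {"name": "tld", "field": "top_level_domain", "match": "eq", "value": "xyz"},
        {"name": "sub", "field": "subdomains", "match": "contains", "value": "mail"},
        {"name": "who", "field": "whois_registrar", "match": "regex", "value": r"(?i)example"},
    ]},
    {"group": "GROUP-PLACEHOLDER-2", "description": "all", "conditions": [
        # Operation expression: field A + field B must equal the rule value.
        {"name": "ports", "fields": ["open_port_count", "service_count"],
         "op": "add", "match": "eq", "value": 5},
        {"name": "prov", "field": "ip_provider", "match": "ne", "value": "KnownCDN"},
    ]},
]

# Constructed attribute information (step 103 output) and two configurations:
# V1 omits "subdomains"; V2 adds it without any change to the code above.
DOMAIN_ATTRS = {"top_level_domain": "xyz", "domain_length": 14,
                "subdomains": ["mail", "cdn"], "whois_registrar": "Example Registrar Ltd"}
IP_ATTRS = {"open_port_count": 3, "service_count": 2, "ip_provider": "SomeHoster"}
CONFIG_V1 = {"domain": ["top_level_domain", "domain_length", "whois_registrar"],
             "ip": ["open_port_count", "service_count", "ip_provider"]}
CONFIG_V2 = {"domain": CONFIG_V1["domain"] + ["subdomains"], "ip": CONFIG_V1["ip"]}

if __name__ == "__main__":
    new = identify_new_assets({"a.example", "b.example"}, {"a.example", "b.example", "c.example"})
    print("new domains:", new)
    for cfg in (CONFIG_V1, CONFIG_V2):
        print("domain ->", homology_analysis(DOMAIN_ATTRS, load_matching_fields(cfg, "domain"), RULE_BASE))
    print("ip ->", homology_analysis(IP_ATTRS, load_matching_fields(CONFIG_V2, "ip"), RULE_BASE))
```

With CONFIG_V1 the domain matches no rule because the "subdomains" field is not selected; switching to CONFIG_V2 makes the first rule fire without touching the matching code, which is the backward-compatibility point the embodiment makes.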

Embodiment Two

Referring to FIG. 2, a structural schematic diagram of a network asset data threat hunting method disclosed in an embodiment of the present application, the apparatus of this embodiment includes the following functional modules:

A first acquisition module 201, configured to acquire intelligence data within a preset period;

An identification module 202, configured to identify the newly added domain names and newly added IPs within the preset period based on the intelligence data within that period;

An analysis module 203, configured to analyze the newly added domain names and newly added IPs and obtain the attribute information of each. When a newly added domain name is a general domain name, it obtains the historical registration information of the domain name through the API of a website that supports historical Whois queries, obtains its MX, SOA and TXT records through the DNS protocol, collects the subdomains that appear under it, computes its domain name length, and takes the MX, SOA and TXT records, the subdomains, the domain name length and the historical registration information as the attribute information of the newly added domain name;

A second acquisition module 204, configured to acquire custom matching configuration information for the newly added domain names and newly added IPs;

A determination module 205, configured to determine, based on the custom matching configuration information, a first matching field for homology analysis of the newly added domain names and a second matching field for homology analysis of the newly added IPs;

A calculation module 206, configured to perform, based on the asset rule base, a matching calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP, obtaining a first calculation result;

A judgment module 207, configured to determine the homology analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.

In this embodiment, intelligence data within a preset period is obtained; the newly added domain names and IPs within that period are identified from it; these are analyzed to obtain their attribute information; custom matching configuration information for them is obtained, from which the first matching field (for domain names) and the second matching field (for IPs) are determined; a matching calculation on those fields is performed against the asset rule base, yielding the first calculation result; and from the first calculation result and the asset rule base, the homology analysis result of the newly added IP and domain name is determined.

Compared with the prior art, this embodiment obtains custom matching configuration information for the newly added domain names and IPs and derives the first and second matching fields from it, so that the matching fields can be adjusted flexibly during homology analysis. When a new data type is added, the system remains backward compatible: the new data type only needs to be connected, with no change to the system itself, which reduces development cost.

For other details of this embodiment, reference is made to the related description of the embodiments above, which is not repeated here.

Embodiment Three

Referring to FIG. 3, a structural schematic diagram of an electronic device disclosed in an embodiment of the present application, the electronic device of this embodiment includes:

a processor 301; and

a memory 302 configured to store machine-readable instructions which, when executed by the processor 301, perform the network asset data threat hunting method of any of the foregoing embodiments.

In this embodiment, intelligence data within a preset period is obtained; the newly added domain names and IPs within that period are identified from it; these are analyzed to obtain their attribute information; custom matching configuration information for them is obtained, from which the first matching field (for domain names) and the second matching field (for IPs) are determined; a matching calculation on those fields is performed against the asset rule base, yielding the first calculation result; and from the first calculation result and the asset rule base, the homology analysis result of the newly added IP and domain name is determined.

Compared with the prior art, this embodiment obtains custom matching configuration information for the newly added domain names and IPs and derives the first and second matching fields from it, so that the matching fields can be adjusted flexibly during homology analysis. When a new data type is added, the system remains backward compatible: the new data type only needs to be connected, with no change to the system itself, which reduces development cost.

Embodiment Four

An embodiment of the present application provides a storage medium storing a computer program which, when executed by a processor, performs the network asset data threat hunting method of any of the foregoing embodiments.

In this embodiment, intelligence data within a preset period is obtained; the newly added domain names and IPs within that period are identified from it; these are analyzed to obtain their attribute information; custom matching configuration information for them is obtained, from which the first matching field (for domain names) and the second matching field (for IPs) are determined; a matching calculation on those fields is performed against the asset rule base, yielding the first calculation result; and from the first calculation result and the asset rule base, the homology analysis result of the newly added IP and domain name is determined.

Compared with the prior art, this embodiment obtains custom matching configuration information for the newly added domain names and IPs and derives the first and second matching fields from it, so that the matching fields can be adjusted flexibly during homology analysis. When a new data type is added, the system remains backward compatible: the new data type only needs to be connected, with no change to the system itself, which reduces development cost.

在本申请所提供的实施例中,应该理解到,所揭露装置和方法,可以通过其它的方式实现。以上所描述的装置实施例仅仅是示意性的,例如,单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,又例如,多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些通信接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are only illustrative. For example, the division of units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components can be combined or integrated. to another system, or some features may be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some communication interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.

另外,作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。In addition, a unit described as a separate component may or may not be physically separated, and a component displayed as a unit may or may not be a physical unit, that is, it may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

再者,在本申请各个实施例中的各功能模块可以集成在一起形成一个独立的部分,也可以是各个模块单独存在,也可以两个或两个以上模块集成形成一个独立的部分。Furthermore, each functional module in each embodiment of the present application may be integrated to form an independent part, each module may exist independently, or two or more modules may be integrated to form an independent part.

需要说明的是,功能如果以软件功能模块的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(Read-Only Memory,ROM)随机存取存储器(Random Access Memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。It should be noted that, if the functions are realized in the form of software function modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk, and various media capable of storing program codes.

In this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations.

The above descriptions are only embodiments of the present application and are not intended to limit its scope of protection; those skilled in the art may make various modifications and changes to the present application. Any modification, equivalent replacement, improvement, or the like made within the spirit and principles of the present application shall fall within its scope of protection.

Claims (10)

1. A method for hunting network asset data threats, the method comprising:
acquiring intelligence data in a preset period;
identifying a newly added domain name and a newly added IP in the preset period based on the intelligence data in the preset period;
analyzing the newly added domain name and the newly added IP, and obtaining attribute information of the newly added domain name and attribute information of the newly added IP, wherein when the newly added domain name is a common domain name, acquiring historical registration information of the newly added domain name through an API (application programming interface) of a website supporting historical Whois inquiry, acquiring MX (mail exchange), SOA (start of authority) and TXT (text) records of the newly added domain name through the DNS (domain name system) protocol, acquiring sub-domain names appearing under the newly added domain name, calculating the domain name length of the newly added domain name, and taking the MX, SOA and TXT records of the newly added domain name, the sub-domain names appearing under the newly added domain name, the domain name length of the newly added domain name and the historical registration information of the newly added domain name as the attribute information of the newly added domain name;
acquiring custom matching configuration information aiming at the newly added domain name and the newly added IP;
determining a first matching field for performing homology analysis on the newly added domain name and a second matching field for performing the homology analysis on the newly added IP based on the custom matching configuration information;
matching calculation is carried out on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on an asset rule base, and a first calculation result is obtained;
and determining the homologous analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.
2. The method as claimed in claim 1, wherein the performing a matching calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on the asset rule base to obtain a first calculation result includes:
determining a matching expression of the asset rule base;
and matching and calculating the first matching field in the attribute information of the newly added domain name, the second matching field in the attribute information of the newly added IP and the fields in the asset rule base based on the matching expression to obtain a first calculation result.
3. The method of claim 2, wherein the method further comprises:
judging whether the asset rule base has an operational expression or not;
when the asset rule base has the operational expression, performing logic calculation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on the operational expression to obtain a second calculation result;
and performing matching calculation on the second calculation result and the fields in the asset rule base based on the matching expression to obtain the first calculation result.
4. The method of claim 3, wherein the matching expressions comprise at least one of equality, inequality, inclusion, exclusion, and regular expressions;
and the operational expression comprises at least one of a four-rule operational expression and a logic operational expression.
5. The method of claim 3, wherein the determining the results of the homology analysis for the newly added IP and the newly added domain name based on the first calculation result and the asset rule base comprises:
determining a rule description based on the asset rule base;
judging whether the first calculation result meets the rule description;
and when the first calculation result accords with the rule description, determining the homologous analysis result of the newly added IP and the newly added domain name.
6. The method of claim 5, wherein the second match field comprises: port open status, cyberspace asset mapping result data, IP server provider, whois of the domain name obtained by reverse lookup of the IP, the associated URL of the IP, or the JARM of the associated certificate.
7. The method of claim 5, wherein the first match field comprises: at least one of a domain name provider, a domain name length, a sub-domain name, whois of a domain name, an associated URL of a domain name, a resolved IP provider of a domain name, a top-level domain.
8. A cyber asset data threat hunting apparatus, the apparatus comprising:
the first acquisition module is used for acquiring intelligence data in a preset period;
the identification module is used for identifying the newly added domain name and the newly added IP in the preset period based on the intelligence data in the preset period;
the analysis module is used for analyzing the newly added domain name and the newly added IP and obtaining attribute information of the newly added domain name and attribute information of the newly added IP, wherein when the newly added domain name is a general domain name, historical registration information of the newly added domain name is obtained through an API of a website supporting historical Whois inquiry, MX, SOA and TXT records of the newly added domain name are obtained through a DNS protocol, sub-domain names appearing in the newly added domain name are obtained, the domain name length of the newly added domain name is calculated, and the MX, SOA and TXT records of the newly added domain name, the sub-domain name appearing in the newly added domain name, the domain name length of the newly added domain name and the historical registration information of the newly added domain name are used as the attribute information of the newly added domain name;
the second acquisition module is used for acquiring custom matching configuration information aiming at the newly added domain name and the newly added IP;
the determining module is used for determining a first matching field for performing homologous analysis on the newly added domain name and a second matching field for performing homologous analysis on the newly added IP based on the custom matching configuration information;
the computing module is used for performing matching computation on the first matching field in the attribute information of the newly added domain name and the second matching field in the attribute information of the newly added IP based on an asset rule base, and obtaining a first computation result;
and the judging module is used for determining the homologous analysis result of the newly added IP and the newly added domain name based on the first calculation result and the asset rule base.
9. An electronic device, comprising:
a processor; and
a memory configured to store machine readable instructions that, when executed by the processor, perform the network asset data threat hunting method of any one of claims 1-7.
10. A storage medium storing a computer program for execution by a processor of the network asset data threat hunting method as recited in any one of claims 1-7.
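The matching and homology step of claims 1 to 5, as an added illustrative example that is not the patent's own implementation: a small asset rule base whose rules combine matching expressions (equality, inequality, inclusion, exclusion, regular expression) with an operational expression (count), evaluated over a constructed domain and IP attribute record under a custom matching configuration that selects the first and second matching fields. All field names, rule labels and attribute values are assumptions.

```python
import re

# Constructed attribute records for one newly added domain name and one newly
# added IP (hypothetical values, not data from the patent).
NEW_DOMAIN = {"domain_length": 14, "tld": "xyz", "whois": {"registrant": "Acme Holdings"}}
NEW_IP = {"open_ports": [80, 443, 8443], "reverse_whois": {"registrant": "Acme Holdings"},
          "cert_jarm": "2ad2ad0002ad2ad00042d42d00000000000000000000000000000000000000"}

# Matching expressions of the asset rule base (claim 4): equality, inequality,
# inclusion, exclusion and regular expression; v is the field value, t the target.
MATCHERS = {"eq": lambda v, t: v == t, "ne": lambda v, t: v != t,
            "in": lambda v, t: v in t, "not_in": lambda v, t: v not in t,
            "regex": lambda v, t: re.search(t, str(v)) is not None}
# Operational expressions (claim 3) applied to a field before matching; their
# output is the "second calculation result" that is then matched against the rule.
OPERATORS = {"count": len}

def get_field(record, path):
    for key in path.split("."):  # dotted path such as "whois.registrant"
        record = record[key]
    return record

def evaluate_condition(cond, domain, ip):
    value = get_field(domain if cond["side"] == "domain" else ip, cond["field"])
    if "op" in cond:  # optional operational expression
        value = OPERATORS[cond["op"]](value)
    return MATCHERS[cond["match"]](value, cond["target"])

def apply_rule(rule, domain, ip, config):
    # The custom matching configuration decides which first (domain) and second (IP)
    # matching fields take part in the homology analysis at all.
    allowed = {"domain": config["first_fields"], "ip": config["second_fields"]}
    if any(c["field"].split(".")[0] not in allowed[c["side"]] for c in rule["conditions"]):
        return None
    results = [evaluate_condition(c, domain, ip) for c in rule["conditions"]]
    satisfied = (all if rule["require"] == "all" else any)(results)  # rule description
    return rule["label"] if satisfied else None  # label = homology analysis result

def homology_analysis(rule_base, domain, ip, config):
    return [lbl for r in rule_base if (lbl := apply_rule(r, domain, ip, config))]
RULE_BASE = [  # constructed rule base
    {"label": "same registrant as tracked asset group", "require": "all",
     "conditions": [{"side": "domain", "field": "whois.registrant", "match": "eq", "target": "Acme Holdings"},
                    {"side": "ip", "field": "reverse_whois.registrant", "match": "eq", "target": "Acme Holdings"}]},
    {"label": "infrastructure fingerprint of tracked asset group", "require": "all",
     "conditions": [{"side": "domain", "field": "tld", "match": "in", "target": ["xyz", "top"]},
                    {"side": "ip", "field": "cert_jarm", "match": "regex", "target": r"^2ad2ad0002ad2ad"},
                    {"side": "ip", "field": "open_ports", "op": "count", "match": "in", "target": range(3, 65536)}]}]
CONFIG = {"first_fields": ["whois", "tld", "domain_length"], "second_fields": ["reverse_whois", "cert_jarm", "open_ports"]}
```

Narrowing the configuration (for instance dropping `cert_jarm` from the second matching fields) silently disables any rule that needs the excluded field, which is the behaviour the custom matching configuration of claim 1 describes.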
CN202210915411.8A 2022-08-01 2022-08-01 Network asset data threat hunting method and device, electronic equipment and storage medium Active CN115001867B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210915411.8A CN115001867B (en) 2022-08-01 2022-08-01 Network asset data threat hunting method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115001867A CN115001867A (en) 2022-09-02
CN115001867B true CN115001867B (en) 2022-11-04

Family

ID=83021897

Country Status (1)

Country Link
CN (1) CN115001867B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Building 1, 10th Floor 1-7, No. 76 Zhichun Road, Haidian District, Beijing 100082 (Office Building)

Patentee after: BEIJING THREATBOOK TECHNOLOGY CO.,LTD.

Country or region after: China

Address before: Room 301, floor 3, No. 49-3, Suzhou street, Haidian District, Beijing 100082

Patentee before: BEIJING THREATBOOK TECHNOLOGY CO.,LTD.

Country or region before: China