
CN116346409A - Network security defense method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116346409A
CN116346409A
Authority
CN
China
Prior art keywords
questions
question
execution subject
threat
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310118391.6A
Other languages
Chinese (zh)
Other versions
CN116346409B (en)
Inventor
杨磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Construction Bank Corp
CCB Finetech Co Ltd
Original Assignee
China Construction Bank Corp
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Construction Bank Corp, CCB Finetech Co Ltd
Priority to CN202310118391.6A
Publication of CN116346409A
Application granted
Publication of CN116346409B
Legal status: Active
Anticipated expiration

Classifications

    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received data contents, e.g. message integrity
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The disclosure provides a network security defense method, device, equipment and storage medium, applicable to the technical field of information security. The method comprises: based on monitoring of a network system, identifying a suspicious security event present in the network system and its threat type; and verifying the execution subject of the suspicious security event using a pre-arranged verification process. The verification process comprises: acquiring at least one candidate question from a question set preset for the threat type; processing the at least one candidate question based on information about the entities in the suspicious security event to obtain a selected question set; sending the selected question set to the execution subject and obtaining the answer information the execution subject returns in reply to the questions in the selected question set; and comparing the answer information with the corresponding information in the historical record data of the network system to evaluate whether the execution subject poses a threat.

Description

Network security defense method, device, equipment and storage medium

Technical field

The present disclosure relates to the field of information security, and in particular to a network security defense method, device, equipment, storage medium and program product.

Background

As network systems have come into ever wider use, attacks against them have never ceased and keep taking new forms. Current network security threat defense typically collects different types of data from the various subsystems of the network system to train a machine learning model, and then monitors network security with the trained model.

However, protecting a network system with a trained machine learning model requires multi-level analysis, which is time-consuming, and multi-step processing tends to accumulate error, harming both the efficiency and the accuracy of the judgment. Some attack behaviours may also be misjudged, which can easily lead to data loss.

Summary

In view of the above problems, the present disclosure provides a network security defense method, device, equipment, medium and program product in which the legitimacy of an object preliminarily identified as a network security threat can be determined by active verification.

A first aspect of the embodiments of the present disclosure provides a network security defense method. The method includes: based on monitoring of a network system, identifying a suspicious security event present in the network system and its threat type; and verifying the execution subject of the suspicious security event using a pre-arranged verification process. Verifying the execution subject of the suspicious security event includes: acquiring at least one candidate question from a question set preset for the threat type; processing the at least one candidate question based on information about the entities in the suspicious security event to obtain a selected question set, where the entities in the suspicious security event include the execution subject of the suspicious security event; sending the selected question set to the execution subject and obtaining the answer information the execution subject returns in reply to the questions in the selected question set; comparing the answer information with the corresponding information in the historical record data of the network system to obtain a comparison result; determining that the execution subject poses no threat when the comparison result satisfies a predetermined condition; and determining that the execution subject poses a threat when the comparison result does not satisfy the predetermined condition.

According to an embodiment of the present disclosure, obtaining the selected question set further includes: based on the historical record data of the network system, obtaining other objects whose behavioural characteristics are similar to those of the execution subject; processing at least some of the at least one candidate question based on information about those other objects to generate distractors; and adding the distractors to the selected question set.

According to an embodiment of the present disclosure, obtaining other objects with behavioural characteristics similar to those of the execution subject based on the historical record data of the network system includes: extracting entity data from the historical record data of the network system to obtain a plurality of entities, the plurality of entities including the execution subject; extracting, from the historical record data, the behaviour data of each of the plurality of entities and forming it into a time series to obtain the behavioural characteristics of each entity; and determining the other objects whose behavioural characteristics are similar to those of the execution subject by judging the similarity between the behavioural characteristics of the execution subject and those of the other entities among the plurality of entities.
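The similarity step above is the one a verification service has to get right: a distractor drawn from an entity that behaves nothing like the subject is trivially eliminated. The following Python is an added example, not code from the patent or its assignee, of one way to do it: each entity's history is folded into a 24-bin hour-of-day activity series, cosine similarity ranks the other entities, and the nearest ones supply the wrong options for a question whose correct option comes from the subject's own record. The log records, the hour-of-day representation, the cosine measure, the similarity floor and the question wording are all assumptions made for this example; the patent specifies none of them.

```python
"""Similar-entity search over behaviour time series, used to build distractors.

Added example; the history records below are constructed for illustration.
"""
import math
from collections import defaultdict

HOURS = 24

# Constructed history of the network system: (entity, hour_of_day, action), in
# time order. Hour-of-day activity is the behaviour time series assumed here;
# the patent only says behaviour data is formed into a time series per entity.
HISTORY = [
    ("alice", 9, "login"), ("alice", 9, "read_report"),
    ("alice", 14, "transfer"), ("alice", 17, "logout"),
    ("bob", 9, "login"), ("bob", 10, "read_report"),
    ("bob", 14, "transfer"), ("bob", 18, "approve_transfer"),
    ("carol", 2, "login"), ("carol", 3, "bulk_export"), ("carol", 3, "bulk_export"),
    ("svc-batch", 1, "login"), ("svc-batch", 1, "bulk_export"), ("svc-batch", 2, "logout"),
]


def behaviour_series(history):
    """Extract the entities and give each one a 24-bin activity count by hour."""
    series = defaultdict(lambda: [0.0] * HOURS)
    for entity, hour, _action in history:
        series[entity][hour % HOURS] += 1.0
    return dict(series)


def cosine(a, b):
    """Cosine similarity of two series; 0.0 when either series is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def similar_entities(history, subject, k=1, min_sim=0.5):
    """The k other entities whose activity series is closest to the subject's,
    keeping only those at or above min_sim so that unrelated entities never
    become distractor sources."""
    series = behaviour_series(history)
    if subject not in series:
        raise KeyError(f"{subject!r} has no history")
    ranked = sorted(
        ((cosine(series[subject], vec), name)
         for name, vec in series.items() if name != subject),
        reverse=True,
    )
    return [name for sim, name in ranked[:k] if sim >= min_sim]


def last_action(history, entity):
    """The most recent action recorded for an entity (records are in time order)."""
    actions = [act for ent, _hour, act in history if ent == entity]
    return actions[-1] if actions else None


def build_question(history, subject, distractor_entities):
    """Multiple-choice question: the correct option is taken from the subject's
    own record, the distractors from entities that behave like the subject."""
    correct = last_action(history, subject)
    options = {correct}
    for other in distractor_entities:
        option = last_action(history, other)
        if option is not None and option != correct:
            options.add(option)
    return {
        "question": "What was your last recorded action?",
        "options": sorted(options),
        "answer": correct,
    }


if __name__ == "__main__":
    peers = similar_entities(HISTORY, "alice", k=2)
    print(peers, build_question(HISTORY, "alice", peers))
```

The similarity floor is what keeps distractors plausible: when no peer clears it the question is emitted with the correct option alone, and the caller should fall back to another question rather than pad the options with random values that give the answer away.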

According to an embodiment of the present disclosure, the questions in the question set are divided into a plurality of second categories according to the similarity between questions, such that the questions within one second category are similar to each other. Acquiring at least one candidate question from the question set preset for the threat type includes: selecting at least one question from each of the plurality of second categories to obtain the at least one candidate question.

According to an embodiment of the present disclosure, the questions in the question set are divided into a plurality of first categories according to the kind of property a question has, the questions within one first category sharing the same property. Acquiring at least one candidate question from the question set preset for the threat type includes: selecting at least one question from each of the plurality of first categories to obtain the at least one candidate question. The kinds of property include at least two: must be answered correctly, and errors are tolerated.

According to an embodiment of the present disclosure, the predetermined condition includes that every question in the selected question set whose property is "must be answered correctly" is answered correctly.

According to an embodiment of the present disclosure, comparing the answer information with the corresponding information in the historical record data of the network system to obtain the comparison result includes: based on the comparison of the answer information with the corresponding information in the historical record data, obtaining reply result information indicating whether each question in the selected question set was answered correctly; and traversing the reply result information of the questions in the selected question set whose property is "must be answered correctly" to determine whether all of those questions were answered correctly.

According to an embodiment of the present disclosure, the predetermined condition further includes: where every "must be answered correctly" question in the selected question set is answered correctly, the score of the answer information is greater than or equal to a preset threshold. Comparing the answer information with the corresponding information in the historical record data to obtain the comparison result further includes: where every "must be answered correctly" question in the selected question set is answered correctly, obtaining the score of each question in the selected question set from its reply result information and its difficulty level, the questions in the question set having been pre-divided by difficulty into a plurality of difficulty levels, with the same scoring rule applying to every question within one difficulty level; obtaining the weight corresponding to each question from its importance level, the questions in the question set having been pre-divided by importance into a plurality of importance levels, with the same weight applying to every question within one importance level; and obtaining the score of the answer information from the scores of all questions in the selected question set and the weight corresponding to each question.

According to an embodiment of the present disclosure, the predetermined condition is a predetermined condition updated according to the accumulated verification result data corresponding to the execution subject. The method further includes: setting an initial predetermined condition; and updating the predetermined condition based on the accumulated verification result data corresponding to the execution subject. Updating the predetermined condition specifically includes: storing the verification result data obtained each time the verification process is used to verify the execution subject; accumulating the stored verification result data to obtain the accumulated verification result data corresponding to the execution subject; and updating the predetermined condition, periodically or aperiodically, based on that accumulated verification result data.
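The evaluation described in the preceding paragraphs is a two-stage condition: a hard gate on the "must be answered correctly" questions, then a difficulty-scored, importance-weighted total compared with a threshold that is itself refreshed from the subject's stored results. The following Python is an added example, not the patent's own code, of that logic end to end. The points per difficulty level, the weights per importance level, the exact-match comparison against the historical record, the threshold update rule and the sample questions are assumptions made for this example; the patent fixes none of them.

```python
"""Answer evaluation: must-correct gate, then a weighted score against a threshold.

Added example; questions, scoring rules and the threshold update rule are assumed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Question:
    qid: str
    must_be_correct: bool  # the patent's "first category": must-correct vs error-tolerant
    difficulty: int        # difficulty level 1..3; one scoring rule per level
    importance: int        # importance level 1..3; one weight per level


# Assumed rules: points a correct answer earns at each difficulty level, and the
# weight attached to each importance level.
POINTS_BY_DIFFICULTY = {1: 1.0, 2: 2.0, 3: 3.0}
WEIGHT_BY_IMPORTANCE = {1: 0.5, 2: 1.0, 3: 2.0}

# Constructed selected question set and the matching facts from the history record.
QUESTIONS = [
    Question("q1", must_be_correct=True, difficulty=1, importance=3),
    Question("q2", must_be_correct=False, difficulty=2, importance=2),
    Question("q3", must_be_correct=False, difficulty=3, importance=1),
]
HISTORY_TRUTH = {"q1": "2024-03-01", "q2": "Shanghai", "q3": "transfer"}


def normalise(value):
    """Trim and lower-case so that formatting differences are not scored as errors."""
    return str(value or "").strip().lower()


def grade(questions, answers, history_truth):
    """Reply result per question: exact match against the recorded value after
    normalisation. A missing answer counts as wrong rather than raising."""
    return {q.qid: normalise(answers.get(q.qid)) == normalise(history_truth[q.qid])
            for q in questions}


def weighted_score(questions, result):
    """Score in [0, 1]: earned points times weight, over the maximum achievable."""
    earned = maximum = 0.0
    for q in questions:
        value = POINTS_BY_DIFFICULTY[q.difficulty] * WEIGHT_BY_IMPORTANCE[q.importance]
        maximum += value
        if result[q.qid]:
            earned += value
    return earned / maximum if maximum else 0.0


def evaluate(questions, answers, history_truth, threshold):
    """Apply the predetermined condition. Returns (no_threat, detail).

    The gate is checked first: one wrong must-correct answer ends the check and
    the score is not computed at all, which is the order the claims describe."""
    result = grade(questions, answers, history_truth)
    gate_ok = all(result[q.qid] for q in questions if q.must_be_correct)
    if not gate_ok:
        return False, {"gate": False, "score": None, "per_question": result}
    score = weighted_score(questions, result)
    return score >= threshold, {"gate": True, "score": score, "per_question": result}


def updated_threshold(initial, past_scores, min_samples=3, margin=0.1, ceiling=0.95):
    """Assumed update rule for the predetermined condition (the patent only says
    it is refreshed from the subject's accumulated results): once enough
    verifications are stored, require the subject to score within `margin` of
    its own historical mean, never below the initial threshold and never above
    `ceiling`."""
    if len(past_scores) < min_samples:
        return initial
    return min(ceiling, max(initial, mean(past_scores) - margin))


if __name__ == "__main__":
    answers = {"q1": "2024-03-01", "q2": "shanghai", "q3": "withdrawal"}
    print(evaluate(QUESTIONS, answers, HISTORY_TRUTH, threshold=0.7))
    print(updated_threshold(0.7, [0.9, 0.95, 1.0]))
```

Two details matter in practice: both sides of the comparison are normalised, so a differently cased answer is not penalised, and a missing answer is scored as wrong instead of raising, so a subject that stops replying fails the check rather than crashing it. The adaptive rule only ever tightens the threshold relative to the initial value, so a subject with a poor history is never held to a looser condition than a new one.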

According to an embodiment of the present disclosure, identifying the suspicious security event present in the network system and its threat type based on monitoring of the network system includes: using a machine learning model to identify the suspicious security event, the threat type and the threat level. Acquiring at least one candidate question from the question set preset for the threat type includes: determining the number of questions and/or the difficulty distribution of the at least one candidate question according to the threat level, the threat level being positively correlated with both the number of questions and their difficulty; the questions in the question set are pre-divided by difficulty into a plurality of difficulty levels, and the difficulty distribution is characterised by the distribution of the at least one candidate question across those difficulty levels.
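Selecting the candidate questions has three constraints pulling at once: at least one question from each similarity cluster (the "second categories"), at least one from each of the must-correct and error-tolerant classes (the "first categories"), and a question count and difficulty mix that grow with the threat level. The following Python is an added example, not code from the patent, of a deterministic selection that satisfies all three; it generalises the text slightly by resolving the case where category coverage needs more questions than the threat level's planned count (coverage wins). The question set, the threat-level plan table and the greedy order of the passes are assumptions made for this example.

```python
"""Candidate question selection: per-category coverage plus a threat-level-driven
count and difficulty mix.

Added example; the question set and the threat-level plan are constructed.
"""
import math
from typing import NamedTuple


class Question(NamedTuple):
    qid: str
    must_be_correct: bool  # "first category": must-correct vs error-tolerant
    difficulty: int        # difficulty level 1..3
    cluster: str           # "second category": near-duplicate questions share a cluster


# Constructed question set preset for one threat type.
QUESTION_SET = [
    Question("q01", True, 1, "login-time"), Question("q02", True, 2, "login-time"),
    Question("q03", False, 1, "device"),    Question("q04", False, 3, "device"),
    Question("q05", True, 3, "last-txn"),   Question("q06", False, 2, "last-txn"),
    Question("q07", False, 1, "contact"),   Question("q08", True, 2, "contact"),
]

# Assumed plan: threat level 1 (low) .. 3 (high) -> how many questions to ask and
# what share of them sit at each difficulty level. Both grow with the level.
PLAN_BY_THREAT = {
    1: {"count": 3, "mix": {1: 0.7, 2: 0.3, 3: 0.0}},
    2: {"count": 5, "mix": {1: 0.4, 2: 0.4, 3: 0.2}},
    3: {"count": 8, "mix": {1: 0.2, 2: 0.4, 3: 0.4}},
}


def difficulty_quota(count, mix):
    """Turn a share per difficulty level into whole-number slots summing to count
    (largest-remainder rounding)."""
    raw = {level: count * share for level, share in mix.items()}
    quota = {level: math.floor(v) for level, v in raw.items()}
    leftover = count - sum(quota.values())
    by_fraction = sorted(raw, key=lambda lv: raw[lv] - quota[lv], reverse=True)
    for level in by_fraction[:leftover]:
        quota[level] += 1
    return quota


def select_questions(question_set, threat_level):
    """Greedy selection in three passes:
    1. one question from every cluster (second categories);
    2. top up so both must-correct and error-tolerant questions are present
       (first categories);
    3. fill the remaining slots up to the planned count.
    Every pick prefers the difficulty level with the most unused quota, so the
    planned difficulty mix is followed as closely as coverage allows. Coverage
    may push the total above the planned count; it is never allowed to fall
    below it while questions remain."""
    plan = PLAN_BY_THREAT[threat_level]
    quota = difficulty_quota(plan["count"], plan["mix"])
    remaining = list(question_set)
    chosen = []

    def preference(q):
        left = quota.get(q.difficulty, 0)
        return (0 if left > 0 else 1, -left, q.qid)

    def take(candidates):
        q = min(candidates, key=preference)
        chosen.append(q)
        remaining.remove(q)
        if quota.get(q.difficulty, 0) > 0:
            quota[q.difficulty] -= 1

    for cluster in sorted({q.cluster for q in question_set}):
        take([q for q in remaining if q.cluster == cluster])
    for must in (True, False):
        if not any(q.must_be_correct == must for q in chosen):
            take([q for q in remaining if q.must_be_correct == must])
    while len(chosen) < plan["count"] and remaining:
        take(remaining)
    return chosen


def mean_difficulty(questions):
    return sum(q.difficulty for q in questions) / len(questions)


if __name__ == "__main__":
    for level in (1, 2, 3):
        picked = select_questions(QUESTION_SET, level)
        print(level, [q.qid for q in picked], round(mean_difficulty(picked), 2))
```

With the constructed set, the low threat level yields four easy questions (one per cluster, which already exceeds the planned three), while the high level asks all eight, and the mean difficulty rises monotonically with the level as the text requires.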

A second aspect of the embodiments of the present disclosure provides a network security defense device. The device includes a preliminary identification module and an active verification module. The preliminary identification module is configured to identify, based on monitoring of a network system, a suspicious security event present in the network system and its threat type. The active verification module is configured to verify the execution subject of the suspicious security event using a pre-arranged verification process. The active verification module includes an acquisition sub-module, a question generation sub-module, an answering sub-module and an answer evaluation sub-module. Specifically, the acquisition sub-module is configured to acquire at least one candidate question from a question set preset for the threat type. The question generation sub-module is configured to process the at least one candidate question based on information about the entities in the suspicious security event to obtain a selected question set, the entities in the suspicious security event including the execution subject of the suspicious security event. The answering sub-module is configured to send the selected question set to the execution subject and obtain the answer information the execution subject returns in reply to the questions in the selected question set. The answer evaluation sub-module is configured to: compare the answer information with the corresponding information in the historical record data of the network system to obtain a comparison result; determine that the execution subject poses no threat when the comparison result satisfies a predetermined condition; and determine that the execution subject poses a threat when the comparison result does not satisfy the predetermined condition.

A third aspect of the embodiments of the present disclosure provides an electronic device including one or more processors and one or more memories. The memories store one or more programs which, when executed by the one or more processors, cause the one or more processors to perform the above method.

A fourth aspect of the embodiments of the present disclosure further provides a computer-readable storage medium storing executable instructions which, when executed by a processor, cause the processor to perform the above method.

A fifth aspect of the embodiments of the present disclosure further provides a computer program product including a computer program which implements the above method when executed by a processor.

According to the network security protection method, device, equipment, medium and program product provided by the present disclosure, a suspicious security event present in the network system is first preliminarily identified; a pre-arranged verification process then actively verifies the execution subject of the suspicious security event with questions selected specifically for the threat type, and the verification result finally determines whether the execution subject of the security event, a user or a process, poses a threat. The accuracy and precision required of the preliminary identification step can therefore be relaxed, so that it can be implemented with fewer data types and network layers, reducing the complexity of the model used for preliminary identification. Because active verification follows preliminary identification, the risk of data loss is reduced and network threats are identified more reliably.

Brief description of the drawings

The above and other objects, features and advantages of the present disclosure will become clearer from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:

Fig. 1 schematically shows an application scenario of the network security defense method and device according to an embodiment of the present disclosure;

Fig. 2 schematically shows a flowchart of a network security defense method according to an embodiment of the present disclosure;

Fig. 3 schematically shows the data preparation flow of the verification process in the network security defense method according to an embodiment of the present disclosure;

Fig. 4 schematically shows a flowchart of evaluating the answer information in the network security defense method according to an embodiment of the present disclosure;

Fig. 5 schematically shows a flowchart of the method for obtaining the selected question set in the network security defense method according to an embodiment of the present disclosure;

Fig. 6 schematically shows a flowchart of selecting other objects with similar behavioural characteristics while obtaining the selected question set according to an embodiment of the present disclosure;

Fig. 7 schematically shows a flowchart of dynamically adjusting the predetermined condition in the network security defense method according to an embodiment of the present disclosure;

Fig. 8 schematically shows a flowchart of a network security defense method according to another embodiment of the present disclosure;

Fig. 9 schematically shows a structural block diagram of a network security defense device according to an embodiment of the present disclosure; and

Fig. 10 schematically shows a block diagram of an electronic device suitable for implementing the network security defense method according to an embodiment of the present disclosure.

Detailed description

Embodiments of the present disclosure are described below with reference to the accompanying drawings. It should be understood that these descriptions are exemplary only and are not intended to limit the scope of the present disclosure. In the following detailed description, numerous specific details are set forth for ease of explanation, to provide a thorough understanding of the embodiments of the present disclosure. It will be evident, however, that one or more embodiments may be practised without these specific details. In addition, descriptions of well-known structures and techniques are omitted below so as not to obscure the concepts of the present disclosure unnecessarily.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. The terms "comprising", "including" and the like used herein indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.

All terms used herein (including technical and scientific terms) have the meaning commonly understood by those skilled in the art unless otherwise defined. It should be noted that the terms used herein are to be interpreted as having a meaning consistent with the context of this specification, and not in an idealised or overly rigid manner.

Where an expression such as "at least one of A, B and C" is used, it should generally be interpreted as those skilled in the art would normally understand it (for example, "a system having at least one of A, B and C" includes, without limitation, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C, etc.).

In the technical solution of the present disclosure, the collection, storage, use, processing, transmission, provision, disclosure and application of the data involved (including, without limitation, users' personal information) comply with the relevant laws and regulations, the necessary confidentiality measures have been taken, and public order and good morals are not violated.

本公开的实施例提供了一种网络安全防御方法、装置、设备、存储介质和程序产品。该网络安全防御方法中,首先基于对网络系统的监控,初步识别出网络系统中存在的可疑安全事件及其威胁类型,然后采用事先编排好的验证流程,对可疑安全事件的执行主体进行主动验证,根据验证结果确定可以安全事件的执行主体是否具有威胁。其中,可疑安全事件的执行主体可以是网络系统的用户,或者网络系统中的处理过程、或者与网络系统进行交互的外部处理过程。Embodiments of the present disclosure provide a network security defense method, device, equipment, storage medium and program product. In this network security defense method, based on the monitoring of the network system, the suspicious security events and their threat types in the network system are initially identified, and then the pre-arranged verification process is used to actively verify the execution subject of the suspicious security event , according to the verification result, it is determined whether the execution subject of the security event is a threat. Wherein, the execution subject of the suspicious security event may be a user of the network system, or a process in the network system, or an external process that interacts with the network system.

本公开实施例中在初步识别具有安全威胁后,会通过主动验证的方式来验证可疑安全事件的执行主体的合法性,这样对初步识别过程中的准确率和精准度要求都可以降低,从而在初步识别过程可以使用较少的数据类型和网络层次来实现,减少了监控识别算法模型的复杂性。而且初步识别之后还会主动验证,可以降低数据丢失的风险,提高网络威胁的辨识度。In the embodiment of the present disclosure, after the preliminary identification of a security threat, the validity of the execution subject of the suspicious security event will be verified through active verification, so that the accuracy and precision requirements in the preliminary identification process can be reduced, so that in the The preliminary identification process can be implemented with fewer data types and network layers, which reduces the complexity of the surveillance identification algorithm model. And after the initial identification, it will be actively verified, which can reduce the risk of data loss and improve the identification of network threats.

图1示意性示出了根据本公开实施例的网络安全防御方法和装置的应用场景图。Fig. 1 schematically shows an application scenario diagram of a network security defense method and device according to an embodiment of the present disclosure.

如图1所示,根据该实施例的应用场景100可以包括第一终端设备101、第二终端设备102、第三终端设备103、网络104和服务器105。网络104用以在第一终端设备101、第二终端设备102、第三终端设备103和服务器105之间提供通信链路的介质。网络104可以包括各种连接类型,例如有线、无线通信链路或者光纤电缆等等。As shown in FIG. 1 , an application scenario 100 according to this embodiment may include a first terminal device 101 , a second terminal device 102 , a third terminal device 103 , a network 104 and a server 105 . The network 104 is used as a medium for providing communication links among the first terminal device 101 , the second terminal device 102 , the third terminal device 103 and the server 105 . Network 104 may include various connection types, such as wires, wireless communication links, or fiber optic cables, among others.

用户可以使用第一终端设备101、第二终端设备102、第三终端设备103中的至少一个通过网络104与服务器105交互,以接收或发送消息等。第一终端设备101、第二终端设备102、第三终端设备103上可以安装有各种通讯客户端应用,例如购物类应用、网页浏览器应用、搜索类应用、即时通信工具、邮箱客户端、社交平台软件等(仅为示例)。A user can use at least one of the first terminal device 101 , the second terminal device 102 , and the third terminal device 103 to interact with the server 105 through the network 104 to receive or send messages and the like. Various communication client applications can be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103, such as shopping applications, web browser applications, search applications, instant messaging tools, email clients, Social platform software, etc. (examples only).

第一终端设备101、第二终端设备102、第三终端设备103可以是具有显示屏并且支持网页浏览的各种电子设备,包括但不限于智能手机、平板电脑、膝上型便携计算机和台式计算机等等。The first terminal device 101, the second terminal device 102, and the third terminal device 103 may be various electronic devices with display screens and supporting web browsing, including but not limited to smart phones, tablet computers, laptop computers and desktop computers etc.

服务器105可以是提供各种服务的服务器,例如对用户利用第一终端设备101、第二终端设备102、第三终端设备103所浏览的网站提供支持的后台管理服务器(仅为示例)。后台管理服务器可以对接收到的用户请求等数据进行分析等处理,并将处理结果(例如根据用户请求获取或生成的网页、信息、或数据等)反馈给终端设备。The server 105 may be a server that provides various services, such as a background management server that supports websites browsed by users using the first terminal device 101 , the second terminal device 102 , and the third terminal device 103 (just an example). The background management server can analyze and process received data such as user requests, and feed back processing results (such as webpages, information, or data obtained or generated according to user requests) to the terminal device.

需要说明的是,本公开实施例所提供的网络安全防御方法一般可以由服务器105执行。相应地,本公开实施例所提供的网络安全防御装置一般可以设置于服务器105中。本公开实施例所提供的网络安全防御方法也可以由不同于服务器105且能够与第一终端设备101、第二终端设备102、第三终端设备103和/或服务器105通信的服务器或服务器集群执行。相应地,本公开实施例所提供的网络安全防御装置也可以设置于不同于服务器105且能够与第一终端设备101、第二终端设备102、第三终端设备103和/或服务器105通信的服务器或服务器集群中。It should be noted that, generally, the network security defense method provided by the embodiment of the present disclosure may be executed by the server 105 . Correspondingly, the network security defense device provided by the embodiments of the present disclosure can generally be set in the server 105 . The network security defense method provided by the embodiments of the present disclosure may also be executed by a server or server cluster that is different from the server 105 and can communicate with the first terminal device 101, the second terminal device 102, the third terminal device 103 and/or the server 105 . Correspondingly, the network security defense device provided by the embodiments of the present disclosure may also be set on a server different from the server 105 and capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103 and/or the server 105 or in a server cluster.

It should be understood that the numbers of terminal devices, networks and servers in Fig. 1 are merely illustrative. There may be any number of terminal devices, networks and servers, depending on implementation needs.

Based on the scenario described in Fig. 1, the network security defense method of the disclosed embodiments is described in detail below with reference to Fig. 2 to Fig. 8.

Fig. 2 schematically shows a flowchart of a network security defense method according to an embodiment of the present disclosure.

As shown in Fig. 2, the network security defense method of this embodiment may include operations S210 to S280.

First, in operation S210, suspicious security events present in the network system and their threat types are identified based on monitoring of the network system. Specifically, a machine learning model can be trained to perform a preliminary identification of suspicious security events and their threat types in the network system. A non-machine-learning model can of course also be used for automatic monitoring, for example a model in which a corresponding monitoring condition is set for each threat type. Because the model used here only performs preliminary screening, its structure, depth and algorithmic complexity can be much simpler than in the case where the model's output is taken as the final verdict, which reduces the amount of data collected, the time spent on data analysis and the resources consumed.

Then, through operations S220 to S280, the execution subject of the identified suspicious security event is actively verified using a verification flow that has been arranged in advance. The execution subject may be a user or a process. Here a process refers to an activity that can modify received input or redirect received input to a corresponding output, for example a microservice that receives an API call request and forwards it to an API processing service, or one that validates input data before it is written to a data store.

Specifically, in operation S220, at least one candidate question is obtained from a question set preset for the threat type.

The threat types faced by a network system can roughly be grouped into several categories: an attacker impersonating a user or process, an attacker maliciously modifying data, and an attacker maliciously using the system so that it can no longer provide normal service.

An attacker impersonating a user or process manifests, for example, as the attacker sending the user an email containing a malicious link from what appears to be a legitimate user, in order to capture the user's credentials, data and access to the device.

An attacker maliciously modifying data manifests, for example, as modifying data temporarily stored in a cache, sending incorrect data over the network to compromise data integrity, inserting a malicious payload into the browser cache so that a process or data store behaves abnormally, or handling modified memory through a weak API call, leading to a system crash or leakage of sensitive information.

An attacker maliciously using the system so that it cannot provide normal service manifests, for example, as sending a large number of requests to the system, occupying large amounts of memory or CPU resources, or storing excessive data so that the system crashes.

The question set preset for the threat types may be built by first determining the threat types to be identified and then collecting or generating a large number of questions targeted at each threat type; alternatively, a large number of questions of all kinds related to network security may be collected first and then divided according to threat type, for example by attaching the corresponding threat type label to each question related to that threat type.

Specifically, for the threat type in which an attacker impersonates a user or process, the emphasis is on verifying the authenticity of that user or process, so questions about the user's personal information, the applications they use and their daily interactions can be treated as questions for this direction and labelled accordingly. For the threat type in which an attacker maliciously modifies data, the emphasis is on verifying the user's permissions and the data involved, so questions about permissions and data security can be treated as questions for this direction and labelled accordingly. For the threat type in which an attacker maliciously uses the system so that it cannot provide normal service, the emphasis is on verifying the authenticity of the user or process and on how the system is used, so questions about the user's personal information and about correct use of the system can be treated as questions for this direction and labelled accordingly. A question may belong to several threat categories at once, that is, the question sets corresponding to different threat types may overlap; for example, questions about user information or user permissions may be relevant to several threat types.

Accordingly, when selecting candidate questions in operation S220, the selection can be made from the questions carrying the label corresponding to the threat type of the suspicious security event.

Next, in operation S230, the at least one candidate question is processed based on information about the entities in the suspicious security event to obtain a selected-question set, where the entities in the suspicious security event include the execution subject of the suspicious security event.

An entity refers to an account, user, device, application, microservice, data item, IP address or the like. Of these, applications and microservices are processes.

In terms of event description elements, a suspicious security event can usually be described as: the execution subject, at some time, by some means (for example using which account or which device), did something (for example accessed or called which application(s) or data). Information about the entities can therefore be extracted from the suspicious security event.

The candidate questions come from the question set, and the questions in the question set are usually processable question samples or question templates, for example "What is the account [user] usually uses?" or "What personnel level is required to log in to [application]?", where [user] and [application] are filled in or replaced with information about the entities in the suspicious security event when the selected questions are generated.

Then, in operation S240, the selected-question set is sent to the execution subject, and the answer information that the execution subject returns in response to the questions in the selected-question set is obtained.

Next, the answer information is evaluated through operations S250 to S280 to determine whether the execution subject is legitimate.

Specifically, in operation S250, the answer information is compared with the corresponding information in the historical record data of the network system to obtain a comparison result.

Then, in operation S260, it is determined whether the comparison result satisfies a predetermined condition. If it does, it is determined in operation S270 that the execution subject poses no threat; if it does not, it is determined in operation S280 that the execution subject poses a threat.

In some embodiments, whether the execution subject poses a threat can be determined by whether the answer accuracy rate meets a predetermined threshold.

In other embodiments, when the answer information is evaluated by checking the comparison result against the predetermined condition, information such as the number of questions in the selected-question set, the difficulty of the different questions and the characteristics of the different questions (such as whether a question must be answered correctly, and how important it is) can also be taken into account, making the final verification result more accurate. This is described in detail below.

Fig. 3 schematically shows the data preparation flow of the verification flow in the network security defense method according to an embodiment of the present disclosure.

With reference to Fig. 2 and Fig. 3, the network security defense method of the embodiment of the present disclosure requires the verification flow to be arranged in advance, before operations S220 to S280; the data preparation flow of the verification flow includes operations S301 to S303.

First, in operation S301, a question data set (also called a question set; the two terms are not distinguished herein) is generated. In one embodiment, various questions related to network security can be collected or generated, pre-processed (for example by abstracting or unifying their format), and then gathered together.

The questions in the question data set may include all kinds of questions related to network security. For example, they may be questions about the user's personal information, such as the user's account information, commonly used IP addresses and the devices used; questions about the applications the user commonly uses, such as the names of frequently used applications, the time periods in which they are usually accessed and the time of the most recent access; questions about daily interactions, such as the name of the department, who the user reports to and which colleagues they communicate with regularly; questions about permissions, such as the user's role, which resources they may access and when their permissions were last modified; questions about the security of the data being accessed, such as whether it may be disclosed, its confidentiality level and whether it may be copied; or questions about correct use of the system, such as the network bandwidth used by the individual, the maximum throughput that can be supported and the maximum access frequency.

Then, in operation S302, the questions in the question data set are labelled and classified along different dimensions. The characteristics of each question, or the category it belongs to, can be marked in the form of labels. Different question category labels can be used for different dimensions, and the corresponding labels are attached to each question in the question data set.

For example, as mentioned in the description of operation S220 above, the collected questions can be divided according to threat type, with the corresponding threat type label attached to each question, so as to obtain a question set corresponding to each threat type. The candidate questions in operation S220 can then be selected from the question set corresponding to the relevant threat type, which makes the verification of the execution subject more targeted.

As another example, labels can be set along dimensions such as the characteristics of the questions, the similarity between questions, the difficulty of the questions and the importance of the questions. Such labels locate the features of a question more precisely, so that candidate questions can be selected in operation S220 according to their features and duplicate or redundant information can be removed quickly, for a better experience.

Specifically, in some embodiments the questions in the question set generated in operation S301 can be divided into a plurality of second categories according to the similarity between questions, and the questions in each second category can be marked with the same label, where questions in the same second category are similar. In this way, when candidate questions are selected from the question set in operation S220 above, at least one question can be selected from each of the plurality of second categories, and a comparable number of questions can be selected from each of the different second categories. This makes it possible to select questions that are as unrelated to each other as possible, avoiding duplicate or redundant information among the candidate questions and increasing their breadth.

When the question set is divided according to the similarity between questions, in one embodiment a clustering algorithm can be used: the question data in the question set is first vectorized and the vectorized data is then clustered, so that the question data within one cluster forms one second category. In another embodiment, similar questions (for example all those involving user information, or all those involving an operational procedure) can be grouped into one class manually, based on experience, and the questions within one class form one second category.

In some embodiments, when labels are attached after the question set has been divided according to the similarity between questions, a label value is set between different second categories according to the degree of correlation between the classes, and the label value reflects the degree of mutual exclusion or similarity between the questions. For example, a binary value in the range {0, 1} can be used to identify the correlation component between labels, with a higher correlation being closer to 1. Personal information and frequently used applications both concern the user's personal information or behaviour, so their similarity is relatively high; personal information and data security questions verify the authenticity of the object from the perspective of the subject and of the object respectively, so the similarity of such questions is relatively low. In this way, when candidate questions are selected from the question set in operation S220 above, more questions can be chosen, as far as possible, from second categories with lower correlation according to the label value.

In some embodiments, the questions in the question data set generated in operation S301 can be divided into a plurality of first categories according to the kind of characteristic the questions have; the questions in each first category have the same kind of characteristic and can be marked with the same label. The kinds of characteristic may include at least two: must be answered correctly, and errors are tolerated. In some implementations, the error-tolerated kind can be further divided into several kinds according to the probability or degree of error tolerated. In some implementations, the characteristics of a question may even include categories such as should not be answered correctly. For example, a question that must be answered correctly can be transformed into a misleading, error-inducing distractor question. This transformation can be static, for example with the transformed questions generated as part of the question data set. It can also be dynamic, for example a transformation performed while processing candidate questions into selected questions, that is, changing the characteristic of a question while generating selected questions from the candidate questions so as to produce distractor questions, such as the distractors mentioned in connection with Fig. 5 below. In this way, when candidate questions are selected from the question set in operation S220 above, at least one question can be selected from each of the plurality of first categories. This ensures that questions with each kind of characteristic are selected, which helps enrich the depth of the selected candidate questions.

When the question set is classified according to the kind of characteristic the questions have, a corresponding label can be set according to the characteristic of each question. For example, some questions must be answered correctly and some may be answered incorrectly: questions about information that is in frequent or current use, such as account information, the devices used, the department name and the individual's role, are questions the user must answer correctly, that is, their characteristic is must be answered correctly. As another example, for interaction questions such as the time of the last modification or the last login, the user is allowed a certain probability of error, so the characteristic of such questions is errors are tolerated. Likewise, relatively specialised settings such as the maximum supported throughput and the maximum access frequency may be answered with a certain margin of error, so their characteristic is also errors are tolerated; subdividing further by the level of error tolerance, these questions are relatively obscure and have a high error tolerance, and answering them accurately increases the likelihood that the object is genuine.

In some embodiments, the questions in the question set generated in operation S301 can also be divided into a plurality of third categories according to difficulty level, with the questions in each third category labelled with the label corresponding to the same difficulty level. Questions in the same third category have the same difficulty level. The difficulty levels may be set from human experience, or several levels may be set according to the frequency with which a question occurs and the probability of it being answered successfully, as determined from extensive statistics.

In this way, when candidate questions are selected from the question set in operation S220 above, at least one question can be deliberately selected from each of the plurality of third categories. This ensures that questions of every difficulty level are selected and helps guarantee the difficulty distribution of the selected candidate questions, where the difficulty distribution can be characterized by the distribution of the candidate questions finally selected in operation S220 across the difficulty levels.

In addition, in some embodiments, when the machine learning model in operation S210 above identifies the threat level at the same time as it identifies the suspicious security event and threat type, then when candidate questions are selected from the question set in operation S220, the number of questions and/or the difficulty distribution of the at least one candidate question can also be determined according to the threat level, and the candidate questions are then selected from the question set accordingly. The threat level is positively correlated with the number of questions and the difficulty of the questions, where the questions in the question set are pre-divided into a plurality of difficulty levels according to difficulty. For example, a mapping between the threat level and the number and difficulty of questions can be set in advance, so that the higher the preliminarily identified threat level, the more questions are selected in operation S220, and the more of them are difficult questions.

In some embodiments, the questions in the question data set generated in operation S301 can also be divided into a plurality of fourth categories according to importance level, with the questions in each fourth category labelled with the label corresponding to the same importance level. Questions in the same fourth category have the same importance level. In this way, in some embodiments, when candidate questions are selected from the question set in operation S220 above, they can be selected from the questions of every importance level, so that the importance of the selected questions is evenly distributed. Alternatively, in some embodiments, the number of questions at each importance level can be determined in operation S220 according to the identified threat level or the strictness with which the execution subject is to be evaluated, and the questions are selected accordingly.

It can be seen that, by labelling and classifying the questions in the question set along different dimensions in operation S302, the embodiments of the present disclosure provide more information on which to base the selection of candidate questions during active verification, quickly remove duplicate or redundant information, increase the depth and breadth of the selected candidate questions, make the verification of the execution subject of a security event more comprehensive, and achieve a better and more precise verification result.

Next, in operation S303, a random code can also be generated to guard against bot attacks. A random code can be drawn and mixed into the selected-question set, and sent to the execution subject of the suspicious security event together with the selected-question set in operation S240. The random code may be a random verification code configured as required, in image or character form, and is used to guard against attacks by bots.

After operations S301 to S303, the data preparation for the verification flow is essentially complete. Subsequently, when network security defense is carried out according to the flow shown in Fig. 2, the labels in the question data can be used in operation S220 to extract the questions under the corresponding labels, for example retrieving the questions with the relevant labels for each type of security threat; then, in operation S230, the corresponding selected questions are generated by combining them with information about specific entities such as the user or process, giving the selected-question set. Questions with different labels, in different numbers and with relatively low correlation can be selected according to the threat type and/or threat level of the security threat. For objects that fairly obviously pose a security threat, a few more questions can be selected in order to judge more accurately whether the action is genuine or a real threat exists.
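The selection and template-filling steps above (operations S220 and S230, drawing on the label dimensions of operation S302) as an added, runnable example; this is not the patent's own code. The question set, the label names (`identity`, `usage` and so on), the threat-type names (`impersonation`, `tamper`, `dos`), the threat-level policy table and the sample event are all constructed for the example; the description only states that question count and difficulty grow with the threat level, so the concrete numbers are assumptions.

```python
"""Added example (not the patent's code): candidate-question selection
(operation S220) and template filling (operation S230) over a labelled
question set. Everything below is constructed for illustration."""
import random
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    template: str
    threat_types: frozenset  # threat-type labels (S302)
    cluster: str             # similarity class, the "second category"
    characteristic: str      # "must" / "tolerant", the "first category"
    difficulty: int          # 1..3, the "third category"
    importance: int          # 1..3, the "fourth category"


# Constructed question set. [user], [application] and [data] are template slots.
QUESTION_SET = [
    Question("What is the account [user] usually uses?", frozenset({"impersonation", "dos"}), "identity", "must", 1, 3),
    Question("Which device does [user] normally log in from?", frozenset({"impersonation"}), "identity", "must", 1, 3),
    Question("Which department does [user] belong to?", frozenset({"impersonation"}), "interaction", "must", 1, 2),
    Question("When did [user] last log in to [application]?", frozenset({"impersonation", "tamper"}), "history", "tolerant", 2, 1),
    Question("Which role grants [user] access to [data]?", frozenset({"tamper"}), "permission", "must", 2, 3),
    Question("When were [user]'s permissions last modified?", frozenset({"tamper"}), "permission", "tolerant", 3, 1),
    Question("What is the confidentiality level of [data]?", frozenset({"tamper"}), "data", "must", 2, 2),
    Question("What is the maximum access frequency allowed for [application]?", frozenset({"dos"}), "usage", "tolerant", 3, 1),
    Question("What is the maximum throughput [application] supports?", frozenset({"dos"}), "usage", "tolerant", 3, 1),
]

# Assumed policy: threat level -> (number of questions, minimum share of
# questions with difficulty >= 2). Only the direction of this mapping
# comes from the description; the numbers are made up here.
THREAT_LEVEL_POLICY = {1: (3, 0.0), 2: (4, 0.5), 3: (6, 0.7)}

# Constructed suspicious event: entity information extracted per S230.
EVENT_ENTITIES = {"user": "alice", "application": "payroll-api", "data": "salary-table"}


def select_candidates(question_set, threat_type, threat_level, seed=0):
    """S220: take questions carrying the threat-type label, cover every
    similarity cluster and every characteristic at least once, then top up
    to the count for the threat level, preferring harder questions until
    the required hard share is reached."""
    rng = random.Random(seed)
    count, hard_share = THREAT_LEVEL_POLICY[threat_level]
    pool = [q for q in question_set if threat_type in q.threat_types]
    if not pool:
        raise ValueError(f"no questions labelled for threat type {threat_type!r}")
    chosen = []
    by_cluster = defaultdict(list)
    for q in pool:
        by_cluster[q.cluster].append(q)
    for cluster in sorted(by_cluster):                 # breadth: one per second category
        chosen.append(rng.choice(by_cluster[cluster]))
    for characteristic in sorted({q.characteristic for q in pool}):  # depth: one per first category
        if not any(q.characteristic == characteristic for q in chosen):
            chosen.append(rng.choice([q for q in pool if q.characteristic == characteristic]))
    remaining = [q for q in pool if q not in chosen]
    rng.shuffle(remaining)
    while len(chosen) < count and remaining:
        hard_now = sum(q.difficulty >= 2 for q in chosen) / len(chosen)
        want_hard = hard_now < hard_share
        pick = next((q for q in remaining if (q.difficulty >= 2) == want_hard), remaining[0])
        remaining.remove(pick)
        chosen.append(pick)
    return chosen[:count]


def fill_templates(candidates, entities):
    """S230: replace [slot] placeholders with entity information from the
    event. A template whose slot has no entity in the event is dropped
    rather than sent half-filled."""
    selected = []
    for q in candidates:
        slots = re.findall(r"\[(\w+)\]", q.template)
        if not all(s in entities for s in slots):
            continue
        text = q.template
        for s in slots:
            text = text.replace(f"[{s}]", entities[s])
        selected.append((text, q))
    return selected


if __name__ == "__main__":
    for text, q in fill_templates(select_candidates(QUESTION_SET, "impersonation", 2), EVENT_ENTITIES):
        print(f"[{q.cluster}/{q.characteristic}/d{q.difficulty}] {text}")
```

Running the module prints the filled questions for an `impersonation` event at threat level 2: one question from each similarity cluster, both characteristics represented, and the count topped up to four.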

When the selected-question set is sent in operation S240, the questions in the selected-question set can be shuffled and combined with random-code verification, ensuring that the questions are valid, accurately worded and have reasonable options; the set is then sent to the user or process, and the corresponding answer information is recorded.

Next, in the process of evaluating the answer information through operations S250 to S280, specific predetermined conditions or evaluation rules can also be set according to the label information in the various dimensions of the question set.

For example, in one embodiment, the predetermined condition is set as: all questions in the selected-question set whose characteristic is must be answered correctly are answered correctly.

In another embodiment, the predetermined condition can further be set as: provided that all questions in the selected-question set whose characteristic is must be answered correctly are answered correctly, the score of the answer information is greater than or equal to a preset threshold. The score of the answer information can be obtained from the correct/incorrect results produced by comparing the answer information with the historical records in the network system, combined with the scoring rule for each question, where the scoring rule for each question is preset and can be associated with the question's labels in one or more dimensions.

Fig. 4 schematically shows a flowchart of evaluating the answer information in the network security defense method according to an embodiment of the present disclosure.

As shown in Fig. 4, determining in operation S260 whether the comparison result satisfies the predetermined condition may specifically include operation S261 alone, or operations S261 to S265.

In operation S261, it is determined whether all questions in the selected-question set whose characteristic is must be answered correctly have been answered correctly. If so, operation S262 is performed. If not, it can be determined in operation S280 that the execution subject poses a threat.

Specifically, the answer result information indicating whether each question in the selected-question set was answered correctly can first be obtained by comparing the answer information with the corresponding information in the historical record data of the network system; the answer result information of the questions whose characteristic is must be answered correctly is then traversed to determine whether all of them were answered correctly.

According to this embodiment, when any question in the selected-question set whose characteristic is must be answered correctly has been answered incorrectly, it can be determined directly that the current suspicious security event is unsafe and that its execution subject (user or process) poses a threat. For example, if the user fails to answer correctly a question that must be answered correctly, such as account information or personal role, the authenticity of the user is seriously in doubt, and such an execution subject is directly determined to pose a security threat.

When all questions in the selected-question set whose characteristic is must be answered correctly have been answered correctly, the score of each question in the selected-question set can be obtained in operation S262 based on the answer result information of each question and the difficulty level corresponding to each question. As described above, the questions in the question set can be pre-divided into a plurality of difficulty levels according to difficulty. In this embodiment, the same scoring rule can be set for the questions at each difficulty level: for example, a correct answer to a question of a given difficulty level earns a given number of points, and a wrong answer deducts a given number of points or none. For instance, no points need be deducted for a wrong answer to an obscure, high-difficulty question. In this way, different scoring rules can be tied to attributes such as the difficulty and obscurity of a question: the more difficult or the more obscure a question, the higher the score for answering it correctly, and conversely the lower.

在操作S263,根据选题集中每个问题的重要程度等级,获取每个问题对应的权重,其中,问题集中的问题按照重要程度预先划分为多个重要程度等级,每个重要程度等级中的问题的权重相同。例如,可以预设各个重要程度等级与权重的映射关系。在一些实施例中,重要程度等级划分可以与问题的特性种类相一致的,这样可以根据问题所具有的特性来确定问题的权重。In operation S263, according to the importance level of each question in the selected topic set, the weight corresponding to each question is obtained, wherein, the questions in the question set are pre-divided into multiple importance levels according to the importance, and the questions in each importance level have the same weight. For example, the mapping relationship between various importance levels and weights may be preset. In some embodiments, the classification of the importance level may be consistent with the characteristic types of the question, so that the weight of the question may be determined according to the characteristic of the question.

在操作S264,基于选题集中所有问题的得分和每个问题对应的权重,得到答题信息的评分。可以对各个题目的得分进行加权求和,对总体的得分进行归一化处理。In operation S264, based on the scores of all the questions in the selected question set and the weights corresponding to each question, the score of the answer information is obtained. The scores of each topic can be weighted and summed, and the overall score can be normalized.

接下来在操作S265,判断答题信息的评分是否大于或等于预设阈值。若是,则在操作S270中确定执行主体不存在威胁。若否,则在操作S280中确定执行主体存在威胁。Next, in operation S265, it is judged whether the score of the answer information is greater than or equal to a preset threshold. If yes, it is determined in operation S270 that there is no threat to the execution subject. If not, it is determined in operation S280 that there is a threat to the execution subject.

以此方式,通过问题的各种特征或各个维度的标签,对答题信息进行不同的筛选和评分,与预设的阈值进行对比,从而可以精准地判断该对象是否存在安全威胁。In this way, through the various characteristics of the question or the labels of each dimension, the answer information is screened and scored differently, and compared with the preset threshold, so as to accurately determine whether the object has a security threat.
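The scoring chain of operations S261 to S265 is easier to follow in code. The following is an added example and not code from the patent: the question fields, the per-difficulty scoring table, the importance-to-weight mapping, the normalisation against the best achievable total and the 0.6 threshold are all assumptions chosen for illustration. It shows the two decisions a practitioner cares about: a failed must-answer question ends the evaluation before any scoring, and a missed hard question costs nothing while a missed medium one is deducted.

```python
"""Scoring of the answer information (operations S261 to S265).

Added example; this is not code from the patent. The question fields, the
per-difficulty scoring table, the importance-to-weight mapping, the
normalisation and the 0.6 threshold are assumptions.
"""
from dataclasses import dataclass

# Scoring rule shared by every question of one difficulty level (S262):
# (points for a correct answer, points deducted for a wrong answer).
# Assumption: rare, hard questions are worth more and are not penalised when missed.
DIFFICULTY_RULES = {
    "easy": (1, 1),
    "medium": (2, 1),
    "hard": (4, 0),
}

# Importance level -> weight (S263). Assumption: importance levels coincide with
# the kind of characteristic a question probes, so the weight follows that kind.
IMPORTANCE_WEIGHTS = {
    "identity": 3.0,   # account information, personal role
    "behaviour": 2.0,  # devices, applications, locations seen in the history
    "general": 1.0,
}


@dataclass(frozen=True)
class Question:
    qid: str
    difficulty: str        # key of DIFFICULTY_RULES
    importance: str        # key of IMPORTANCE_WEIGHTS
    must_be_correct: bool  # characteristic "must be answered correctly" (S261)
    expected: str          # value taken from the historical record data


@dataclass(frozen=True)
class Verdict:
    threat: bool
    score: float  # normalised to [0, 1]; 0.0 when a must-answer question failed
    reason: str


def _norm(value) -> str:
    """Canonicalise free-text answers before comparing them with the history."""
    return str(value or "").strip().lower()


def is_correct(q: Question, answers: dict) -> bool:
    return _norm(answers.get(q.qid)) == _norm(q.expected)


def question_score(q: Question, correct: bool) -> int:
    """S262: score of one question under the rule of its difficulty level."""
    gain, loss = DIFFICULTY_RULES[q.difficulty]
    return gain if correct else -loss


def evaluate(questions, answers: dict, threshold: float = 0.6) -> Verdict:
    """Run S261 to S265 on one answer set and return the verdict."""
    # S261: a wrong answer to any must-answer question decides the case at once.
    for q in questions:
        if q.must_be_correct and not is_correct(q, answers):
            return Verdict(True, 0.0, f"must-answer question {q.qid} failed")

    # S262 to S264: weighted sum of per-question scores, normalised by the
    # best achievable weighted total so that the threshold is scale-free.
    total = 0.0
    best = 0.0
    for q in questions:
        weight = IMPORTANCE_WEIGHTS[q.importance]
        total += weight * question_score(q, is_correct(q, answers))
        best += weight * DIFFICULTY_RULES[q.difficulty][0]
    score = max(0.0, total / best) if best else 0.0

    # S265: compare with the preset threshold.
    if score >= threshold:
        return Verdict(False, score, "score at or above threshold")
    return Verdict(True, score, "score below threshold")


# Constructed selected question set for one suspicious login (assumed values).
SAMPLE_QUESTIONS = [
    Question("q1", "easy", "identity", True, "ops-team"),       # personal role
    Question("q2", "easy", "identity", True, "alice"),          # account name
    Question("q3", "medium", "behaviour", False, "laptop-17"),  # usual device
    Question("q4", "hard", "behaviour", False, "2024-03-05"),   # last password change, rarely known
    Question("q5", "medium", "general", False, "shanghai"),     # usual location
]

if __name__ == "__main__":
    replies = {"q1": "Ops-Team", "q2": "alice", "q3": "laptop-17", "q4": "unknown", "q5": "shanghai"}
    print(evaluate(SAMPLE_QUESTIONS, replies))
```

With the sample set the best achievable weighted total is 20; missing only the hard question leaves 12/20 = 0.6, exactly at the threshold, whereas missing the two medium questions as well drops the score to 0.15 because those deduct points.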

Fig. 5 schematically shows a flowchart of a method for obtaining the selected question set in the network security defense method according to an embodiment of the present disclosure.

As shown in Fig. 5, in the network security defense method of the embodiment, obtaining the selected question set may include, in addition to operation S230 introduced above, operations S231 to S233.

In operation S231, other objects whose behavior characteristics are similar to those of the execution subject are obtained from the historical record data of the network system. When many such objects are found, several of them can be sampled at random. One concrete way of determining objects with similar behavior characteristics is described with Fig. 6 below.

Next, in operation S232, at least some of the candidate questions are processed on the basis of the information of those other objects to generate distractors.

Then, in operation S233, the distractors are added to the selected question set. That is, the candidate questions are processed using the information of other objects (users or processing procedures) whose behavior resembles the execution subject's, distractors are generated, and the distractors are added to the selected question set obtained in operation S230; together they form the questions to be investigated this time.

Fig. 6 schematically shows a flowchart of selecting other objects with similar behavior characteristics while obtaining the selected question set, according to an embodiment of the present disclosure.

As shown in Fig. 6, according to an embodiment of the present disclosure, operation S231 may include operations S601 to S603.

In operation S601, entity data is extracted from the historical record data of the network system to obtain multiple entities, which include the execution subject.

The historical record data of the network system includes data collected through various channels and at various granularities. Two collection methods, among others, are used: logs and traffic.

The collected data is processed to extract account, user, device, application, data and IP elements (that is, entity data), from which the multiple entities are obtained.

In operation S602, the behavior data of each of the multiple entities is extracted from the historical record data of the network system and arranged as a time series, giving the behavior characteristics of each entity.

Within the collected historical record data, an entity's behavior data can be tracked and organised continuously as a time series to form the entity's baseline information. The baseline information may be, for example, the time-ordered connection relationships between the entity and other entities, the connection frequency in each time period, and so on: for a given user or processing procedure, which accounts it holds, which applications it accesses, which files and which sensitive data it uses, which devices it uses, when it is online, and where it is located.

With baseline information available, the behavior of one entity can be compared with that of another. The behavior characteristics of an entity can be derived from its baseline information: in one embodiment the baseline information is used directly as the behavior characteristics; in another, the baseline information is encoded or digitised and the behavior characteristics are extracted from the result.

Next, in operation S603, other objects with behavior characteristics similar to the execution subject's are determined by judging the similarity between the behavior characteristics of the execution subject and those of the other entities.

There are many ways to judge similarity: comparing the cosine similarity or the distance between the vectors that represent two entities' behavior characteristics, or comparing the degree of overlap between the baseline information of two entities, among others.

According to the embodiment of the present disclosure, the execution subject is a user or a processing procedure, and the other objects with similar behavior characteristics are correspondingly users or processing procedures.

Thus the embodiments of the present disclosure can use the information of other objects whose behavior resembles the execution subject's to process the candidate questions into distractors. Adding distractors to the selected question set makes verification of the execution subject more intelligent and more accurate, improves the identification of network threats, and reduces the risk of missed threats or data loss.
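Operations S601 to S603 (baselines, behavior vectors, similarity) and S231 to S233 (distractors from similar peers) share one pipeline, so one added example serves both passages. This is not code from the patent: the log schema, the feature dimensions (including an hour-of-day bucket taken from the time series), the cosine threshold and the simplification that entities are users are assumptions. The point it makes that the text does not spell out is that a distractor must be a value a similar peer really used but the subject never did, otherwise it is either trivially wrong or a second correct answer.

```python
"""Behaviour baselines, similar-entity lookup and distractor generation
(operations S231 to S233 and S601 to S603).

Added example; this is not code from the patent. The log schema, the
feature dimensions, the cosine threshold and "entities are users" are
assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed access log, one record per application access (assumed schema).
LOGS = [
    {"ts": "2024-03-01T09:02", "user": "alice", "device": "laptop-17", "app": "payroll", "loc": "shanghai"},
    {"ts": "2024-03-02T09:10", "user": "alice", "device": "laptop-17", "app": "payroll", "loc": "shanghai"},
    {"ts": "2024-03-03T10:45", "user": "alice", "device": "laptop-17", "app": "mail",    "loc": "shanghai"},
    {"ts": "2024-03-01T09:15", "user": "bob",   "device": "laptop-22", "app": "payroll", "loc": "shanghai"},
    {"ts": "2024-03-02T09:20", "user": "bob",   "device": "laptop-22", "app": "payroll", "loc": "shanghai"},
    {"ts": "2024-03-01T23:05", "user": "carol", "device": "server-3",  "app": "deploy",  "loc": "beijing"},
    {"ts": "2024-03-02T23:10", "user": "carol", "device": "server-3",  "app": "deploy",  "loc": "beijing"},
    {"ts": "2024-03-03T23:30", "user": "carol", "device": "server-3",  "app": "deploy",  "loc": "beijing"},
    {"ts": "2024-03-01T09:40", "user": "dave",  "device": "laptop-09", "app": "payroll", "loc": "shanghai"},
    {"ts": "2024-03-02T10:05", "user": "dave",  "device": "laptop-09", "app": "mail",    "loc": "shanghai"},
]

DIMENSIONS = ("device", "app", "loc", "hour")


def _features(rec):
    """S602: the baseline keys one record contributes, incl. a time-of-day bucket."""
    rec = dict(rec, hour=rec["ts"][11:13])
    return [(dim, rec[dim]) for dim in DIMENSIONS]


def build_baselines(logs):
    """S601/S602: entity (user) -> Counter of (dimension, value) occurrences."""
    baselines = defaultdict(Counter)
    for rec in sorted(logs, key=lambda r: r["ts"]):  # keep time order
        baselines[rec["user"]].update(_features(rec))
    return baselines


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two sparse count vectors (one option named in S603)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similar_entities(baselines, subject, min_sim=0.5, k=3):
    """S603: other entities ranked by cosine similarity to the subject's vector."""
    ranked = sorted(
        ((cosine(baselines[subject], vec), ent) for ent, vec in baselines.items() if ent != subject),
        reverse=True,
    )
    return [ent for sim, ent in ranked if sim >= min_sim][:k]


def make_distractors(baselines, subject, peers, dim, n=3):
    """S232: values the peers really used but the subject never did, most common first."""
    used = {v for (d, v) in baselines[subject] if d == dim}
    pool = Counter()
    for peer in peers:
        for (d, v), count in baselines[peer].items():
            if d == dim and v not in used:
                pool[v] += count
    return [v for v, _ in pool.most_common(n)]


def build_question(baselines, subject, peers, dim):
    """S233: one multiple-choice question whose correct option comes from the
    subject's own baseline and whose distractors come from similar peers."""
    answer = max((c, v) for (d, v), c in baselines[subject].items() if d == dim)[1]
    # Sorted so that option position never leaks which one is correct.
    options = sorted([answer] + make_distractors(baselines, subject, peers, dim))
    return {"text": f"Which {dim} have you used most often recently?", "options": options, "answer": answer}


if __name__ == "__main__":
    base = build_baselines(LOGS)
    peers = similar_entities(base, "alice")
    print(peers, build_question(base, "alice", peers, "device"))
```

For alice, bob and dave share the payroll application, the Shanghai location and the morning hours and pass the 0.5 threshold; carol's night-time deployment work shares nothing and is excluded. The device question therefore gets laptop-22 and laptop-09 as distractors, while a location question gets none, because every similar peer sits in the same location as alice.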

According to an embodiment of the present disclosure, the predetermined condition used when evaluating the answer information in operations S270 and S280 may be a general condition set uniformly across the network system. In other embodiments, the strictness with which an execution subject is verified can be determined from the historical performance of the execution subject of the identified suspicious security event, and the corresponding predetermined condition set or adjusted according to certain principles, so that the predetermined condition is personalised to each execution subject.

Moreover, in some embodiments the predetermined condition may be obtained by dynamic adjustment according to the trend in the verification results obtained historically by verifying the execution subject with the verification process described above. A network system is itself in a process of dynamic change under the influence of its external environment, so the relevant parameters of the network system need to be adjusted dynamically. For example, while the number of users is small a looser judgement standard can be adopted; as the number of users grows the system accumulates samples and can judge security threats more accurately while reducing interaction friction.

Specifically, in one embodiment the predetermined condition used in operations S270 and S280 is the predetermined condition as most recently updated according to the cumulative verification result data for the execution subject. That cumulative verification result data is obtained by accumulating the stored verification result data produced by verifying the execution subject with the verification process described above.

Fig. 7 schematically shows a flowchart of the dynamic adjustment of the predetermined condition in the network security defense method according to an embodiment of the present disclosure.

As shown in Fig. 7, the network security defense method according to the embodiment may further include operations S701 to S704.

In operation S701, an initial predetermined condition is set. The initial predetermined condition may be a general condition set uniformly.

The cumulative verification result data for the execution subject is then updated continuously through operations S702 and S703.

Specifically, in operation S702, the verification result data obtained each time the execution subject is verified with the verification process of operations S210 to S280 is stored.

In operation S703, the cumulative verification result data for the execution subject is obtained by accumulating the stored verification result data.

Next, in operation S704, the predetermined condition is updated, periodically or otherwise, on the basis of the cumulative verification result data for the execution subject.

Each time the execution subject is actively verified through operations S210 to S280, verification result data for that subject is obtained, allowing it to be judged more precisely. The verification result data for the execution subject is saved and its trend analysed: if the subject's verification results are stable, the security threat alarm threshold for that subject in the predetermined condition can be lowered so that its access proceeds more smoothly; otherwise the threshold can be raised.

In this way the embodiments of the present disclosure dynamically adjust the predetermined condition applied when actively verifying an execution subject according to the verification result data, adapting the judgement standard for the subject to its cumulative verification results; this satisfies the security defense of the network system while increasing its flexibility.
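Operations S701 to S704 describe a feedback loop but leave the adjustment rule open. The following is an added example, not code from the patent: the criterion for "stable" results (no threat verdicts and a narrow score spread), the step size, the upper and lower bounds, the sliding window and the minimum sample count are all assumptions. The bounds are the caveat a practitioner would insist on: a threshold that can be relaxed without limit by a subject who simply keeps answering well would eventually stop verifying anything.

```python
"""Per-subject dynamic adjustment of the predetermined condition
(operations S701 to S704).

Added example; this is not code from the patent. The stability rule, the
step size, the bounds, the window length and the minimum sample count are
assumptions.
"""
from collections import defaultdict, deque

INITIAL_THRESHOLD = 0.6   # S701: uniform initial condition for every subject
MIN_THRESHOLD = 0.4       # assumption: never relax below this
MAX_THRESHOLD = 0.9       # assumption: never tighten above this
STEP = 0.05               # assumption: one step per update
WINDOW = 10               # assumption: only the most recent results count
MIN_SAMPLES = 5           # assumption: keep the uniform condition until then


class ThresholdPolicy:
    """Stored verification results (S702), their accumulation (S703) and the
    per-subject threshold derived from them (S704)."""

    def __init__(self):
        self._results = defaultdict(lambda: deque(maxlen=WINDOW))
        self._thresholds = {}

    def threshold_for(self, subject) -> float:
        return self._thresholds.get(subject, INITIAL_THRESHOLD)

    def record(self, subject, score: float, threat: bool) -> None:
        """S702: store one verification result (score in [0, 1] and the verdict)."""
        self._results[subject].append((score, threat))

    def summary(self, subject) -> dict:
        """S703: cumulative verification result data for one subject."""
        hist = list(self._results[subject])
        if not hist:
            return {"n": 0, "threat_rate": 0.0, "mean": 0.0, "spread": 0.0}
        scores = [s for s, _ in hist]
        return {
            "n": len(hist),
            "threat_rate": sum(1 for _, t in hist if t) / len(hist),
            "mean": sum(scores) / len(scores),
            "spread": max(scores) - min(scores),
        }

    def update(self, subject) -> float:
        """S704: move the subject's threshold one bounded step according to the trend."""
        s = self.summary(subject)
        t = self.threshold_for(subject)
        if s["n"] < MIN_SAMPLES:
            return t  # too few samples: stay on the looser uniform standard
        if s["threat_rate"] == 0.0 and s["spread"] <= 0.15:
            t = max(MIN_THRESHOLD, round(t - STEP, 3))  # stable: smoother access
        elif s["threat_rate"] >= 0.3:
            t = min(MAX_THRESHOLD, round(t + STEP, 3))  # repeatedly flagged: stricter
        self._thresholds[subject] = t
        return t


def verify_with_policy(policy: ThresholdPolicy, subject, score: float) -> bool:
    """One S270/S280 decision under the subject's current condition, then stored.
    Returns True when the subject is judged to pose a threat."""
    threat = score < policy.threshold_for(subject)
    policy.record(subject, score, threat)
    return threat


if __name__ == "__main__":
    policy = ThresholdPolicy()
    for score in (0.85, 0.9, 0.88, 0.92, 0.86, 0.9):
        verify_with_policy(policy, "alice", score)
    print(policy.summary("alice"), policy.update("alice"))
```

A subject whose six recent scores all pass with a spread of 0.06 is relaxed from 0.6 to 0.55 and then 0.5; a subject flagged in five of six verifications is tightened to 0.65, so a later score of 0.62 that would have passed under the uniform condition is now rejected.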

Fig. 8 schematically shows a flowchart of a network security defense method according to another embodiment of the present disclosure.

As shown in Fig. 8, the network security defense method according to this embodiment may include operations S801 to S807.

First, in operation S801, the network system is modeled from the perspective of security threats. The business is represented as data flows, focusing on the specific processing procedures, the types of data storage, the form of the data flows and the state of external entities. The purpose of the modeling is to make it easier, during subsequent data collection and monitoring, to determine the location, data and time point at which data is collected or monitored, and to give network security designers or administrators a basic framework for study.

A flow chart of the network system can be drawn according to the system to be built and the required context. It may contain the system relationships that represent how the systems work and interact with one another, and should also detail the data flow relationships of each part of the system. The processing procedures, data stores, data flows and external entities of main concern are described as follows.

A processing procedure represents an activity that can modify received input or redirect it to the corresponding output, such as a microservice that receives API call requests and forwards them to an API processing service, or validation of input data before it is written to a data store.

A data store holds data temporarily or permanently, for example session-related data stored by the browser or security log entries appended to a file.

A data flow is the communication between a data source and a target, for example credentials submitted by a user to access a service, or a request issued by a processing procedure to add content to a data store; data flows are the interactions between the elements of the system, including outputs and responses and the way they are transmitted.

An external entity can be another processing procedure or data store, or even a complete system outside direct control, such as a user interacting with the system or a service created by another team.

Building a system security threat model in this way benefits risk management throughout the development process: discovered security threats can be tracked and managed, threats can be found and effective countermeasures designed before the system goes live, and a security review of the system at the design stage reduces security threat problems and lowers cost.

In operation S802, the threat types that may exist in the system are summarised and data is collected.

Specifically, the threat types that may arise in the system are compiled and the corresponding data collected for each. According to statistical analysis, the threat types present in a network system can be grouped roughly into several kinds: an attacker impersonating a user or processing procedure, an attacker maliciously modifying data, and an attacker maliciously using the system so that it can no longer provide normal service.

Different data can be collected for real-time monitoring of each of these threat types. Different collection methods yield different data types and granularities; two methods, among others, are used: logs and traffic. With the log method, log data is produced according to the rules for data format and content provided in advance by the devices and the network system; likewise, installed agents produce log data of various kinds, and the log data is sent to a log collector. As log content grows from sparse to rich and its granularity from coarse to fine, the resources occupied increase, so uniform rules are needed to retain log information for a fixed period, after which earlier information is deleted and must therefore be processed in advance. With the traffic method, a switch copies the network traffic and sends it to a traffic collector. Network traffic is real and real-time, contains more comprehensive information, is not intrusive to the current system, and is convenient and flexible to deploy.
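Operations S801 and S802 say that the threat model is what decides where data is collected, but do not show the step from one to the other. The following is an added example and not code from the patent: the four element kinds follow the page, while the trust zones, the rules that attach the three listed threat types (impersonation, data modification, denial of service) to a data flow, and the choice of traffic mirroring at zone boundaries versus logs inside a zone are assumptions. Each data flow of the model becomes a monitoring entry that names the threats to watch and the collection method to use.

```python
"""From the threat model to collection points (operations S801 and S802).

Added example; this is not code from the patent. The element kinds follow
the page; the trust zones, the threat-attachment rules and the log/traffic
choice are assumptions.
"""
from dataclasses import dataclass

# The three threat types listed for S802.
SPOOFING = "attacker impersonates a user or process"
TAMPERING = "attacker maliciously modifies data"
DOS = "attacker abuses the system so it cannot serve normally"


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "process" | "store" | "external"
    zone: str   # assumed trust zone: "internet" | "dmz" | "internal"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str   # what travels on the flow


# Constructed model of a small account service (assumed topology).
ELEMENTS = {e.name: e for e in [
    Element("user", "external", "internet"),
    Element("partner_service", "external", "internet"),
    Element("api_gateway", "process", "dmz"),
    Element("account_service", "process", "internal"),
    Element("account_db", "store", "internal"),
    Element("audit_log", "store", "internal"),
]}

FLOWS = [
    Flow("user", "api_gateway", "login credentials"),
    Flow("partner_service", "api_gateway", "signed API requests"),
    Flow("api_gateway", "account_service", "validated API calls"),
    Flow("account_service", "account_db", "account updates"),
    Flow("account_service", "audit_log", "security log entries"),
]


def crosses_boundary(flow: Flow, elements) -> bool:
    """True when the flow leaves one trust zone for another."""
    return elements[flow.src].zone != elements[flow.dst].zone


def threats_on(flow: Flow, elements) -> list:
    """Assumed rules: identity can be faked wherever an external entity or a
    zone crossing feeds a flow; data can be modified wherever a flow writes a
    store; a process reachable across a zone boundary can be flooded."""
    src, dst = elements[flow.src], elements[flow.dst]
    found = set()
    if src.kind == "external" or crosses_boundary(flow, elements):
        found.add(SPOOFING)
    if dst.kind == "store":
        found.add(TAMPERING)
    if dst.kind == "process" and crosses_boundary(flow, elements):
        found.add(DOS)
    return sorted(found)


def monitoring_plan(elements, flows) -> list:
    """S802: for every flow, which threat types to watch and how to collect."""
    plan = []
    for f in flows:
        threats = threats_on(f, elements)
        if not threats:
            continue
        # Assumption: mirror traffic on boundary crossings (non-intrusive, real
        # time); rely on application and device logs for flows inside one zone.
        method = "traffic" if crosses_boundary(f, elements) else "log"
        plan.append({"flow": f"{f.src}->{f.dst}", "data": f.data, "threats": threats, "collect": method})
    return plan


if __name__ == "__main__":
    for entry in monitoring_plan(ELEMENTS, FLOWS):
        print(entry)
```

On this model the two inbound flows and the gateway-to-service hop are watched for impersonation and denial of service from mirrored traffic, while the two writes to internal stores are watched for data modification from logs; the audit log itself is a store and therefore a tampering target, which is the usual argument for write-once or remote log storage.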

Next, in operation S803, the collected data is processed for preliminary anomaly detection to identify suspicious security events. Operation S210 described above is one specific embodiment of the security monitoring of operation S803.

Specifically, various machine learning algorithms, such as random forests, support vector machines, K-Means clustering and neural networks, can be used for anomaly detection, identifying and discovering security threats by analysing the contrasting characteristics of individuals and groups together.

Because the identification result of operation S803 is only preliminary and will later be checked actively through the verification process, the machine learning model used here need not have many layers; this shortens analysis time and avoids the accumulation of errors that multi-step processing tends to cause. Compared with a scheme in which the machine learning model alone produces the final judgement, the embodiments of the present disclosure reduce the number of subsystems linked to the model, the number of processing layers and the difficulty of processing, and react faster. The anomaly detection results output by the model can then be corrected through the subsequent active verification described below.

The data on which the machine learning algorithm is trained can come from the historical record data of the network system. Processing the historical record data yields the baseline information of each entity in the network system. Once baseline information for users and entities is available, it can be combined with data of various kinds to train a machine learning model for automated process analysis of security events. Most security events are hard to discover from one or two dimensions of analysis alone and must be considered across multiple dimensions, such as time, network layer and security business object; for example, real-time correlation analysis can be performed across the user, device, application and data dimensions, not as a one-off event but as an automated and continuous process.

Next, in operation S804, it is judged whether the result of the preliminary detection is abnormal. If so, active verification is performed through operations S805 and S806 using the verification process prepared in advance. If not, detection of the current event ends directly in operation S807.

Specifically, in operation S805, the questions under the corresponding labels are extracted. As described for operation S220 above, the questions carrying the label that corresponds to the detected threat type are first identified within the overall question set to obtain the range of questions that can be drawn from; candidate questions are then drawn from that range according to their difficulty level labels, characteristic kind labels, similarity or mutual exclusion labels, and so on.

After the questions are extracted, the candidate questions can be processed as shown in operation S230, or in operations S230 and S231 to S233, to obtain a selected question set that can be used for the interaction. In some embodiments a random verification code can also be added to the selected question set before it is sent. When the selected question set is sent to the execution subject of the suspicious security event (a user or processing procedure), the order of the questions can be scrambled; the execution subject's replies to the selected question set are then obtained as the answer information, as described for operation S240.
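The two-step draw of operation S805 (restrict to the threat-type label, then pick by difficulty and similarity labels) and the scrambling and verification code mentioned for the sent set can be shown in one routine. The following is an added example and not code from the patent: the question bank, the label vocabulary, the per-difficulty quota and the way the verification code is generated are assumptions. Two practitioner details are built in: questions from one similarity cluster are mutually exclusive so the set never contains two variants of the same question, and the draw uses a system randomness source by default so the subject cannot predict which questions it will be asked.

```python
"""Drawing candidate questions by label (operation S805, following S220).

Added example; this is not code from the patent. The question bank, the
label vocabulary, the per-difficulty quota and the verification code are
assumptions.
"""
import random
import secrets

# Constructed question bank. "cluster" groups similar questions: two questions
# from one cluster count as similar and must not both be drawn (mutual exclusion).
BANK = [
    {"qid": "q01", "threats": {"spoofing"}, "difficulty": "easy", "feature": "identity", "cluster": "role"},
    {"qid": "q02", "threats": {"spoofing"}, "difficulty": "easy", "feature": "identity", "cluster": "role"},
    {"qid": "q03", "threats": {"spoofing"}, "difficulty": "easy", "feature": "identity", "cluster": "account"},
    {"qid": "q04", "threats": {"spoofing", "tampering"}, "difficulty": "medium", "feature": "behaviour", "cluster": "device"},
    {"qid": "q05", "threats": {"spoofing"}, "difficulty": "medium", "feature": "behaviour", "cluster": "location"},
    {"qid": "q06", "threats": {"spoofing"}, "difficulty": "hard", "feature": "behaviour", "cluster": "last_change"},
    {"qid": "q07", "threats": {"tampering"}, "difficulty": "medium", "feature": "behaviour", "cluster": "last_write"},
    {"qid": "q08", "threats": {"denial_of_service"}, "difficulty": "easy", "feature": "behaviour", "cluster": "rate"},
]


def in_scope(bank, threat_type):
    """First step of S805: only questions labelled with the detected threat type."""
    return [q for q in bank if threat_type in q["threats"]]


def draw_questions(bank, threat_type, quota, rng=None):
    """Second step: draw quota[difficulty] questions per difficulty level from the
    in-scope range, never two from one similarity cluster, then scramble the order
    and attach a verification code to the set that is sent out.

    rng exists so tests can pass a seeded random.Random; by default SystemRandom
    is used so the draw is not predictable to the subject being verified."""
    rng = rng or random.SystemRandom()
    pool = in_scope(bank, threat_type)
    rng.shuffle(pool)
    chosen, used_clusters = [], set()
    for difficulty, count in quota.items():
        taken = 0
        for q in pool:
            if taken == count:
                break
            if q["difficulty"] == difficulty and q["cluster"] not in used_clusters:
                chosen.append(q)
                used_clusters.add(q["cluster"])
                taken += 1
        if taken < count:
            raise ValueError(f"only {taken} {difficulty} question(s) for {threat_type}")
    rng.shuffle(chosen)  # scrambled order before sending
    # Verification code bound to this set; generated from the OS entropy source.
    return {"code": secrets.token_hex(4), "questions": [q["qid"] for q in chosen]}


if __name__ == "__main__":
    print(draw_questions(BANK, "spoofing", {"easy": 2, "medium": 1, "hard": 1}))
```

Asking for two easy spoofing questions always yields one from the "role" cluster and one from the "account" cluster, never both role variants; asking for two easy denial-of-service questions fails loudly, which is preferable to silently sending a smaller set that the scoring step would then grade on a different scale.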

Next, in operation S806, the feedback results for the questions are evaluated; see the detailed description of evaluating the answer information in operations S250 to S280 above.

Finally, the evaluation result information obtained in operation S806 can be fed back dynamically to the machine learning model used for the preliminary identification of suspicious security events, so that the model keeps learning and updating; the predetermined condition used in the evaluation of operation S806 can likewise be adjusted dynamically on the basis of that evaluation result information, improving the flexibility of the network system's security protection.

Thus, according to the embodiments of the present disclosure, the network system can be modeled from the perspective of security threats according to the system and its context, the threats that may exist in the system compiled and data collected, preliminary anomaly detection performed on the network system from data collected in real time, and users or processing procedures suspected of posing a security threat verified with a verification process arranged in advance. On the premise that the accuracy of security threat verification is ensured, this reduces the variety of data types and the depth of model hierarchy needed for automatic anomaly detection, lowering the complexity of the machine learning model employed.

According to the embodiments of the present disclosure, users can be actively guided so that suspicious users enter a verification process arranged in advance for further verification, which avoids the risk that a missed or mistaken identification by the model leads to the loss of real data.

According to some embodiments of the present disclosure, the identity and authority of a user or processing procedure can be verified further, and the system dynamically adjusts the judgement standard for the user or processing procedure according to its verification information, satisfying system security while increasing the flexibility of the system.

基于上述各个实施例的网络安全防御方法,本公开实施例还提供了一种网络安全防御装置。以下将结合图9对该网络安全防御装置900进行详细描述。Based on the network security defense method in each of the foregoing embodiments, an embodiment of the present disclosure further provides a network security defense device. The network security defense device 900 will be described in detail below with reference to FIG. 9 .

图9示意性示出了根据本公开实施例的网络安全防御装置900的结构框图。Fig. 9 schematically shows a structural block diagram of a network security defense device 900 according to an embodiment of the present disclosure.

如图9所示,根据本公开的实施例,该网络安全防御装置900包括初步识别模块910和主动验证模块920。As shown in FIG. 9 , according to an embodiment of the present disclosure, the network security defense device 900 includes a preliminary identification module 910 and an active verification module 920 .

初步识别模块910用于基于对网络系统的监控,识别网络系统中存在的可疑安全事件及其威胁类型。在一个实施例中,初步识别模块910可以执行前文介绍的操作S210。The preliminary identification module 910 is configured to identify suspicious security events and their threat types existing in the network system based on the monitoring of the network system. In one embodiment, the preliminary identification module 910 may perform operation S210 described above.

主动验证模块920用于采用事先编排好的验证流程,对可疑安全事件的执行主体进行验证。The active verification module 920 is used to verify the execution subject of the suspicious security event by adopting a pre-arranged verification process.

具体地,主动验证模块920可以包括获取子模块921、选题生成子模块922、答题子模块923和答题评估子模块924。Specifically, the active verification module 920 may include an acquisition submodule 921 , a topic generation submodule 922 , an answer submodule 923 and an answer evaluation submodule 924 .

获取子模块921用于从针对威胁类型预先设置的问题集中获取至少一个备选问题。在一个实施例中,获取子模块921可以执行前文介绍的操作S220。The obtaining submodule 921 is used to obtain at least one candidate question from the preset question set for the threat type. In one embodiment, the obtaining submodule 921 may perform operation S220 described above.

选题生成子模块922用于基于可疑安全事件中的实体的信息,对至少一个备选问题进行加工处理,得到选题集,其中,可疑安全事件中的实体包括可疑安全事件中的执行主体。在一个实施例中,选题生成子模块922可以执行前文介绍的操作S230。在另一些实施例中,选题生成子模块922还可以执行前文介绍的操作S231~操作S233。The topic generation sub-module 922 is used to process at least one candidate question based on the information of the entities in the suspicious security event to obtain a topic set, wherein the entity in the suspicious security event includes the execution subject in the suspicious security event. In one embodiment, the topic generation sub-module 922 may perform the operation S230 described above. In some other embodiments, the topic selection generation submodule 922 may also perform operation S231 to operation S233 described above.

答题子模块923用于将选题集发送给执行主体,并获得执行主体对选题集中的问题进行答复而返回的答题信息。在一个实施例中,答题子模块923可以执行前文介绍的操作S240。The answer sub-module 923 is used to send the selected topic set to the execution subject, and obtain the answer information returned by the execution subject to answer the questions in the selected topic set. In one embodiment, the question answering sub-module 923 may perform operation S240 described above.

答题评估子模块924用于:对比答题信息与网络系统的历史记录数据中的对应信息,得到对比结果;当对比结果满足预定条件时,确定执行主体不存在威胁;以及当对比结果不满足预定条件时,确定执行主体存在威胁。在一个实施例中个,答题评估子模块924可以执行前文介绍的操作S260~操作S280。The answer evaluation sub-module 924 is used to: compare the answer information with the corresponding information in the historical record data of the network system to obtain the comparison result; when the comparison result meets the predetermined condition, determine that there is no threat to the execution subject; and when the comparison result does not meet the predetermined condition , it is determined that there is a threat to the execution subject. In one embodiment, the answer evaluation sub-module 924 may perform the operations S260 to S280 described above.

根据本公开的另一些实施例,该网络安全防御装置900还可以进一步包括问题集生成模块930、预定条件动态设置模块940和/或实体行为分析模块950。According to other embodiments of the present disclosure, the network security defense device 900 may further include a question set generation module 930 , a predetermined condition dynamic setting module 940 and/or an entity behavior analysis module 950 .

问题集生成模块930可以收集并生成大量的问题,并且可以从不同维度对生成的问题进行分类,例如,可以以标签的方式标识每个问题所属的类别。例如,问题集生成模块930可以将生成的问题按照威胁类型分类,给属于对应威胁类型的问题添加相应的标签。又例如,问题集生成模块930可以将生成的问题,按照特性的种类和/或问题的难度等级设置标签,进行问题分类。再例如,问题集生成模块930可以将生成的问题进行聚类,或者凭借经验按照问题之间的相似度进行分类,其中同一个类内的问题可以设置相同的标签,视为相似问题,不同类之间的问题,可以视为是互斥问题。The question set generation module 930 can collect and generate a large number of questions, and can classify the generated questions from different dimensions, for example, the category to which each question belongs can be identified in the form of labels. For example, the question set generating module 930 may classify the generated questions according to threat types, and add corresponding tags to questions belonging to corresponding threat types. For another example, the question set generating module 930 may set labels for the generated questions according to the types of characteristics and/or difficulty levels of the questions, and classify the questions. For another example, the question set generation module 930 can cluster the generated questions, or classify the questions according to the similarity between questions based on experience, wherein questions in the same class can be set with the same label, which can be regarded as similar questions. The problem between them can be regarded as a mutually exclusive problem.

The predetermined condition dynamic setting module 940 can be used to: set an initial predetermined condition; and update the predetermined condition based on the cumulative verification result data corresponding to the execution subject. Updating the predetermined condition specifically includes: storing the verification result data obtained each time the execution subject is verified with the verification process; accumulating the stored verification result data to obtain the cumulative verification result data corresponding to the execution subject; and updating the predetermined condition periodically or irregularly based on the cumulative verification result data corresponding to the execution subject. In one embodiment, the predetermined condition dynamic setting module 940 may perform the aforementioned operations S701 to S704.

The entity behavior analysis module 950 can be used to extract entity data from the historical record data of the network system to obtain multiple entities, the multiple entities including the execution subject; to extract, from the historical record data of the network system, the behavior data of each of the multiple entities and form it into a time series, obtaining the behavior features of each entity; and to determine, by judging the similarity between the behavior features of the execution subject and those of the other entities among the multiple entities, the other objects whose behavior features resemble those of the execution subject. Once the other objects similar to the execution subject are obtained, the question selection generation sub-module 922 can use the information of those other objects to process and transform the candidate questions, generate distractors, and then expand the selected question set with the distractors. In one embodiment, the entity behavior analysis module 950 may perform operations S601 to S603 described above.
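The behavior analysis of module 950 (operations S601 to S603) and the distractor generation of sub-module 922, as an added Python example that is not the patent's own code. It assumes a hypothetical record format (dicts with ts, entity, action and host), fixed-width time buckets for the behavior time series and cosine similarity as the similarity judgment; the history records are constructed.

```python
import math

# Constructed sample history records (hypothetical log format: one dict per event).
HISTORY = [
    {"ts": 0,   "entity": "user_a", "action": "login",  "host": "db01"},
    {"ts": 10,  "entity": "user_a", "action": "query",  "host": "db01"},
    {"ts": 70,  "entity": "user_a", "action": "query",  "host": "db01"},
    {"ts": 80,  "entity": "user_a", "action": "export", "host": "db01"},
    {"ts": 5,   "entity": "user_b", "action": "login",  "host": "db02"},
    {"ts": 15,  "entity": "user_b", "action": "query",  "host": "db02"},
    {"ts": 75,  "entity": "user_b", "action": "query",  "host": "db02"},
    {"ts": 85,  "entity": "user_b", "action": "export", "host": "db02"},
    {"ts": 30,  "entity": "user_c", "action": "export", "host": "db03"},
    {"ts": 95,  "entity": "user_c", "action": "export", "host": "db03"},
    {"ts": 100, "entity": "user_c", "action": "export", "host": "db03"},
]

BUCKET_SECONDS = 60  # hypothetical bucket width for the behavior time series


def extract_entities(records):
    """S601: the distinct entities that appear in the history records."""
    return sorted({r["entity"] for r in records})


def behaviour_features(records, bucket=BUCKET_SECONDS):
    """S602: per entity, a time series of action counts per bucket, flattened to one vector.
    Vector layout: bucket 0 counts for each action, then bucket 1 counts, and so on."""
    actions = sorted({r["action"] for r in records})
    n_buckets = max(r["ts"] for r in records) // bucket + 1
    feats = {e: [0.0] * (len(actions) * n_buckets) for e in extract_entities(records)}
    for r in records:
        idx = (r["ts"] // bucket) * len(actions) + actions.index(r["action"])
        feats[r["entity"]][idx] += 1.0
    return feats


def cosine(u, v):
    """Cosine similarity of two equal-length vectors; 0.0 when either is all zeros."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def similar_entities(feats, subject, min_similarity=0.8):
    """S603: the other entities whose behavior vector is close to the subject's."""
    return sorted(e for e, v in feats.items()
                  if e != subject and cosine(feats[subject], v) >= min_similarity)


def last_host(records, entity):
    """The host of the entity's most recent event, used as the 'correct' answer."""
    return max((r for r in records if r["entity"] == entity), key=lambda r: r["ts"])["host"]


def build_question(records, subject, others):
    """Sub-module 922: rewrite a candidate question so that the subject's own history gives
    the correct answer and the similar entities' history supplies the distractors."""
    correct = last_host(records, subject)
    distractors = sorted({last_host(records, o) for o in others} - {correct})
    return {"text": "Which host did you access in your most recent session?",
            "answer": correct,
            "options": sorted([correct, *distractors])}


if __name__ == "__main__":
    feats = behaviour_features(HISTORY)
    peers = similar_entities(feats, "user_a")
    print(peers, build_question(HISTORY, "user_a", peers))
```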

The network security defense apparatus 900 can perform the network security defense method described with reference to FIG. 2 to FIG. 8; refer to the description above for details, which are not repeated here.

According to embodiments of the present disclosure, any number of the preliminary identification module 910, active verification module 920, acquisition sub-module 921, question selection generation sub-module 922, answering sub-module 923, answer evaluation sub-module 924, question set generation module 930, predetermined condition dynamic setting module 940 and entity behavior analysis module 950 may be combined and implemented in one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the preliminary identification module 910, active verification module 920, acquisition sub-module 921, question selection generation sub-module 922, answering sub-module 923, answer evaluation sub-module 924, question set generation module 930, predetermined condition dynamic setting module 940 and entity behavior analysis module 950 may be at least partially implemented as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on a substrate, a system in a package, an application-specific integrated circuit (ASIC), or by hardware or firmware in any other reasonable way of integrating or packaging circuits, or by any one of the three implementations of software, hardware and firmware, or by any suitable combination of them. Alternatively, at least one of the preliminary identification module 910, active verification module 920, acquisition sub-module 921, question selection generation sub-module 922, answering sub-module 923, answer evaluation sub-module 924, question set generation module 930, predetermined condition dynamic setting module 940 and entity behavior analysis module 950 may be at least partially implemented as a computer program module which, when run, performs the corresponding function.

FIG. 10 schematically shows a block diagram of an electronic device 1000 suitable for implementing the network security defense method according to an embodiment of the present disclosure.

As shown in FIG. 10, the electronic device 1000 according to an embodiment of the present disclosure includes a processor 1001, which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage section 1008 into a random access memory (RAM) 1003. The processor 1001 may include, for example, a general-purpose microprocessor (such as a CPU), an instruction set processor and/or related chipsets, and/or a special-purpose microprocessor (for example, an application-specific integrated circuit (ASIC)), and so on. The processor 1001 may also include on-board memory for caching purposes. The processor 1001 may include a single processing unit or multiple processing units for performing the different actions of the method flow according to embodiments of the present disclosure.

The RAM 1003 stores the various programs and data required for the operation of the electronic device 1000. The processor 1001, the ROM 1002 and the RAM 1003 are connected to each other via a bus 1004. The processor 1001 performs the various operations of the method flow according to embodiments of the present disclosure by executing the programs in the ROM 1002 and/or the RAM 1003. Note that the programs may also be stored in one or more memories other than the ROM 1002 and the RAM 1003. The processor 1001 may also perform the various operations of the method flow according to embodiments of the present disclosure by executing programs stored in those one or more memories.

According to an embodiment of the present disclosure, the electronic device 1000 may further include an input/output (I/O) interface 1005, which is also connected to the bus 1004. The electronic device 1000 may further include one or more of the following components connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse and the like; an output section 1007 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker and the like; a storage section 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card or a modem. The communication section 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the I/O interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1010 as needed, so that a computer program read from it is installed into the storage section 1008 as needed.

Embodiments of the present disclosure also provide a computer-readable storage medium, which may be included in the device/apparatus/system described in the above embodiments, or may exist on its own without being assembled into that device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to embodiments of the present disclosure.

According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but without limitation, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include the ROM 1002 and/or the RAM 1003 described above and/or one or more memories other than the ROM 1002 and the RAM 1003.

Embodiments of the present disclosure also include a computer program product comprising a computer program that contains program code for performing the method shown in the flowcharts. When the computer program product runs in a computer system, the program code causes the computer system to implement the method provided by embodiments of the present disclosure.

When the computer program is executed by the processor 1001, the above functions defined in the system/apparatus of embodiments of the present disclosure are performed. According to embodiments of the present disclosure, the systems, apparatuses, modules, units and the like described above may be implemented by computer program modules.

In one embodiment, the computer program may reside on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of a signal over a network medium, downloaded and installed through the communication section 1009, and/or installed from the removable medium 1011. The program code contained in the computer program may be transmitted over any appropriate network medium, including but not limited to wireless, wired and the like, or any suitable combination of the above.

In such an embodiment, the computer program may be downloaded from a network and installed through the communication section 1009, and/or installed from the removable medium 1011. When the computer program is executed by the processor 1001, the above functions defined in the system of embodiments of the present disclosure are performed. According to embodiments of the present disclosure, the systems, devices, apparatuses, modules, units and the like described above may be implemented by computer program modules.

According to embodiments of the present disclosure, the program code for executing the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; specifically, these computing programs may be implemented in high-level procedural and/or object-oriented programming languages and/or in assembly/machine language. Programming languages include, but are not limited to, Java, C++, Python, the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowcharts or block diagrams may represent a module, program segment or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a special-purpose hardware-based system that performs the specified functions or operations, or by a combination of special-purpose hardware and computer instructions.

Those skilled in the art will appreciate that the features described in the various embodiments and/or claims of the present disclosure may be combined in many ways, even if such combinations are not explicitly described in the present disclosure. In particular, the features described in the various embodiments and/or claims of the present disclosure may be combined in many ways without departing from the spirit and teaching of the present disclosure. All such combinations fall within the scope of the present disclosure.

The embodiments of the present disclosure have been described above. However, these embodiments are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the various embodiments have been described separately above, this does not mean that the measures of the various embodiments cannot be used in combination to advantage. The scope of the present disclosure is defined by the appended claims and their equivalents. Those skilled in the art can make various substitutions and modifications without departing from the scope of the present disclosure, and all such substitutions and modifications fall within the scope of the present disclosure.

Claims (14)

1. A network security defense method, comprising:
identifying, based on monitoring of a network system, a suspicious security event present in the network system and its threat type; and
verifying the execution subject of the suspicious security event using a pre-arranged verification process, including:
obtaining at least one candidate question from a question set preset for the threat type;
processing the at least one candidate question based on information of entities in the suspicious security event to obtain a selected question set, where the entities in the suspicious security event include the execution subject of the suspicious security event;
sending the selected question set to the execution subject and obtaining the answer information returned by the execution subject in reply to the questions in the selected question set;
comparing the answer information with the corresponding information in the historical record data of the network system to obtain a comparison result;
when the comparison result satisfies a predetermined condition, determining that the execution subject poses no threat; and
when the comparison result does not satisfy the predetermined condition, determining that the execution subject poses a threat.

2. The method according to claim 1, wherein obtaining the selected question set further comprises:
obtaining, based on the historical record data in the network system, other objects having behavior features similar to those of the execution subject;
processing at least some of the at least one candidate question based on the information of the other objects to generate distractors; and
expanding the selected question set with the distractors.

3. The method according to claim 2, wherein obtaining, based on the historical record data in the network system, other objects having behavior features similar to those of the execution subject comprises:
extracting entity data from the historical record data of the network system to obtain multiple entities, the multiple entities including the execution subject;
extracting, from the historical record data of the network system, the behavior data of each of the multiple entities and forming it into a time series to obtain the behavior features of each entity; and
determining, by judging the similarity between the behavior features of the execution subject and those of the other entities among the multiple entities, the other objects having behavior features similar to those of the execution subject.

4. The method according to claim 1, wherein the questions in the question set are divided into multiple second categories according to the similarity between questions, the questions within the same second category being similar; and obtaining at least one candidate question from the question set preset for the threat type comprises:
selecting at least one question from each of the multiple second categories to obtain the at least one candidate question.

5. The method according to any one of claims 1 to 4, wherein the questions in the question set are divided into multiple first categories according to the kind of characteristic they have, the questions in each first category having the same kind of characteristic; and obtaining at least one candidate question from the question set preset for the threat type comprises:
selecting at least one question from each of the multiple first categories to obtain the at least one candidate question;
wherein the kinds of characteristic include at least the two kinds "must be answered correctly" and "errors are tolerated".

6. The method according to claim 5, wherein the predetermined condition includes that all questions in the selected question set whose characteristic is "must be answered correctly" are answered correctly.

7. The method according to claim 6, wherein comparing the answer information with the corresponding information in the historical record data of the network system to obtain a comparison result comprises:
obtaining, based on the comparison of the answer information with the corresponding information in the historical record data of the network system, answer result information indicating whether each question in the selected question set was answered correctly; and
traversing the answer result information of the questions in the selected question set whose characteristic is "must be answered correctly" to determine whether all of those questions were answered correctly.

8. The method according to claim 6, wherein the predetermined condition further includes: where all questions in the selected question set whose characteristic is "must be answered correctly" are answered correctly, the score of the answer information is greater than or equal to a preset threshold;
and wherein comparing the answer information with the corresponding information in the historical record data of the network system to obtain a comparison result further comprises:
where all questions in the selected question set whose characteristic is "must be answered correctly" are answered correctly, obtaining the score of each question in the selected question set based on the answer result information of each question and the difficulty level corresponding to each question, wherein the questions in the question set are pre-divided into multiple difficulty levels according to difficulty and the scoring rule is the same for the questions within each difficulty level;
obtaining the weight corresponding to each question according to the importance level of each question in the selected question set, wherein the questions in the question set are pre-divided into multiple importance levels according to importance and the questions within each importance level have the same weight; and
obtaining the score of the answer information based on the scores of all questions in the selected question set and the weight corresponding to each question.

9. The method according to claim 1, wherein the predetermined condition is a predetermined condition updated according to the cumulative verification result data corresponding to the execution subject, and the method further comprises:
setting the initial predetermined condition; and
updating the predetermined condition based on the cumulative verification result data corresponding to the execution subject, including:
storing the verification result data obtained each time the execution subject is verified with the verification process;
accumulating the stored verification result data to obtain the cumulative verification result data corresponding to the execution subject; and
updating the predetermined condition periodically or irregularly based on the cumulative verification result data corresponding to the execution subject.

10. The method according to claim 1, wherein identifying, based on monitoring of the network system, a suspicious security event present in the network system and its threat type comprises: identifying the suspicious security event, the threat type and a threat level using a machine learning algorithm model; and
obtaining at least one candidate question from the question set preset for the threat type comprises: determining the number of questions and/or the question difficulty distribution of the at least one candidate question according to the threat level, wherein the threat level is positively correlated with the number of questions and the question difficulty, the questions in the question set are pre-divided into multiple difficulty levels according to difficulty, and the question difficulty distribution is characterized by the distribution of the at least one candidate question across the multiple difficulty levels.

11. A network security defense apparatus, comprising:
a preliminary identification module for identifying, based on monitoring of a network system, a suspicious security event present in the network system and its threat type; and
an active verification module for verifying the execution subject of the suspicious security event using a pre-arranged verification process, including:
an acquisition sub-module for obtaining at least one candidate question from a question set preset for the threat type;
a question selection generation sub-module for processing the at least one candidate question based on information of entities in the suspicious security event to obtain a selected question set, where the entities in the suspicious security event include the execution subject of the suspicious security event;
an answering sub-module for sending the selected question set to the execution subject and obtaining the answer information returned by the execution subject in reply to the questions in the selected question set; and
an answer evaluation sub-module for:
comparing the answer information with the corresponding information in the historical record data of the network system to obtain a comparison result;
when the comparison result satisfies a predetermined condition, determining that the execution subject poses no threat; and
when the comparison result does not satisfy the predetermined condition, determining that the execution subject poses a threat.

12. An electronic device, comprising:
one or more processors; and
a storage device for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors are caused to perform the method according to any one of claims 1 to 10.

13. A computer-readable storage medium having executable instructions stored thereon which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 10.

14. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 10.
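The selection and evaluation steps of claims 5 to 10 (question selection by characteristic class and threat level, the "must be answered correctly" gate, difficulty-based scoring with importance weights against a threshold, and the threshold updated from stored verification results) worked through as an added Python example that is not the patent's own code. The scoring rules, importance weights, per-threat-level difficulty plan and the threshold update rule are hypothetical, and the question set is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    threat_type: str
    characteristic: str  # "must": must be answered correctly; "tolerant": errors allowed
    difficulty: int      # difficulty level 1..3
    importance: int      # importance level 1..3
    answer: str          # expected answer, taken from the system's history records


# Hypothetical scoring rule: points per correct answer by difficulty level (claim 8).
DIFFICULTY_POINTS = {1: 1.0, 2: 2.0, 3: 3.0}
# Hypothetical weight by importance level (claim 8).
IMPORTANCE_WEIGHT = {1: 1.0, 2: 1.5, 3: 2.0}
# Hypothetical plan: questions per difficulty level for each threat level (claim 10);
# a higher threat level asks more questions and harder ones.
DIFFICULTY_PLAN = {"low": {1: 2}, "medium": {1: 1, 2: 2}, "high": {1: 1, 2: 2, 3: 2}}

# Constructed question set for one threat type; answers are placeholder values.
QUESTION_SET = [
    Question("q1", "credential_abuse", "must",     1, 3, "db01"),
    Question("q2", "credential_abuse", "tolerant", 1, 1, "08:00"),
    Question("q3", "credential_abuse", "tolerant", 2, 2, "vpn-eu"),
    Question("q4", "credential_abuse", "must",     2, 2, "alice"),
    Question("q5", "credential_abuse", "tolerant", 3, 1, "2 days"),
    Question("q6", "credential_abuse", "tolerant", 3, 3, "ssh"),
]


def select_candidates(question_set, threat_type, threat_level):
    """Claims 5 and 10: take questions by the threat level's difficulty plan, then make
    sure both characteristic classes ("must" and "tolerant") are represented."""
    pool = [q for q in question_set if q.threat_type == threat_type]
    chosen = []
    for difficulty, count in DIFFICULTY_PLAN[threat_level].items():
        chosen.extend([q for q in pool if q.difficulty == difficulty][:count])
    for kind in ("must", "tolerant"):
        if not any(q.characteristic == kind for q in chosen):
            chosen.append(next(q for q in pool if q.characteristic == kind))
    return chosen


def evaluate(selected, answers, threshold):
    """Claims 6 to 8. Returns (threat, score): threat is True when any "must" question is
    wrong or when the weighted score falls below the threshold; score is 0..100."""
    results = {q.qid: answers.get(q.qid) == q.answer for q in selected}  # per-question result
    if not all(results[q.qid] for q in selected if q.characteristic == "must"):
        return True, 0.0  # the "must" gate fails; no scoring takes place
    earned = possible = 0.0
    for q in selected:
        points = DIFFICULTY_POINTS[q.difficulty] * IMPORTANCE_WEIGHT[q.importance]
        possible += points
        if results[q.qid]:
            earned += points
    score = 100.0 * earned / possible
    return score < threshold, score


class ThresholdPolicy:
    """Claim 9: the threshold starts at an initial value and is recomputed from the
    subject's stored verification results (hypothetical rule: +step per stored failure,
    capped), so a subject that keeps failing is held to a stricter condition."""

    def __init__(self, initial=60.0, step=5.0, cap=90.0):
        self.initial, self.step, self.cap = initial, step, cap
        self.history = defaultdict(list)  # subject -> [(threat, score), ...]

    def record(self, subject, threat, score):
        self.history[subject].append((threat, score))

    def threshold_for(self, subject):
        failures = sum(1 for threat, _ in self.history[subject] if threat)
        return min(self.cap, self.initial + self.step * failures)


def verify(subject, threat_type, threat_level, answers, policy):
    """One run of the verification flow, feeding its result back into the policy."""
    selected = select_candidates(QUESTION_SET, threat_type, threat_level)
    threat, score = evaluate(selected, answers, policy.threshold_for(subject))
    policy.record(subject, threat, score)
    return threat, score


if __name__ == "__main__":
    policy = ThresholdPolicy()
    replies = {"q1": "db01", "q3": "wrong", "q4": "alice"}
    for _ in range(3):  # the same partially correct replies, judged against a rising threshold
        print(policy.threshold_for("svc"), verify("svc", "credential_abuse", "medium", replies, policy))
```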
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310118391.6A CN116346409B (en) 2023-01-30 2023-01-30 Network security defense method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116346409A true CN116346409A (en) 2023-06-27
CN116346409B CN116346409B (en) 2025-12-19

Family

ID=86892088

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310118391.6A Active CN116346409B (en) 2023-01-30 2023-01-30 Network security defense method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116346409B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118041709A (en) * 2024-04-15 2024-05-14 南京汇荣信息技术有限公司 Multi-source data-based security threat studying and judging method, system and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10673880B1 (en) * 2016-09-26 2020-06-02 Splunk Inc. Anomaly detection to identify security threats
CN112182401A (en) * 2017-11-24 2021-01-05 创新先进技术有限公司 Problem push method and device
CN115087977A (en) * 2020-02-12 2022-09-20 瓦瑞缇·普拉斯有限责任公司 Method and system for preventing malicious automation attacks

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118041709A (en) * 2024-04-15 2024-05-14 南京汇荣信息技术有限公司 Multi-source data-based security threat studying and judging method, system and device
CN118041709B (en) * 2024-04-15 2024-06-07 南京汇荣信息技术有限公司 Multi-source data-based security threat studying and judging method, system and device

Also Published As

Publication number Publication date
CN116346409B (en) 2025-12-19

Similar Documents

Publication Publication Date Title
US20240134946A1 (en) Online identity reputation
US11157629B2 (en) Identity risk and cyber access risk engine
US11522873B2 (en) Detecting network attacks
US10771493B2 (en) Cognitive security exposure analysis and resolution based on security trends
US11956272B2 (en) Identifying legitimate websites to remove false positives from domain discovery analysis
US10715570B1 (en) Generic event stream processing for machine learning
CN110462606B (en) Intelligent security management
US11477231B2 (en) System and method for vulnerability remediation prioritization
EP3971798A1 (en) Data processing method and apparatus, and computer readable storage medium
US12536235B2 (en) Using a machine learning system to process a corpus of documents associated with a user to determine a user-specific and/or process-specific consequence index
US20170244741A1 (en) Malware Identification Using Qualitative Data
CN111586695B (en) Short message identification method and related equipment
US20210397669A1 (en) Clustering web page addresses for website analysis
US20230089920A1 (en) Methods and systems for identifying unauthorized logins
US8892896B2 (en) Capability and behavior signatures
US10291483B2 (en) Entity embedding-based anomaly detection for heterogeneous categorical events
US12418546B2 (en) System and method for predicting investigation queries based on prior investigations
US20230316124A1 (en) Identifying bot activity using topology-aware techniques
CN116346409B (en) Network security defense method, device, equipment and storage medium
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
Canelón et al. Unstructured data for cybersecurity and internal control
US20220237482A1 (en) Feature randomization for securing machine learning models
CN113783920A (en) Method and apparatus for identifying web access portal
US11563762B2 (en) User flow graph analytics for cyber security
CN116502202B (en) Method and device for judging consistency of user permission model based on NLP technology

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant