CN111800439B - Application method and system of threat intelligence in bank - Google Patents

Abstract

The invention provides an application method and a system of threat information in a bank, wherein the method comprises the following steps: acquiring threat information data; when the time period begins, comparing the alarm logs collected from multiple links of the access data stream with threat information data one by one to obtain a comparison result; establishing an assignment calculation intermediate table for each link, and weighting threat information data in the assignment calculation intermediate table according to a comparison result to obtain a weighted value of each link; establishing a threat intelligence evaluation table, and establishing an index between the threat intelligence evaluation table and an assignment calculation intermediate table of each link; when the time period is over, calculating the weighted value of each link in a threat information evaluation table to obtain a credit value; and judging the reliability of the threat intelligence data according to the credit value. The invention compares the threat information with the alarm information by using the current security product of the bank, verifies the reliability of the threat information and improves the use value of the threat information on the ground.

Description

Application method and system of threat intelligence in bank

technical field

The invention relates to the field of information security, in particular, to a method and system for applying threat intelligence in a bank.

Background technique

With the continuous development of information security technology, threat intelligence, as an emerging concept, has attracted more and more attention from information security practitioners. According to Gartner's definition of threat intelligence, threat intelligence is some evidence-based knowledge, including context, mechanisms, signs, meanings, and actionable recommendations, related to existing or brewing threats or compromises to assets. , which can be used to provide information support for asset-related subjects to respond to threats or hazards or provide information support for decision-making, aiming to provide comprehensive, accurate, and relevant knowledge and information for asset subjects facing threats that can be implemented and made decisions.

In this process, threat intelligence, as a kind of data-based knowledge, cannot actually exist alone to bring value. Only together with some traditional security protection methods, can the security of the entire enterprise be fully guaranteed. At present, there are various ways to use threat intelligence on the market, such as combining with the existing security architecture and products of the enterprise, such as applying it to the internal incident response of the enterprise, etc. However, in the process of using threat intelligence, it is often passively accepting threat intelligence, lacking a reliability evaluation mechanism for threat intelligence provided by security vendors, or lacking threat intelligence application methods for targeted scenarios.

SUMMARY OF THE INVENTION

In view of the above problems, the present invention provides a method and system for the application of threat intelligence in a bank, which supplements firewall protection equipment strategies for threat intelligence with high credibility and high reliability, and improves the value of threat intelligence's landing and use.

In order to solve the above-mentioned technical problems, the technical solution adopted in the present invention is: a method for applying threat intelligence in a bank, comprising the following steps: step 1, obtaining threat intelligence data; step 2, when the time period starts, from the access data stream The alarm logs collected in multiple links are compared with the threat intelligence data one by one to obtain a comparison result; Step 3, an intermediate table of assignment calculation is established for each link, and a comparison is made in the intermediate table of assignment calculation according to the comparison result. The threat intelligence data is weighted to obtain the weighted value of each link; Step 4, a threat intelligence evaluation table is established, and an index is established between the threat intelligence evaluation table and the assignment calculation intermediate table of each link; Step 5, time At the end of the period, the weighted value of each link is calculated in the threat intelligence evaluation table to obtain a reputation value; step 6, according to the level of the reputation value, the reliability of the threat intelligence data is judged.

As a preferred solution, the multiple links of the access data flow include: the Internet DMZ, the core production area and the application server side, then the step 2 specifically includes:

For the first comparison in the Internet DMZ, if the source IP information in the alarm log of the Internet DMZ matches the attack source IP information in the threat intelligence data, the hit threat intelligence data will be weighted by FirstA, otherwise, no operation will be performed;

Perform a secondary comparison in the core production area. If both the source IP and attack feature information in the alarm log of the core production area can match the attack source IP and attack feature information in the threat intelligence data, the hit threat intelligence data will be weighted by SecondA ;If only the source IP information in the alarm log of the core production area hits the attack source IP information in the threat intelligence data, SeconddB weighting is performed on the hit threat intelligence data; if only the attack feature information in the alarm log of the core production area hits the threat intelligence If the attack feature information in the data, the hit threat intelligence data will be weighted by SecondC; if neither the source IP nor the attack feature information in the alarm log of the core production area can match the attack source IP and attack feature information in the threat intelligence data, the attack source IP and attack feature information in the threat intelligence data will not be matched. operate;

Perform three comparisons on the application server side. If the source IP and attack feature information in the alarm log on the application server side can match the attack source IP and attack feature information in the threat intelligence data, the third A weighting is performed on the hit threat intelligence data; If only the source IP information in the alarm log on the application server side hits the attack source IP information in the threat intelligence data, the hit threat intelligence data is subjected to ThirdB weighting; if only the attack feature information in the alarm log on the application server side hits the threat intelligence data If the attack feature information in the threat intelligence data is not matched, the thirdC weighting is performed on the hit threat intelligence data; if neither the source IP nor the attack feature information in the alarm log on the application server side can match the attack source IP and attack feature information in the threat intelligence data, it will not be performed. operate.

As a preferred solution, the step 2 also includes a comparison of special attack types. If the alarm log on the application server side contains a special attack type, the source IP and attack feature information in the special attack type can all hit the threat intelligence data. The attack source IP and attack feature information are compared with the firewall blocking log; if the alarm log in the special attack type matches the firewall blocking log, FourthA weighting is performed on the hit threat intelligence data, otherwise, no take any action.

As a preferred solution, within a time period of one round, if the threat intelligence data is hit multiple times in the same link, the weighted value in the intermediate table of assignment calculation selects the maximum value.

As a preferred solution, the calculation formula of the reputation value in the step 3 is:

Reputation value=initial assignment*(1+(K*(weighted item dimension index 1^weighted item weight1+weighted item dimension index2^weighted item weight2+...+weighted item dimension indexN^weighted item weightN)/100 ));

Weighted value = weighted item dimension index^ weighted item weight;

The initial assignment is 60, and the K value is the asset weight. According to the standardized rating L1-L5 level system, the K value is [10, 20, 30, 40, 50] respectively.

As a preferred solution, for different levels of protected assets, the interval level of the reputation value is also dynamically adjusted according to the difference in the asset weight K value to match different reputation values. The division method of the reputation value interval level is as follows:

Reputation value∈[60*(logK)^2,80*(logK)^2), the judgment result is that the reliability of the threat intelligence data is low;

Reputation value∈(80*(logK)^2,100*(logK)^2), the judgment result is that the reliability of the threat intelligence data is general;

The reputation value ∈(100*(logK)^2, 120*(logK)^2), the judgment result is that the reliability of the threat intelligence data is relatively high.

As a preferred solution, the threat intelligence data with a relatively high reputation value is put into the rule optimization directory, and is synchronized to the Internet DMZ domain egress firewall to block the source IP.

The invention also provides an application system of threat intelligence in a bank, comprising: an acquisition module, used for acquiring threat intelligence data; The alarm logs are compared with the threat intelligence data one by one to obtain a comparison result; a weighting module is used to establish an intermediate table of assignment calculation for each link, and according to the comparison result, the threat is calculated in the intermediate table of assignment calculation. The intelligence data is weighted to obtain the weighted value of each link; the index module is used to establish a threat intelligence evaluation table, and an index is established between the threat intelligence evaluation table and the assignment calculation intermediate table of each link; the operation module is used for At the end of the time period, the weighted values of each link are calculated in the threat intelligence evaluation table to obtain a reputation value; a judgment module is used to judge the reliability of the threat intelligence data according to the level of the reputation value .

As a preferred solution, the multiple links of the access data stream include: the Internet DMZ, the core production area and the application server side, and the comparison module includes a primary comparison module, a secondary comparison module and a tertiary comparison module;

The first comparison module is used to perform the first comparison in the Internet DMZ. If the source IP information in the alarm log of the Internet DMZ hits the attack source IP information in the threat intelligence data, FirstA weighting is performed on the hit threat intelligence data, and vice versa. operate;

The secondary comparison module is used to perform secondary comparison in the core production area. If both the source IP and the attack feature information in the alarm log of the core production area can hit the attack source IP and the attack feature information in the threat intelligence data, then SecondA weighting is performed on the hit threat intelligence data; if only the source IP information in the alarm log of the core production area hits the attack source IP information in the threat intelligence data, SeconddB weighting is performed on the hit threat intelligence data; If only the attack feature information in the log hits the attack feature information in the threat intelligence data, the hit threat intelligence data will be weighted by SecondC; if neither the source IP nor the attack feature information in the alarm log of the core production area can hit the attack in the threat intelligence data source IP and attack feature information, no operation is performed;

The three comparison module is used to perform three comparisons on the application server side. If both the source IP and the attack feature information in the alarm log on the application server side can match the attack source IP and the attack feature information in the threat intelligence data, then the match will be matched. ThirdA-weighted threat intelligence data;

If only the source IP information in the alarm log on the application server side hits the attack source IP information in the threat intelligence data, the hit threat intelligence data is subjected to ThirdB weighting; if only the attack feature information in the alarm log on the application server side hits the threat intelligence data If the attack feature information in the threat intelligence data is not matched, the thirdC weighting is performed on the hit threat intelligence data; if neither the source IP nor the attack feature information in the alarm log on the application server side can match the attack source IP and attack feature information in the threat intelligence data, it will not be performed. operate.

As a preferred solution, a special comparison module is also included, and the special comparison module is used for the comparison of special attack types. If the alarm log on the application server side includes the special attack type, the source IP and attack characteristics of the special attack type If the information can hit the attack source IP and attack feature information in the threat intelligence data, then compare the firewall blocking log; if the alarm log in the special attack type matches the firewall blocking log, then the attacked threat Intelligence data is FourthA weighted, otherwise, no action is taken.

Compared with the prior art, the beneficial effects of the present invention include: using the current security architecture and security products of the bank to compare the threat intelligence information with the warning information of security protection equipment such as WAF and IPS in the Internet DMZ area, and verifying the reliability of the threat intelligence information. Combined with different dimensions, weights, effectiveness, etc., the threat intelligence reputation value is given, and the reputation value is dynamically adjusted to the interval, and the threat intelligence data shared by the industry is optimized by the reputation value feedback, and the threat intelligence with high reputation value is firewalled, WAF and other protective equipment strategies are supplemented to enhance the value of threat intelligence.

Description of drawings

The disclosure of the present invention is explained with reference to the accompanying drawings. It should be understood that the accompanying drawings are for illustrative purposes only, and are not intended to limit the protection scope of the present invention. In the drawings, the same reference numerals are used to refer to the same parts. in:

1 is a schematic flowchart of a method for applying threat intelligence in a bank according to an embodiment of the present invention;

2 is a schematic flowchart of another form of a method for applying threat intelligence in a bank according to an embodiment of the present invention;

FIG. 3 is a schematic block diagram of an application system of threat intelligence in a bank according to an embodiment of the present invention.

FIG. 4 is a schematic structural diagram of a comparison module according to an embodiment of the present invention.

Detailed ways

It is easy to understand that, according to the technical solutions of the present invention, without changing the essential spirit of the present invention, those of ordinary skill in the art can propose various alternative structures and implementations. Therefore, the following specific embodiments and accompanying drawings are only exemplary descriptions of the technical solutions of the present invention, and should not be regarded as all of the present invention or as limitations or restrictions on the technical solutions of the present invention.

First of all, the technical terms appearing in the present invention are explained:

DMZ: is the abbreviation of "demilitarized zone" in English, and the Chinese name is "isolation zone". It is a non-secure system and a security system established to solve the problem that users who access the external network cannot access the internal network server after installing a firewall. buffer between.

WAF: is the abbreviation of "Web Application Firewall" in English, and the Chinese name is Web Application Protection System. It is a product that provides protection for Web applications by implementing a series of HTTP/HTTPS security policies.

IPS: is the abbreviation of "Intrusion Prevention System" in English, and the Chinese name is Intrusion Prevention System. It is a computer network security facility and a supplement to anti-virus software and firewalls.

IDS: is the abbreviation of "intrusion detection system" in English, and the Chinese name is intrusion detection system. It is a network security device that performs real-time monitoring of network transmissions, and sends out alarms or takes active response measures when suspicious transmissions are found.

RASP: is the abbreviation of "Runtime application self-protection" in English. It is a new type of application security protection technology. It injects protection programs into applications like vaccines, and integrates applications. It intercepts applications from applications to systems. It can detect and block security attacks in real time, so that the application has the ability to protect itself. When the application suffers actual attack damage, it can automatically defend against it.

SFTP: is the abbreviation of "SSH File Transfer Protocol" in English. The Chinese name is Secure File Transfer Protocol. It is a data stream connection and a network transfer protocol that provides file access, transmission and management functions.

csv format: is a comma-separated value file format.

APT: is the abbreviation of "Advanced Persistent Threat" in English. The Chinese name is Advanced Persistent Threat. It refers to a hidden and persistent computer intrusion process, usually carefully planned by some personnel, targeting specific targets.

Webshell: It is a code execution environment in the form of web page files such as asp, php, jsp or cgi. It can also be called a web page backdoor.

An embodiment according to the present invention is shown in conjunction with FIG. 1 . A method for applying threat intelligence in a bank, comprising the following steps:

S110: Obtain threat intelligence data.

S120: At the beginning of the time period, the alarm logs collected from the multiple links of the access data flow are compared with the threat intelligence data one by one to obtain a comparison result.

S130: Establish an assignment calculation intermediate table for each link, and weight the threat intelligence data in the assignment calculation intermediate table according to the comparison result, so as to obtain the weighted value of each link.

S140: Establish a threat intelligence evaluation table, and establish an index between the threat intelligence evaluation table and the assignment calculation intermediate table of each link.

S150: At the end of the time period, calculate the weighted value of each link in the threat intelligence evaluation table to obtain a reputation value.

S160: Judge the reliability of the threat intelligence data according to the level of the reputation value.

As shown in FIG. 2 , a method for applying threat intelligence in a bank provided by the present invention is described in detail below, taking the production environment of the banking industry as a reference object.

At present, the banking industry has more or less introduced threat intelligence data from third-party security vendors. First of all, for the receiving method of threat intelligence data, the present invention requires third-party security vendors to send data to the threat intelligence data center in the bank by means of SFTP daily fixed-point push. File transfer, the file should be in csv format for subsequent calls.

As the threat intelligence data source of the intra-industry security operation platform, the intra-industry threat intelligence data center sends the threat intelligence data to the intra-industry security operation platform. The multi-link alarm logs of the data flow are compared with the threat intelligence data one by one. In the embodiment of the present invention, the multiple links of accessing the data flow include: an Internet DMZ, a core production area, and an application server side. specific:

(1) Initial comparison of threat intelligence (Internet DMZ):

During the initial comparison of threat intelligence, the alarm logs of security protection devices such as IPS intrusion prevention devices and WAF web application firewalls that are collected by the joint security operation platform and deployed in the Internet DMZ area are compared with the threat intelligence data to compare the attack source IP. right.

I. If the source IP information in the alarm log of the security protection device can just hit the attack source IP information in the threat intelligence data, it proves that the threat intelligence data is initially valid or does not rule out the false alarm of the security protection device based on the rule base method. Therefore, at this time, the reputation value is initialized and assigned to the hit threat intelligence data, and FirstA weighting is performed.

II. If the source IP information in the alarm log of the security protection device does not match the attack source IP information in the threat intelligence data, this does not indicate any problem, because the security protection device as a real-time protection alarm may not be detected at this time. The relevant attack logs may also be inaccurate threat intelligence data. At this time, no operation is performed on the threat intelligence data.

(2) Secondary comparison of threat intelligence data (core production area):

According to the access data flow of Internet applications, when the access traffic reaches the application server and database server in the core production area, there should be corresponding intranet security monitoring means, such as IDS intrusion detection equipment, full traffic analysis and detection equipment, etc. During the second comparison process, the alarm logs of the bypass traffic mirrored intranet security monitoring equipment collected by the in-house security operation platform are combined to compare the attack source IP and attack characteristics.

I. If the source IP and attack feature information in the alarm log of the intranet security monitoring device can just hit the attack source IP and attack feature information in the threat intelligence data, it proves that the effectiveness of the threat intelligence data is improved, and there is security protection at the same time. The rule base of such equipment is imperfect and may be bypassed by attackers, and the possibility of false positives of intranet security monitoring equipment is not excluded. Therefore, SecondA weighting is performed on the hit threat intelligence data at this time.

II. If the source IP in the alarm log of the intranet security monitoring equipment can all hit the attack source IP information in the threat intelligence data, but the attack feature information does not hit, then it proves that the IP information provided in the threat intelligence is likely to be targeted The attack on the bank may change the attack method, bypass the security protection equipment and trigger the alarm of the intranet security monitoring equipment, but it does not rule out the possibility of false alarms from the intranet security monitoring equipment. The hit threat intelligence data is SeconddB weighted.

III. If the attack feature information in the alarm log of the intranet security monitoring device can match the attack feature information in the threat intelligence data, but the attack source IP information does not hit, it proves that the attacker may be changing the IP address to attack, or it may be It is the attacking IP or APT attacker that is not involved in the threat intelligence. In this case, SecondC weighting is performed on the hit threat intelligence data.

IV. If the alarm log information of the intranet security monitoring equipment does not match the attack source IP and attack feature information in the threat intelligence data, it does not mean that the threat intelligence data is inaccurate or the security monitoring rules are imperfect, because the randomness of real-time data At present, it is not possible to give a relatively accurate judgment on the validity of the security and fixed rules. At this time, no operation is performed on the threat intelligence data.

(3) Three comparisons of threat intelligence data (application server side)

In terms of application-side detection methods such as HIDS host IDS and RASP application self-protection deployed on the in-line application server, the final destination of the data stream is also the process of the final comparison of threat intelligence. During this process, the attack method can be relatively accurately confirmed. accuracy.

I. If the source IP and attack feature information in the monitoring alarm log on the application server side can just hit the attack source IP and attack feature information in the threat intelligence data, it is relatively accurate to think that the attack penetrated into the application server, and the threat intelligence information is relatively accurate. Accurate. At this time, ThirdA weighting is performed on the hit threat intelligence data.

II. If the source IP in the monitoring alarm log on the application server side can all hit the attack source IP information in the threat intelligence data, but the attack feature information does not hit, then it proves that the source IP information may be the long-term attack IP of APT. There may be multiple hits in the IP information, and the threat intelligence data of the hit is ThirdB weighted.

III. If the attack feature information in the monitoring alarm log on the application server side can all hit the attack feature information in the threat intelligence data, but the attack source IP information does not hit, it proves that the attacker has multiple attack methods, some of which bypass the attack. For security protection equipment, ThirdC weighting is performed on the hit threat intelligence data.

IV. If the monitoring alarm log information on the application server side does not match the attack source IP and attack feature information in the threat intelligence data, no operation is performed on the threat intelligence data at this time.

(4) Comparison of special attack types

Special, special judgment of attack type (such as Trojan horse implantation attack), if there are attack types such as webshell upload, Trojan horse file, and backdoor access in the monitoring alarm log on the application server side, after three comparisons of threat intelligence data, add The log comparison of the network egress firewall in the Internet DMZ area confirms the reliability of such high-risk attacks.

I. If the monitoring alarm log on the application server side contains a special attack type, the source IP and attack characteristic information in the special attack type log can exactly match the attack source IP and attack characteristic information in the threat intelligence data, and a comparison is required at this time. Firewall blocking logs. Since the banking industry currently has relatively complete Internet egress firewall port control measures, we compare the intranet outbound blocking logs other than non-80/443 business ports, which also proves that Trojan files, The access behavior of special attack types such as backdoor access using special ports is blocked by the firewall. If the alarm logs of special attack types monitored by the application server, threat intelligence data, and Internet DMZ egress firewall blocking logs match, FourthA weighting is performed on the hit threat intelligence data.

II. If the application server side monitors the special attack type alarm log, threat intelligence data, and the Internet DMZ zone egress firewall blocking log and does not match each other, then do nothing to the threat intelligence data at this time.

For the weighted adjustment of reputation value assignment by real-time log comparison and threat intelligence data, we only pay attention to the valid data with reputation value within a certain range, and this value is also dynamically adjusted. It is also quasi-real-time, and the follow-up will be reflected in the dynamic adjustment of the optimization of security protection rules.

At this point, we sort out all the assignments of the reputation value of the threat intelligence data, as shown in the following table:

In the initial comparison, the reputation value of the threat intelligence data is initialized and assigned to 60, that is, the security threat intelligence data provided by the third-party security vendor is trusted as the initialization level by default. When the access traffic reaches the application server and database server in the core production area, the A series of multiple judgment comparison processes, the weighted indicators are as follows:

The formula for calculating the reputation value is:

Reputation value=initial assignment*(1+(K*(weighted item dimension index 1^weighted item weight1+weighted item dimension index2^weighted item weight2+...+weighted item dimension indexN^weighted item weightN)/100 ));

Among them, the initial assignment is generally 60, and the K value is the asset weight. According to the standardized rating L1-L5 level system, the K value is [10, 20...50] respectively.

Taking K=10 (L1 level system) as an example, the calculation result of the reputation value is as follows:

Among them, because the FourthA special attack type comparison is a sub-category of the ThirdA application server side monitoring alarm log comparison, the ThirdA+FourthA judgment process needs to be used in combination.

Taking K=10 (L1 level system) as an example, the interval level of the reputation value is divided as follows:

Reputation value ∈ [60, 80), the judgment result is that the threat intelligence data has low reliability for L1-level system detection and protection in the banking environment;

Reputation value ∈ (80,100), the judgment result is that the threat intelligence data is generally reliable for L1-level system detection and protection in the banking environment;

The reputation value ∈ (100, 120), the judgment result is that the threat intelligence data has high reliability for L1 level system detection and protection in the banking environment.

For the protected assets of L* level (L* is L1-L5), the interval level of the reputation value is also dynamically adjusted according to the different asset weight K value to match different reputation values. The division method of the interval level of the reputation value is as follows :

Reputation value ∈[60*(logK)^2,80*(logK)^2), the judgment result is that the threat intelligence data has low reliability for L* level system detection and protection in the banking environment;

Reputation value∈(80*(logK)^2,100*(logK)^2), the judgment result is that the threat intelligence data is generally reliable for L* level system detection and protection in the banking environment;

The reputation value ∈(100*(logK)^2, 120*(logK)^2), the judgment result is that the threat intelligence data is highly reliable for L* level system detection and protection in the banking environment.

For the reputation value carried by threat intelligence data, it is always in the process of continuous dynamic adjustment along with the comparison process of different levels on the link.

In a round of time period, the starting point of the process initiation period is the starting point of the natural period, that is, the time node when the evaluation of threat intelligence data is started. In the period, each sub-link is a different comparison process, and each comparison process is relatively independent. After the comparison is completed, the reputation value assignment adjustment is performed on the threat intelligence data. The credit value assignment of each link will establish an assignment calculation intermediate table. The calculation and assignment process is completed in the assignment calculation intermediate table, and the original threat intelligence storage data will not be correlated. operate.

Further, considering that the threat intelligence data is not hit in each link stage, the time period is used as the end mark of each round of time period. The time period of each round is 1 minute, and the time period of each round ends. At the time, the intermediate table will be assigned and calculated by each link of the threat intelligence evaluation table index, and the reputation value will be calculated. Put the threat intelligence data with high reliability as a result of the reputation value judgment into the rule optimization directory, and synchronize it to the egress firewall in the Internet DMZ area to block the source IP.

Threat intelligence data storage is designed as follows:

serial number HASH value IP domain name Attack method address location ... unique index 1 X X X X X XXXX 2 X X X X X XXXX

The stage assignment intermediate table is designed as follows:

serial number HASH value IP domain name Attack method address location … unique index timestamp weighted term 1 X X X X X XXXX X SecondB 2 X X X X X XXXX X SecondA

The threat intelligence evaluation table is designed as follows:

In each round of time period, the hit processing of each sub-link alarm log comparison process is processed only once, that is, the hit of the same entry in the sub-link alarm log is only assigned and calculated once in a time period.

In each round of time period, if you encounter a threat intelligence data and the same link is hit multiple times, for example, the second stage assignment calculation hits the same threat intelligence data in the 10th and 30th seconds, but the hit method is different, the 10th second It is SecondA, and the 30th second is SeconddB, then there are repeated assignment adjustments in the cycle, and the repeated assignment of reputation value is only unidirectionally assigned to a larger value, and only the unique assignment result of threat intelligence data exists in the intermediate table of stage assignment calculation.

Due to the different K values caused by different asset levels, the calculation dimensions are different. In the threat intelligence evaluation table, different K values will be recorded for subsequent reputation value calculations, and the call calculation of different K values will be brought into different evaluation intervals for evaluation.

At the end of each time period, the data in the threat intelligence evaluation table will not be cleared to meet the calculation requirements, and the original table will be overwritten after a new round of time period. This avoids the assignment operation preemption behavior that occurs when the same piece of threat intelligence data is repeatedly operated across different links, and also avoids the problem of erroneous writing of multiple pieces of threat intelligence data in the same link. The problem of multiple hits of a piece of data brings mitigation measures.

The optimization of security protection rules is also a periodic action. During the dynamic adjustment of the reputation value of threat intelligence data, the data in the threat intelligence evaluation table is also periodically refreshed, which will inevitably bring about a shift in the interval where the reputation value is located. At this time, the security protection The rules need to be dynamically adjusted according to the "high reliability" evaluation score range. For example, the threat intelligence data of the "high reliability" level in the previous cycle will be shifted to the "average reliability" level after the new round of adjustment cycle. Then the corresponding rules will be removed from the address pool of firewall blocking rules.

As shown in FIG. 3 , the present invention also discloses an application system of threat intelligence in a bank, including:

an acquisition module 110, configured to acquire threat intelligence data;

The comparison module 120 is configured to compare the alarm logs collected from the multiple links of the access data flow with the threat intelligence data one by one at the beginning of the time period to obtain the comparison result;

The weighting module 130 is used to establish an assignment calculation intermediate table for each link, and weight the threat intelligence data in the assignment calculation intermediate table according to the comparison result, so as to obtain the weighted value of each link;

The indexing module 140 is used to establish a threat intelligence evaluation table, and establish an index between the threat intelligence evaluation table and the assignment calculation intermediate table of each link;

The calculation module 150 is used to calculate the weighted value of each link in the threat intelligence evaluation table at the end of the time period to obtain the reputation value;

The judging module 160 is used for judging the reliability of the threat intelligence data according to the level of the reputation value.

Further, the multi-link access data flow includes: Internet DMZ, core production area and application server side. As shown in FIG. 4 , the comparison module 120 includes a primary comparison module 1201 , a secondary comparison module 1202 and a third comparison module 1203 .

The initial comparison module 1201 is used to perform the initial comparison in the Internet DMZ. If the source IP information in the alarm log of the Internet DMZ hits the attack source IP information in the threat intelligence data, the hit threat intelligence data will be weighted by FirstA, otherwise, no operation will be performed. .

The secondary comparison module 1202 is used to perform secondary comparison in the core production area. If both the source IP and the attack feature information in the alarm log of the core production area can match the attack source IP and the attack feature information in the threat intelligence data, then check the source IP and the attack feature information in the threat intelligence data. The hit threat intelligence data is SecondA weighted. If only the source IP information in the alarm log of the core production area matches the attack source IP information in the threat intelligence data, SeconddB weighting is performed on the hit threat intelligence data. If only the attack feature information in the alarm log of the core production area hits the attack feature information in the threat intelligence data, SecondC weighting is performed on the hit threat intelligence data. If the source IP and attack feature information in the alarm log of the core production area cannot match the attack source IP and attack feature information in the threat intelligence data, no operation is performed.

The three comparison module 1203 is used to perform three comparisons on the application server side. If both the source IP and the attack feature information in the alarm log on the application server side can match the attack source IP and attack feature information in the threat intelligence data, then the hit Threat Intelligence Data ThirdA-weights hit threat intelligence data. If only the source IP information in the alarm log on the application server side matches the attack source IP information in the threat intelligence data, ThirdB weighting is performed on the hit threat intelligence data. If only the attack feature information in the alarm log on the application server side matches the attack feature information in the threat intelligence data, ThirdC weighting is performed on the hit threat intelligence data. If neither the source IP address nor the attack signature information in the alarm log on the application server side can match the attack source IP address and attack signature information in the threat intelligence data, no operation is performed.

In the embodiment of the present invention, the comparison module 120 further includes a special comparison module 1204. The special comparison module 1204 is used for comparison of special attack types. If the alarm log on the application server side includes the special attack type, the source of the special attack type Both the IP and attack feature information can match the attack source IP and attack feature information in the threat intelligence data, and then compare the firewall blocking logs. If the special attack type alarm log matches the firewall blocking log, FourthA weighting is performed on the hit threat intelligence data; otherwise, no operation is performed.

Those skilled in the art can clearly understand that, for the convenience and brevity of description, the specific working process of the system, device and unit described above may refer to the corresponding process in the foregoing method embodiments, which will not be repeated here.

It should be understood that, if the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention is essentially or a part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes: U disk, removable hard disk, Read-Only Memory (ROM, Read-Only Memory), Random Access Memory (RAM, Random Access Memory), magnetic disk or optical disk and other media that can store program codes.

The technical scope of the present invention is not limited to the content in the above description, and those skilled in the art can make various deformations and modifications to the above-mentioned embodiments without departing from the technical idea of the present invention, and these deformations and modifications should belong to within the protection scope of the present invention.

Claims (10)

1. A method for applying threat intelligence in a bank is characterized by comprising the following steps:

step 1, threat information data is obtained;

step 2, when the time period starts, comparing the alarm logs collected from multiple links of the access data stream with the threat information data one by one to obtain a comparison result;

step 3, establishing an assignment calculation intermediate table for each link, and weighting the threat intelligence data in the assignment calculation intermediate table according to a comparison result to obtain a weighted value of each link;

step 4, establishing a threat intelligence evaluation table, and establishing indexes between the threat intelligence evaluation table and an assignment calculation intermediate table of each link;

step 5, when the time period is over, calculating the weighted value of each link in the threat information evaluation table to obtain a credit value;

and 6, judging the reliability of the threat intelligence data according to the reputation value.

2. The method of applying threat intelligence in a bank of claim 1, wherein the accessing data flow multiple links comprise: the step 2 specifically includes, at the side of the internet DMZ, the core production area, and the application server:

performing primary comparison on the Internet DMZ, and if source IP information in an alarm log of the Internet DMZ hits attack source IP information in threat intelligence data, performing first tA weighting on the hit threat intelligence data, otherwise, not performing operation;

performing secondary comparison in the core production area, and performing SecondA weighting on hit threat information data if both the source IP and the attack characteristic information in the alarm log of the core production area can hit the attack source IP and the attack characteristic information in the threat information data;

if only the source IP information in the alarm log of the core production area hits the attack source IP information in the threat information data, SecondB weighting is carried out on the hit threat information data;

if only attack characteristic information in the threat information data is hit in the alarm log of the core production area, performing SecondC weighting on the hit threat information data;

if the source IP and the attack characteristic information in the alarm log of the core production area can not hit the attack source IP and the attack characteristic information in the threat intelligence data, the operation is not carried out;

comparing for three times on the side of the application server, and if the source IP and the attack characteristic information in the alarm log on the side of the application server can hit the attack source IP and the attack characteristic information in the threat intelligence data, carrying out Thirda weighting on the hit threat intelligence data;

if only the source IP information in the alarm log of the application server side hits attack source IP information in the threat intelligence data, carrying out ThirdB weighting on the hit threat intelligence data;

if only attack characteristic information in the threat intelligence data is hit in the alarm log of the application server side, ThircC weighting is carried out on the hit threat intelligence data;

and if the source IP and the attack characteristic information in the alarm log of the application server side can not hit the attack source IP and the attack characteristic information in the threat intelligence data, the operation is not carried out.

3. The method for applying threat intelligence in a bank according to claim 2, wherein the step 2 further comprises a special attack type comparison, if the alarm log at the application server side contains a special attack type, and both the source IP and the attack characteristic information in the special attack type can hit the attack source IP and the attack characteristic information in the threat intelligence data, the firewall is compared to block the log;

and if the alarm log in the special attack type is matched with the firewall blocking log, performing Fourtha weighting on hit threat intelligence data, and otherwise, not performing any operation.

4. The method of applying threat intelligence of claim 2, wherein the weighting values in the assignment calculation intermediate table are selected to be the maximum values if the threat intelligence data is hit multiple times in the same link during a round of time period.

5. The method for applying threat intelligence in banks according to claim 1, wherein the calculation formula of the reputation value in step 3 is:

a reputation value ═ an initialization valuation · (K ^ weight term index 1^ weight term weight 1+ weight term dimension index 2^ weight term weight 2+ … + weight term dimension index N ^ weight term N)/100));

weighting value ═ weighting item dimension index ^ weighting item weight;

where the initialization assignment is 60, the value of K is the asset weight, and the K values are [10, 20, 30, 40, 50], respectively, for a system rated in a standardized rating of L1-L5.

6. The method of claim 5, wherein for protected assets of different levels, the interval level of reputation value is dynamically adjusted according to the difference of asset weight K value to match different reputation values, and the division of reputation value interval level is as follows:

the credit value belongs to [60 x (logK) ^2,80 x (logK) ^2 ], and the judgment result shows that the reliability of the threat intelligence data is lower;

the credit value is belonged to (80 ^ log K) ^2,100 ^ log K ^2), and the judgment result is that the reliability of the threat intelligence data is general;

and the credit value is belonged to (100 ^ log K) 2,120 ^ log K ^2), and the judgment result shows that the reliability of the threat intelligence data is higher.

7. The method of claim 6, wherein the threat intelligence data with the reputation value of high reliability is put into a rule optimization directory and synchronized to an internet DMZ domain exit firewall to block the source IP.

8. A system for applying threat intelligence to a bank, comprising:

the acquisition module is used for acquiring threat information data;

the comparison module is used for comparing the alarm logs collected from multiple links of the access data stream with the threat information data one by one at the beginning of a time period to obtain a comparison result;

the weighting module is used for establishing an assignment calculation intermediate table for each link and weighting the threat intelligence data in the assignment calculation intermediate table according to a comparison result so as to obtain a weighted value of each link;

the index module is used for establishing a threat intelligence evaluation table and establishing an index between the threat intelligence evaluation table and the assignment calculation intermediate table of each link;

the operation module is used for operating the weighted value of each link in the threat information evaluation table to obtain a credit value when the time period is over;

and the judging module is used for judging the reliability of the threat intelligence data according to the credit value.

9. The system for applying threat intelligence to a bank according to claim 8, wherein the multiple access data flow links comprise: the system comprises an Internet DMZ, a core production area and an application server side, wherein the comparison module comprises a primary comparison module, a secondary comparison module and a tertiary comparison module;

the primary comparison module is used for carrying out primary comparison on the Internet DMZ, if source IP information in an alarm log of the Internet DMZ hits attack source IP information in threat information data, the hit threat information data is subjected to first tA weighting, otherwise, operation is not carried out;

the secondary comparison module is used for carrying out secondary comparison in the core production area, and if the source IP and the attack characteristic information in the alarm log of the core production area can both hit the attack source IP and the attack characteristic information in the threat information data, SecondA weighting is carried out on the hit threat information data;

if only the source IP information in the alarm log of the core production area hits the attack source IP information in the threat information data, SecondB weighting is carried out on the hit threat information data;

if only attack characteristic information in the threat information data is hit in the alarm log of the core production area, performing SecondC weighting on the hit threat information data;

if the source IP and the attack characteristic information in the alarm log of the core production area can not hit the attack source IP and the attack characteristic information in the threat intelligence data, the operation is not carried out;

the third comparison module is used for carrying out third comparison on the side of the application server, and if the source IP and the attack characteristic information in the alarm log of the side of the application server can hit the attack source IP and the attack characteristic information in the threat information data, ThirdA weighting is carried out on the hit threat information data;

if only the source IP information in the alarm log of the application server side hits attack source IP information in the threat intelligence data, carrying out ThirdB weighting on the hit threat intelligence data;

if only attack characteristic information in the threat intelligence data is hit in the alarm log of the application server side, ThircC weighting is carried out on the hit threat intelligence data;

and if the source IP and the attack characteristic information in the alarm log of the application server side can not hit the attack source IP and the attack characteristic information in the threat intelligence data, the operation is not carried out.

10. The system for applying threat intelligence in a bank according to claim 8, further comprising a special comparison module, wherein the special comparison module is used for comparing special attack types, if the alarm log at the application server side contains a special attack type, the source IP and the attack characteristic information in the special attack type can hit the attack source IP and the attack characteristic information in the threat intelligence data, and the firewall is compared to block the log;

and if the alarm log in the special attack type is matched with the firewall blocking log, performing Fourtha weighting on hit threat intelligence data, and otherwise, not performing any operation.

Images