Threat response method and device based on threat intelligence and ATT&CK

An ATT&CK and threat intelligence technology, applied to computer security devices, machine learning, instruments, etc., which can solve the problems of high load overhead, disorder of the policy system, lack of effective evidence in the traceability process, etc.

Active Publication Date: 2021-05-07
NO 15 INST OF CHINA ELECTRONICS TECH GRP +1
Cites: 7. Cited by: 16.

AI Technical Summary

Problems solved by technology

[0005] In view of this, the present invention provides a threat response method and device based on threat intelligence and ATT&CK, which mainly addresses two problems of the prior art: threat intelligence information that is single-sourced and chaotic, which leaves the traceability process without effective evidence, and the commonly adopted banning and blocking strategies, which impose a high system load overhead.



Examples


Embodiment 1

[0060] Figure 1 is an overall structural diagram of a threat response method based on threat intelligence and ATT&CK provided by an embodiment of the present invention.

[0061] S1: establish a threat intelligence library:

[0062] S11, external threat collection step: use crawlers and open source threat intelligence sharing platform APIs to automatically collect external threat intelligence from public resources as the first collection result;

[0063] Specifically, an open source threat intelligence collection and query framework is established that automatically collects threat intelligence from various public resources, using crawlers and open source threat intelligence sharing platform APIs to simplify the external collection process and to collect and organize quickly. The crawler part mainly targets Twitter, Tor, dark web forums, the security portal 360, freebuf, fireeye, McAfee, etc., and uses libraries such as BeautifulSoup, Requests, and Scrapy in Pytho...

Embodiment 2

[0110] Further, another embodiment of the present invention provides a threat response device based on threat intelligence and ATT&CK as an implementation of the method shown in the above embodiment. This device embodiment corresponds to the foregoing method embodiment. For ease of reading, this device embodiment does not repeat the details of the foregoing method embodiment one by one, but it should be clear that the device in this embodiment can correspond to everything in the foregoing method embodiment. The device of this embodiment contains the following modules:

[0111] Module one: the threat intelligence database module, corresponding to S1 in Embodiment 1, establishes the threat intelligence database.

[0112] The external threat collection sub-module uses crawlers and open source threat intelligence sharing platform APIs to automatically collect external threat intelligence from public resources as the first collection result. The external threat ...


Abstract

The invention discloses a threat response method and device based on threat intelligence and ATT&CK, and belongs to the technical field of computer network security. The method comprises the following steps: establishing a threat intelligence library by collecting threat intelligence from public resources and traditional security equipment, analyzing the full life cycle of an attack behavior in combination with the ATT&CK framework, and establishing an attacker machine learning model in the form of a complete attack chain; establishing a mapping relation between labels and processing rules according to the attacker machine learning model; monitoring and identifying real-time flow data using DFI-based deep flow inspection technology, and continuously changing a label value as the real-time characteristics of the flow change; and activating threat defense according to the mapping relation between the label and the processing rule. The method solves the problems that single-source, disordered threat intelligence leaves the traceability process without effective evidence, and that the commonly adopted forbidding and blocking strategies impose a large system load overhead.
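The abstract describes three moving parts: an attacker model expressed as an ordered attack chain of ATT&CK techniques, a mapping from labels to processing rules, and a label value per host that is continuously updated from flow-level (DFI) features so that the matching rule is activated. The following is an added example written for this page, not code from the patent or its assignee; it sketches how those parts fit together. The ATT&CK technique IDs are real identifiers, but the labels, thresholds, rule names, decay factor and the sample flow windows are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Attacker model in complete-attack-chain form: ordered ATT&CK technique IDs,
# each bound to a label. The technique IDs are real ATT&CK identifiers; the
# labels, thresholds and rule names are assumptions made for this example.
ATTACK_CHAIN: List[Tuple[str, str]] = [
    ("T1046", "recon"),  # Network Service Discovery
    ("T1071", "c2"),     # Application Layer Protocol (C2 beaconing)
    ("T1048", "exfil"),  # Exfiltration Over Alternative Protocol
]

# Mapping relation between label and processing rule (hypothetical rule names).
LABEL_RULES: Dict[str, str] = {
    "benign": "allow",
    "recon": "log_and_rate_limit",
    "c2": "isolate_host",
    "exfil": "block_and_capture",
}

THRESHOLD = 1.0   # evidence needed before a technique's label applies
DECAY = 0.5       # evidence halves each window the technique is not observed
CAP = 3.0         # upper bound so a long campaign still clears in bounded time


@dataclass
class FlowWindow:
    """DFI-style per-host flow statistics for one time window (constructed)."""
    host: str
    distinct_dst_ports: int
    periodic_beacons: int   # connections at a near-constant interval
    bytes_out: int
    bytes_in: int


@dataclass
class HostState:
    label: str = "benign"
    evidence: Dict[str, float] = field(
        default_factory=lambda: {tech: 0.0 for tech, _ in ATTACK_CHAIN})
    trail: List[str] = field(default_factory=list)   # kept for traceability


def technique_signals(w: FlowWindow) -> Dict[str, bool]:
    """Translate raw flow features into per-technique observations."""
    out_in_ratio = w.bytes_out / max(w.bytes_in, 1)
    return {
        "T1046": w.distinct_dst_ports >= 20,
        "T1071": w.periodic_beacons >= 5,
        "T1048": w.bytes_out >= 1_000_000 and out_in_ratio >= 10,
    }


class LabelEngine:
    """Keeps a continuously updated label per host and resolves it to a rule."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HostState] = {}

    def update(self, w: FlowWindow) -> Tuple[str, str]:
        st = self.hosts.setdefault(w.host, HostState())
        seen = technique_signals(w)
        for tech in st.evidence:
            if seen[tech]:
                st.evidence[tech] = min(st.evidence[tech] + 1.0, CAP)
                st.trail.append(f"{w.host} {tech}: ports={w.distinct_dst_ports} "
                                f"beacons={w.periodic_beacons} out={w.bytes_out}")
            else:
                st.evidence[tech] *= DECAY
        # The label is the deepest chain stage whose evidence is still above threshold,
        # so it moves forward as the chain progresses and falls back as evidence decays.
        st.label = "benign"
        for tech, label in ATTACK_CHAIN:
            if st.evidence[tech] >= THRESHOLD:
                st.label = label
        return st.label, LABEL_RULES[st.label]


def run(windows: List[FlowWindow]) -> List[Tuple[str, str]]:
    """Feed consecutive windows through one engine; returns (label, rule) per window."""
    engine = LabelEngine()
    return [engine.update(w) for w in windows]


# Constructed sample: one host moving along the chain, then going quiet.
SAMPLE = [
    FlowWindow("10.0.0.7", distinct_dst_ports=30, periodic_beacons=0, bytes_out=1_000, bytes_in=5_000),
    FlowWindow("10.0.0.7", distinct_dst_ports=3, periodic_beacons=8, bytes_out=2_000, bytes_in=2_000),
    FlowWindow("10.0.0.7", distinct_dst_ports=2, periodic_beacons=6, bytes_out=5_000_000, bytes_in=100_000),
    FlowWindow("10.0.0.7", distinct_dst_ports=2, periodic_beacons=0, bytes_out=1_000, bytes_in=5_000),
    FlowWindow("10.0.0.7", distinct_dst_ports=2, periodic_beacons=0, bytes_out=1_000, bytes_in=5_000),
]

if __name__ == "__main__":
    for (label, rule), w in zip(run(SAMPLE), SAMPLE):
        print(f"{w.host}: label={label} -> rule={rule}")
```

Over the sample windows the host's label moves recon, c2, exfil, then decays back through c2 to benign, and the rule activated each window follows the label through the mapping. The evidence trail records which flow features drove each label change, which is the kind of record the abstract says a blocking-only approach lacks during traceability.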

Description

Technical field

[0001] The invention relates to the technical field of computer network security, in particular to a threat response method and device based on threat intelligence and ATT&CK.

Background technique

[0002] With the increasing openness and complexity of the Internet and the rapid development of new information technologies such as big data, cloud computing, the Internet of Things, and 5G mobile communication networks, cyberspace threats are also developing towards generalization and complexity. Network security defense based on threat intelligence can analyze existing intrusions in a timely manner, judge future threat situations, and assess potential security risks based on this to guide users to make effective security decisions.

[0003] Traditional security protection only relies on firewalls, IDS, IPS and other security devices deployed on borders or special nodes for static control, implements network security monitoring based on feature detection, and ge...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06F21/53, G06F21/55, G06F21/56, G06N20/00
CPC: H04L63/1416, H04L63/1491, H04L63/20, G06F21/552, G06F21/53, G06F21/562, G06N20/00
Inventors: 任传伦郭世泽冯景瑜张威刘晓影张先国俞赛赛乌吉斯古愣王玥闫慧孟祥頔夏建民金波刘文瀚
Owner: NO 15 INST OF CHINA ELECTRONICS TECH GRP