Abstract
In response to the escalation of hacker attack techniques and the diversification and increasing intelligence of attack methods, relying solely on fixed models and rules no longer yields accurate assessment of threat objects. An interactive threat assessment system is therefore designed to assist security operations staff in threat assessment. The system consists of data collection, data modeling, model analysis, threat assessment, assessment report, retrieval analysis, and situation monitoring modules. The interactive threat assessment process first obtains at least one alert event together with its initial threat score. The various capabilities of the interactive assessment toolbox are then used to collect clues about the alert event, including PCAP packet analysis, sandbox detection of suspicious files, and traffic analysis; during use, specific tools are recommended intelligently on the basis of learning from historical knowledge. The clues mined with the interactive assessment toolbox generate evidence of different levels, and the system automatically recalculates and updates the threat score according to the threat score algorithm, finally obtaining the threat score of the alert event. Practice has shown that the system achieves highly accurate and comprehensive assessment of the threat level of alert events.
Author
Wang Shifeng (Beijing Topsec Network Security Technology Co., Ltd., Beijing 100089)
Source
Journal of Information Security Research (《信息安全研究》)
Indexed in CSCD and the Peking University Core Journal list
2024, No. 6, pp. 574-578 (5 pages)
Keywords
interactive
threat assessment
network security
collaborative analysis
toolbox
Author biography
Wang Shifeng, master's degree. Main research interests: data security and big data security. 928795706@qq.com