
Design And Implementation Of Threat Intelligence Platform Based On ScyllaDB

Posted on: 2022-06-23
Degree: Master
Type: Thesis
Country: China
Candidate: C R Hao
Full Text: PDF
GTID: 2518306563465844
Subject: Software engineering
Abstract/Summary:
With cyber security incidents occurring in recent years and cyber attacks tending to become organized and large-scale, threat intelligence is particularly important to cyber security: a single piece of threat intelligence can often be correlated with further relevant threat intelligence and incident information. The author's internship department has built a high-performance threat intelligence platform with a large volume of accurate data, based on the rich intelligence data accumulated over the years and a mature technology stack. We have also actively researched the actual business needs of security analysts in order to iterate and innovate on the system's functionality.

This paper focuses on the design and implementation of a threat intelligence platform that not only enables the operation of threat prediction data and the search and presentation of threat intelligence, but also gives security analysts intuitive correlations between intelligence items, and a high degree of freedom in node operations, through correlation diagrams. The core business cases of the system are: intelligence data operation module, intelligence search module, file intelligence module, IP intelligence module, domain intelligence module and graph analysis module. The author has designed and implemented the following parts:

(1) Intelligence data operation module: enables data operators to operate on and analyze forecast data efficiently.
(2) Intelligence query module: provides users with a clear search interface and practical support functions.
(3) File intelligence module: provides users with a wealth of document intelligence.
(4) IP intelligence module: aggregates accurate and rich IP intelligence.
(5) Domain intelligence module: enables users to use IPs and domain names in conjunction with each other for security analysis.
(6) Graph analysis module: enables intelligence correlation analysis and allows multi-functional manipulation of the nodes in the graph with a high degree of freedom.

The above functions are implemented in accordance with software engineering specifications. The system is mainly based on the ScyllaDB high-performance NoSQL database, supplemented by the TiDB and MySQL relational databases for data storage. Back-end development uses Golang and the Iris framework, and front-end development uses the Vue framework and D3.js. The overall architecture separates the front end from the back end, in line with the design guidelines of high cohesion and low coupling. After functional and non-functional testing, the threat intelligence platform implemented in this paper has met the expected objectives and gone live to provide accurate and efficient security analysis services.
Keywords/Search Tags:Threat Intelligence, ScyllaDB, Security Analysis, D3.js