CN108076006A - Method for finding an attacked host, and log management server - Google Patents
- Publication number: CN108076006A
- Application number: CN201610989051.0A
- Authority: CN (China)
- Prior art keywords: address, log, malicious, url, addresses
- Prior art date: (not listed)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
            - H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
An embodiment of the invention discloses a method for finding an attacked host, and a log management server. It relates to the communications field and addresses the problem that a network administrator searching for attacked hosts spends a long time and achieves a low accuracy rate. The scheme is as follows: a log management server receives a query request from a query device; from the first IP address and the target event type carried in the received query request, together with all pre-stored log data, it determines a target IP address, which is the IP address used by an attacked host in the managed host set; and it sends the determined target IP address to the query device, so that the query device receives and displays the target IP address coming from the log management server. The embodiment is used in the process of finding attacked hosts.
Description
Technical field
Embodiments of the present invention relate to the communications field, and in particular to a method for finding an attacked host and a log management server.
Background technology
An Advanced Persistent Threat (APT) is a form of attack in which an attacker carries out a long-duration network attack against a specific target. The "advanced" nature of an APT lies in the fact that, before launching the attack, the attacker must accurately collect business information about the target. While collecting this information, the attacker actively analyses vulnerabilities in the applications used by the target and exploits those vulnerabilities to achieve illegitimate goals such as stealing the target's core data, which threatens the data security of the targeted enterprise.
To protect enterprise data under an APT scenario, the administrators of the enterprise network can analyse the log data of all hosts in the network to find the attacked hosts and take protective measures on them, so that data is not stolen.
The prior art has at least the following problem: finding the attacked hosts depends on the personal experience of the network administrator, which takes a long time and yields a low accuracy rate.
The content of the invention
Embodiments of the present invention provide a method for finding an attacked host and a log management server, solving the problem that a network administrator spends a long time and achieves a low accuracy rate when searching for attacked hosts.
To achieve the above objective, the embodiments adopt the following technical scheme.
In a first aspect, a method for finding an attacked host is provided, including:
A log management server receives a query request from a query device. The query request carries a first IP address and a target event type that indicates a URL-anomaly event; the first IP address is the IP address of a first host in the managed host set. After receiving the query request, the log management server determines, from the first IP address, the target event type and all pre-stored log data, the IP address used by an attacked host in the managed host set, that is, the target IP address, and sends the target IP address to the query device.
Log data is stored as entries; each log entry includes the source IP address of the session it records and the URL accessed in that session. The source IP address is the IP address of a host in the managed host set.
With the method provided by this embodiment, when the log management server receives a query request from the query device, it determines the IP address used by the attacked host from the received query request and the pre-stored log data, and sends that IP address to the query device. A network administrator who needs to find attacked hosts therefore only has to enter a host IP address and a target event type on the query device to see directly the IP addresses used by attacked hosts, and thus identify those hosts. This solves the problem that a network administrator spends a long time and achieves a low accuracy rate when searching for attacked hosts.
With reference to the first aspect, in one possible implementation of the first aspect, the log management server determining the target IP address from the first IP address, the target event type and all pre-stored log data can specifically include: the log management server obtains, from all pre-stored log data, at least one log entry whose source IP address is the first IP address, giving a first log data set; it obtains the URL contained in each entry of the first log data set, giving a first URL set; and it obtains the URLs in the first URL set that meet the target event type, as malicious URLs. The log management server then obtains, from all pre-stored log data, at least one log entry whose source IP address is a second IP address, and when it determines that one of those entries contains a malicious URL, it determines that the second IP address is a target IP address. The second IP address is the IP address of a second host in the managed host set.
With reference to the first aspect and the possible implementation above, in another possible implementation of the first aspect, the log management server obtaining the URLs in the first URL set that meet the target event type, as malicious URLs, can specifically include: the log management server obtains the domain name of each URL in the first URL set and merges the URLs in the first URL set that share the same domain name, giving a third URL set that contains the merged URLs. It then deletes from the third URL set the URLs that do not meet the target event type; the URLs remaining after deletion are the malicious URLs. A URL that does not meet the target event type is a URL containing a normal domain name.
Deleting the URLs that do not meet the target event type from the third URL set, the remaining URLs being the malicious URLs, can specifically include: the log management server obtains the domain name of each URL in the third URL set and obtains a reputation indicator for each domain name, the reputation indicator being either a normal indicator or an abnormal indicator. It deletes from the third URL set the URLs whose domain name has a normal reputation indicator; the URLs remaining after deletion are the malicious URLs.
With reference to the first aspect and the possible implementations above, in another possible implementation of the first aspect, in order to further shorten the time the network administrator spends finding attacked hosts and to further improve the accuracy rate, after the log management server obtains the URLs in the first URL set that meet the target event type as malicious URLs, the method can further include: the log management server looks up the IP address that provides the page identified by a malicious URL, as a malicious IP address. Each log entry then also includes the destination IP address of the session it records. The log management server determining the second IP address as a target IP address when one of the log entries whose source IP address is the second IP address contains a malicious URL can specifically include: the log management server obtains the destination IP address of each log entry whose source IP address is the second IP address, giving a destination IP address set, and when it determines that the destination IP address set contains a malicious IP address, it determines that the second IP address is a target IP address.
Alternatively, the log management server determining the second IP address as a target IP address when one of the log entries whose source IP address is the second IP address contains a malicious URL can specifically include: the log management server obtains the URL contained in each log entry whose source IP address is the second IP address, giving a second URL set, and when it determines that the second URL set contains a malicious URL, it determines that the second IP address is a target IP address.
With reference to the first aspect and the possible implementations above, in another possible implementation of the first aspect, the method can further include: the log management server sends the malicious IP addresses to the query device.
With reference to the first aspect and the possible implementations above, in another possible implementation of the first aspect, if there are at least two malicious IP addresses, then in order for the network administrator to see intuitively how malicious each address is and to defend first against the more malicious ones, before the log management server sends the malicious IP addresses to the query device the method can further include: for each malicious IP address, the log management server filters out of all log data at least one log entry containing that malicious IP address and, from the source IP addresses in the filtered entries, determines the number of IP addresses that communicated with the malicious IP address. It then sorts the at least two malicious IP addresses by the number of IP addresses that communicated with each, giving at least two sorted malicious IP addresses. Correspondingly, the log management server sending the malicious IP addresses to the query device can specifically include: the log management server sends the at least two sorted malicious IP addresses to the query device.
With reference to the first aspect and the possible implementations above, in another possible implementation of the first aspect, each log entry also includes the access time of the session it records, and the at least two malicious IP addresses include a first malicious IP address and a second malicious IP address. If the number of IP addresses that communicated with the first malicious IP address equals the number that communicated with the second malicious IP address, then before the log management server sends the at least two sorted malicious IP addresses to the query device the method can further include: the log management server filters out of all log data at least one log entry containing the first malicious IP address and obtains from the filtered entries the earliest time at which the first malicious IP address communicated with a source IP address; likewise it filters out of all log data at least one log entry containing the second malicious IP address and obtains from the filtered entries the earliest time at which the second malicious IP address communicated with a source IP address. The log management server then sorts the first and second malicious IP addresses by the order of their earliest communication with a source IP address and uses the result as the sorted malicious IP addresses to be sent.
With reference to the first aspect and the possible implementations above, in another possible implementation of the first aspect, if there are at least two target IP addresses, then in order for the network administrator to take protective measures first on the host that was attacked first, before the log management server sends the target IP addresses to the query device the method can further include: the log management server obtains from all log data the log entries that contain both a target IP address and a malicious IP address, giving a second log data set. From the second log data set it determines the number of malicious IP addresses that communicated with each target IP address and sorts the at least two target IP addresses by that number. Correspondingly, the log management server sending the target IP addresses to the query device can specifically include: the log management server sends the at least two sorted target IP addresses to the query device.
With reference to the first aspect and the possible implementations above, in another possible implementation of the first aspect, the at least two target IP addresses include a first target IP address and a second target IP address. When the number of malicious IP addresses that communicated with each target IP address is the same, then before the log management server sends the at least two sorted target IP addresses to the query device the method can further include: the log management server filters out of the second log data set at least one log entry containing the first target IP address and obtains from the filtered entries the earliest time at which the first target IP address communicated with a malicious IP address; likewise it filters out of the second log data set at least one log entry containing the second target IP address and obtains from the filtered entries the earliest time at which the second target IP address communicated with a malicious IP address. The log management server then sorts the first and second target IP addresses by the order of their earliest communication with a malicious IP address and uses the result as the sorted target IP addresses to be sent.
In a second aspect, a method for finding an attacked host is provided, including:
A log management server receives, from a query device, a query request containing a malicious IP address, the malicious IP address being an IP address used by an attacker launching a network attack. From the malicious IP address and all pre-stored log data, the log management server determines the IP address used by an attacked host in the managed host set, that is, the target IP address, and sends the determined target IP address to the query device.
Log data is stored as entries; each log entry includes the source IP address of the session it records, and the source IP address is the IP address of a host in the managed host set.
With the method provided by this embodiment, when the log management server receives a query request from the query device, it determines the IP address used by the attacked host from the received query request and the pre-stored log data, and sends that IP address to the query device. A network administrator who needs to find attacked hosts therefore only has to enter a malicious IP address on the query device to see directly the IP addresses used by attacked hosts, and thus identify those hosts. This solves the problem that a network administrator spends a long time and achieves a low accuracy rate when searching for attacked hosts.
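The first-aspect procedure above (malicious-URL extraction with domain merging and reputation filtering, target lookup by URL or by resolved malicious IP, and the count-then-earliest-contact ordering of both malicious IPs and targets) and the second-aspect query by malicious IP, written out as an added Python example; this is not the patent's own code. All log entries, the reputation table and the URL-to-IP resolution table are constructed sample data, the function names are this example's own, and treating a domain with no reputation entry as not-normal (kept) is an assumption.

```python
"""Log-correlation lookup of attacked hosts (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LogEntry:
    """One log entry: the session's source host, destination, URL and access time."""
    src_ip: str
    dst_ip: str
    url: str
    ts: int  # access time in seconds (constructed)


# Constructed log data for four managed hosts; 10.0.0.5 plays the "first host".
LOGS: List[LogEntry] = [
    LogEntry("10.0.0.5", "198.51.100.1", "http://intranet.example/home", 100),
    LogEntry("10.0.0.7", "203.0.113.10", "http://evil.test/payload", 105),
    LogEntry("10.0.0.5", "203.0.113.10", "http://evil.test/payload", 110),
    LogEntry("10.0.0.5", "203.0.113.20", "http://c2.test/beacon", 120),
    LogEntry("10.0.0.5", "203.0.113.10", "http://evil.test/stage2", 130),
    LogEntry("10.0.0.7", "198.51.100.2", "http://cdn.example/lib.js", 140),
    LogEntry("10.0.0.9", "203.0.113.20", "http://c2.test/beacon", 150),
    LogEntry("10.0.0.9", "203.0.113.10", "http://evil.test/stage2", 160),
    LogEntry("10.0.0.11", "198.51.100.1", "http://intranet.example/home", 170),
]

# Constructed reputation table: the "normal" / "abnormal" indicator per domain.
REPUTATION: Dict[str, str] = {
    "intranet.example": "normal",
    "cdn.example": "normal",
    "evil.test": "abnormal",
    "c2.test": "abnormal",
}

# Constructed stand-in for resolving the page behind a URL to its IP address.
RESOLVED: Dict[str, str] = {"evil.test": "203.0.113.10", "c2.test": "203.0.113.20"}


def domain_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def malicious_urls(logs: List[LogEntry], first_ip: str, reputation: Dict[str, str]) -> Set[str]:
    """First log set -> first URL set -> merge by domain -> delete normal domains."""
    first_urls = {e.url for e in logs if e.src_ip == first_ip}
    by_domain: Dict[str, Set[str]] = defaultdict(set)
    for url in first_urls:
        by_domain[domain_of(url)].add(url)  # URLs sharing a domain are merged
    kept: Set[str] = set()
    for domain, urls in by_domain.items():
        # One reputation lookup per merged domain. Only a domain explicitly
        # marked normal is deleted; an unknown domain is kept (assumption).
        if reputation.get(domain) != "normal":
            kept |= urls
    return kept


def resolve_malicious_ips(urls: Iterable[str], resolved: Dict[str, str]) -> Set[str]:
    """Malicious IP = the address serving the page a malicious URL identifies."""
    return {resolved[domain_of(u)] for u in urls if domain_of(u) in resolved}


def targets_by_url(logs: List[LogEntry], bad_urls: Set[str]) -> Set[str]:
    """Hosts whose own log entries contain a malicious URL (the first host included)."""
    return {e.src_ip for e in logs if e.url in bad_urls}


def targets_by_ip(logs: List[LogEntry], bad_ips: Set[str]) -> Set[str]:
    """Hosts whose destination-IP set contains a malicious IP. This also answers
    the second-aspect query, where the administrator supplies the malicious IP."""
    return {e.src_ip for e in logs if e.dst_ip in bad_ips}


def _rank(keys: Set[str], peers: Dict[str, Set[str]], first_seen: Dict[str, int]) -> List[str]:
    # Most distinct peers first; ties broken by earliest contact, then by address.
    return sorted(keys, key=lambda k: (-len(peers.get(k, ())), first_seen.get(k, 1 << 62), k))


def rank_malicious_ips(logs: List[LogEntry], bad_ips: Set[str]) -> List[str]:
    """Order malicious IPs by how many source hosts reached them, then by first contact."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    first_seen: Dict[str, int] = {}
    for e in logs:
        if e.dst_ip in bad_ips:
            peers[e.dst_ip].add(e.src_ip)
            first_seen[e.dst_ip] = min(first_seen.get(e.dst_ip, e.ts), e.ts)
    return _rank(bad_ips, peers, first_seen)


def rank_targets(logs: List[LogEntry], targets: Set[str], bad_ips: Set[str]) -> List[str]:
    """Order attacked hosts by how many malicious IPs they reached, then by first contact."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    first_seen: Dict[str, int] = {}
    for e in logs:  # the "second log data set": entries pairing a target with a malicious IP
        if e.src_ip in targets and e.dst_ip in bad_ips:
            peers[e.src_ip].add(e.dst_ip)
            first_seen[e.src_ip] = min(first_seen.get(e.src_ip, e.ts), e.ts)
    return _rank(targets, peers, first_seen)


if __name__ == "__main__":
    bad_urls = malicious_urls(LOGS, "10.0.0.5", REPUTATION)
    bad_ips = resolve_malicious_ips(bad_urls, RESOLVED)
    print("malicious URLs:", sorted(bad_urls))
    print("malicious IPs (ranked):", rank_malicious_ips(LOGS, bad_ips))
    print("attacked hosts (ranked):", rank_targets(LOGS, targets_by_ip(LOGS, bad_ips), bad_ips))
```

Running the file prints the malicious URLs found from the first host's entries, the malicious IPs ordered by how many managed hosts reached them, and the attacked hosts ordered by how many malicious IPs they contacted; 10.0.0.5 and 10.0.0.9 tie on that count and are separated by their earliest malicious contact, which is the patent's tie-break.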
In a third aspect, a log management server is provided that has the function of implementing the behaviour of the log management server in the method designs above. The function can be implemented by hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the function above.
In one possible implementation, the log management server includes at least one processor, a memory, a communication interface and a communication bus. The at least one processor is connected to the memory and the communication interface via the communication bus; the memory stores computer-executable instructions, and when the log management server runs, the processor executes the computer-executable instructions stored in the memory, so that the log management server performs the method for finding an attacked host of the first aspect or of any possible implementation of the first aspect.
In another possible implementation, the log management server includes at least one processor, a memory, a communication interface and a communication bus. The at least one processor is connected to the memory and the communication interface via the communication bus; the memory stores computer-executable instructions, and when the log management server runs, the processor executes the computer-executable instructions stored in the memory, so that the log management server performs the method for finding an attacked host of the second aspect or of any possible implementation of the second aspect.
In a fourth aspect, a computer storage medium is provided for storing the computer software instructions used by the log management server above; the computer software instructions include the program designed to perform the method for finding an attacked host described above.
Description of the drawings
Fig. 1 is a schematic diagram of a network architecture applied to an APT scenario;
Fig. 2 is a simplified schematic diagram of a system architecture to which an embodiment of the present invention can be applied;
Fig. 3 is a schematic diagram of the composition of a log management server provided by an embodiment of the present invention;
Fig. 4 is a flow chart of a method for finding an attacked host provided by an embodiment of the present invention;
Fig. 5 is a flow chart of another method for finding an attacked host provided by an embodiment of the present invention;
Fig. 6 is a flow chart of another method for finding an attacked host provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of a display of a query device provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of a display of another query device provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of a display of another query device provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of a display of another query device provided by an embodiment of the present invention;
Fig. 11 is a schematic diagram of a display of another query device provided by an embodiment of the present invention;
Fig. 12 is a flow chart of another method for finding an attacked host provided by an embodiment of the present invention;
Fig. 13 is a schematic diagram of a display of another query device provided by an embodiment of the present invention;
Fig. 14 is a schematic diagram of a display of another query device provided by an embodiment of the present invention;
Fig. 15 is a schematic diagram of the composition of another log management server provided by an embodiment of the present invention.
Specific embodiment
Fig. 1 is a schematic diagram of a network architecture applied to an APT scenario. The network architecture includes: multiple hosts in the enterprise network, a router deployed at the core network layer, a flow probe device, and the log management server contained in the Network Security Intelligence System (CIS). The flow probe device is connected to the host located at the egress of the enterprise network and to the log management server contained in the CIS. The hosts in the enterprise network can access the internet through the router deployed at the core network layer.
By deploying a flow probe device at the egress of the enterprise network, the traffic of the enterprise network can be monitored, and the log data generated when users access the internet through each host in the enterprise network can be obtained. The flow probe device can also forward the captured network traffic and log data to the log management server contained in the CIS. After receiving the network traffic and log data, the log management server can store them so that network administrators can query the data they need.
In the scenario shown in Fig. 1, when a network administrator needs to find attacked hosts, the log management server can only return to the administrator the log data associated with a host IP address or with a certain event type. The administrator then has to find the attacked hosts from personal experience, which consumes a great deal of the administrator's time and yields search results of low accuracy. To solve the problem that a network administrator spends a long time and achieves a low accuracy rate when searching for attacked hosts, the embodiment provides a method for finding an attacked host whose basic principle is: a log management server receives a query request from a query device; from the first IP address and the target event type carried in the received query request, together with all pre-stored log data, it determines a target IP address, which is the IP address used by an attacked host in the managed host set; and it sends the determined target IP address to the query device, so that the query device receives and displays the target IP address coming from the log management server. A network administrator who needs to find attacked hosts therefore only has to enter a host IP address and a target event type on the query device to see directly the IP addresses used by attacked hosts, and thus identify those hosts. This solves the problem that a network administrator spends a long time and achieves a low accuracy rate when searching for attacked hosts.
Embodiments of the present invention are described in detail below with reference to the drawings.
Fig. 2 shows a simplified schematic diagram of a system architecture to which the embodiment can be applied. As shown in Fig. 2, the system architecture can include at least one log management server 11 and a query device 12.
The at least one log management server 11 stores the network traffic generated when users access the internet through each host in the enterprise network. The network traffic can be divided into Domain Name System (DNS) traffic and non-DNS traffic, where non-DNS traffic is all traffic other than DNS traffic. All hosts in the enterprise network form the managed host set. The at least one log management server 11 also stores the log data generated when users access the internet through each host. This log data is stored in a distributed manner across multiple log management servers 11 to 16, and the log data stored there can be obtained from network devices such as flow probe devices, switches and routers.
Note that in the embodiments of the present invention, log data is stored as entries; each log entry contains the source IP address and destination IP address of the session it records, the URL accessed in the session, the access time of the session, and so on. The source IP address is the IP address of a host in the managed host set.
In one specific implementation, as shown in Fig. 2, the system architecture includes five log management servers: log management server 11, log management server 13, log management server 14, log management server 15 and log management server 16. Log data can be stored in a distributed manner across log management servers 11, 13, 14, 15 and 16.
The query device 12 provides a query interface for the network administrator and displays the data returned by the log management server.
In a specific implementation, the query device can be a mobile phone, a tablet computer, a laptop, an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA), and so on.
Fig. 3 is a schematic diagram of the composition of a log management server provided by an embodiment of the present invention. As shown in Fig. 3, the log management server can include at least one processor 21, a memory 22, a communication interface 23 and a communication bus 24.
Each component of the log management server is introduced below with reference to Fig. 3.
The processor 21 is the control centre of the log management server; it may be a single processor or the collective name for multiple processing elements. For example, the processor 21 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiment of the present invention, such as one or more microprocessors (digital signal processors, DSP) or one or more field-programmable gate arrays (FPGA).
The processor 21 performs the various functions of the log management server by running or executing the software program stored in the memory 22 and calling the data stored in the memory 22.
In a specific implementation, as one embodiment, the processor 21 can include one or more CPUs, such as CPU0 and CPU1 shown in Fig. 3.
In a specific implementation, as one embodiment, the log management server can include multiple processors, such as the processor 21 and the processor 25 shown in Fig. 3. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). Here, a processor may refer to one or more devices, circuits and/or processing cores for processing data (such as computer program instructions).
The memory 22 may be read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. The memory 22 may exist independently and be connected to the processor 21 via the communication bus 24, or may be integrated with the processor 21.
The memory 22 stores the software program that carries out the scheme of the present invention, and its execution is controlled by the processor 21.
The communication interface 23, using any transceiver-type device, is for communicating with other devices or communication networks, such as Ethernet, a radio access network (RAN), or a wireless local area network (WLAN). The communication interface 23 can include a receiving unit implementing the receive function and a transmitting unit implementing the transmit function.
The communication bus 24 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, and so on. The bus can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation it is drawn as a single thick line in Fig. 3, which does not mean there is only one bus or only one type of bus.
The device structure shown in Fig. 3 does not limit the log management server, which may include more or fewer components than shown, combine some components, or arrange the components differently.
Fig. 4 is a flow chart of a method for finding an attacked host provided by an embodiment of the present invention. As shown in Fig. 4, the method may include:
Step 301: the query device obtains the first IP address and the target event type input by the network administrator.
Here, the first IP address is the IP address of a first host in the managed host set, and the target event type is used to indicate a URL exception event.
When a host in the enterprise network is attacked from outside the enterprise network, the network traffic generated by that host accessing the Internet may rise suddenly. Therefore, the log management server can judge whether a host in the enterprise network is under attack according to the network traffic generated by the hosts in the enterprise network accessing the Internet. When a network security device such as a firewall or an intrusion detection system determines that a host in the enterprise network is under attack, it can send an alarm indication to the network administrator to notify the administrator that a malicious attack exists. When the network administrator learns that a malicious attack exists, in order to determine the attacked host, the administrator can input the first IP address and the target event type in the display interface of the query device; at this point the query device obtains the first IP address and the target event type input by the network administrator.
Step 302: the query device sends a query request to the log management server.
After the query device obtains the first IP address and the target event type input by the network administrator, it can send to the log management server a query request carrying the first IP address and the target event type.
Step 303: the log management server receives the query request from the query device.
Step 304: the log management server determines the target IP address according to the first IP address, the target event type, and all the pre-stored log data.
After the log management server receives the query request from the query device, it can determine, according to the first IP address and the target event type included in the query request and all the pre-stored log data, the IP address used by the attacked host in the managed host set, that is, the target IP address.
Step 305: the log management server sends the target IP address to the query device.
Step 306: the query device receives the target IP address from the log management server.
Step 307: the query device displays the target IP address.
After the query device receives the target IP address from the log management server, it can display the target IP address. In this way, the network administrator can determine the attacked host according to the displayed target IP address and take protective measures for the attacked host, so that the enterprise's data is prevented from being leaked.
In the method for finding an attacked host provided by the embodiment of the present invention, when the log management server receives a query request from the query device, it determines the IP address used by the attacked host according to the received query request and the pre-stored log data, and sends the IP address used by the attacked host to the query device. Consequently, when the network administrator needs to find the attacked host, the administrator only needs to input the IP address of a host and the target event type on the query device to directly view the IP address used by the attacked host, and thereby determine the attacked host. This solves the problem that the network administrator spends a long time finding the attacked host and that the accuracy rate is low.
Fig. 5 is a flow chart of another method for finding an attacked host provided by an embodiment of the present invention. As shown in Fig. 5, the method may include:
Step 401: the query device obtains the malicious IP address input by the network administrator.
Here, the malicious IP address is the IP address used by the attacker launching the network attack. In the case where the network administrator knows the IP address used by the attacker launching the network attack, when the administrator learns that a malicious attack exists, the administrator can directly input the malicious IP address in the display interface of the query device.
Step 402: the query device sends a query request to the log management server, the query request carrying the malicious IP address.
Step 403: the log management server receives the query request from the query device.
Step 404: the log management server determines the target IP address according to the malicious IP address and all the pre-stored log data.
After the log management server receives the query request from the query device, it can determine, according to the malicious IP address included in the query request and all the pre-stored log data, the IP address used by the attacked host in the managed host set, that is, the target IP address.
Step 405: the log management server sends the target IP address to the query device.
Step 406: the query device receives the target IP address from the log management server.
Step 407: the query device displays the target IP address.
In the method for finding an attacked host provided by the embodiment of the present invention, when the log management server receives a query request from the query device, it determines the IP address used by the attacked host according to the received query request and the pre-stored log data, and sends the IP address used by the attacked host to the query device. Consequently, when the network administrator needs to find the attacked host, the administrator only needs to input the malicious IP address on the query device to directly view the IP address used by the attacked host, and thereby determine the attacked host. This solves the problem that the network administrator spends a long time finding the attacked host and that the accuracy rate is low.
Fig. 6 is a flow chart of another method for finding an attacked host provided by an embodiment of the present invention. As shown in Fig. 6, the method may include:
Step 501: the query device obtains the first IP address and the target event type input by the network administrator.
After the query device obtains the first IP address and the target event type input by the network administrator, it can display the obtained first IP address and target event type in the character input region of the query device.
Illustratively, assume that the first IP address input by the network administrator and obtained by the query device is 192.168.102.55, and that the target event type is event type:URL. As shown in Fig. 7, "192.168.102.55 and event type:URL" can be displayed in the character input region.
Step 502: the query device sends a query request to the log management server.
Step 503: the log management server receives the query request from the query device.
After the log management server receives the query request from the query device, it can determine, according to the first IP address, the target event type, and all the pre-stored log data, the IP address used by the attacked host in the managed host set, that is, the target IP address. Specifically, the following steps 504 to 510 can be performed:
Step 504: the log management server obtains the first log data set from all the pre-stored log data.
Here, the first log data set includes at least one piece of log data whose source IP address is the first IP address. The log management server can filter out of all the pre-stored log data the log data whose source IP address is the first IP address, to obtain the first log data set.
Step 505: the log management server obtains the first URL set.
Here, the first URL set includes the URL included in every piece of log data in the first log data set. After the log management server obtains the first log data set, it can take the URL included in each piece of log data in the first log data set to obtain the first URL set.
Illustratively, assume that the first URL set obtained by the log management server includes five URLs, namely:
http://1234.com/cn/ijvsdadld.net,
http://qllyx.com/cn/solutions/industries/public-safety,
http://ABC.com/cn/lyxtwcadic,
http://xyz.com/cn/hqdhwkppjd,
http://qllyx.com/cn/solutions/industries/education.
After the log management server obtains the first URL set, it can obtain the URLs in the first URL set that meet the target event type, as the malicious URLs. Specifically, the following steps 506 and 507 can be performed.
Step 506: the log management server obtains the domain name of each URL in the first URL set, and merges the URLs in the first URL set that have the same domain name, to obtain the third URL set.
Here, the third URL set includes the URLs after the merging process.
Illustratively, following the example in step 505, assume that in the obtained first URL set the domain name of the first URL is 1234.com, the domain name of the second URL is qllyx.com, the domain name of the third URL is ABC.com, the domain name of the fourth URL is xyz.com, and the domain name of the fifth URL is qllyx.com. Thus the second URL and the fifth URL have the same domain name. At this point, the log management server can merge the second URL and the fifth URL. Assume that the merged URL is http://qllyx.com/cn/solutions/industries/. In this way, the third URL set obtained by the log management server includes four URLs, namely:
http://1234.com/cn/ijvsdadld.net,
http://ABC.com/cn/lyxtwcadic,
http://xyz.com/cn/hqdhwkppjd,
http://qllyx.com/cn/solutions/industries/.
Step 507: the log management server deletes from the third URL set the URLs that do not meet the target event type; the URLs remaining in the third URL set after the deletion are the malicious URLs.
Here, a URL that does not meet the target event type is a URL containing a normal domain name. Domain names are divided into normal domain names and abnormal domain names. Whether a domain name is normal or abnormal can be determined by the reputation corresponding to the domain name. The reputation can be represented by a numerical value or by an indicator. The log management server can obtain the numerical value or indicator representing a domain name's reputation by interacting with a reputation server.
When the reputation is represented by a numerical value, normal and abnormal domain names can be distinguished according to a preset rule. For example, the reputation value of a domain name is a natural number between 1 and 100; when the value representing the domain name's reputation is greater than 60, the domain name is confirmed to be a normal domain name, and when the value is not greater than 60, the domain name is confirmed to be an abnormal domain name.
When the reputation is represented by an indicator, the log management server can first obtain the domain name of each URL in the third URL set and then obtain the reputation indicator of each domain name. The reputation indicator can include a normal indicator and an abnormal indicator. The log management server then deletes from the third URL set the URLs whose domain name has the normal reputation indicator; the URLs remaining in the third URL set after the deletion are the malicious URLs.
Illustratively, following the example in step 506, assume that in the obtained third URL set the domain name of the fourth URL is qllyx.com and its reputation indicator is the normal indicator. Therefore, the log management server can delete the fourth URL from the third URL set. In this way, the first URL, the second URL, and the third URL remaining in the third URL set after the deletion are the malicious URLs.
Of course, in the case where the log management server knows which URLs' domain names have the abnormal reputation indicator, it can also directly filter out of the third URL set the URLs whose domain name has the abnormal reputation indicator, to obtain the malicious URLs.
Step 508: the log management server looks up the IP address providing the page identified by the malicious URL, as the malicious IP address.
The log management server can obtain the IP address providing the page identified by the malicious URL in several ways.
In the case where the correspondence between malicious URLs and malicious IP addresses is pre-stored in the log management server, after obtaining the malicious URL the log management server can look up the pre-stored correspondence between malicious URLs and malicious IP addresses to obtain the IP address providing the page identified by the malicious URL, that is, the malicious IP address.
If the correspondence between malicious URLs and malicious IP addresses is not stored in the log management server, the log management server can look up the IP address providing the page identified by the malicious URL through a threat intelligence platform, in which the correspondence between malicious URLs and malicious IP addresses is stored.
Illustratively, following the example in step 507, assume that the log management server finds that the IP address providing the page identified by the first URL is 55.66.99.66, and that the IP address providing the pages identified by the second URL and the third URL is 55.66.99.58. Then the malicious IP addresses obtained by the log management server are 55.66.99.66 and 55.66.99.58.
The log server can also obtain the IP address providing the page identified by the malicious URL from the network message carrying the malicious URL. A network message carries a destination address and a source address; if the destination IP address of the network message carrying the malicious URL is the IP address of any host in the managed host set, then its source IP address is the malicious IP address.
Step 509: the log management server obtains, from all the pre-stored log data, at least one piece of log data whose source IP address is the second IP address.
Here, the second IP address is the IP address of a second host in the managed host set.
Step 510: when the log management server determines that one piece of the log data whose source IP address is the second IP address includes a malicious URL, it determines that the second IP address is the target IP address.
Here, the target IP address is the IP address used by the attacked host in the managed host set.
In the embodiment of the present invention, step 510 can be implemented in two ways.
Way one: step 510 may include the following steps 510A and 510B.
Step 510A: the log management server obtains the second URL set.
Here, the second URL set includes the URL included in every piece of log data whose source IP address is the second IP address. After the log management server obtains the log data whose source IP address is the second IP address, it can take the URL included in each of those pieces of log data to obtain the second URL set.
Step 510B: when the log management server determines that the second URL set includes a malicious URL, it determines that the second IP address is the target IP address.
After the log management server obtains the second URL set, it can judge whether the second URL set includes a malicious URL; if it determines that the second URL set includes a malicious URL, it can determine that the second IP address is the target IP address.
Way two: step 510 may include the following steps 510A' and 510B'.
Step 510A': the log management server obtains the destination IP address set.
Here, the destination IP address set includes the destination IP address of every piece of log data whose source IP address is the second IP address. After the log management server obtains the log data whose source IP address is the second IP address, it can take the destination IP address of each of those pieces of log data to obtain the destination IP address set.
Step 510B': when the log management server determines that the destination IP address set includes a malicious IP address, it determines that the second IP address is the target IP address.
After the log management server obtains the destination IP address set, it can judge whether the destination IP address set includes a malicious IP address; if it determines that the destination IP address set includes a malicious IP address, it can determine that the second IP address is the target IP address.
Illustratively, assume that the log management server determines that the IP addresses used by the attacked hosts in the managed host set are 192.168.102.45, 192.168.102.85, 192.168.102.95 and 192.168.102.10.
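As an added example (not code from the patent), the following Python runs steps 504 to 510 over constructed log records. The log records, the managed host set, the domain reputation table and the malicious-URL-to-IP table are constructed stand-ins for the stored log data, the reputation server and the threat intelligence platform; all function names are my own, and `targets_by_destination` with `first_ip=None` is also the destination-address check that the Fig. 12 flow (steps 604 to 606) makes for an input malicious IP address.

```python
import os
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed log records (one per Internet access by a managed host):
# src = source IP address, dst = destination IP address, url = requested URL.
LOGS = [
    {"src": "192.168.102.55", "dst": "55.66.99.66", "url": "http://1234.com/cn/ijvsdadld.net"},
    {"src": "192.168.102.55", "dst": "203.0.113.10", "url": "http://qllyx.com/cn/solutions/industries/public-safety"},
    {"src": "192.168.102.55", "dst": "55.66.99.58", "url": "http://ABC.com/cn/lyxtwcadic"},
    {"src": "192.168.102.55", "dst": "55.66.99.58", "url": "http://xyz.com/cn/hqdhwkppjd"},
    {"src": "192.168.102.55", "dst": "203.0.113.10", "url": "http://qllyx.com/cn/solutions/industries/education"},
    {"src": "192.168.102.45", "dst": "55.66.99.66", "url": "http://1234.com/cn/ijvsdadld.net"},
    {"src": "192.168.102.85", "dst": "203.0.113.10", "url": "http://qllyx.com/cn/solutions/industries/education"},
    {"src": "192.168.102.85", "dst": "55.66.99.58", "url": "http://ABC.com/cn/lyxtwcadic"},
    {"src": "192.168.102.85", "dst": "55.66.99.66", "url": "http://1234.com/cn/ijvsdadld.net"},
    {"src": "192.168.102.95", "dst": "55.66.99.66", "url": "http://1234.com/cn/ijvsdadld.net"},
    {"src": "192.168.102.10", "dst": "55.66.99.58", "url": "http://xyz.com/cn/hqdhwkppjd"},
    {"src": "192.168.102.20", "dst": "203.0.113.10", "url": "http://qllyx.com/cn/solutions/industries/education"},
]
# Constructed managed host set.
MANAGED_HOSTS = {"192.168.102.55", "192.168.102.45", "192.168.102.85",
                 "192.168.102.95", "192.168.102.10", "192.168.102.20"}
# Constructed reputation data (stand-in for the reputation server): either a
# numerical reputation value (normal when greater than 60) or an indicator.
DOMAIN_REPUTATION = {"1234.com": 12, "qllyx.com": "normal", "abc.com": "abnormal", "xyz.com": 40}
# Constructed malicious URL -> IP correspondence (stand-in for the stored
# correspondence or the threat intelligence platform of step 508).
URL_TO_IP = {
    "http://1234.com/cn/ijvsdadld.net": "55.66.99.66",
    "http://ABC.com/cn/lyxtwcadic": "55.66.99.58",
    "http://xyz.com/cn/hqdhwkppjd": "55.66.99.58",
}


def domain_of(url):
    """Domain name of a URL, lower-cased (domain names are case-insensitive)."""
    return urlsplit(url).hostname or ""


def merge_by_domain(urls):
    """Steps 505 and 506: merge URLs sharing a domain name into their longest
    common prefix, cut back to the last '/'; other URLs are kept as they are."""
    groups = OrderedDict()
    for url in urls:
        groups.setdefault(domain_of(url), []).append(url)
    merged = []
    for group in groups.values():
        if len(group) == 1:
            merged.append(group[0])
        else:
            prefix = os.path.commonprefix(group)
            merged.append(prefix[: prefix.rfind("/") + 1])
    return merged


def is_normal(reputation):
    """Step 507 rule: a value above 60, or the 'normal' indicator, is normal."""
    if isinstance(reputation, (int, float)):
        return reputation > 60
    return reputation == "normal"


def malicious_urls(urls, reputation_table):
    """Step 507: delete the URLs whose domain name is normal; the rest are
    malicious. A domain without a reputation record counts as not normal
    (an assumption of this example, not a rule from the patent)."""
    return [u for u in urls
            if not is_normal(reputation_table.get(domain_of(u), "unknown"))]


def malicious_ips(mal_urls, url_to_ip):
    """Step 508: IP addresses providing the pages the malicious URLs identify.
    A merged URL is a prefix, so every stored URL under it matches."""
    return sorted({ip for url, ip in url_to_ip.items()
                   if any(url.startswith(m) for m in mal_urls)})


def targets_by_url(logs, mal_urls, managed_hosts, first_ip):
    """Step 510, way one: a second host (a managed host other than the first)
    is attacked if its log data contains a malicious URL."""
    return sorted({rec["src"] for rec in logs
                   if rec["src"] in managed_hosts and rec["src"] != first_ip
                   and any(rec["url"].startswith(m) for m in mal_urls)})


def targets_by_destination(logs, mal_ips, managed_hosts, first_ip):
    """Step 510, way two: a second host is attacked if its log data has a
    malicious IP address as destination address."""
    return sorted({rec["src"] for rec in logs
                   if rec["src"] in managed_hosts and rec["src"] != first_ip
                   and rec["dst"] in mal_ips})


def find_attacked_hosts(logs, first_ip, managed_hosts=MANAGED_HOSTS,
                        reputation_table=DOMAIN_REPUTATION, url_to_ip=URL_TO_IP):
    """Steps 504 to 510 end to end: (malicious URLs, malicious IPs, target IPs)."""
    first_set = [rec for rec in logs if rec["src"] == first_ip]  # step 504
    mal_urls = malicious_urls(merge_by_domain([rec["url"] for rec in first_set]), reputation_table)
    mal_ips = malicious_ips(mal_urls, url_to_ip)
    return mal_urls, mal_ips, targets_by_destination(logs, mal_ips, managed_hosts, first_ip)
```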
Step 511: the log management server sends the malicious IP address to the query device.
After the log management server obtains the malicious IP address, it can send the obtained malicious IP address to the query device.
Further, if there are at least two malicious IP addresses, the log management server can first sort the at least two malicious IP addresses and then send the sorted at least two malicious IP addresses to the query device.
The log management server can sort the at least two malicious IP addresses by the following operation. Specifically: for each malicious IP address, the log management server can filter out of all the log data at least one piece of log data containing the malicious IP address, and determine, according to the source IP addresses included in the filtered-out log data, the number of IP addresses that communicated with the malicious IP address. The log management server then sorts the at least two malicious IP addresses in order of the number of IP addresses that communicated with each malicious IP address, to obtain the sorted at least two malicious IP addresses.
For the case where, among the at least two malicious IP addresses, two malicious IP addresses have the same number of communicating IP addresses, the following operation can be used to sort those two malicious IP addresses. Specifically: assume that the at least two malicious IP addresses include a first malicious IP address and a second malicious IP address, and that the number of IP addresses communicating with the first malicious IP address is the same as the number of IP addresses communicating with the second malicious IP address. At this point, the log management server can first filter out of all the log data at least one piece of log data containing the first malicious IP address and obtain from the filtered-out log data the time at which the first malicious IP address first communicated with a source IP address. The log management server then filters out of all the log data at least one piece of log data containing the second malicious IP address and obtains from the filtered-out log data the time at which the second malicious IP address first communicated with a source IP address. Finally, the log management server sorts the first malicious IP address and the second malicious IP address according to the order of the times of first communication with a source IP address, and uses the sorting result as the sorted at least two malicious IP addresses to be sent.
Illustratively, following the example in step 508, assume that the log management server determines that the number of IP addresses communicating with malicious IP address 55.66.99.66 is three, namely 192.168.102.45, 192.168.102.85 and 192.168.102.95, and that the number of IP addresses communicating with malicious IP address 55.66.99.58 is two, namely 192.168.102.85 and 192.168.102.10. Then the sorted malicious IP addresses obtained by the log management server are 55.66.99.66, 55.66.99.58.
Step 512: the log management server sends the target IP address to the query device.
After the log management server determines the target IP address, it can send the determined target IP address to the query device.
Further, if there are at least two target IP addresses, the log management server can first sort the at least two target IP addresses and then send the sorted at least two target IP addresses to the query device.
The log management server can sort the at least two target IP addresses by the following operation. Specifically: the log management server can obtain from all the log data at least one piece of log data that contains both a target IP address and a malicious IP address, to obtain the second log data set, and determine on the basis of the second log data set the number of malicious IP addresses that communicated with each target IP address. The log management server then sorts the at least two target IP addresses in order of the number of malicious IP addresses that communicated with each target IP address, to obtain the sorted at least two target IP addresses.
For the case where, among the at least two target IP addresses, two target IP addresses have the same number of communicating malicious IP addresses, the following operation can be used to sort those two target IP addresses. Specifically: assume that the at least two target IP addresses include a first target IP address and a second target IP address, and that the number of malicious IP addresses communicating with the first target IP address is the same as the number of malicious IP addresses communicating with the second target IP address. At this point, the log management server can first filter out of the second log data set at least one piece of log data containing the first target IP address and obtain from the filtered-out log data the time at which the first target IP address first communicated with a malicious IP address. The log management server can then filter out of the second log data set at least one piece of log data containing the second target IP address and obtain from the filtered-out log data the time at which the second target IP address first communicated with a malicious IP address. Finally, the log management server sorts the first target IP address and the second target IP address according to the order of the times of first communication with a malicious IP address, and uses the sorting result as the sorted at least two target IP addresses to be sent.
Illustratively, following the example in step 510, assume that the log management server determines that the number of malicious IP addresses communicating with 192.168.102.85 is two, namely 55.66.99.66 and 55.66.99.58, and that the number of malicious IP addresses communicating with 192.168.102.45 and with 192.168.102.95 is one, specifically 55.66.99.66. Assume further that the time at which 192.168.102.45 first communicated with malicious IP address 55.66.99.66 is determined to be four o'clock in the afternoon of June 9, and the time at which 192.168.102.95 first communicated with malicious IP address 55.66.99.66 is six o'clock in the afternoon of June 8. Then the sorted target IP addresses obtained by the log management server are: 192.168.102.85, 192.168.102.95, 192.168.102.45.
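As an added example (not code from the patent), the following Python implements the sorting rules of steps 511 and 512 with one shared ranking routine: most communicating counterparts first, ties broken by the earlier time of first communication. The log records are constructed to reproduce the figures in the two examples above, and the function names are my own.

```python
from datetime import datetime

# Constructed log records: (source IP address, destination IP address, time).
LOGS = [
    ("192.168.102.45", "55.66.99.66", "2016-06-09T16:00"),
    ("192.168.102.45", "55.66.99.66", "2016-06-09T17:00"),  # repeat contact: counted once
    ("192.168.102.85", "55.66.99.66", "2016-06-09T10:00"),
    ("192.168.102.85", "55.66.99.58", "2016-06-09T11:00"),
    ("192.168.102.95", "55.66.99.66", "2016-06-08T18:00"),
    ("192.168.102.10", "55.66.99.58", "2016-06-09T09:00"),
    ("192.168.102.20", "203.0.113.10", "2016-06-09T08:00"),  # benign destination, ignored
]
# Constructed results of step 508 (malicious IPs) and step 510 (target IPs).
MALICIOUS_IPS = {"55.66.99.66", "55.66.99.58"}
TARGET_IPS = {"192.168.102.45", "192.168.102.85", "192.168.102.95", "192.168.102.10"}


def contact_stats(logs, key_index, peer_index, key_ip, peers):
    """Number of distinct peers (any address when peers is None) that key_ip
    communicated with, and the time of the earliest such communication."""
    seen = set()
    earliest = datetime.max  # sorts last if there was no contact at all
    for rec in logs:
        if rec[key_index] == key_ip and (peers is None or rec[peer_index] in peers):
            seen.add(rec[peer_index])
            earliest = min(earliest, datetime.fromisoformat(rec[2]))
    return len(seen), earliest


def rank(logs, key_index, peer_index, key_ips, peers):
    """Sort key_ips by number of peers, most first; a tie is broken by the
    earlier first contact. The inner sorted() makes the output deterministic."""
    stats = {ip: contact_stats(logs, key_index, peer_index, ip, peers) for ip in key_ips}
    return sorted(sorted(key_ips), key=lambda ip: (-stats[ip][0], stats[ip][1]))


def rank_malicious_ips(logs, malicious_ips):
    """Step 511: malicious IPs (destination field) ranked by how many source
    IP addresses communicated with them."""
    return rank(logs, 1, 0, malicious_ips, None)


def rank_target_ips(logs, target_ips, malicious_ips):
    """Step 512: target IPs (source field) ranked by how many malicious IPs
    they communicated with, using only records holding both addresses."""
    return rank(logs, 0, 1, target_ips, malicious_ips)
```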
Step 513: the query device receives the malicious IP address from the log management server.
Step 514: the query device receives the target IP address from the log management server.
Step 515: the query device displays the malicious IP address and displays the target IP address.
Optionally, after the query device receives the malicious IP address and the target IP address from the log management server, it may first display the malicious IP address and then, after detecting a trigger operation by the network administrator on the displayed malicious IP address, display the target IP address corresponding to that malicious IP address. Here, the target IP address corresponding to a malicious IP address is the IP address used by the host that the attacker attacked using that malicious IP address. In this way, the network administrator can conveniently learn which hosts the attacker attacked using which malicious IP addresses.
Further, if there are at least two malicious IP addresses, the query device can receive and display the sorted at least two malicious IP addresses. Likewise, if there are at least two target IP addresses, the query device can receive and display the sorted at least two target IP addresses. Optionally, after detecting a trigger operation by the network administrator on a malicious IP address, the query device can display the sorted target IP addresses corresponding to that malicious IP address.
Illustratively, following the example in step 511, assume that the sorted malicious IP addresses are 55.66.99.66, 55.66.99.58. Therefore, as shown in Fig. 8, the query device can display 55.66.99.66, 55.66.99.58 in the first result display area.
Further, in order to let the network administrator see the malice degree of a malicious IP address more intuitively, the query device may also display a level icon in the first result display area. The level icon is used to indicate the malice degree of the malicious IP address. The query device may also display a trigger icon in the first result display area; the trigger icon is used to display the sorted target IP addresses.
The malice degree of a malicious IP address may be indicated by level icons of different shapes. Of course, level icons of the same shape but different colours may also be used to indicate the malice degree of a malicious IP address. Taking level icons of different shapes to indicate the sorted malicious IP addresses as an example, the display result is shown in Fig. 9. In this way, the network administrator can determine the malice degree of a malicious IP address from the displayed level icon, and thereby preferentially defend against the malicious IP address with the higher malice level.
Illustratively, following the example in step 512, the sorted target IP addresses corresponding to 55.66.99.66 are 192.168.102.85, 192.168.102.95, 192.168.102.45. Then, if the network administrator needs to query the hosts attacked by 55.66.99.66, the administrator can click, in Fig. 9, on 55.66.99.66 itself, or on the level icon corresponding to 55.66.99.66, or on the trigger icon corresponding to 55.66.99.66. After detecting the network administrator's trigger operation, the query device can display the sorted target IP addresses 192.168.102.85, 192.168.102.95, 192.168.102.45 in the second result display area. The second result display area may cover the first result display area, as shown in Fig. 10; alternatively, the second result display area may not cover the first result display area, as shown in Fig. 11.
In the method for finding an attacked host provided by the embodiment of the present invention, when the log management server receives a query request from the query device, it determines the IP address used by the attacked host according to the received query request and the pre-stored log data, and sends the IP address used by the attacked host to the query device. Consequently, when the network administrator needs to find the attacked host, the administrator only needs to input the IP address of a host and the target event type on the query device to directly view the IP address used by the attacked host, and thereby determine the attacked host. This solves the problem that the network administrator spends a long time finding the attacked host and that the accuracy rate is low.
Moreover, because the log management server determines the IP address used by the attacker when attacking the host, the time spent finding the attacked host is further shortened and the accuracy rate is further improved. The log management server sorts the malicious IP addresses, sorts the target IP addresses, and sends the sorted malicious IP addresses and the sorted target IP addresses to the query device, so that the network administrator can directly learn the order in which the hosts were attacked and thereby handle the host attacked first with priority.
Fig. 12 is a flow chart of another method for finding an attacked host provided by an embodiment of the present invention. As shown in Fig. 12, the method may include:
Step 601: the query device obtains the malicious IP address input by the network administrator.
Here, the malicious IP address is the IP address used by the attacker launching the network attack. After the query device obtains the malicious IP address input by the network administrator, it can display the obtained malicious IP address in the character input region of the query device.
Illustratively, assume that the malicious IP address input by the network administrator and obtained by the query device is 55.66.99.66. As shown in Fig. 13, 55.66.99.66 can be displayed in the character input region.
Step 602: the query device sends a query request to the log management server.
Step 603: the log management server receives the query request from the query device.
After the log management server receives the query request from the query device, it can determine, according to the malicious IP address and all the pre-stored log data, the IP address used by the attacked host in the managed host set, that is, the target IP address. Specifically, the following steps 604 to 606 can be performed:
604. The log management server obtains a log data set from all pre-stored log data.
Here, the log data set comprises at least one log record whose source IP address is the IP address of one host in the managed host set. The log management server can filter, from all pre-stored log data, the log records whose source IP address is the IP address of that host in the managed host set, to obtain the log data set.
605. The log management server obtains a destination IP address set.
The destination IP address set comprises the destination IP address of every log record in the log data set. After obtaining the log data set from all pre-stored log data, the log management server can extract the destination IP address contained in each log record of the log data set, to obtain the destination IP address set.
606. When the log management server determines that the destination IP address set contains the malicious IP address, it determines that the IP address of the host is a target IP address.
After obtaining the destination IP address set, the log management server can check whether the set contains the malicious IP address entered by the network administrator. If the destination IP address set does contain the malicious IP address entered by the administrator, the IP address of that host is determined to be a target IP address.
For example, assume the IP addresses used by the attacked hosts in the managed host set are determined to be 192.168.102.10 and 192.168.102.85.
607. The log management server sends the target IP address to the query device.
Further, if there are at least two target IP addresses, the log management server may first sort the at least two target IP addresses and then send the sorted target IP addresses to the query device.
The log management server can sort the at least two target IP addresses as follows. For each target IP address, the log management server filters, from all log data, at least one log record containing that target IP address, and obtains from the filtered log records the time at which the target IP address first communicated with the malicious IP address. Finally, the log management server sorts the at least two target IP addresses in order of the time of first communication with the malicious IP address, obtaining the sorted target IP addresses.
For example, following the example in step 606, assume the log management server determines that 192.168.102.10 first communicated with the malicious IP address 55.66.99.66 at 15:00 on 19 May, and that 192.168.102.85 first communicated with 55.66.99.66 at 10:00 on 18 May. The sorted target IP addresses obtained by the log management server are then: 192.168.102.85, 192.168.102.10.
608. The query device receives the target IP address from the log management server.
609. The query device displays the target IP address.
After receiving the target IP address from the log management server, the query device can display the target IP address in its second result display area.
Further, if there are at least two target IP addresses, the query device correspondingly displays the sorted at least two target IP addresses.
For example, following the example in step 607, the sorted target IP addresses are 192.168.102.85, 192.168.102.10. Therefore, as shown in Figure 14, the query device can display 192.168.102.85, 192.168.102.10 in the second result display area. In this way, the network administrator can read directly from the displayed order of target IP addresses the sequence in which the attacker attacked the hosts, and handle the host that was attacked first with priority.
Note that the detailed description of steps 601 to 609 in this embodiment is similar to that of the corresponding steps among steps 501 to 515 in the other embodiment of the present invention. For the details of steps 601 to 609, refer to the description of the corresponding steps 501 to 515 in that embodiment; they are not repeated here.
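The query of steps 601 to 609, worked as an added example in Python; it is not code from the patent or its applicant. It assumes a whitespace-separated log layout (time, source IP, destination IP, URL), a fixed set of managed hosts, and the constructed sample lines below, which reuse the addresses and times of the description.

```python
"""Added example (not the patent's code): the query flow of Figure 12,
steps 604-607. Given a malicious IP address, find every managed host that
has a session whose destination is that address, and order the hits by the
time each host first talked to it. The log layout and the sample lines are
constructed for this example."""
from datetime import datetime
from typing import Dict, List, NamedTuple


class LogRecord(NamedTuple):
    time: datetime      # access time of the session
    src_ip: str         # source IP: a host in the managed host set
    dst_ip: str         # destination IP of the session
    url: str            # URL the session accessed


def parse_log(text: str) -> List[LogRecord]:
    """Parse lines of the form <ISO time> <src_ip> <dst_ip> <url>.
    The layout is an assumption; the patent only says each entry carries
    these fields."""
    records = []
    for line in text.strip().splitlines():
        t, src, dst, url = line.split()
        records.append(LogRecord(datetime.fromisoformat(t), src, dst, url))
    return records


def find_target_ips(records, managed_hosts, malicious_ip) -> List[str]:
    """Steps 604-606 for every managed host, then the step-607 sort.
    Returns the target IP addresses ordered by earliest contact with
    malicious_ip (earliest first)."""
    first_contact: Dict[str, datetime] = {}
    for rec in records:
        # step 604: keep only log data whose source IP is a managed host
        if rec.src_ip not in managed_hosts:
            continue
        # steps 605-606: the host's destination-IP set contains the
        # malicious IP, so the host's IP is a target IP
        if rec.dst_ip != malicious_ip:
            continue
        if rec.src_ip not in first_contact or rec.time < first_contact[rec.src_ip]:
            first_contact[rec.src_ip] = rec.time
    # step 607: order by the time of first communication with the malicious IP
    return sorted(first_contact, key=first_contact.__getitem__)


# Constructed sample log, mirroring the numbers used in the description:
# 192.168.102.10 first reaches 55.66.99.66 on 19 May at 15:00,
# 192.168.102.85 on 18 May at 10:00; 192.168.102.20 never does, and
# 10.0.0.9 is not a managed host, so its line must be ignored.
SAMPLE_LOG = """
2016-05-18T10:00:00 192.168.102.85 55.66.99.66 http://evil.example/a
2016-05-18T11:30:00 192.168.102.20 93.184.216.34 http://www.example.com/
2016-05-19T15:00:00 192.168.102.10 55.66.99.66 http://evil.example/b
2016-05-19T16:00:00 192.168.102.10 55.66.99.66 http://evil.example/c
2016-05-17T09:00:00 10.0.0.9 55.66.99.66 http://evil.example/d
"""

MANAGED_HOSTS = {"192.168.102.10", "192.168.102.20", "192.168.102.85"}


def run_query(malicious_ip: str = "55.66.99.66") -> List[str]:
    """The whole query of Figure 12 for one malicious IP address."""
    return find_target_ips(parse_log(SAMPLE_LOG), MANAGED_HOSTS, malicious_ip)


if __name__ == "__main__":
    print(run_query())   # ['192.168.102.85', '192.168.102.10']
```

The sort key is the earliest session time per host, so a host that contacted the malicious address many times later is still placed by its first contact; the line from 10.0.0.9 is dropped at step 604 because that address is not a managed host, even though it talked to 55.66.99.66 earlier than anyone else.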
In the method for finding an attacked host provided by this embodiment, on receiving a query request from the query device, the log management server determines, from the received query request and the pre-stored log data, the IP address used by the attacked host, and sends the IP address used by the attacked host to the query device. Thus, when the network administrator needs to find an attacked host, it is only necessary to enter the malicious IP address on the query device to see directly the IP address used by the attacked host and thereby identify it. This solves the problem that the administrator's search for attacked hosts is time-consuming and has a low accuracy rate.
Moreover, by sorting the target IP addresses and sending the sorted target IP addresses to the query device, the log management server lets the network administrator see directly the order in which the hosts were attacked and handle the host that was attacked first with priority.
The above mainly describes the solution provided by the embodiments of the present invention from the perspective of the interaction between the network elements. It will be understood that each network element, such as the log management server, comprises corresponding hardware structures and/or software modules for performing each function in order to implement the functions described above. Those skilled in the art will readily appreciate that, in combination with the algorithm steps of the examples described in the embodiments disclosed here, the present invention can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and the design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each particular application, and such an implementation should not be regarded as going beyond the scope of the present invention.
The embodiments of the present invention may divide the log management server into functional modules according to the above method examples; for instance, each function may correspond to one functional module, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. Note that the division of modules in the embodiments of the present invention is schematic and is only a division by logical function; other divisions are possible in practice.
Figure 15 shows a possible composition of the log management server involved in the above embodiments. As shown in Figure 15, the log management server may include: a receiving unit 71, a processing unit 72 and a sending unit 73.
The receiving unit 71 is configured to support the log management server in performing step 303 of the method for finding an attacked host shown in Figure 4, step 403 of the method shown in Figure 5, step 503 of the method shown in Figure 6 and step 603 of the method shown in Figure 12.
The processing unit 72 is configured to support the log management server in performing step 304 of the method for finding an attacked host shown in Figure 4, step 404 of the method shown in Figure 5, steps 504, 505, 506, 507, 508, 509 and 510 of the method shown in Figure 6, and steps 604, 605 and 606 of the method shown in Figure 12.
The sending unit 73 is configured to support the log management server in performing step 305 of the method for finding an attacked host shown in Figure 4, step 405 of the method shown in Figure 5, steps 511 and 512 of the method shown in Figure 6 and step 607 of the method shown in Figure 12.
Note that, for all the related content of each step in the above method embodiments, reference may be made to the functional description of the corresponding functional module; the details are not repeated here.
Each functional module shown in Figure 15 may be implemented in software or in hardware. In a hardware implementation, the processor 21 in Figure 3 can implement the function of the processing unit 72, and the communication interface 23 in Figure 3 can implement the functions of the receiving unit 71 and the sending unit 73. In a software implementation, each functional module in Figure 15 is implemented by program code stored in the memory 22 in Figure 3.
The log management server provided by the embodiment of the present invention performs the above method for finding an attacked host and can therefore achieve the same effect as that method.
From the description of the above embodiments, those skilled in the art will clearly understand that, for convenience and brevity of description, only the division into the functional modules above has been used as an example; in practice the functions above may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into modules or units is only a division by logical function, and other divisions are possible in practice, for instance multiple units or components may be combined or integrated into another apparatus, or some features may be omitted or not performed.
If the integrated unit is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to perform all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes: a USB flash disk, a removable hard disk, ROM, RAM, a magnetic disk, an optical disk, or other media that can store program code.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (18)
1. A method for finding an attacked host, characterized in that the method comprises:
a log management server receiving a query request from a query device, the query request carrying a first Internet Protocol (IP) address and a target event type, the first IP address being the IP address of a first host in a managed host set, and the target event type indicating a Uniform Resource Locator (URL) anomaly event;
the log management server determining a target IP address according to the first IP address, the target event type and all pre-stored log data, the log data being stored as entries, each log record comprising the source IP address of the session corresponding to that log record and the URL accessed by the session, wherein the source IP address is the IP address of a host in the managed host set, and the target IP address is the IP address used by an attacked host in the managed host set;
the log management server sending the target IP address to the query device.
2. The method according to claim 1, characterized in that the log management server determining the target IP address according to the first IP address, the target event type and all pre-stored log data comprises:
the log management server obtaining a first log data set from all pre-stored log data, the first log data set comprising at least one log record whose source IP address is the first IP address;
the log management server obtaining a first URL set, the first URL set comprising the URL contained in each log record in the first log data set;
the log management server obtaining the URLs in the first URL set that match the target event type, as malicious URLs;
the log management server obtaining, from all pre-stored log data, at least one log record whose source IP address is a second IP address, the second IP address being the IP address of a second host in the managed host set;
the log management server determining that the second IP address is the target IP address when one of the at least one log record whose source IP address is the second IP address contains the malicious URL.
3. The method according to claim 2, characterized in that the log management server obtaining the URLs in the first URL set that match the target event type, as malicious URLs, comprises:
the log management server obtaining the domain name of each URL in the first URL set and merging the URLs in the first URL set that have the same domain name, to obtain a third URL set comprising the merged URLs;
the log management server deleting from the third URL set the URLs that do not match the target event type, the URLs that do not match the target event type being URLs containing a normal domain name;
the URLs remaining in the third URL set after the deletion being the malicious URLs.
4. The method according to claim 2 or 3, characterized in that, after the log management server obtains the URLs in the first URL set that match the target event type as malicious URLs, the method further comprises:
the log management server looking up the IP address that serves the page identified by the malicious URL, as a malicious IP address;
each log record further comprising the destination IP address of the session corresponding to that log record, and the log management server determining that the second IP address is the target IP address when one of the at least one log record whose source IP address is the second IP address contains the malicious URL comprising:
the log management server obtaining a destination IP address set, the destination IP address set comprising the destination IP address of each of the at least one log record whose source IP address is the second IP address;
the log management server determining that the second IP address is the target IP address when it determines that the destination IP address set contains the malicious IP address.
5. The method according to claim 4, characterized in that it further comprises:
the log management server sending the malicious IP address to the query device.
6. The method according to claim 5, characterized in that, if there are at least two malicious IP addresses, before the log management server sends the malicious IP addresses to the query device, the method further comprises:
for each malicious IP address, the log management server filtering, from all log data, at least one log record containing that malicious IP address, and determining, from the source IP addresses contained in the filtered log records, the number of IP addresses communicating with that malicious IP address;
the log management server sorting the at least two malicious IP addresses in order of the number of IP addresses communicating with each malicious IP address, to obtain the sorted at least two malicious IP addresses;
the log management server sending the malicious IP address to the query device comprising:
the log management server sending the sorted at least two malicious IP addresses to the query device.
7. The method according to claim 6, characterized in that each log record further comprises the access time of the session corresponding to that log record, the at least two malicious IP addresses comprise a first malicious IP address and a second malicious IP address, and, if the number of IP addresses communicating with the first malicious IP address is the same as the number of IP addresses communicating with the second malicious IP address, before the log management server sends the sorted at least two malicious IP addresses to the query device, the method further comprises:
the log management server filtering, from all log data, at least one log record containing the first malicious IP address, and obtaining from the filtered log records the time at which the first malicious IP address first communicated with a source IP address;
the log management server filtering, from all log data, at least one log record containing the second malicious IP address, and obtaining from the filtered log records the time at which the second malicious IP address first communicated with a source IP address;
the log management server sorting the first malicious IP address and the second malicious IP address in order of the time of first communication with a source IP address, the sorting result being the sorted at least two malicious IP addresses to be sent.
8. The method according to any one of claims 4 to 7, characterized in that, if there are at least two target IP addresses, before the log management server sends the target IP addresses to the query device, the method further comprises:
the log management server obtaining a second log data set from all log data, each log record in the second log data set containing both the target IP address and the malicious IP address;
the log management server determining, according to the second log data set, the number of malicious IP addresses communicating with each target IP address;
the log management server sorting the at least two target IP addresses in order of the number of malicious IP addresses communicating with each target IP address;
the log management server sending the target IP address to the query device comprising:
the log management server sending the sorted at least two target IP addresses to the query device.
9. The method according to claim 8, characterized in that the at least two target IP addresses comprise a first target IP address and a second target IP address, and, when the number of malicious IP addresses communicating with each target IP address is the same, before the log management server sends the sorted at least two target IP addresses to the query device, the method further comprises:
the log management server filtering, from the second log data set, at least one log record containing the first target IP address, and obtaining from the filtered log records the time at which the first target IP address first communicated with the malicious IP address;
the log management server filtering, from the second log data set, at least one log record containing the second target IP address, and obtaining from the filtered log records the time at which the second target IP address first communicated with the malicious IP address;
the log management server sorting the first target IP address and the second target IP address in order of the time of first communication with the malicious IP address, the sorting result being the sorted at least two target IP addresses to be sent.
10. A log management server, characterized in that it comprises:
a receiving unit, configured to receive a query request from a query device, the query request carrying a first Internet Protocol (IP) address and a target event type, the first IP address being the IP address of a first host in a managed host set, and the target event type indicating a Uniform Resource Locator (URL) anomaly event;
a processing unit, configured to determine a target IP address according to the first IP address and the target event type received by the receiving unit and all pre-stored log data, the log data being stored as entries, each log record comprising the source IP address of the session corresponding to that log record and the URL accessed by the session, wherein the source IP address is the IP address of a host in the managed host set, and the target IP address is the IP address used by an attacked host in the managed host set;
a sending unit, configured to send the target IP address obtained by the processing unit to the query device.
11. The log management server according to claim 10, characterized in that the processing unit is specifically configured to:
obtain a first log data set from all pre-stored log data, the first log data set comprising at least one log record whose source IP address is the first IP address;
obtain a first URL set, the first URL set comprising the URL contained in each log record in the first log data set;
obtain the URLs in the first URL set that match the target event type, as malicious URLs;
obtain, from all pre-stored log data, at least one log record whose source IP address is a second IP address, the second IP address being the IP address of a second host in the managed host set;
determine that the second IP address is the target IP address when one of the at least one log record whose source IP address is the second IP address contains the malicious URL.
12. The log management server according to claim 11, characterized in that the processing unit is specifically configured to:
obtain the domain name of each URL in the first URL set and merge the URLs in the first URL set that have the same domain name, to obtain a third URL set comprising the merged URLs;
delete from the third URL set the URLs that do not match the target event type, the URLs that do not match the target event type being URLs containing a normal domain name;
the URLs remaining in the third URL set after the deletion being the malicious URLs.
13. The log management server according to claim 11 or 12, characterized in that
the processing unit is further configured to look up the IP address that serves the page identified by the malicious URL, as a malicious IP address;
each log record further comprises the destination IP address of the session corresponding to that log record, and the processing unit is specifically configured to obtain a destination IP address set, the destination IP address set comprising the destination IP address of each of the at least one log record whose source IP address is the second IP address, and to determine that the second IP address is the target IP address when it determines that the destination IP address set contains the malicious IP address.
14. The log management server according to claim 13, characterized in that
the sending unit is further configured to send the malicious IP address obtained by the processing unit to the query device.
15. The log management server according to claim 14, characterized in that, if there are at least two malicious IP addresses,
the processing unit is further configured to, for each malicious IP address, filter, from all log data, at least one log record containing that malicious IP address and determine, from the source IP addresses contained in the filtered log records, the number of IP addresses communicating with that malicious IP address; and to sort the at least two malicious IP addresses in order of the number of IP addresses communicating with each malicious IP address, to obtain the sorted at least two malicious IP addresses;
the sending unit is specifically configured to send the sorted at least two malicious IP addresses obtained by the processing unit to the query device.
16. The log management server according to claim 15, characterized in that each log record further comprises the access time of the session corresponding to that log record, the at least two malicious IP addresses comprise a first malicious IP address and a second malicious IP address, and, if the number of IP addresses communicating with the first malicious IP address is the same as the number of IP addresses communicating with the second malicious IP address,
the processing unit is further configured to filter, from all log data, at least one log record containing the first malicious IP address and obtain from the filtered log records the time at which the first malicious IP address first communicated with a source IP address; to filter, from all log data, at least one log record containing the second malicious IP address and obtain from the filtered log records the time at which the second malicious IP address first communicated with a source IP address; and to sort the first malicious IP address and the second malicious IP address in order of the time of first communication with a source IP address, the sorting result being the sorted at least two malicious IP addresses to be sent.
17. The log management server according to any one of claims 13 to 16, characterized in that, if there are at least two target IP addresses,
the processing unit is further configured to obtain a second log data set from all log data, each log record in the second log data set containing both the target IP address and the malicious IP address; to determine, according to the second log data set, the number of malicious IP addresses communicating with each target IP address; and to sort the at least two target IP addresses in order of the number of malicious IP addresses communicating with each target IP address;
the sending unit is specifically configured to send the sorted at least two target IP addresses obtained by the processing unit to the query device.
18. The log management server according to claim 17, characterized in that the at least two target IP addresses comprise a first target IP address and a second target IP address, and, when the number of malicious IP addresses communicating with each target IP address is the same,
the processing unit is further configured to filter, from the second log data set, at least one log record containing the first target IP address and obtain from the filtered log records the time at which the first target IP address first communicated with the malicious IP address; to filter, from the second log data set, at least one log record containing the second target IP address and obtain from the filtered log records the time at which the second target IP address first communicated with the malicious IP address; and to sort the first target IP address and the second target IP address in order of the time of first communication with the malicious IP address, the sorting result being the sorted at least two target IP addresses to be sent.
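The claimed URL-anomaly path (claims 2 to 9), worked as an added example in Python; it is not code from the patent or its applicant. The log layout, the allowlist that defines a "normal domain" (claim 3), deriving a malicious URL's IP address from the destination IP of the sessions that fetched it (claim 4 only says the address is "looked up"), and sorting with the largest count first (claims 6 and 8 fix no direction) are all assumptions of the example, as are the sample log lines.

```python
"""Added example (not the patent's code): the URL-anomaly path of claims 2-9.
Starting from one suspicious managed host (the first IP address) it derives
malicious URLs, maps them to malicious IP addresses, finds the other managed
hosts that talked to those addresses (target IP addresses) and ranks both
lists by peer count, breaking ties by earliest contact. The log layout, the
allowlist of "normal" domains, the way a URL is mapped to an IP and the sort
direction are all assumptions the patent leaves open."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set
from urllib.parse import urlsplit


class LogRecord(NamedTuple):
    time: datetime    # access time of the session
    src_ip: str       # source IP (a managed host)
    dst_ip: str       # destination IP of the session
    url: str          # URL the session accessed


def parse_log(text: str) -> List[LogRecord]:
    """Lines: <ISO time> <src_ip> <dst_ip> <url> (constructed layout)."""
    out = []
    for line in text.strip().splitlines():
        t, src, dst, url = line.split()
        out.append(LogRecord(datetime.fromisoformat(t), src, dst, url))
    return out


def malicious_urls(records, first_ip, normal_domains) -> Set[str]:
    """Claims 2-3: URLs accessed by first_ip, one per domain name (the 'third
    URL set'), minus those whose domain is on the allowlist of normal domains."""
    by_domain: Dict[str, str] = {}
    for rec in records:
        if rec.src_ip == first_ip:                       # first log data set
            by_domain.setdefault(urlsplit(rec.url).hostname, rec.url)
    return {url for dom, url in by_domain.items() if dom not in normal_domains}


def malicious_ips(records, urls) -> Set[str]:
    """Claim 4: the IP serving each malicious URL. Assumption: read from the
    destination IP of the sessions that fetched the URL, not a live lookup."""
    return {rec.dst_ip for rec in records if rec.url in urls}


def rank_by_count_then_time(counts, first_seen) -> List[str]:
    """Claims 6-9: most peers first (direction assumed), ties broken by the
    earliest time of communication."""
    return sorted(counts, key=lambda ip: (-counts[ip], first_seen[ip]))


def analyse(records, first_ip, managed_hosts, normal_domains):
    """Returns (sorted malicious URLs, ranked malicious IPs, ranked target IPs)."""
    bad_urls = malicious_urls(records, first_ip, normal_domains)
    bad_ips = malicious_ips(records, bad_urls)
    peers: Dict[str, Set[str]] = defaultdict(set)   # counterpart addresses per IP
    first_seen: Dict[str, datetime] = {}            # earliest contact per IP
    for rec in records:
        if rec.src_ip not in managed_hosts or rec.dst_ip not in bad_ips:
            continue                                 # claim 4: destination-set match
        peers[rec.dst_ip].add(rec.src_ip)            # claim 6: hosts per malicious IP
        peers[rec.src_ip].add(rec.dst_ip)            # claim 8: malicious IPs per host
        for ip in (rec.src_ip, rec.dst_ip):
            if ip not in first_seen or rec.time < first_seen[ip]:
                first_seen[ip] = rec.time            # claims 7/9 tie-break key
    counts = {ip: len(s) for ip, s in peers.items()}

    def rank(ips):
        return rank_by_count_then_time({ip: counts[ip] for ip in ips}, first_seen)

    # claim 2 calls the hits 'second' hosts, so the queried host itself is excluded
    targets = [ip for ip in counts if ip in managed_hosts and ip != first_ip]
    return sorted(bad_urls), rank([ip for ip in counts if ip in bad_ips]), rank(targets)


# Constructed sample log. 192.168.102.10 is the host being queried.
SAMPLE_LOG = """
2016-05-18T09:00:00 192.168.102.10 93.184.216.34 http://www.example.com/index
2016-05-18T09:05:00 192.168.102.10 55.66.99.66 http://evil.example/drop.exe
2016-05-18T09:06:00 192.168.102.10 55.66.99.66 http://evil.example/c2
2016-05-18T09:10:00 192.168.102.10 77.88.99.11 http://bad.test/beacon
2016-05-17T10:00:00 192.168.102.85 55.66.99.66 http://evil.example/c2
2016-05-19T15:00:00 192.168.102.20 55.66.99.66 http://evil.example/c2
2016-05-19T15:30:00 192.168.102.20 77.88.99.11 http://bad.test/beacon
2016-05-16T08:00:00 192.168.102.30 77.88.99.11 http://bad.test/beacon
2016-05-15T08:00:00 10.0.0.9 55.66.99.66 http://evil.example/c2
"""
MANAGED = {"192.168.102.10", "192.168.102.20", "192.168.102.30", "192.168.102.85"}
NORMAL_DOMAINS = {"www.example.com"}


def run_example():
    return analyse(parse_log(SAMPLE_LOG), "192.168.102.10", MANAGED, NORMAL_DOMAINS)


if __name__ == "__main__":
    urls, mal, targets = run_example()
    print(urls)      # ['http://bad.test/beacon', 'http://evil.example/drop.exe']
    print(mal)       # ['77.88.99.11', '55.66.99.66']
    print(targets)   # ['192.168.102.20', '192.168.102.30', '192.168.102.85']
```

Two points the claims state only implicitly show up in the output. Because the match in claim 4 is on the destination IP rather than the URL, 192.168.102.85 and 192.168.102.20 are found even though they fetched a different path on evil.example than the one kept after the per-domain merge of claim 3. And both tie-breaks fire: 55.66.99.66 and 77.88.99.11 each have three managed peers, so 77.88.99.11 ranks first by its earlier first contact (claim 7), and among the target hosts 192.168.102.30 and 192.168.102.85 each talked to one malicious address, so the earlier contact of 192.168.102.30 places it first (claim 9).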
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610989051.0A CN108076006B (en) | 2016-11-09 | 2016-11-09 | Method for searching attacked host and log management server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610989051.0A CN108076006B (en) | 2016-11-09 | 2016-11-09 | Method for searching attacked host and log management server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108076006A | 2018-05-25 |
CN108076006B | 2020-06-16 |
Family
ID=62154450
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610989051.0A Active CN108076006B (en) | 2016-11-09 | 2016-11-09 | Method for searching attacked host and log management server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108076006B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109194605A (en) * | 2018-07-02 | 2019-01-11 | 中国科学院信息工程研究所 | A kind of suspected threat index Proactive authentication method and system based on open source information |
CN109831415A (en) * | 2018-12-27 | 2019-05-31 | 北京奇艺世纪科技有限公司 | A kind of object processing method, device, system and computer readable storage medium |
CN112187719A (en) * | 2020-08-31 | 2021-01-05 | 新浪网技术(中国)有限公司 | Information acquisition method and device of attacked server and electronic equipment |
CN112685072A (en) * | 2020-12-31 | 2021-04-20 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and storage medium for generating communication address knowledge base |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103916406A (en) * | 2014-04-25 | 2014-07-09 | 上海交通大学 | System and method for detecting APT attacks based on DNS log analysis |
CN103916385A (en) * | 2014-03-13 | 2014-07-09 | 南京理工大学 | WAF safety monitoring system based on intelligent algorithm |
KR101623068B1 (en) * | 2015-01-28 | 2016-05-20 | 한국인터넷진흥원 | System for collecting and analyzing traffic on network |
CN105681298A (en) * | 2016-01-13 | 2016-06-15 | 成都安信共创检测技术有限公司 | Data security abnormity monitoring method and system in public information platform |
CN105915532A (en) * | 2016-05-23 | 2016-08-31 | 北京网康科技有限公司 | Method and device for recognizing fallen host |
- 2016-11-09: application CN201610989051.0A (CN), patent CN108076006B, status: Active
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109194605A (en) * | 2018-07-02 | 2019-01-11 | 中国科学院信息工程研究所 | A kind of suspected threat index Proactive authentication method and system based on open source information |
CN109194605B (en) * | 2018-07-02 | 2020-08-25 | 中国科学院信息工程研究所 | Active verification method and system for suspicious threat indexes based on open source information |
CN109831415A (en) * | 2018-12-27 | 2019-05-31 | 北京奇艺世纪科技有限公司 | A kind of object processing method, device, system and computer readable storage medium |
CN112187719A (en) * | 2020-08-31 | 2021-01-05 | 新浪网技术(中国)有限公司 | Information acquisition method and device of attacked server and electronic equipment |
CN112187719B (en) * | 2020-08-31 | 2023-04-14 | 新浪技术(中国)有限公司 | Information acquisition method and device of attacked server and electronic equipment |
CN112685072A (en) * | 2020-12-31 | 2021-04-20 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and storage medium for generating communication address knowledge base |
CN112685072B (en) * | 2020-12-31 | 2023-08-01 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and storage medium for generating communication address knowledge base |
Also Published As
Publication number | Publication date |
---|---|
CN108076006B (en) | 2020-06-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Adams | | Big data and individual privacy in the age of the internet of things |
CN107563203B (en) | | Integrated security policy and event management |
US11743271B2 (en) | | Systems and methods for detecting and mitigating cyber security threats |
US8973147B2 (en) | | Geo-mapping system security events |
CN110140125A (en) | | Threat information management in safety and compliance environment |
US11245716B2 (en) | | Composing and applying security monitoring rules to a target environment |
US10997289B2 (en) | | Identifying malicious executing code of an enclave |
CN110366845A (en) | | Based on content, activity and the safety of metadata and compliance alarm in cloud |
CN108076006A (en) | | A kind of lookup is by the method and log management server of attack host |
JP7320866B2 (en) | | Method, apparatus and computer program for collecting data from multiple domains |
JP6329267B2 (en) | | Intelligent firewall access rules |
US11627155B1 (en) | | Cloud infrastructure detection with resource path tracing |
CN109274639A (en) | | The recognition methods of open platform abnormal data access and device |
US11824894B2 (en) | | Defense of targeted database attacks through dynamic honeypot database response generation |
Mohammed et al. | | A new lightweight data security system for data security in the cloud computing |
US11228619B2 (en) | | Security threat management framework |
Li et al. | | PhotoSafer: content-based and context-aware private photo protection for smartphones |
Hermawan et al. | | Cyber Physical System Based Smart Healthcare System with Federated Deep Learning Architectures with Data Analytics |
CN114268481A (en) | | Method, device, equipment and medium for processing illegal external connection information of intranet terminal |
Albanese et al. | | Moving target defense quantification |
Kalmar et al. | | Legal and regulative aspects of IoT cloud systems |
CN107302536A (en) | | Method for managing security, device, medium and the storage control of cloud computing platform |
Ali et al. | | A Novel Privacy-Preserving Framework Based on Blockchain Technology to Secure Industrial IoT Data |
Gupta et al. | | Modeling Internet-of-Things (IoT) Behavior for Enforcing Security and Privacy Policies |
Dixit et al. | | Big Data in Computer Cyber Security as an Emergent Infrastructure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |