CN109617885A - Capture host automatic judging method, device, electronic equipment and storage medium - Google Patents

Capture host automatic judging method, device, electronic equipment and storage medium

Publication number: CN109617885A
Application number: CN201811567279.6A
Authority: CN (China)
Prior art keywords: attack, security incident, host, address, chain
Legal status: Granted; currently Active (the legal status shown by Google Patents is an assumption, not a legal conclusion)
Other versions: CN109617885B (en)
Other languages: Chinese (zh)
Inventors: 陈军, 吴浪, 胡启明, 潘登
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd (the listed assignees may be inaccurate)
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Priority: CN201811567279.6A
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd; published as CN109617885A; granted and published as CN109617885B.

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    •   H04L63/14 ... for detecting or protecting against malicious traffic
    •     H04L63/1408 ... by monitoring network traffic
    •       H04L63/1416 Event detection, e.g. attack signature detection
    •       H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    •   H04L41/06 Management of faults, events, alarms or notifications
    •     H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications

Abstract

The invention relates to the field of network security and discloses a method, device, electronic equipment and storage medium for automatically determining whether a host has been compromised. The method comprises: generating security events from the logs output by security equipment, where a security event describes attacker activity and contains a destination IP address and an attack phase; aggregating the security events that share a destination IP address, and deriving the attack chain of the host corresponding to that destination IP address from the attack phases of the aggregated events; searching for security events whose source IP address is the host's IP address, and correcting the attack chain according to the events found; and judging from the corrected attack chain whether the host has been compromised. The technical solution of the embodiments automates the determination of whether a host has been compromised, removes the need for a security engineer to make that determination manually, allows compromised hosts to be alerted on promptly, and reduces the losses incurred after a host is compromised.

Description

Capture host automatic judging method, device, electronic equipment and storage medium
Technical field
The invention relates to the field of network security, and in particular to a method, device, electronic equipment and storage medium for automatically determining whether a host has been compromised.
Background art
Security equipment generates a large volume of logs while monitoring network activity, but for the ordinary user who needs to monitor network status the data volume is huge and the meaning unclear; the logs do not directly tell the user what has happened. Consequently, whether a host has been compromised is mostly determined manually by a security engineer, which consumes human resources, demands a high level of expertise from those resources, and risks heavy losses when a compromise is not identified in time.
Summary of the invention
Embodiments of the invention provide a method, device, electronic equipment and storage medium for automatically determining whether a host has been compromised, to solve the problem in the prior art that this determination cannot be made automatically.
In a first aspect, an embodiment of the invention provides a method for automatically determining whether a host has been compromised, comprising:
generating security events from the logs output by security equipment, where a security event describes attacker activity and contains a destination IP address and an attack phase;
aggregating the security events that share a destination IP address, and deriving the attack chain of the host corresponding to that destination IP address from the attack phases of the aggregated security events;
searching for security events whose source IP address is the IP address of the host, and correcting the attack chain according to the security events found;
judging from the corrected attack chain whether the host has been compromised.
In a second aspect, an embodiment of the invention provides a device for automatically determining whether a host has been compromised, comprising:
a security event generation module, for generating security events from the logs output by security equipment, where a security event describes attacker activity and contains a destination IP address and an attack phase;
an attack chain generation module, for aggregating the security events that share a destination IP address and deriving the attack chain of the corresponding host from the attack phases of the aggregated events;
an attack chain correction module, for searching for security events whose source IP address is the IP address of the host and correcting the attack chain according to the events found;
a judgment module, for judging from the corrected attack chain whether the host has been compromised.
In a third aspect, an embodiment of the invention provides electronic equipment comprising a transceiver, a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the transceiver sends and receives data under the control of the processor, and the processor implements the steps of any of the above methods when executing the program.
In a fourth aspect, an embodiment of the invention provides a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the steps of any of the above methods.
The technical solution of the embodiments processes the logs sent by security equipment into security events, labels each security event with the attack phase it occupies in the attack chain, aggregates the security events that share a destination IP address, and infers from the aggregated events the attack chain as seen from the victim host, thereby reconstructing the course of the attack on that host. Whether the host has been compromised is then judged from its attack chain. This automates the determination, removes the need for a security engineer to make it manually, satisfies the user's need to know whether assets have been compromised, saves considerable human effort, provides continuous real-time monitoring of network equipment, and allows compromised hosts to be alerted on promptly, reducing the losses incurred after a compromise.
Brief description of the drawings
To explain the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. The drawings described are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flow diagram of the method for automatically determining a compromised host provided by an embodiment of the invention;
Fig. 2 is a flow diagram of the generation of security events in that method;
Fig. 3 is a structural diagram of the device for automatically determining a compromised host provided by an embodiment of the invention;
Fig. 4 is a structural diagram of the electronic equipment provided by an embodiment of the invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the embodiments clearer, the technical solutions are described clearly and completely below with reference to the drawings.
For ease of understanding, the terms used in the embodiments are explained first:
Assets: the network equipment used in an organization's internal network, such as servers, network devices and personal computers.
Host: a network device, including but not limited to servers, mobile terminals, notebooks and gateways.
Zombie host: a computer infected with a bot program and thereby remotely controlled by an attacker, which can carry out denial-of-service (DoS) attacks or send spam on receipt of the attacker's command and control (C&C) instructions.
Botnet: a large number of hosts infected with bot programs through one or more communication channels, forming a one-to-many control network between the controller and the infected hosts.
Attack chain: the record of each stage of an APT attack. A complete attack chain has seven stages: reconnaissance, weaponization (tool preparation), delivery, exploitation, installation, command and control, and malicious activity.
Situation awareness: the ability to perceive security risks dynamically and as a whole on the basis of the environment. Driven by security big data, it improves, from a global perspective, the discovery and identification of security threats, their understanding and analysis, and the capability to respond and dispose of them, ultimately serving decision and action as a concrete realization of security capability.
Source IP address: the IP address of the party sending a data packet in a communication.
Destination IP address: the IP address of the party receiving a data packet in a communication.
Any number of elements in the drawings is given by way of example rather than limitation, and any naming is used only for distinction and carries no limiting meaning.
The basic principle of the invention is described below.
In practice, existing situation awareness products generally provide only attack, asset threat and risk rating information and still cannot give the user the conclusion they care about most, namely whether an asset has been compromised; there is almost no product or method on the market that determines this automatically. The most common way of determining whether equipment has been compromised is still manual judgment by a highly skilled security engineer, which consumes human resources and carries the risk of heavy losses when a compromise is not identified in time.
For this reason the inventors propose a method for automatically determining compromised hosts. The method processes the logs sent by network security equipment into security events, then aggregates the security events that share a destination IP address (that is, a victim host), infers from the aggregated events the attack chain as seen from the victim host, thereby reconstructing the course of the attack on that host, and judges from the victim host's attack chain whether it has been compromised. This automates the determination, removes the need for a security engineer to make it manually, satisfies the user's need to know whether assets have been compromised, saves considerable human effort, provides continuous real-time monitoring of network equipment, and allows compromised hosts to be alerted on promptly, reducing the losses incurred after a compromise.
In addition, the inventors observed in practice that in a successful network attack the attacker usually communicates with and attacks the victim device over the connection-oriented TCP protocol, in which the data flow is bidirectional: there are packets sent by the requesting end to the requested end, and data returned by the requested end to the requesting end. Existing network security equipment mostly attends to the packets sent from the requesting end to the requested end and generates device logs from that process; it pays little attention to the data the requested end returns and to the return-packet logs that process should generate. Yet return-packet logs are very helpful for analysing network activity: they can confirm whether a network activity actually succeeded and whether the network security equipment successfully blocked activities such as scanning or intrusion. This allows a further judgment of whether the attacker actually succeeded in attacking the asset, so that unsuccessful attacks are filtered out, the victim host's attack chain becomes more accurate, and the accuracy of the compromise judgment improves.
When constructing and inferring a host's attack chain, the usual practice is to collect the network activity of other hosts that actively communicate with that host; this modelling ignores the case in which the host, once compromised, becomes a zombie host that attacks other hosts. The inventors found that network activity the victim host itself initiates towards other hosts is part of the APT attack process against that host and should be collected into its attack chain as the final attack phase, so as to improve the victim host's attack chain and the accuracy of the judgment of whether it has been compromised.
Having introduced the basic principle, specific non-limiting embodiments of the invention are described below.
Referring to Fig. 1, an embodiment of the invention provides a method for automatically determining whether a host has been compromised, comprising the following steps:
S101: generate security events from the logs output by security equipment.
A security event describes attacker activity, for example a host scan or a webshell upload. When an attacker acts on the network, security equipment generates one or more logs. These logs are parsed to obtain the required fields; the required fields are then enriched to obtain new fields, that is, logs whose required field values satisfy preset requirements within a certain time period are aggregated, the parsed fields are converted into preset fields, and the values of the preset fields are set according to the aggregation result; finally, feature screening is performed on the enriched fields to determine whether the logs exhibit the feature described by a preset rule. For example, the preset rule for a "brute force" security event is that the number of logs in which a given user performs a login action within a given time exceeds a threshold. The fields of each security log are parsed; logs within the time window whose action field value is 2 (meaning login) and whose destination IP address is identical are aggregated; the number of aggregated logs is enriched into a "total login count" field for the host corresponding to that destination IP address; and the logs whose "total login count" exceeds the threshold are filtered out, yielding one "brute force" security event for the host corresponding to that destination IP address. In implementation, therefore, one security event is obtained by aggregating several related logs, and every security event records the destination IP address, the source IP address and the attack phase of the event.
The attack phase takes a value from one to seven, corresponding in turn to reconnaissance, weaponization, delivery, exploitation, installation, command and control, and malicious activity.
In implementation, the specific fields contained in a security event identify which of these seven phases it belongs to; which fields are chosen, and how they map to attack phases, can be predefined according to the application scenario and is not limited here.
S102: aggregate the security events that share a destination IP address, and derive the attack chain of the host corresponding to that destination IP address from the attack phases of the aggregated security events.
To generate the attack chain of a given host, the events aggregated should be the security events related to that host. Security events are usually initiated by the attacker against the victim host, so the destination IP address in a security event identifies the victim host, and the security events related to a victim host can be selected quickly by destination IP address.
The attack chain records the attack phases the victim host has gone through and can be obtained from the aggregated security events. For example, if the aggregated events are event 1 with attack phase one, event 2 with phase three, event 3 with phase three and event 4 with phase four, the attack chain of the host contains phases one, three and four and can be written {1, 3, 4}. The attack chain does not count how many times a phase occurred; it records only whether an attack in a given phase has occurred.
S103: search for security events whose source IP address is the IP address of the host, and correct the attack chain according to the security events found.
Aggregating security events by destination IP ignores the security events in which the victim host attacks other hosts as the attacker; in those events the source IP address is the victim host. Detecting the preset phase and supplementing the security events accordingly corrects the attack chain and improves the accuracy of the judgment of whether the victim host has been compromised.
In implementation, step S103 specifically includes: if the attack chain does not contain a security event of the preset phase, search for security events whose source IP address is the IP address of the host, and add the events found to the attack chain as security events of the preset phase. The preset phase is one or more attack phases set by the user. For example, the preset phase may be the seventh phase of the attack chain. A security event whose source IP address is the victim host's IP address is an event in which the victim host launches a malicious attack on another host, which shows that the victim host is by then in the seventh phase. Such events, in which the victim host actively attacks other hosts, are part of the APT attack process against the victim host and should be added to its attack chain model as the final attack phase, which further improves the attack chain and the accuracy of the judgment of whether the victim host has been compromised.
S104: judge from the corrected attack chain whether the host has been compromised.
In implementation, a preset compromise rule can be used. Step S104 then specifically includes: judge whether the attack phases of the security events in the attack chain satisfy the compromise rule; if so, the host is judged compromised, otherwise it is judged not compromised. The compromise rule is configurable so that it can be refined over time to improve the accuracy of the judgment.
The higher the attack phase, the more likely the host has been compromised. For example, if the highest phase in a host's attack chain has reached the sixth phase (command and control) or the seventh phase (malicious activity), the host has certainly been compromised. A compromise rule can therefore be that the attack chain contains an event above a high-risk phase threshold. For example, with a high-risk phase threshold of 5, a victim host whose attack chain contains an event of the sixth or seventh phase is deemed compromised.
Because a network attack is a progressive process, compromising a host normally passes through all seven phases of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and malicious activity; skipping the first five phases and arriving directly at the sixth is unlikely to happen and, when it appears to, is probably the result of an erroneously generated security event. To improve accuracy, the completeness of the attack chain can also be brought into the compromise rule: when the chain is very incomplete, the presence of a seventh-phase event in it does not by itself indicate that the host is compromised. For example, {1, 2, 3, 4, 5, 6} is a highly complete attack chain, {1, 3, 4, 5, 6} is somewhat less complete, and {7} is very incomplete. The compromise rule can therefore require both an event above the high-risk phase threshold and at least a certain number of attack phases. For example, the rule may require at least two phases in the host's attack chain and a highest phase above the fourth.
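The following is an added illustration of steps S102 to S104 in Python; it is not code from the patent or from NSFOCUS. The security events, their field names (src, dst, phase) and the IP addresses are constructed for the example, and the event sets are a small stand-in for what S101 would produce. It shows the destination-IP aggregation, the source-IP correction that credits a victim's outbound scan to its own chain as the preset seventh phase, and the two variants of the compromise rule discussed above: the threshold-only rule and the rule that also requires a minimum number of phases, which rejects a chain consisting of a lone command-and-control event.

```python
"""Added illustration (not NSFOCUS code): steps S102-S104 over constructed
security events. Phase numbers follow the patent: 1 = reconnaissance ...
7 = malicious activity. Event fields and sample data are assumptions."""
from collections import defaultdict

PHASES = {1: "reconnaissance", 2: "weaponization", 3: "delivery", 4: "exploitation",
          5: "installation", 6: "command and control", 7: "malicious activity"}

# Constructed security events, already labelled with a phase as step S101 would do.
EVENTS = [
    {"type": "port scan",     "src": "203.0.113.9",  "dst": "10.0.0.5", "phase": 1},
    {"type": "phishing mail", "src": "203.0.113.9",  "dst": "10.0.0.5", "phase": 3},
    {"type": "exploit",       "src": "203.0.113.9",  "dst": "10.0.0.5", "phase": 4},
    {"type": "dropper",       "src": "203.0.113.9",  "dst": "10.0.0.5", "phase": 5},
    # 10.0.0.5 now scans a neighbour: the source IP is the victim, so S102 files
    # this under 10.0.0.9 and only S103 credits it back to 10.0.0.5.
    {"type": "port scan",     "src": "10.0.0.5",     "dst": "10.0.0.9", "phase": 1},
    # A lone C2 event against 10.0.0.8 with nothing leading up to it.
    {"type": "c2 traffic",    "src": "198.51.100.7", "dst": "10.0.0.8", "phase": 6},
]


def build_chains(events):
    """S102: aggregate events by destination IP. A chain is the set of phases
    seen, not a count of how often each phase occurred."""
    chains = defaultdict(set)
    for ev in events:
        chains[ev["dst"]].add(ev["phase"])
    return dict(chains)


def correct_chain(host, chain, events, preset_phase=7):
    """S103: if the chain lacks the preset phase, any event whose source IP is
    the host (the victim attacking others) is added to the chain as that phase."""
    if preset_phase in chain:
        return set(chain)
    if any(ev["src"] == host for ev in events):
        return set(chain) | {preset_phase}
    return set(chain)


def is_compromised(chain, high_risk_threshold=5, min_phases=2):
    """S104: compromise rule = a phase above the high-risk threshold AND at
    least min_phases distinct phases (the completeness check).
    min_phases=1 reduces this to the threshold-only rule."""
    return max(chain, default=0) > high_risk_threshold and len(chain) >= min_phases


def judge_hosts(events, high_risk_threshold=5, min_phases=2):
    """Run S102-S104 for every destination host; returns {host: (chain, verdict)}."""
    verdicts = {}
    for host, chain in build_chains(events).items():
        corrected = correct_chain(host, chain, events)
        verdicts[host] = (sorted(corrected),
                          is_compromised(corrected, high_risk_threshold, min_phases))
    return verdicts


if __name__ == "__main__":
    for host, (chain, hit) in judge_hosts(EVENTS).items():
        names = ", ".join(PHASES[p] for p in chain)
        print(f"{host}: {chain} ({names}) -> {'COMPROMISED' if hit else 'not compromised'}")
```

With the constructed events, 10.0.0.5 ends up with chain {1, 3, 4, 5, 7} and is judged compromised; 10.0.0.9 has only {1}; and 10.0.0.8 has only {6}, which the threshold-only rule accepts but the combined rule rejects as too incomplete, exactly the false-positive case the completeness check is meant to catch. Note that the correction step as described credits any outbound event to the host as the preset phase; in practice a practitioner would restrict it to events the sensor has labelled as malicious, since the rule otherwise turns a benign outbound scan into a seventh-phase event.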
The automatic determination of compromised hosts in this embodiment processes the logs sent by security equipment into security events, labels each security event with the attack phase it occupies in the attack chain, aggregates the security events that share a destination IP address, infers from the aggregated events the attack chain as seen from the victim host, thereby reconstructing the course of the attack on that host, and judges from the victim host's attack chain whether it has been compromised. This automates the determination, removes the need for a security engineer to make it manually, satisfies the user's need to know whether assets have been compromised, saves considerable human effort, provides continuous real-time monitoring of network equipment, and allows compromised hosts to be alerted on promptly, reducing the losses incurred after a compromise.
As noted in the description of the basic principle, when security events are generated from device logs in the conventional way, only the process of the requesting end sending packets to the requested end is considered, that is, only whether the attacker launched an attack on the host; whether the attack succeeded cannot be known. If an attack that did not succeed is nonetheless added to the host's attack chain, the final judgment is bound to be affected.
As shown in Fig. 2, to improve the accuracy of security events, step S101 specifically includes the following steps:
S201: obtain the attack logs and return-packet logs output by the security equipment.
An attack log contains information about the attacker's attack, which may specifically include the source IP address, destination IP address, source host port, destination host port, source host MAC address, destination host MAC address, log type, attack strategy, attack duration, protocol type and similar information.
A return-packet log contains the return-packet information of the attacked session, specifically the source IP address, destination IP address, source host port, destination host port, source host MAC address, destination host MAC address, and information indicating whether the attack succeeded. The return-packet log confirms whether the corresponding network activity was successfully executed.
S202: aggregate the attack logs that satisfy the event rules into attack events.
The event rules are preconfigured and include, but are not limited to, the following: the attack logs were generated within a preset time period; the attack logs have the same destination IP address; the attack logs contain a preset attack field; the number of attack logs containing the same attack field exceeds a first threshold; information inferred from the attack logs satisfies a preset rule; and so on. The event rules are configurable so that they can be refined over time.
"Information inferred from the attack logs satisfies a preset rule" means that preset information is inferred from the data in one or more fields of the attack logs and checked against a preset rule; if the rule is satisfied, an attack event has occurred, otherwise it has not. For example, attack logs contain a "duration" field; whenever the duration in an attack log exceeds a preset time the failure count is incremented by one, and when the failure count inferred from the durations of several attack logs exceeds a preset value the event rule is satisfied and the corresponding attack event is generated.
Different attack fields can be set for different types of attack, with at least one attack field per attack type. For example, a first field can be set for attack A, and a second and third field for attack B. If attack logs C and D are both found to contain the first field, they are aggregated into one attack event; if attack logs E and F are both found to contain the second and third fields, they are aggregated into one attack event. In the above example the relationship between the second and third fields set for attack B may also be "or": if attack log E contains the second field and attack log F contains the third field, E and F are aggregated into one attack event.
The event rules listed above can be combined arbitrarily, that is, an attack event is generated only when several event rules are satisfied at once. For example, in implementation the attack logs generated in the 5 minutes before the current time can be found first and placed in a set M; the attack logs in M are then aggregated by destination IP address, giving one or more sets, each containing at least one attack log and corresponding to one destination IP address; each such set is then processed separately: the attack logs in the set are checked for the preset attack fields of the event rules, and the attack logs containing the same attack field, or attack fields corresponding to the same attack, are aggregated into one attack event, yielding one or more attack events for that destination IP. A first threshold can also be set in the event rules, so that an attack event is confirmed only when the number of attack logs in it that contain the same attack field exceeds the first threshold.
The above is only an example of generating attack events with event rules; the specific event rules and aggregation method can be configured and adjusted as needed.
S203: find the return-packet logs matching the attack logs in the attack event.
In implementation, an attack log and a return-packet log can be matched on at least one of the destination IP address, source IP address, port, MAC address and probe_id field, where probe_id distinguishes different internal networks. They can also be matched on generation time: when the difference between the generation times of the attack log and the return-packet log exceeds a set maximum, the return-packet log does not match that attack log.
S204, determine whether attack is success events according to the first identifier returned in packet log found.
First identifier be used for mark with return packet log matches attack logs in attack whether successful execution.Specifically When implementation, first identifier can be back the status code field in packet log in payload field, by returning in packet log Status code field can be confirmed whether its corresponding network activity is successfully executed, if status code field is 200, indicate that attack runs succeeded.
When it is implemented, if first identifier is successfully to return the quantity of packet log in all times packet logs found When meeting preset condition, determine that attack is success events, otherwise, which is not success events.Wherein, item is preset Part can be configured according to actual needs, for example, it is successfully to return the quantity of packet log that preset condition, which may include: first identifier, More than preset threshold, or, the quantity that first identifier is successfully time packet log accounts for the ratio of the total quantity for returning packet log found Example is more than preset ratio.
S205, the attack of success events will be confirmed as security incident.
It can be found and the matched time packet log of attack logs in attack, this time packet log by step S203 In the information that whether is successfully executed of the matched corresponding network activity of attack logs of payload field record, then The executive condition that the corresponding network activity of each attack logs in the attack is counted by step S204, according to executive condition Determine whether the attack succeeds.For example, hacker's host scans a certain host, if the security appliance intercepts row of hacker For being then scanned host will not be to hacker's host return information, if being scanned host to the normal return information of hacker's host, Think that the success of inbreak scan event, the movement that hacker's host scans a certain host can be recorded in scanning log, is scanned master The logout of the whether normal return information of machine is to returning in packet log, therefore, can know scanning log pair by returning packet log Whether it is executed normally for the intrusion event answered.
Therefore, according to the first identifier in matched time packet log of attack, can determine that attack is true Performance is only exported successful attack as security incident, so as to improve the accurate of victim host attack chain is generated Degree, thus improve judgement capture whether successful accuracy.
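Steps S202 to S205 above, written out as an added example that is not part of the patent text: aggregate recent attack logs by destination IP and attack field, match them to return-packet logs on the session fields and generation time, and keep only the attack events whose matched return logs mostly report status 200. The log field names, the thresholds and the sample logs are constructed for illustration.

```python
"""Added example (not from the patent text): steps S202 to S205 in code.
Log field names, thresholds and the sample logs below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 300             # only attack logs from the last 5 minutes form set M
FIRST_THRESHOLD = 2      # an event needs more than this many logs sharing an attack field
MAX_TIME_DIFF = 10       # seconds; a larger gap means the return-packet log does not match
MIN_SUCCESS_RATIO = 0.5  # preset condition: share of "success" return logs must exceed this
SUCCESS_STATUS = 200     # status code in the return-packet payload that marks success


@dataclass
class AttackEvent:
    dst_ip: str
    attack_field: str
    logs: list
    success: bool = False


def generate_attack_events(attack_logs, now):
    """S202: set M = recent logs; group by destination IP, then by attack field;
    a group becomes an attack event only above the first threshold."""
    recent = [log for log in attack_logs if now - WINDOW <= log["time"] <= now]
    groups = defaultdict(list)
    for log in recent:
        groups[(log["dst_ip"], log["attack_field"])].append(log)
    return [AttackEvent(dst, field, logs) for (dst, field), logs in groups.items()
            if len(logs) > FIRST_THRESHOLD]


def match_return_logs(event, return_logs):
    """S203: a return-packet log matches an attack log when the session fields
    agree (assumed recorded identically by the sensor) and the times are close."""
    matched = []
    for attack in event.logs:
        for ret in return_logs:
            same_session = all(attack[k] == ret[k]
                               for k in ("src_ip", "dst_ip", "port", "probe_id"))
            if same_session and abs(attack["time"] - ret["time"]) <= MAX_TIME_DIFF:
                matched.append(ret)
    return matched


def is_success_event(matched_return_logs):
    """S204: the first identifier is the status code in the return payload;
    the event succeeds when enough of the matched return logs report 200."""
    if not matched_return_logs:
        return False  # nothing came back: the security device blocked the attack
    ok = sum(1 for ret in matched_return_logs
             if ret["payload"].get("status") == SUCCESS_STATUS)
    return ok / len(matched_return_logs) > MIN_SUCCESS_RATIO


def security_events(attack_logs, return_logs, now):
    """S205: only attack events confirmed as success events become security events."""
    events = generate_attack_events(attack_logs, now)
    for event in events:
        event.success = is_success_event(match_return_logs(event, return_logs))
    return [event for event in events if event.success]


def _log(time, src, dst, port, field):
    return {"time": time, "src_ip": src, "dst_ip": dst, "port": port,
            "probe_id": "probe-1", "attack_field": field}


def _ret(time, src, dst, port, status):
    return {"time": time, "src_ip": src, "dst_ip": dst, "port": port,
            "probe_id": "probe-1", "payload": {"status": status}}


NOW = 1000
# Constructed sample: a scan of 10.0.0.5 that the target answers, a single
# exploit attempt below the threshold, a stale log outside the window, and a
# scan of 10.0.0.6 that is mostly blocked.
ATTACK_LOGS = [
    _log(990, "192.0.2.10", "10.0.0.5", 22, "scan"),
    _log(992, "192.0.2.10", "10.0.0.5", 80, "scan"),
    _log(994, "192.0.2.10", "10.0.0.5", 443, "scan"),
    _log(995, "192.0.2.10", "10.0.0.5", 80, "rce"),
    _log(600, "192.0.2.11", "10.0.0.6", 445, "scan"),
    _log(996, "192.0.2.11", "10.0.0.6", 445, "scan"),
    _log(997, "192.0.2.11", "10.0.0.6", 139, "scan"),
    _log(998, "192.0.2.11", "10.0.0.6", 3389, "scan"),
]
RETURN_LOGS = [
    _ret(991, "192.0.2.10", "10.0.0.5", 22, 200),
    _ret(993, "192.0.2.10", "10.0.0.5", 80, 200),
    _ret(995, "192.0.2.10", "10.0.0.5", 443, 403),
    _ret(997, "192.0.2.11", "10.0.0.6", 445, 403),
]

if __name__ == "__main__":
    for event in security_events(ATTACK_LOGS, RETURN_LOGS, NOW):
        print(f"security event: {event.attack_field} against {event.dst_ip}")
```

Only the scan of 10.0.0.5 survives: the single "rce" log stays below the first threshold, and the scan of 10.0.0.6 has no successful return packets.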
When attack events are generated, an attack-method identifier can be generated for each attack event to mark the attack method the event uses. In practical application, however, it is found that many attack methods are mutually exclusive, i.e. many methods cannot occur at the same time. For example, for a scanning behaviour performed by a scanner, the security device outputs the logs corresponding to that behaviour; these logs may satisfy several event rules at once and so generate several security events at the same time, such as a scan event, a vulnerability attack event and a virus attack event. Here only the scan event really occurred; the vulnerability attack event and the virus attack event are noise events produced during event recognition and need to be filtered out.
For this purpose, the method of this example further includes, before step S203: deleting the noise events among the attack events according to preset denoising rules. The denoising rules configure the mutually exclusive attack events that cannot occur at the same time. For example, a configured denoising rule may be: when an event whose attack method is A occurs, an event whose attack method is B is a noise event. Then, in practical application, when the detected attack events include an event whose attack method is A, the events whose attack method is B that occur within a certain period before and after the event with attack method A are deleted; this period can be set as desired, for example 2 minutes.
According to the preconfigured denoising rules, the noise events among two or more mutually exclusive events that cannot occur at the same time are filtered out, which reduces the number of security events generated and the amount of data processing.
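The denoising rule just described, as an added example that is not part of the patent text: a rule table maps a method A to the methods B that count as noise, and every B event within the 2-minute period before or after an A event is dropped. The method names, the assumption that A and B must target the same host, and the sample events are constructed.

```python
"""Added example (not from the patent text): a denoising rule of the form
'when an event with attack method A occurs, events with method B within a
period before and after it are noise'. Method names, the same-host condition
and the sample events are constructed."""

# Rule table, constructed: method A -> the methods B that are noise next to it.
DENOISE_RULES = {"scan": {"vuln_attack", "virus_attack"}}
NOISE_WINDOW = 120  # seconds, the 2-minute period mentioned in the text


def denoise(events, rules=DENOISE_RULES, window=NOISE_WINDOW):
    """Drop every event whose method is listed as noise for some event A that
    targets the same host (assumption) within +/- window seconds of it."""
    noise = set()
    for a in events:
        for b_method in rules.get(a["method"], ()):
            for idx, b in enumerate(events):
                if (b["method"] == b_method and b["dst_ip"] == a["dst_ip"]
                        and abs(a["time"] - b["time"]) <= window):
                    noise.add(idx)
    return [e for idx, e in enumerate(events) if idx not in noise]


def _event(time, dst_ip, method):
    return {"time": time, "dst_ip": dst_ip, "method": method}


# Constructed attack events: a scanner hits 10.0.0.5 and its logs also trip the
# vulnerability-attack rule half a minute later; the virus event is outside the
# window and the 10.0.0.6 event belongs to another host, so both are kept.
ATTACK_EVENTS = [
    _event(1000, "10.0.0.5", "scan"),
    _event(1030, "10.0.0.5", "vuln_attack"),   # noise: within 120 s of the scan
    _event(1200, "10.0.0.5", "virus_attack"),  # kept: 200 s after the scan
    _event(1010, "10.0.0.6", "vuln_attack"),   # kept: different host
    _event(2000, "10.0.0.6", "scan"),
]

if __name__ == "__main__":
    for e in denoise(ATTACK_EVENTS):
        print(e)
```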
The method of this embodiment further includes the following step: if an attack event is manually marked as a success event, the attack event is taken as a security event.
In the method of this embodiment, whether an attack event succeeded may be marked manually, and the priority of manual marking is not higher than that of machine marking, so as to deal with omissions that occur during machine marking.
As shown in Fig. 3, based on the same inventive concept as the above method for automatically judging a compromised host, an embodiment of the present invention also provides a device 30 for automatically judging a compromised host, including a security event generation module 301, an attack chain generation module 302, an attack chain correction module 303 and a judgment module 304.
The security event generation module 301 is used to generate security events from the logs output by the security device, a security event being an event that describes attacker activity and containing a destination IP address and an attack phase;
The attack chain generation module 302 is used to aggregate the security events with the same destination IP address and to obtain the attack chain of the host corresponding to that destination IP address according to the attack phases of the aggregated security events;
The attack chain correction module 303 is used to search for security events whose source IP address is the IP address of the host and to correct the attack chain according to the security events found;
The judgment module 304 is used to judge, according to the corrected attack chain, whether the host has been compromised.
Optionally, the security event generation module 301 specifically includes a log acquisition unit, a log aggregation unit, a matching unit and a security event determination unit.
The log acquisition unit is used to obtain the attack logs and return-packet logs output by the security device; the attack logs contain information on the intruder's attack, and the return-packet logs contain the return-packet information of the attacker's session;
The log aggregation unit is used to aggregate the attack logs that satisfy the event rules into attack events;
The matching unit is used to search for the return-packet logs that match the attack logs in an attack event;
The security event determination unit is used to determine, according to the first identifier in the return-packet logs found, whether the attack event is a success event, the first identifier marking whether the network activity in the attack log matched by the return-packet log was executed successfully, and to take the attack events confirmed as success events as security events.
Optionally, the event rules include any one or more of the following rules: the generation time of the attack logs falls within a preset time period; the destination IP addresses of the attack logs are the same; the attack logs contain a preset attack field; the number of attack logs containing the same attack field exceeds a first threshold.
Optionally, the security event determination unit is specifically used to determine that the attack event is a success event when, among all the return-packet logs found, the number whose first identifier is "success" meets a preset condition.
Optionally, the security event generation module 301 further includes a denoising unit for deleting the noise events among the attack events according to preset denoising rules, so as to delete attack events that cannot have occurred.
Optionally, the security event generation module 301 further includes a manual marking unit for taking an attack event as a security event if it has been manually marked as a success event.
Optionally, the attack chain correction module 303 is specifically used, if the attack chain does not contain a security event of a default stage, to search for security events whose source IP address is the IP address of the host and to add the security events found to the attack chain as the security events of the default stage, so as to correct the attack chain.
Optionally, the judgment module 304 is specifically used to judge whether the attack phases of the security events contained in the attack chain satisfy a compromise rule; if so, the host is judged to have been compromised, otherwise it is determined that the host has not been compromised.
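The attack chain generation, correction and judgment modules described above, as an added example that is not part of the patent text: events are aggregated by destination IP and ordered by phase; if the chain lacks the default stage, events in which the host itself is the source are added as that stage; the host is judged compromised when the chain's phases satisfy the compromise rule. The phase names and their order, the default stage, the compromise rule and the sample events are constructed, since the patent does not name specific phases.

```python
"""Added example (not from the patent text): attack chain generation,
correction and judgment for one host. The phase names, their order, the
default stage, the compromise rule and the sample events are constructed."""

PHASES = ["recon", "exploit", "install", "c2", "action"]  # constructed ordering
DEFAULT_STAGE = "c2"                  # stage whose absence triggers correction
COMPROMISE_RULE = {"exploit", "c2"}   # constructed: phases a chain must contain


def _by_phase(event):
    return (PHASES.index(event["phase"]), event["time"])


def build_chain(events, host_ip):
    """Aggregate security events by destination IP and order them by attack phase."""
    return sorted((e for e in events if e["dst_ip"] == host_ip), key=_by_phase)


def correct_chain(chain, events, host_ip, stage=DEFAULT_STAGE):
    """If the chain lacks the default stage, look for events in which the host
    itself is the source and add them to the chain as that stage."""
    if any(e["phase"] == stage for e in chain):
        return chain
    outbound = [dict(e, phase=stage) for e in events if e["src_ip"] == host_ip]
    return sorted(chain + outbound, key=_by_phase)


def is_compromised(chain, rule=COMPROMISE_RULE):
    """The host is compromised when the phases present in the chain satisfy the rule."""
    return rule <= {e["phase"] for e in chain}


def judge_host(events, host_ip):
    """Return (verdict, corrected chain) for one host."""
    chain = correct_chain(build_chain(events, host_ip), events, host_ip)
    return is_compromised(chain), chain


def _event(time, src_ip, dst_ip, phase):
    return {"time": time, "src_ip": src_ip, "dst_ip": dst_ip, "phase": phase}


# Constructed security events: an external source scans and exploits 10.0.0.5,
# then 10.0.0.5 starts probing 10.0.0.9 itself; 10.0.0.7 is only scanned.
SECURITY_EVENTS = [
    _event(100, "192.0.2.10", "10.0.0.5", "recon"),
    _event(150, "192.0.2.10", "10.0.0.7", "recon"),
    _event(200, "192.0.2.10", "10.0.0.5", "exploit"),
    _event(300, "10.0.0.5", "10.0.0.9", "recon"),
]

if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.7"):
        verdict, chain = judge_host(SECURITY_EVENTS, host)
        print(host, "compromised" if verdict else "not compromised",
              [e["phase"] for e in chain])
```

The outbound probe from 10.0.0.5 is what completes its chain; without the correction step the chain would stop at "exploit" and the rule would not be met.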
The device for automatically judging a compromised host provided by the embodiment of the present invention uses the same inventive concept as the above method and can obtain the same beneficial effects, which are not repeated here.
Based on the same inventive concept as the above method for automatically judging a compromised host, an embodiment of the present invention also provides an electronic device, which may specifically be a desktop computer, a portable computer, a smartphone, a tablet computer, a personal digital assistant (PDA), a server, and so on. As shown in Fig. 4, the electronic device 40 may include a processor 401, a memory 402 and a transceiver 403. The transceiver 403 is used to send and receive data under the control of the processor 401.
The memory 402 may include read-only memory (ROM) and random access memory (RAM) and provides the processor with the program instructions and data stored in the memory. In the embodiment of the present invention, the memory can be used to store the program of the above method for automatically judging a compromised host.
The processor 401 may be a CPU (central processing unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or a CPLD (Complex Programmable Logic Device). The processor calls the program instructions stored in the memory and, according to the program instructions obtained, implements the method for automatically judging a compromised host of any of the above embodiments.
An embodiment of the present invention provides a computer-readable storage medium for storing the computer program instructions used by the above electronic device, including a program for executing the above method for automatically judging a compromised host.
The above computer storage medium can be any available medium or data storage device that a computer can access, including but not limited to magnetic storage (such as floppy disks, hard disks, tapes, magneto-optical disks (MO), etc.), optical storage (such as CD, DVD, BD, HVD, etc.) and semiconductor memory (such as ROM, EPROM, EEPROM, non-volatile memory (NAND FLASH), solid-state drives (SSD)), etc.
The above embodiments only describe the technical solution of the present application in detail; the explanation of the above embodiments is only intended to help understand the embodiments of the present invention and should not be construed as limiting them. Any changes or substitutions that can easily be thought of by those skilled in the art shall fall within the protection scope of the embodiments of the present invention.

Claims (11)

1. A method for automatically judging a compromised host, characterized by comprising:
generating security events according to logs output by a security device, the security events being events describing attacker activity and containing a destination IP address and an attack phase;
aggregating the security events with the same destination IP address, and obtaining the attack chain of the host corresponding to the destination IP address according to the attack phases of the aggregated security events;
searching for security events whose source IP address is the IP address of the host, and correcting the attack chain according to the security events found;
judging, according to the corrected attack chain, whether the host has been compromised.
2. The method according to claim 1, characterized in that generating security events according to the logs output by the security device specifically includes:
obtaining attack logs and return-packet logs output by the security device, the attack logs containing information on the intruder's attack and the return-packet logs containing the return-packet information of the attacker's session;
aggregating the attack logs that satisfy event rules into attack events;
searching for the return-packet logs that match the attack logs in the attack event;
determining, according to a first identifier in the return-packet logs found, whether the attack event is a success event, the first identifier marking whether the network activity in the attack log matched by the return-packet log was executed successfully;
taking the attack events confirmed as success events as security events.
3. The method according to claim 2, characterized in that the event rules include any one or more of the following rules: the generation time of the attack logs falls within a preset time period; the destination IP addresses of the attack logs are the same; the attack logs contain a preset attack field; the number of attack logs containing the same attack field exceeds a first threshold; the information inferred from the attack logs satisfies a preset rule.
4. The method according to claim 2, characterized in that determining, according to the first identifier in the return-packet logs found, whether the attack event is a success event specifically includes:
if, among all the return-packet logs found, the number whose first identifier is "success" meets a preset condition, determining that the attack event is a success event.
5. The method according to claim 2, characterized in that, before searching for the return-packet logs that match the attack logs in the attack event, the method further includes:
deleting noise events among the attack events according to preset denoising rules.
6. The method according to claim 2, characterized in that the method further includes:
if the attack event is manually marked as a success event, taking the attack event as a security event.
7. The method according to any one of claims 1 to 6, characterized in that searching for security events whose source IP address is the IP address of the host and correcting the attack chain according to the security events found includes:
if the attack chain does not contain a security event of a default attack stage, searching for security events whose source IP address is the IP address of the host, and adding the security events found to the attack chain as the security events of the default stage, so as to correct the attack chain.
8. The method according to any one of claims 1 to 6, characterized in that judging, according to the attack chain, whether the host has been compromised specifically includes:
judging whether the attack phases of the security events contained in the attack chain satisfy a compromise rule; if so, judging that the host has been compromised, otherwise determining that the host has not been compromised.
9. A device for automatically judging a compromised host, characterized by comprising:
a security event generation module for generating security events according to logs output by a security device, the security events being events describing attacker activity and containing a destination IP address and an attack phase;
an attack chain generation module for aggregating the security events with the same destination IP address and obtaining the attack chain of the host corresponding to the destination IP address according to the attack phases of the aggregated security events;
an attack chain correction module for searching for security events whose source IP address is the IP address of the host and correcting the attack chain according to the security events found;
a judgment module for judging, according to the corrected attack chain, whether the host has been compromised.
10. An electronic device, including a transceiver, a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that the transceiver is used to send and receive data under the control of the processor, and the processor, when executing the program, implements the steps of the method of any one of claims 1 to 8.
11. A computer-readable storage medium on which computer program instructions are stored, characterized in that the program instructions, when executed by a processor, implement the steps of the method of any one of claims 1 to 8.
CN201811567279.6A 2018-12-20 2018-12-20 Attack and subsidence host automatic judgment method and device, electronic equipment and storage medium Active CN109617885B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811567279.6A CN109617885B (en) 2018-12-20 2018-12-20 Attack and subsidence host automatic judgment method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109617885A true CN109617885A (en) 2019-04-12
CN109617885B CN109617885B (en) 2021-04-16

Family

ID=66010152

Country Status (1)

Country Link
CN (1) CN109617885B (en)

Also Published As

Publication number Publication date
CN109617885B (en) 2021-04-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.