CN109617885B - Method and device for automatically determining a compromised host, electronic device and storage medium - Google Patents


Info

Publication number: CN109617885B
Application number: CN201811567279.6A
Authority: CN (China)
Prior art keywords: attack, event, host, security, log
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN109617885A
Inventors: 陈军, 吴浪, 胡启明, 潘登
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Nsfocus Technologies Inc; Beijing NSFocus Information Security Technology Co Ltd
Application filed by Nsfocus Technologies Inc and Beijing NSFocus Information Security Technology Co Ltd; priority to CN201811567279.6A; published as CN109617885A; application granted and published as CN109617885B; current legal status Active.

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/00 Network architectures or network communication protocols for network security → H04L63/14 … for detecting or protecting against malicious traffic → H04L63/1408 … by monitoring network traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (same parent hierarchy as H04L63/1425)
    • H04L41/06 Management of faults, events, alarms or notifications (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications (under H04L41/06)

All classifications sit under H ELECTRICITY → H04 ELECTRIC COMMUNICATION TECHNIQUE → H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.

Abstract

The invention relates to the field of network security and discloses a method and device for automatically determining whether a host is compromised, together with an electronic device and a storage medium. The method comprises: generating security events from the logs output by security devices, where a security event describes an attacker's activity and carries a destination IP address and an attack stage; aggregating the security events that share a destination IP address and deriving, from the attack stages of the aggregated events, the attack chain of the host that owns that destination IP address; searching for security events whose source IP address is the host's IP address and correcting the attack chain with the events found; and determining from the corrected attack chain whether the host is compromised. The scheme automates the decision of whether a host has been compromised, removes the dependency on a security engineer for that decision, raises an alarm on a compromised host in time, and reduces the loss a compromised host causes.

Description

Method and device for automatically determining a compromised host, electronic device and storage medium
Technical Field
The invention relates to the field of network security, and in particular to a method and device for automatically determining whether a host is compromised, an electronic device and a storage medium.
Background
A security device that monitors network activity produces a large volume of logs. For an ordinary user watching the network state, the logs are voluminous and their meaning is not obvious; they do not tell the user directly what has happened. As a result, whether a host has been compromised is mostly decided manually by security engineers. This consumes skilled staff, demands a high level of expertise, and carries the risk that a compromise is recognised too late and causes serious loss.
Disclosure of Invention
Embodiments of the invention provide a method and device for automatically determining a compromised host, an electronic device and a storage medium, aiming to solve the problem that the prior art cannot automatically determine whether a host has been compromised.
In a first aspect, an embodiment of the invention provides a method for automatically determining a compromised host, comprising:
generating security events from the logs output by a security device, where a security event describes the activity of an attacker and comprises a destination IP address and an attack stage;
aggregating the security events with the same destination IP address, and obtaining the attack chain of the host corresponding to that destination IP address from the attack stages of the aggregated security events;
searching for security events whose source IP address is the IP address of the host, and correcting the attack chain according to the security events found;
and determining whether the host is compromised according to the corrected attack chain.
In a second aspect, an embodiment of the invention provides a device for automatically determining a compromised host, comprising:
a security event generation module, configured to generate security events from the logs output by the security device, where a security event describes the activity of an attacker and comprises a destination IP address and an attack stage;
an attack chain generation module, configured to aggregate the security events with the same destination IP address and obtain the attack chain of the host corresponding to that destination IP address from the attack stages of the aggregated security events;
an attack chain correction module, configured to search for security events whose source IP address is the IP address of the host and correct the attack chain according to the security events found;
and a determination module, configured to determine whether the host is compromised according to the corrected attack chain.
In a third aspect, an embodiment of the invention provides an electronic device comprising a transceiver, a memory, a processor and a computer program stored in the memory and executable on the processor, where the transceiver receives and transmits data under the control of the processor, and the processor implements the steps of any of the above methods when executing the program.
In a fourth aspect, an embodiment of the invention provides a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the steps of any of the methods described above.
In the scheme provided by the embodiments, the logs sent by the security device are processed into security events, each security event is labelled with its attack stage in the attack chain, security events with the same destination IP address are aggregated, and the attack chain seen from the victim host's point of view is inferred from the aggregated events, reconstructing the process by which the victim host was attacked. Whether the host is compromised is then decided from that attack chain. This automates the compromise decision, removes the dependency on a security engineer, answers the user's question of whether an asset is compromised, saves a large amount of staff effort, provides real-time monitoring of network devices, allows an alarm to be raised on a compromised host in time, and reduces the loss the compromise causes.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. The drawings show only some embodiments of the invention; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for automatically determining a compromised host according to an embodiment of the invention;
Fig. 2 is a flow chart of the security-event generation step of the method for automatically determining a compromised host according to an embodiment of the invention;
Fig. 3 is a structural diagram of a device for automatically determining a compromised host according to an embodiment of the invention;
Fig. 4 is a structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings.
For ease of understanding, the terms used in the embodiments are explained first:
Assets are the network devices used in an organisation's internal network, such as servers, network equipment and personal computers.
A host is a network device, including but not limited to: servers, mobile terminals, notebooks and gateways.
A zombie host (bot) is a computer infected with bot malware and thereby placed under program control by an attacker; at any time it can be directed, through the attacker's command and control (C&C) channel, to take part in a denial-of-service (DoS) attack or to send spam.
A botnet is the one-to-many controllable network formed between a controller and the infected hosts when a large number of hosts are infected with bot programs through one or more propagation methods.
The attack chain records the stages of an APT attack. A complete attack chain has seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and malicious activity (actions on objectives).
Situational awareness is the ability to know security risks dynamically and as a whole, based on the environment. Built on security big data, it improves the discovery, identification, understanding, analysis and response handling of security threats from a global perspective, ultimately serving decision-making and action; it is where security capabilities are put into practice.
The source IP address is the IP address of the party that sends a packet during a communication.
The destination IP address is the IP address of the party that receives the packet during a communication.
The number of any element in the drawings is given by way of example and not limitation, and names are used only to tell elements apart, not as limitations.
The basic principle of the present invention is described in detail below.
In practice, existing situational-awareness products generally only provide information such as attack events, asset threats and risk scores; they cannot provide the conclusion users care about most, namely whether an asset is compromised, and there are few products or methods on the market that determine automatically whether a host is compromised. The most common approach is manual judgement by a highly skilled security engineer, which consumes staff and carries the risk that a compromise is recognised too late and causes serious loss.
The invention therefore provides a method for automatically determining a compromised host: the logs sent by network security devices are processed into security events; security events with the same destination IP address (that is, the same victim host) are aggregated; the attack chain seen from the victim host's point of view is inferred from the aggregated events, reconstructing the process by which the victim host was attacked; and whether the host is compromised is decided from that attack chain. This automates the compromise decision and removes the dependency on a security engineer, so that a compromised host can be alarmed on in time and the loss it causes reduced.
In addition, the inventors found in practice that in a successful network attack the attacker usually communicates with the victim device, and launches the attack, over the connection-oriented TCP protocol, and the packets in that communication flow in both directions: packets sent from the requesting end to the requested end, and data returned from the requested end to the requesting end. Existing network security devices usually focus on the requesting end sending packets to the requested end and generate device logs from that direction; they rarely pay attention to the data the requested end returns, or to the return-packet log generated from it. In fact the return-packet log is of great help in analysing network activity: it shows whether an activity actually succeeded, and whether the security device succeeded in blocking activities such as scanning and intrusion. From it one can further decide whether the attacker succeeded against the asset, filter out unsuccessful attack events, improve the accuracy of the victim host's attack chain, and improve the accuracy of the compromise decision.
When the attack chain of a host is inferred, the usual approach is to collect the network activity of other hosts actively communicating with the host. This modelling ignores the case in which the host, once compromised, is used as a zombie host to attack others. The inventors found that the victim host actively initiating communication with other hosts is one of the processes a victim host goes through under an APT attack; such activity should be collected into the victim host's attack chain as the final attack stage, which optimises the attack chain and improves the accuracy of the compromise decision.
Having described the general principle of the invention, non-limiting embodiments are described in detail below.
Referring to Fig. 1, an embodiment of the invention provides a method for automatically determining a compromised host, comprising the following steps:
S101, generating security events from the logs output by the security device.
A security event describes an attacker's activity, for example scanning a host or launching a webshell. When the attacker performs network activity, the security device generates one or more logs. The logs are parsed to obtain the required fields; the required fields are then enriched into new fields, that is, logs whose required-field values meet preset conditions within a given time are aggregated, the parsed fields are converted into preset fields, and the values of the preset fields are derived from how the logs aggregated; finally, feature screening is applied to the enriched fields to decide whether the logs show the features described in a preset rule. For example, the preset rule for a "brute force" security event is that the number of login actions logged for a given user within a given time exceeds a threshold. Each field of the security log is parsed; logs whose action field has the value 2 (meaning login) and whose destination IP address is the same are aggregated within the time window; the total number of logs aggregated into one group is enriched into a "total logins" field for the host owning that destination IP address; and groups whose "total logins" exceeds the threshold are screened out, yielding a "brute force" security event for that host. In practice, therefore, a security event is obtained by aggregating several related logs, and the security event records the destination IP address, the source IP address and the attack stage of the event.
The attack stage takes one of seven values, stages one to seven, corresponding in order to reconnaissance, weaponization, delivery, exploitation, installation, command and control, and malicious activity.
In practice, specific fields of a security event can be used to identify which of these seven stages the event belongs to. Which fields are used, and how they map to attack stages, can be decided in advance according to the actual deployment and is not limited here.
S102, aggregating the security events with the same destination IP address, and obtaining the attack chain of the host that owns that destination IP address from the attack stages of the aggregated security events.
To generate the attack chain of a given host, the events aggregated should be those related to that host. Security events are generally initiated by an attacker against a victim host, and the destination IP address of such an event is the victim host's, so the events related to the victim host can be quickly selected from all security events by destination IP address.
The attack chain records the attack stages the victim host has been through, and it can be obtained from the aggregated security events. For example, if the aggregated events are event 1, event 2, event 3 and event 4, with event 1 in stage one, events 2 and 3 in stage three and event 4 in stage four, then the host's attack chain contains stages one, three and four and can be written {1,3,4}. The attack chain does not count how many times a stage occurred; it only records whether an attack of that stage was seen.
S103, searching for security events whose source IP address is the IP address of the host, and correcting the attack chain according to the security events found.
Aggregating by destination IP address alone misses the security events in which the victim host acts as the attacker against other hosts; in those events the victim host is the source IP address. Detecting such events for a preset stage supplements and corrects the attack chain and improves the accuracy of deciding whether the victim host was successfully attacked.
Specifically, step S103 comprises: if the attack chain contains no security event of a preset stage, search for security events whose source IP address is the host's IP address, and add the events found to the attack chain as events of the preset stage. The preset stage is one or more attack stages configured by the user. For example, the preset stage may be the seventh stage of the attack chain: a security event whose source IP address is the victim host's IP address, that is, the victim host launching a malicious attack on other hosts, indicates that the victim host is in the seventh stage. The victim host actively attacking other hosts is itself one of the processes of the APT attack on that host, so adding the event to the victim host's attack chain model as the final attack stage further optimises the chain and improves the accuracy of deciding whether the host was successfully attacked.
S104, determining whether the host is compromised according to the attack chain.
In practice, whether the host is compromised can be decided with a preset compromise rule. Step S104 then comprises: determining whether the attack stages of the security events contained in the attack chain satisfy the compromise rule; if so, the host is judged compromised, otherwise not. The compromise rule is configurable so that it can be refined continuously and the accuracy of the decision improved.
The later the attack stage, the higher the probability that the host is compromised; for example, when the highest stage in the host's attack chain has reached the sixth stage (command and control) or the seventh stage (malicious activity), the host must be compromised. A compromise rule can therefore be that the attack chain contains an event above a high-risk stage threshold. For example, with a high-risk stage threshold of 5, a host whose attack chain contains a sixth- or seventh-stage event is considered compromised.
Because a network attack is a progressive process, compromising a host usually goes through the seven stages of reconnaissance, weaponization, delivery, exploitation, installation, command and control and malicious activity; it is unlikely that the first five stages are skipped and the sixth is reached directly, and a chain like that may be the result of an erroneous security event. To improve accuracy, the completeness of the attack chain can be built into the compromise rule: when the chain's completeness is very low, the host is not judged compromised even if a seventh-stage event is present. For example, {1,2,3,4,5,6} is a highly complete attack chain, {1,3,4,5,6} is somewhat less complete, and {7} has very low completeness. The compromise rule can therefore be that the attack chain contains an event above the high-risk stage threshold and covers at least a certain number of attack stages; for example, the host's attack chain contains events of at least two stages and its highest stage is above the fourth stage.
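The three steps S102 to S104 above, as an added example that is not code from the patent or from NSFOCUS. It builds the attack chain from events aggregated by destination IP, adds the preset stage from events in which the host is the source IP, and applies the compromise rule with the completeness condition. The event names, IP addresses, default thresholds and sample events are assumptions made for the example.

```python
"""Added example, not code from the patent or from NSFOCUS. It implements the
attack-chain steps as the text describes them: build the chain from events
aggregated by destination IP (S102), add a preset stage from events whose
*source* IP is the host (S103), and apply a configurable compromise rule (S104).
Event names, IP addresses and the default thresholds are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# The seven attack stages named in the patent's terminology section.
STAGES = {
    1: "reconnaissance", 2: "weaponization", 3: "delivery", 4: "exploitation",
    5: "installation", 6: "command and control", 7: "malicious activity",
}


@dataclass(frozen=True)
class SecurityEvent:
    name: str
    src_ip: str
    dst_ip: str
    stage: int  # 1..7


def build_chain(events: Iterable[SecurityEvent], host_ip: str) -> Set[int]:
    """S102: the attack chain is the set of stages of all events whose
    destination is host_ip. Repeats of a stage are not counted."""
    return {e.stage for e in events if e.dst_ip == host_ip}


def correct_chain(chain: Set[int], events: Iterable[SecurityEvent], host_ip: str,
                  preset_stages: Tuple[int, ...] = (7,)) -> Set[int]:
    """S103: for every preset stage the chain lacks, look for events in which
    host_ip is the *source* (the victim attacking other hosts) and, if any
    exist, add the preset stage to the chain."""
    corrected = set(chain)
    outbound = [e for e in events if e.src_ip == host_ip]
    for stage in preset_stages:
        if stage not in corrected and outbound:
            corrected.add(stage)
    return corrected


def is_compromised(chain: Set[int], high_risk_threshold: int = 4,
                   min_stages: int = 2) -> bool:
    """S104: the compromise rule from the text, including chain completeness:
    the highest stage is above high_risk_threshold AND the chain covers at
    least min_stages distinct stages. min_stages=1 gives the simpler
    'any event above the threshold' rule."""
    if not chain:
        return False
    return max(chain) > high_risk_threshold and len(chain) >= min_stages


def assess_hosts(events: List[SecurityEvent], **rule) -> Dict[str, Tuple[List[int], bool]]:
    """Run S102-S104 for every host that appears as a destination."""
    hosts = {e.dst_ip for e in events}
    result = {}
    for host in sorted(hosts):
        chain = correct_chain(build_chain(events, host), events, host)
        result[host] = (sorted(chain), is_compromised(chain, **rule))
    return result


# Constructed sample events (not real telemetry). 10.0.0.5 is scanned, receives
# a webshell twice and is exploited, then starts attacking 198.51.100.20 itself.
SAMPLE_EVENTS = [
    SecurityEvent("port scan", "203.0.113.7", "10.0.0.5", 1),
    SecurityEvent("webshell upload", "203.0.113.7", "10.0.0.5", 3),
    SecurityEvent("webshell upload", "203.0.113.7", "10.0.0.5", 3),
    SecurityEvent("rce exploit", "203.0.113.7", "10.0.0.5", 4),
    SecurityEvent("ddos flood", "10.0.0.5", "198.51.100.20", 7),
]

if __name__ == "__main__":
    for host, (chain, verdict) in assess_hosts(SAMPLE_EVENTS).items():
        names = ", ".join(STAGES[s] for s in chain)
        print(f"{host}: chain={chain} ({names}) compromised={verdict}")
```

With the sample events, 10.0.0.5 gets the chain {1,3,4} from S102, the outbound DDoS event adds stage 7 in S103, and the rule judges it compromised. 198.51.100.20 only ever appears as the target of that one stage-7 event, so its chain is {7}; with the completeness condition (at least two stages) it is not judged compromised, whereas the simpler rule (`high_risk_threshold=5, min_stages=1`) would flag it. That difference is exactly the erroneous-event case the completeness condition is meant to suppress.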
The method of this embodiment for automatically determining a compromised host processes the logs sent by the security device into security events, labels each event with its attack stage in the attack chain, aggregates the events with the same destination IP address, infers the attack chain from the victim host's point of view, reconstructs the process by which the victim host was attacked, and decides from that chain whether the host is compromised. This automates the compromise decision, removes the dependency on a security engineer, tells the user whether an asset is compromised, saves a large amount of staff effort, monitors network devices in real time, raises an alarm on a compromised host in time and reduces the loss the compromise causes.
As mentioned when introducing the basic principle, the conventional way of generating security events from device logs considers only the events corresponding to packets sent from the requesting end to the requested end, that is, only whether an attacker launched an attack on the host, not whether the attack succeeded, which in fact cannot be known from that direction alone. If an unsuccessful attack event is nevertheless added to the host's attack chain, it inevitably affects the final decision.
As shown in Fig. 2, to improve the accuracy of the security events, step S101 comprises the following steps:
S201, obtaining the attack logs and return-packet logs output by the security device.
An attack log contains information about the intruder's attack and may include the source IP address, destination IP address, source port, destination port, source MAC address, destination MAC address, log type, attack policy, attack duration, protocol type and so on.
A return-packet log contains the response information of the attacker's session and may include the source IP address, destination IP address, source port, destination port, source MAC address, destination MAC address, and information indicating whether the attack action succeeded. Whether the corresponding network activity was executed successfully can be confirmed from the return-packet log.
S202, aggregating the attack logs that satisfy an event rule to obtain an attack event.
Event rules are preconfigured and include, but are not limited to: the attack logs were generated within a preset time window; the attack logs have the same destination IP address; the attack logs contain a preset attack field; the number of attack logs containing the same attack field exceeds a first threshold; information inferred from the attack logs satisfies a preset rule; and so on. Event rules are configurable so that they can be refined continuously.
"Information inferred from the attack logs satisfies a preset rule" means that preset information is inferred from the data in one or more fields of the attack logs and checked against the preset rule; if it satisfies the rule an attack event has occurred, otherwise not. For example, the attack log contains a "duration" field; whenever the duration in an attack log exceeds a preset time the failure count is incremented, and if the failure count inferred from the durations of several attack logs exceeds a preset value, the event rule is satisfied and the corresponding attack event is generated.
Different attack fields can be set for different types of attack event, with at least one attack field per type. For example, a first field may be set for attack event A and a second and third field for attack event B: if attack logs C and D are found to contain the first field, they are aggregated into an attack event, and if attack logs E and F are found to contain the second and third fields, they are aggregated into an attack event. The relationship between the second and third fields set for attack event B may also be an OR: if attack log E contains the second field and attack log F contains the third, E and F are aggregated into an attack event.
The event rules listed above can be combined arbitrarily, that is, several event rules must be satisfied at once for an attack event to be generated. For example, the attack logs generated in the 5 minutes before the current time may first be collected into a set M; the logs in M are then aggregated by destination IP address, giving one or more sets, each containing at least one attack log and each corresponding to one destination IP address; each destination IP address's set is then processed separately: it is checked whether the attack logs in the set contain a preset attack field from the event rules, and attack logs containing the same attack field (or attack fields belonging to the same attack event) are aggregated into an attack event, at which point one or more attack events related to that destination IP address may be generated. A first threshold can also be set in the event rule, so that an attack event is confirmed only when the number of attack logs containing the same attack field exceeds that threshold.
This is only one example of generating attack events with event rules; the specific rules and aggregation method can be set and adjusted according to actual requirements.
S203: finding the return packet log matching the attack log in the attack event.
In a specific implementation, matching can be performed on at least one of the destination IP address, source IP address, port, MAC address and probe_id fields of the attack log and the return packet log, where probe_id distinguishes different internal networks. Matching can also use the generation times of the attack log and the return packet log: when the difference between the two generation times exceeds the set maximum time difference, the return packet log does not match the attack log.
S204: determining whether the attack event is a success event according to the first identifier in the return packet log found.
The first identifier marks whether the attack action in the attack log matched with the return packet log was executed successfully. In a specific implementation, the first identifier may be the status code field in the payload field of the return packet log; the status code field shows whether the corresponding network activity was executed successfully, and a status code of 200 indicates that the attack action was executed successfully.
In a specific implementation, if the number of return packet logs whose first identifier indicates success, among all the return packet logs found, meets a preset condition, the attack event is determined to be a success event; otherwise it is determined not to be a success event. The preset condition may be configured according to actual requirements; for example, it may be that the number of return packet logs whose first identifier indicates success exceeds a preset threshold, or that the proportion of such logs among all the return packet logs found exceeds a preset proportion.
S205: taking the attack event determined to be a success event as a security event.
The return packet log matching an attack log of the attack event is found in step S203; the payload field of the return packet log records whether the network activity corresponding to the matched attack log was executed successfully. Step S204 counts the execution result of the network activity corresponding to each attack log in the attack event and decides from these results whether the attack event succeeded. For example, when a hacker host scans a certain host, the scanned host returns no information to the hacker host if the security device blocks the behaviour; if the scanned host returns information normally, the intrusion scanning event is considered successful. The scanning action of the hacker host is recorded in the scan log, and whether the scanned host returned information normally is recorded in the return packet log, so the return packet log shows whether the intrusion corresponding to the scan log was actually carried out.
Therefore, the actual completion status of an attack event can be determined from the first identifier in the return packet logs matching the attack event, and only successful attack events are output as security events, which improves the accuracy of the attack chain generated for the compromised host and the accuracy of the decision on whether the attack succeeded.
When attack events are generated, an attack method identifier is generated for each attack event to mark the attack method the event used. In practice, however, many attack methods are mutually exclusive, that is, they cannot occur at the same time. For example, when a scanner performs a scan, the security device outputs logs for that scanning behaviour, and those logs may satisfy several event rules at once, so that several security events, such as a scanning event, a vulnerability attack event and a virus attack event, are generated at the same time.
For this reason, before step S203, the method of this embodiment further includes: deleting noise events from the attack events according to a preset denoising rule. The denoising rule is configured with mutually exclusive attack events that cannot occur at the same time. For example, one rule configured in the denoising rule is: when an event with attack method A occurs, an event with attack method B is a noise event; in practice, when the generated attack events are found to include an event with attack method A, the events with attack method B that occur within a certain period before and after it are deleted. The period is configurable, for example 2 minutes.
By filtering out, according to the preconfigured denoising rule, the noise events among two or more mutually exclusive events that cannot occur at the same time, fewer security events are generated and the amount of data to be processed is reduced.
The method of this embodiment further includes: if an attack event is manually marked as a success event, taking that attack event as a security event.
In the method of this embodiment, whether an attack event is a success event may also be marked manually, and manual marking has a higher priority than machine marking, so that events missed during machine marking are covered.
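The event-generation pipeline of steps S202 to S205, together with the denoising and manual-marking rules, as an added worked example (this is not the patent's own code). The log records, field names, thresholds, the scan/vulnerability-attack denoising pair and the assumption that attack and return packet logs record the session in the same direction are all constructed for illustration.

```python
"""Added example (not the patent's own code): the security-event generation pipeline of
steps S202-S205 plus the denoising and manual-marking rules. All log records, field
names, thresholds and rule tables below are constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

WINDOW_SECONDS = 300      # event rule: logs generated within 5 minutes (page example)
FIRST_THRESHOLD = 1       # event rule: logs with the same attack field must exceed this count
MAX_MATCH_DELTA = 30      # assumed maximum time difference between attack log and return log
MIN_SUCCESS_COUNT = 1     # preset condition: at least this many return logs marked success
NOISE_WINDOW = 120        # page example: 2 minutes before/after the triggering event
# Assumed denoising pair: when a "scan" event occurs, "vuln_attack" events nearby are noise.
DENOISE_RULES = {"scan": {"vuln_attack"}}

@dataclass
class AttackEvent:
    dst_ip: str
    attack_field: str
    method: str                            # attack method identifier of the event
    logs: List[dict]
    manual_success: Optional[bool] = None  # analyst's mark; None means not marked

    def span(self) -> Tuple[int, int]:
        times = [log["ts"] for log in self.logs]
        return min(times), max(times)

def aggregate_attack_logs(attack_logs: List[dict], now: int) -> List[AttackEvent]:
    """S202: keep logs from the last WINDOW_SECONDS, group by destination IP and attack
    field, and emit an attack event when a group exceeds FIRST_THRESHOLD."""
    groups = defaultdict(list)
    for log in attack_logs:
        if now - WINDOW_SECONDS <= log["ts"] <= now:
            groups[(log["dst_ip"], log["attack_field"])].append(log)
    return [AttackEvent(dst, fld, logs[0]["method"], logs)
            for (dst, fld), logs in groups.items() if len(logs) > FIRST_THRESHOLD]

def denoise(events: List[AttackEvent]) -> List[AttackEvent]:
    """Delete noise events: an event whose method is mutually exclusive with a rule-keyed
    event, and which lies within NOISE_WINDOW of that event, is dropped."""
    noise = set()
    for i, ev in enumerate(events):
        start, end = ev.span()
        for j, other in enumerate(events):
            if i == j or other.method not in DENOISE_RULES.get(ev.method, ()):
                continue
            o_start, o_end = other.span()
            if o_start <= end + NOISE_WINDOW and o_end >= start - NOISE_WINDOW:
                noise.add(j)
    return [ev for j, ev in enumerate(events) if j not in noise]

def match_return_logs(event: AttackEvent, return_logs: List[dict]) -> List[dict]:
    """S203: a return log matches an attack log when src/dst IP, port and probe_id agree
    and the generation times differ by at most MAX_MATCH_DELTA; each log counts once."""
    matched = {}
    for a in event.logs:
        for idx, r in enumerate(return_logs):
            same_session = all(r[k] == a[k] for k in ("src_ip", "dst_ip", "port", "probe_id"))
            if same_session and abs(r["ts"] - a["ts"]) <= MAX_MATCH_DELTA:
                matched[idx] = r
    return list(matched.values())

def is_success_event(event: AttackEvent, return_logs: List[dict]) -> bool:
    """S204: the first identifier is the status code in the return log payload and 200
    marks success; a manual mark takes priority over the machine decision."""
    if event.manual_success is not None:
        return event.manual_success
    successes = [r for r in match_return_logs(event, return_logs)
                 if r["payload"].get("status_code") == 200]
    return len(successes) >= MIN_SUCCESS_COUNT

def generate_security_events(attack_logs, return_logs, now, manual_marks=None):
    """S202-S205 end to end: only attack events judged successful become security events;
    manual_marks maps (dst_ip, attack_field) to an analyst's verdict."""
    events = denoise(aggregate_attack_logs(attack_logs, now))
    for ev in events:
        ev.manual_success = (manual_marks or {}).get((ev.dst_ip, ev.attack_field))
    return [ev for ev in events if is_success_event(ev, return_logs)]

# Constructed sample logs (timestamps in seconds; NOW is the analysis time).
def _atk(ts, dst, port, field, method):
    return {"ts": ts, "src_ip": "10.0.0.5", "dst_ip": dst, "port": port, "probe_id": "p1",
            "attack_field": field, "method": method}

def _ret(ts, dst, port, status_code):
    return {"ts": ts, "src_ip": "10.0.0.5", "dst_ip": dst, "port": port, "probe_id": "p1",
            "payload": {"status_code": status_code}}

ATTACK_LOGS = [_atk(900, "10.0.1.7", 80, "dir_scan", "scan"), _atk(905, "10.0.1.7", 80, "dir_scan", "scan"),
               _atk(906, "10.0.1.7", 80, "web_exploit", "vuln_attack"),  # noise beside the scan
               _atk(907, "10.0.1.7", 80, "web_exploit", "vuln_attack"),
               _atk(950, "10.0.1.9", 22, "ssh_brute", "brute"), _atk(955, "10.0.1.9", 22, "ssh_brute", "brute"),
               _atk(400, "10.0.1.7", 80, "dir_scan", "scan")]  # outside the 5-minute window
RETURN_LOGS = [_ret(901, "10.0.1.7", 80, 200),   # scanned host answered normally
               _ret(951, "10.0.1.9", 22, 403)]   # brute-force attempt was rejected
NOW = 1000
```

With the sample data, `generate_security_events(ATTACK_LOGS, RETURN_LOGS, NOW)` yields only the scan event against 10.0.1.7; the vulnerability-attack event is removed as noise and the brute-force event fails the status-code check unless an analyst marks it with `manual_marks`.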
As shown in fig. 3, based on the same inventive concept as the method for automatically determining a compromised host described above, an embodiment of the present invention further provides an apparatus 30 for automatically determining a compromised host, which includes a security event generating module 301, an attack chain generating module 302, an attack chain modifying module 303, and a determining module 304.
The security event generating module 301 is configured to generate a security event according to a log output by the security device, where the security event is an event describing an activity of an attacker and includes a destination IP address and an attack stage;
the attack chain generation module 302 is configured to aggregate security events with the same destination IP address, and obtain an attack chain of a host corresponding to the destination IP address according to an attack phase of the aggregated security events;
the attack chain modification module 303 is configured to search for security events whose source IP address is the IP address of the host, and to modify the attack chain according to the security events found;
the determining module 304 is configured to determine whether the host is compromised according to the modified attack chain.
Optionally, the security event generating module 301 specifically includes a log obtaining unit, a log aggregating unit, a matching unit, and a security event determining unit.
The log obtaining unit is used for obtaining the attack log and the return packet log output by the security device, where the attack log contains information about the intruder's attack and the return packet log contains the return packet information of the attacked party's session;
the log aggregation unit is used for aggregating the attack logs meeting the event rule to obtain an attack event;
the matching unit is used for searching for the return packet log matching the attack log in the attack event;
the security event determining unit is used for determining whether the attack event is a success event according to the first identifier in the return packet log found, where the first identifier marks whether the network activity in the attack log matched with the return packet log was executed successfully, and for taking the attack event determined to be a success event as a security event.
Optionally, the event rules include any one or more of the following: the generation times of the attack logs fall within a preset time period, the destination IP addresses of the attack logs are the same, the attack logs contain preset attack fields, and the number of attack logs containing the same attack field exceeds a first threshold.
Optionally, the security event determining unit is specifically configured to determine that the attack event is a success event if, among all the return packet logs found, the number of return packet logs whose first identifier indicates success meets a preset condition.
Optionally, the security event generating module 301 further includes a denoising unit, configured to delete noise events from the attack events according to a preset denoising rule, so as to delete attack events that are unlikely to occur.
Optionally, the security event generating module 301 further includes a manual marking unit, configured to regard the attack event as a security event if the attack event is manually marked as a successful event.
Optionally, the attack chain modification module 303 is specifically configured to, if the attack chain does not include a security event at the preset stage, search for security events whose source IP address is the IP address of the host, and supplement the security events found into the attack chain as security events at the preset stage, so as to modify the attack chain.
Optionally, the determining module 304 is specifically configured to determine whether the attack stages of the security events included in the attack chain satisfy the compromise rule; if so, the host is determined to be compromised, otherwise it is determined not to be compromised.
The apparatus for automatically determining a compromised host and the method for automatically determining a compromised host provided by the embodiments of the present invention share the same inventive concept and achieve the same beneficial effects, which are not repeated here.
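Attack chain construction, correction and the compromise decision performed by modules 302 to 304 above, as an added worked example (not the patent's own code). The stage names, the preset stage "outbound" (activity in which the host is the source), the compromise rule and the sample security events are constructed assumptions; the page names these only abstractly.

```python
"""Added example (not the patent's own code): building, correcting and judging the
attack chain as described for modules 302-304. The stage names, the preset stage and
the compromise rule are constructed assumptions; the page names them only abstractly."""
from collections import defaultdict
from typing import Dict, List

STAGE_ORDER = ["scan", "exploit", "control", "outbound"]  # assumed ordering of attack stages
PRESET_STAGE = "outbound"   # assumed preset stage: activity in which the host is the source
# Assumed compromise rule: the host is judged compromised when the stages present in its
# chain cover any one of these combinations.
COMPROMISE_RULES = [{"exploit", "control"}, {"exploit", "outbound"}, {"control", "outbound"}]

def _chain_key(ev: dict):
    return (STAGE_ORDER.index(ev["stage"]), ev["ts"])

def build_attack_chains(security_events: List[dict]) -> Dict[str, List[dict]]:
    """Module 302: aggregate security events by destination IP and order each chain by
    attack stage, then by generation time."""
    chains: Dict[str, List[dict]] = defaultdict(list)
    for ev in security_events:
        chains[ev["dst_ip"]].append(ev)
    return {host: sorted(chain, key=_chain_key) for host, chain in chains.items()}

def correct_attack_chain(host: str, chain: List[dict], security_events: List[dict]) -> List[dict]:
    """Module 303: if the chain lacks the preset stage, look for security events whose
    source IP is the host itself and add copies of them to the chain as that stage."""
    if any(ev["stage"] == PRESET_STAGE for ev in chain):
        return chain
    outbound = [dict(ev, stage=PRESET_STAGE) for ev in security_events if ev["src_ip"] == host]
    return sorted(chain + outbound, key=_chain_key)

def is_compromised(chain: List[dict]) -> bool:
    """Module 304: the host is compromised if the stages present satisfy a compromise rule."""
    stages = {ev["stage"] for ev in chain}
    return any(rule <= stages for rule in COMPROMISE_RULES)

def judge_hosts(security_events: List[dict]) -> Dict[str, bool]:
    """Run modules 302-304 for every host that appears as a destination IP."""
    chains = build_attack_chains(security_events)
    return {host: is_compromised(correct_attack_chain(host, chain, security_events))
            for host, chain in chains.items()}

# Constructed sample security events (the output of the security event generating module).
SECURITY_EVENTS = [
    {"ts": 900, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.7", "stage": "scan"},
    {"ts": 950, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.7", "stage": "exploit"},
    {"ts": 960, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "stage": "scan"},
    # 10.0.1.7 later scans another internal host; as a destination-keyed event this is
    # only a scan against 10.0.2.3, and module 303 re-attributes it to 10.0.1.7's chain.
    {"ts": 1200, "src_ip": "10.0.1.7", "dst_ip": "10.0.2.3", "stage": "scan"},
]
```

`judge_hosts(SECURITY_EVENTS)` marks 10.0.1.7 as compromised (its corrected chain is scan, exploit, outbound) while 10.0.1.9 and 10.0.2.3, which only show a scan stage, are not.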
Based on the same inventive concept as the method for automatically determining a compromised host, an embodiment of the present invention further provides an electronic device, which may specifically be a desktop computer, a portable computer, a smart phone, a tablet computer, a Personal Digital Assistant (PDA), a server, or the like. As shown in fig. 4, the electronic device 40 may include a processor 401, a memory 402, and a transceiver 403. The transceiver 403 receives and transmits data under the control of the processor 401.
The memory 402 may include Read Only Memory (ROM) and Random Access Memory (RAM), and provides the processor with the program instructions and data stored in it. In this embodiment of the present invention, the memory may store the program of the method for automatically determining a compromised host.
The processor 401 may be a CPU (central processing unit), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or a CPLD (Complex Programmable Logic Device), and implements the method for automatically determining a compromised host of any of the above embodiments by calling the program instructions stored in the memory and executing them.
An embodiment of the present invention further provides a computer-readable storage medium for storing the computer program instructions used by the electronic device, including the program for executing the method for automatically determining a compromised host.
The computer storage media may be any available media or data storage device that can be accessed by a computer, including but not limited to magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs)), etc.
The above embodiments are only used to describe the technical solutions of the present application in detail; they are intended to help understand the method of the embodiments of the present invention and should not be construed as limiting those embodiments. Variations or substitutions readily apparent to one skilled in the art are intended to fall within the scope of the embodiments of the present invention.

Claims (10)

1. A method for automatically determining a compromised host, characterized in that it comprises the following steps:
generating a security event according to a log output by a security device, wherein the security event is an event describing the activity of an attacker and comprises a destination IP address and an attack stage; the generating of the security event according to the log output by the security device specifically comprises: obtaining an attack log and a return packet log output by the security device, wherein the attack log comprises information about the intruder's attack and the return packet log comprises return packet information of the attacked party's session; aggregating the attack logs that conform to an event rule to obtain an attack event; searching for the return packet log matching the attack log in the attack event; determining whether the attack event is a success event according to a first identifier in the return packet log found, wherein the first identifier marks whether the network activity in the attack log matched with the return packet log was executed successfully; and taking the attack event determined to be a success event as a security event;
aggregating security events with the same destination IP address, and obtaining an attack chain of the host corresponding to the destination IP address according to the attack stages of the aggregated security events;
searching for a security event whose source IP address is the IP address of the host, and correcting the attack chain according to the security event found;
and determining whether the host is compromised according to the corrected attack chain.
2. The method of claim 1, wherein the event rule comprises any one or more of the following rules: the generation times of the attack logs fall within a preset time period, the destination IP addresses of the attack logs are the same, the attack logs contain preset attack fields, the number of attack logs containing the same attack field exceeds a first threshold, and information inferred from the attack logs satisfies a preset rule.
3. The method according to claim 1, wherein determining whether the attack event is a success event according to the first identifier in the return packet log found specifically comprises:
if, among all the return packet logs found, the number of return packet logs whose first identifier indicates success meets a preset condition, determining that the attack event is a success event.
4. The method of claim 1, further comprising, before searching for the return packet log matching the attack log in the attack event:
deleting noise events from the attack events according to a preset denoising rule.
5. The method of claim 1, further comprising:
if the attack event is manually marked as a success event, taking the attack event as a security event.
6. The method according to any one of claims 1 to 5, wherein searching for the security event whose source IP address is the IP address of the host and correcting the attack chain according to the security event found comprises:
if the attack chain does not contain a security event at a preset stage of the attack, searching for the security event whose source IP address is the IP address of the host, and supplementing the security event found into the attack chain as the security event at the preset stage, so as to correct the attack chain.
7. The method according to any one of claims 1 to 5, wherein determining whether the host is compromised according to the attack chain specifically comprises:
determining whether the attack stages of the security events contained in the attack chain satisfy a compromise rule; if so, determining that the host is compromised, otherwise determining that the host is not compromised.
8. An apparatus for automatically determining a compromised host, characterized in that it comprises:
a security event generating module, used for generating a security event according to a log output by a security device, wherein the security event is an event describing the activity of an attacker and comprises a destination IP address and an attack stage;
the security event generating module specifically comprises a log obtaining unit, a log aggregating unit, a matching unit and a security event determining unit; the log obtaining unit is used for obtaining an attack log and a return packet log output by the security device, wherein the attack log comprises information about the intruder's attack and the return packet log comprises return packet information of the attacked party's session; the log aggregating unit is used for aggregating the attack logs that conform to an event rule to obtain an attack event; the matching unit is used for searching for the return packet log matching the attack log in the attack event; the security event determining unit is configured to determine whether the attack event is a success event according to a first identifier in the return packet log found, where the first identifier marks whether the network activity in the attack log matched with the return packet log was executed successfully, and the attack event determined to be a success event is taken as a security event;
an attack chain generating module, used for aggregating the security events with the same destination IP address and obtaining the attack chain of the host corresponding to the destination IP address according to the attack stages of the aggregated security events;
an attack chain correcting module, used for searching for a security event whose source IP address is the IP address of the host and correcting the attack chain according to the security event found;
and a determining module, used for determining whether the host is compromised according to the corrected attack chain.
9. An electronic device comprising a transceiver, a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the transceiver is configured to receive and transmit data under control of the processor, and wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the program.
10. A computer-readable storage medium, on which computer program instructions are stored, which program instructions, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 7.
CN201811567279.6A 2018-12-20 2018-12-20 Attack and subsidence host automatic judgment method and device, electronic equipment and storage medium Active CN109617885B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811567279.6A CN109617885B (en) 2018-12-20 2018-12-20 Attack and subsidence host automatic judgment method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN109617885A CN109617885A (en) 2019-04-12
CN109617885B true CN109617885B (en) 2021-04-16

Family

ID=66010152

Country Status (1)

Country Link
CN (1) CN109617885B (en)

Also Published As

Publication number Publication date
CN109617885A (en) 2019-04-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.