CN111490970A - Tracing analysis method for network attack - Google Patents


Info

Publication number
CN111490970A
Authority
CN
China
Prior art keywords
attack
alarm
source
alarms
stage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010101374.8A
Other languages
Chinese (zh)
Inventor
李福宜
王平
陈宏伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xi'an Jiaotong University Jump Network Technology Co ltd
Original Assignee
Xi'an Jiaotong University Jump Network Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xi'an Jiaotong University Jump Network Technology Co ltd
Priority to CN202010101374.8A
Publication of CN111490970A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a tracing analysis method for network attacks, comprising the following steps: obtaining threat intelligence of a specified type and caching it in a local threat intelligence database; obtaining the current alarm information and the local threat intelligence, and determining the attack source of the alarm; performing alarm association according to the device identifier of the attack source and/or the attack destination, determining the attack stage of the device and judging the device compromise level according to the attack stage; and acquiring asset information of the device, and determining the attack impact scope according to the alarm association result. The method achieves effective tracing analysis of network attacks, yields several kinds of tracing results, updates the tracing data with each tracing run, and provides network operation and maintenance personnel with a basis for handling problems and strengthening the security policy.

Description

Tracing analysis method for network attack
Technical Field
The invention belongs to the technical field of network security and data analysis, and in particular relates to a tracing analysis method for network attacks.
Background
With technical progress the internet has penetrated every aspect of life, attack events increase year by year, and network security has gradually become a focus of public concern. The techniques and means used by network attackers also show new trends. The traditional protection of isolating the internal network from the external network by placing security tools such as firewalls at the network boundary is effective only against single, easily discovered attack modes: attacking other nodes from a single node, exploiting system vulnerabilities, or Trojan programs.
However, as network attack means have multiplied, they have not only become more varied but are also developing rapidly towards high integration and automation. As networks become increasingly complex, security threats also tend to diversify, and defenders face large numbers of logs and alarms in different formats and forms. This is especially true of Advanced Persistent Threat (APT) attacks: the tools or malicious programs used are generally custom-developed and hard to detect, the attack may use 0-day vulnerabilities, it is persistent, and it can involve long preparation such as observation, reconnaissance ("footprinting"), information collection and social engineering, followed by gradual infiltration, information exfiltration, command and control, and so on. Traditional processing methods have long been too burdensome, which gave rise to network security situational awareness.
Network security situational awareness is an active network defence means: a large amount of log data is obtained from software and hardware such as firewalls, security audit systems and antivirus software, the current state of the whole network is evaluated and reflected in a timely manner on the basis of data processing, and the future trend is predicted. It not only reflects the current network security situation but also predicts potential attacks in the network, so that they can be defended against proactively. Administrators can comprehensively understand the security condition and evolution trend of the network and respond quickly to complex and changing security threats, reducing the cognitive and response burden.
Tracing analysis of network attacks is an important component of situational awareness. Starting from a known security threat event, it traces the threat path, the threat process, the attack method and the virtual identity, quickly finds useful information such as the source IP (Internet Protocol) address and the physical location of the attack, and provides a basis for network operation and maintenance personnel to handle the problem and strengthen the security policy. The efficiency of the tracing analysis and the accuracy of the tracing result directly affect the subsequent policy making and remediation measures.
Disclosure of Invention
In view of the above, the present invention provides a tracing analysis method for network attacks, which determines the attack source from the attack stage of the alarm, the time of the alarm, and the source IP and destination IP in the alarm, in combination with the asset and service library, the threat intelligence library and the like; performs process deduction on the attack chain, restores the timeline of the attack process, and judges the attack impact scope. The technical scheme is as follows.
A tracing analysis method for network attacks comprises the following steps:
obtaining threat intelligence of a specified type, and caching the threat intelligence in a local threat intelligence database;
obtaining the current alarm information and the local threat intelligence, and determining the attack source of the alarm;
performing alarm association according to the device identifier of the attack source and/or the attack destination, determining the attack stage of the device and judging the device compromise level according to the attack stage;
and acquiring asset information of the device, and determining the attack impact scope according to the alarm association result.
In the first aspect, the attack source of the alarm is determined: the threat intelligence is queried according to the source IP of the alarm, and the attack source is determined to be the internal network or the external network.
In the second aspect, the attack process is restored: alarm association, attack stage determination, compromise level determination and alarm time sequence correction are carried out in turn.
First, alarm association is carried out, specifically:
all alarms whose source IP or destination IP matches that of the alarm are obtained according to specified conditions;
if the source IP of another alarm matches the destination IP of the alarm: when the source port and the destination port of the two alarms match, the two alarms are merged; when the source ports of the two alarms differ and the destination ports match, the two alarms are judged to be associated alarms;
if the destination IP of another alarm matches the source IP of the alarm: when the destination port of the other alarm matches the source port of the alarm, the two alarms are judged to be associated alarms;
if the source IP and the destination IP of another alarm match the source IP and the destination IP of the alarm respectively: when the source port and the destination port of the two alarms match, the two alarms are merged.
Second, the attack stage of the IP is determined: all alarms are queried according to the IP to obtain all alarm records of that IP, the attack behaviour features in the alarm information are extracted, and the attack stage of each alarm is determined according to a preset correspondence between attack behaviour features and attack stages; the highest attack stage among the alarms is taken as the current attack stage of the IP; and the attack stage is entered into the alarm tracing record.
Third, the compromise level of the IP is determined according to its attack stage, comprising: establishing the correspondence between attack stage and compromise level, and determining the compromise level as low suspicion, high suspicion or compromised according to the attack stage the IP is in; the compromise level is entered into the alarm tracing record.
Finally, the time sequence of the alarms is corrected: the associated alarms are divided according to attack stage, and the alarms within each attack stage are sorted by time to obtain the attack stage sequence of the alarms;
the alarms are sorted by occurrence time to obtain the initial time sequence of the alarms;
the attack stage sequence is compared with the initial time sequence, and alarms whose order is inconsistent are removed; alarms whose attack source is the internal network and which are in the reconnaissance or payload delivery stage are also removed;
and the attack propagation path is obtained from the corrected alarm time sequence.
In the third aspect, the IPs affected by the attack are determined from the attack process; the asset information of each IP is obtained and the scope of services affected by the attack is determined, where the asset information comprises the attributes, vulnerabilities, risks, hosted service state and running state of the asset, and the asset attributes include region, department and responsible person.
The tracing analysis method of the invention first determines, by querying the threat intelligence library, whether the attack source is the extranet or the intranet, and further determines the nature of the attack source from the intelligence; it then performs alarm association, attack stage determination, compromise level determination and alarm time sequence correction in turn, restoring the attack process and propagation path; and finally judges the attack impact scope from the asset information. Effective tracing analysis of network attacks is achieved, several kinds of tracing results are obtained, the tracing data is updated with each tracing run, and network operation and maintenance personnel are given a basis for handling problems and strengthening the security policy.
Drawings
Fig. 1 is a schematic overall flow chart of an embodiment of the network attack tracing analysis method of the present invention;
Fig. 2 is a schematic diagram of the alarm association process in Fig. 1;
Fig. 3 is a schematic diagram of the attack source analysis process in Fig. 1;
Fig. 4 is a schematic diagram of the attack process analysis flow in Fig. 1.
Detailed Description
The technical scheme of the invention is explained in detail with reference to the accompanying drawings and the embodiments; it should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit it.
To facilitate understanding of the embodiments of the invention, the related technical terms involved are first briefly described.
Threat: a potential cause of an unwanted incident that may harm a system or organization.
Information security risk: the degree of impact on an organization caused by security events arising from threats and vulnerabilities present in an information system.
Vulnerability: a weakness in an asset or group of assets that can be exploited by a threat.
Network traffic: the collection of data packets generated on the network by the devices connected to it (including network devices, security devices, servers, etc.).
Alarm data: the analysis conclusions drawn by a security device or security platform from network traffic, logs, scan/probe return information and other data, or information generated by machine learning, engine devices, tools and component association analysis that describes an abnormal network condition, abnormal system access or a system vulnerability.
Network security event: an occurrence, caused by human error or by software and hardware defects or faults, that may damage an information system and may even affect its normal provision of services. Network security events often have a negative impact on society and, once confirmed, require handling measures.
Association analysis: rules defined by the user, according to the actual environment, that relate various security events (log information, alarm information, etc.) by order of occurrence, after-the-fact impact and so on, and then trigger a preventive response for a known situation. Examples of association analysis rules: taking part of the content of a single log as alarm information, for instance logins, start-ups and shut-downs appearing in the log; counting the frequency of a particular event per unit time, for instance if a user's password is entered wrongly 3 times within 1 minute the user's password may be under brute-force attack; and correlating the logs of multiple devices, for instance many logs with the same destination IP address but different source IP addresses may indicate a DDoS attack.
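The two counting rules just quoted (3 password failures per minute, many sources against one destination) are the kind of thing a SIEM evaluates with a sliding window. The following Python is an added example, not code from the patent or its assignee; the log formats, the regular expressions and the log lines are constructed assumptions, and the thresholds are the ones the text gives (3 failures in 60 s) plus an assumed 5 distinct sources in 60 s for the DDoS rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed log lines (not real data): SSH authentication failures and
# firewall drops in an assumed syslog-like layout.
LOG_LINES = """
2020-02-18T10:00:01 host1 sshd: Failed password for admin from 10.0.0.30 port 51822
2020-02-18T10:00:20 host1 sshd: Failed password for admin from 10.0.0.30 port 51823
2020-02-18T10:00:45 host1 sshd: Failed password for admin from 10.0.0.30 port 51824
2020-02-18T10:03:00 host1 sshd: Failed password for root from 10.0.0.31 port 40000
2020-02-18T10:05:00 host1 sshd: Failed password for root from 10.0.0.31 port 40001
2020-02-18T10:10:00 fw DROP src=198.51.100.1 dst=10.0.0.8 dport=80
2020-02-18T10:10:01 fw DROP src=198.51.100.2 dst=10.0.0.8 dport=80
2020-02-18T10:10:02 fw DROP src=198.51.100.3 dst=10.0.0.8 dport=80
2020-02-18T10:10:03 fw DROP src=198.51.100.4 dst=10.0.0.8 dport=80
2020-02-18T10:10:04 fw DROP src=198.51.100.5 dst=10.0.0.8 dport=80
2020-02-18T10:10:05 fw DROP src=198.51.100.1 dst=10.0.0.8 dport=80
2020-02-18T10:20:00 fw DROP src=198.51.100.9 dst=10.0.0.9 dport=22
""".strip().splitlines()

AUTH_RE = re.compile(r"^(\S+) \S+ sshd: Failed password for (\S+) from (\S+) port \d+$")
FW_RE = re.compile(r"^(\S+) fw DROP src=(\S+) dst=(\S+) dport=\d+$")


def _ts(stamp: str) -> float:
    return datetime.fromisoformat(stamp).timestamp()


def detect_brute_force(lines: List[str], threshold: int = 3,
                       window_s: int = 60) -> List[Tuple[str, str]]:
    """Rule: `threshold` failed logins for the same (user, source IP) within
    `window_s` seconds.  Returns each (user, src) pair that fired, once."""
    recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    fired: List[Tuple[str, str]] = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        t, user, src = _ts(m.group(1)), m.group(2), m.group(3)
        q = recent[(user, src)]
        q.append(t)
        while q and t - q[0] > window_s:      # slide the window forward
            q.popleft()
        if len(q) >= threshold and (user, src) not in fired:
            fired.append((user, src))
    return fired


def detect_ddos(lines: List[str], min_sources: int = 5,
                window_s: int = 60) -> List[str]:
    """Rule: at least `min_sources` distinct source IPs hit the same
    destination IP within `window_s` seconds.  Returns the destinations."""
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    fired: List[str] = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        t, src, dst = _ts(m.group(1)), m.group(2), m.group(3)
        q = recent[dst]
        q.append((t, src))
        while q and t - q[0][0] > window_s:
            q.popleft()
        # count distinct sources, so one noisy client cannot trip the rule
        if len({s for _, s in q}) >= min_sources and dst not in fired:
            fired.append(dst)
    return fired


if __name__ == "__main__":
    print(detect_brute_force(LOG_LINES))   # [('admin', '10.0.0.30')]
    print(detect_ddos(LOG_LINES))          # ['10.0.0.8']
```

The `root` failures are two minutes apart, so they never fill the window, and the repeat from 198.51.100.1 is not counted twice because the DDoS rule counts distinct sources rather than packets.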
Threat intelligence: evidence-based knowledge that includes context, attack mechanisms, attack indicators, implications and actionable advice. Threat intelligence describes an existing or emerging threat or hazard to assets and can be used to inform the subject's decision on how to respond to it. It is intended to give the entity holding the assets (usually the enterprise or organization that owns them) comprehensive, accurate, relevant, executable and decision-ready knowledge and information about the threats it faces. In the narrow sense, the main content of threat intelligence consists of indicators of compromise used to identify and detect threats, such as file hashes, IP addresses, domain names, program execution paths and registry entries, together with their attribution tags.
Network situation: the current state and change trend of the whole network, formed by factors such as the running state of the network devices, network behaviour and user behaviour.
Network security situational awareness system: a product that, in a large-scale network environment, collects, extracts and fuses the network environment elements that can change the network security state and trend (such as assets, network traffic, running state, device alarms, vulnerabilities, security events, threat intelligence and other data), analyses the network security condition and predicts the network security trend with analysis techniques such as data mining, and thereby assists emergency handling and security decision-making. Traditional heterogeneous security defence, based mainly on single-point defences such as IDS, firewalls and VDS, in effect splits network security into isolated islands that lack mutual correlation and cooperation. A situational awareness system is characterised by treating the network system as a whole: it integrates the attack detection, positioning, tracking and other methods of traditional network security theory, performs comprehensive, centralised analysis of the network for security management and intelligent synthesis, and integrates security components from different fields into a seamless security system. This forms a macroscopic network security management system that analyses the security condition of the network and grasps its future trend, so that users can intuitively perceive the overall network condition, a reliable basis is provided for accurate operation, and the risks and losses caused by network security problems are reduced.
Advanced Persistent Threat (APT) attacks, which aim to steal information assets, are generally targeted attacks carried out with unknown threats and consist of multiple stages. For example, one way of dividing the attack stages (the attack chain) is as follows:
(1) Reconnaissance: the attacker learns the personnel, IT architecture, defensive measures and so on of the target organization through social networks, social engineering and other means. This is the "footprinting" stage before the attack. Common behaviour features include port scanning, network scanning, system scanning, vulnerability scanning and SSH scanning. Commonly used system vulnerability scanners include NESSUS, SSS, ISS, X-Scan and Retha; service port scanners include Nmap, SuperScan and Amap; Web service scanners include SQL scanners, PHP scanners and upload vulnerability scanners; Web site scanning tools include Scan, Acunetix Vulnerability Scanner and Jsky; and database password scanners include Shadow Database Scanner, NGSSQuirreL and SQL weak-password scanners.
The attacker collects information such as the target's network topology, IP distribution, network connection device information and server distribution through Google Hacking, WHOIS, DNS queries and network topology scanners (such as SolarWinds).
(2) Payload delivery: based on the reconnaissance results, the attacker purchases or writes malicious code targeting the existing vulnerabilities of the target and performs evasion tests to ensure the attack can bypass the target organization's existing protection system; a spear attack is then launched by means of phishing e-mail, phishing web pages, USB storage media and the like, inducing the target to click and download the prepared malicious code.
Common signatures are DOS Possible Memcached DDoS Amplification Query (set), VOIP REGISTER Message Flood UDP, VOIP INVITE Message Flood UDP, GPL VOIP SIP INVITE message flood, DOS Possible Sentinal LM Amplification attack (request) Inbound, DOS DNS Amplification Attack Inbound, DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03, etc.
(3) Exploitation: the malicious code is successfully implanted in the target's devices and systems, and higher execution privileges are obtained by exploiting vulnerabilities in the target devices and systems. Common ways are brute-force cracking, spear-phishing, watering-hole attacks, USB ferrying, and visiting malicious links and malicious e-mails.
(4) Installation: using the execution privileges obtained, the target device is made to download more fully featured malware, which is installed and started.
(5) Command and control: after the malware starts, it actively establishes a connection to the command and control (C&C) server deployed remotely by the attacker and receives the control signalling sent by the C&C server. Common detection features are DNS covert channel detection (baseline of legitimate DNS requests, frequency and rules, entropy, semantic recognition), abnormal privilege escalation, service monitoring, etc.
(6) Penetration and damage: through the C&C server the attacker controls the target device to initiate further malicious behaviour, such as scanning other devices in the intranet for vulnerabilities, intruding into new targets, mining valuable data or exfiltrating stolen data.
Common penetration signatures are TROJAN Windows executable base64 encoded, INFO Suspicious Mozilla User-Agent - Possible Fake (Mozilla/4.0), MALWARE Suspicious User-Agent, ET POLICY Win32/Sogou User-Agent (Sogou_UPDATER), MALWARE-CNC Win.
When the attack behaviour features match the last two stages (i.e. the "command and control" or "penetration and damage" stage), the device can be defined as compromised and poses a large threat; devices matching the first two stages (i.e. the "reconnaissance" or "payload delivery" stage) pose a relatively small threat and are low-suspicion devices; and devices matching the two intermediate stages (i.e. the "exploitation" and "installation" stages) lie mostly between low suspicion and compromised and are defined as high suspicion. It should be noted that the attacking or attacked devices referred to above include all kinds of network-accessible devices such as servers, routers, switches and PCs.
In order to locate the attack source in a timely and accurate manner, grasp the state, impact scope and degree of the attack, and minimise the loss it causes, the embodiment of the invention provides a tracing analysis method for network attacks.
As shown in the overall flow of Fig. 1, tracing analysis starts from a known security threat event, traces back the threat path, the threat process, the attack technique and the virtual identity, and quickly finds useful information such as the source IP and the physical location of the attack. When association analysis or anomaly analysis generates an alarm or discovers suspected attack behaviour, the alarm is stored in the alarm library and the tracing analysis engine retrieves the alarm data for detailed analysis. First, alarm association is performed according to source IP, destination IP and their ports, including merging and removal, and the relevant alarm data is screened out. Then the attack source is analysed against the threat intelligence library cached locally. Next, combining asset and service data, vulnerability data and the like, the attack stage of the alarm and the time it occurred are analysed and process deduction is performed on the attack chain in the alarm, so that the timeline of the whole attack process is restored, the cause of the attack is analysed, and the attack impact scope and the attack source are judged. The aim is to provide network operation and maintenance personnel with a basis for handling the problem and strengthening the security policy.
In the above tracing analysis, the tracing result of each alarm is stored in the alarm tracing record so that subsequent alarm tracing can be compared against it.
The technical scheme of the embodiment of the invention mainly comprises the following steps: obtaining threat intelligence of a specified type and caching it in a local threat intelligence database; obtaining the current alarm information and the local threat intelligence, and determining the attack source of the alarm; performing alarm association according to the device identifier of the attack source and/or the attack destination, determining the attack stage of the device and judging the device compromise level according to the attack stage; and acquiring asset information of the device, and determining the attack impact scope according to the alarm association result. The specific steps of the analysis are described in detail with reference to the accompanying drawings.
As shown in Fig. 2, alarm association comprises:
obtaining, according to specified conditions, all alarms whose source IP or destination IP matches that of the alarm, for example alarms within a certain time period, alarms from a certain physical area, or alarms of a certain type of threat or attack;
comparing the other alarms with the IPs involved in the alarm, and performing alarm merging and alarm removal according to the association rules, specifically:
if the source IP of another alarm matches the destination IP of the alarm: when the source port and the destination port of the two alarms match, the two alarms are merged; when the source ports of the two alarms differ and the destination ports match, the two alarms are judged to be associated alarms;
if the destination IP of another alarm matches the source IP of the alarm: when the destination port of the other alarm matches the source port of the alarm, the two alarms are judged to be associated alarms;
if the source IP and the destination IP of another alarm match the source IP and the destination IP of the alarm respectively: when the source port and the destination port of the two alarms match, the two alarms are merged.
After merging, the related alarms are collected and stored in the database.
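The three association rules above, which the Disclosure section states in the same words, can be applied mechanically once the alarm record has the five fields they use. The following Python is an added example and not code from the patent or its assignee: the `Alert` record, the time-window "specified condition" and the sample alarms are assumptions, and the rules are implemented exactly as the text states them, with the same-pair rule tested first so that a repeat of the same flow is merged rather than associated.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    """Minimal alarm record (assumed shape; the patent does not fix one)."""
    id: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: int        # occurrence time, seconds since epoch
    sig: str       # signature / behaviour feature text


def relate(anchor: Alert, other: Alert) -> Optional[str]:
    """Classify `other` against `anchor` with the three rules of the text.

    Returns "merge", "associate" or None (no relation)."""
    # Same source/destination pair: same ports means the same flow -> merge.
    if other.src_ip == anchor.src_ip and other.dst_ip == anchor.dst_ip:
        if other.src_port == anchor.src_port and other.dst_port == anchor.dst_port:
            return "merge"
        return None
    # Other alert's source is the anchor's destination (the attacked host
    # acting onwards).
    if other.src_ip == anchor.dst_ip:
        if other.src_port == anchor.src_port and other.dst_port == anchor.dst_port:
            return "merge"
        if other.src_port != anchor.src_port and other.dst_port == anchor.dst_port:
            return "associate"
        return None
    # Other alert's destination is the anchor's source and its destination
    # port is the anchor's source port (traffic back towards the attacker).
    if other.dst_ip == anchor.src_ip and other.dst_port == anchor.src_port:
        return "associate"
    return None


def associate_alerts(anchor: Alert, pool: List[Alert],
                     window_s: int) -> Dict[str, List[str]]:
    """Select candidates sharing an IP with `anchor` inside a time window
    (the "specified conditions"), then merge or associate each of them."""
    result: Dict[str, List[str]] = {"merged": [], "associated": []}
    ips = {anchor.src_ip, anchor.dst_ip}
    for cand in sorted(pool, key=lambda a: a.ts):
        if cand.id == anchor.id or abs(cand.ts - anchor.ts) > window_s:
            continue
        if cand.src_ip not in ips and cand.dst_ip not in ips:
            continue
        verdict = relate(anchor, cand)
        if verdict == "merge":
            result["merged"].append(cand.id)
        elif verdict == "associate":
            result["associated"].append(cand.id)
    return result


# Constructed sample alarms (not real data).
ANCHOR = Alert("a1", "203.0.113.5", 44321, "10.0.0.8", 445, 1000, "SMB exploit attempt")
POOL = [
    ANCHOR,
    # same flow reported again a few seconds later -> merged
    Alert("a2", "203.0.113.5", 44321, "10.0.0.8", 445, 1005, "SMB exploit attempt"),
    # victim probes the same service port on a neighbour -> associated (rule 1)
    Alert("a3", "10.0.0.8", 51000, "10.0.0.9", 445, 1300, "SMB scan"),
    # traffic from inside back to the attacker's source port -> associated (rule 2)
    Alert("a4", "10.0.0.20", 6000, "203.0.113.5", 44321, 1400, "outbound callback"),
    # unrelated pair -> ignored
    Alert("a5", "198.51.100.7", 2222, "10.0.0.50", 22, 1500, "SSH brute force"),
    # related host but outside the one-hour window -> ignored
    Alert("a6", "10.0.0.8", 51001, "10.0.0.9", 3389, 90000, "RDP scan"),
]

if __name__ == "__main__":
    print(associate_alerts(ANCHOR, POOL, window_s=3600))
    # {'merged': ['a2'], 'associated': ['a3', 'a4']}
```

Note that rule 1 keys on the destination port: a victim that goes on to hit port 445 elsewhere is tied to the anchor, while its later RDP probe would need its own anchor (or a wider window) to be picked up.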
As shown in Fig. 3, the attack source analysis obtains the attack source IP from the alarm, determines from the DNS log and the threat intelligence library whether the source IP belongs to the intranet or the extranet, and further determines the geographic information if it is the extranet. The specific analysis distinguishes intranet attack sources from extranet attack sources:
If the attack is judged from the alarm source IP to come from the intranet, the initial compromise certainty of the source IP is looked up in the alarm tracing record:
if the source IP is high suspicion or compromised, alarm association is performed according to the destination IP, the attack stage of the destination IP is determined, and the compromise level of the destination IP is determined according to the attack stage;
if the source IP is low suspicion or no tracing record of the source IP is found, alarm association is performed according to both the source IP and the destination IP, the attack stages of the source IP and the destination IP are determined, and their compromise levels are determined according to the attack stages;
and the compromise levels of the source IP and the destination IP are updated in the alarm tracing record.
If the attack is judged from the source IP of the alarm to come from the extranet,
the attack source is marked according to the geographic information in the local threat intelligence, and the geographic mark is entered into the alarm tracing record; the geographic information comprises the correspondence between domain name, IP and the country/city they belong to, and the country/city information includes longitude and latitude;
the DNS log is obtained and the attack source IP or domain name is looked up in the local threat intelligence: if the attack source is malicious, the initial compromise certainty of the destination IP is marked as high suspicion or compromised; if the attack source is not malicious, the initial compromise certainty of the destination IP is marked as low suspicion;
alarm association is performed according to the destination IP, the attack stage of the destination IP is determined, and the compromise level of the destination IP is determined according to the attack stage;
and the compromise level of the destination IP is entered into the alarm tracing record.
The determination of an IP's attack stage and compromise level used in the above technical solution is described in the following attack process analysis.
As shown in FIG. 4, the attack process analysis comprises determination of the attack stage and of the compromise level:
Determining the attack stage of an IP specifically comprises: querying the alarm library by the IP to obtain every alarm record in which the IP took part, i.e. all alarms related to that IP.
The attack behaviour features in all of these alarms are extracted, and the attack stage of each alarm is determined from a preset correspondence between attack behaviour features and attack stages (for example the attack features typical of each stage).
The highest attack stage among all of the IP's alarms is taken as the attack stage the queried IP is currently in (the IP actually corresponds to an internet-connected device on the external or internal network; a device on the internal network may also be called an asset), and the resulting attack stage is written to the alarm tracing record table.
Further, determining the compromise level from the IP's attack stage specifically comprises: when the IP is in the reconnaissance tracking or payload delivery stage, the compromise level is determined to be low suspicious; when it is in the vulnerability exploitation or installation and implantation stage, the compromise level is determined to be high suspicious; when it is in the command and control or penetration and damage stage, the compromise level is determined to be compromised; likewise, the resulting compromise level is written to the alarm tracing record.
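As an added illustration (editor's example code, not the applicant's implementation), the following Python carries the stage and compromise-level determination above, together with the internal-source and external-source branches described before it, through a constructed alarm library. The six stage names, the feature-to-stage table, the address ranges treated as the internal network, the alarm records and the threat intelligence entries are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Six-stage attack model used on the page; a higher number means the attack
# has progressed further.
STAGES = {
    1: "reconnaissance tracking",
    2: "payload delivery",
    3: "vulnerability exploitation",
    4: "installation and implantation",
    5: "command and control",
    6: "penetration and damage",
}

# Preset correspondence between attack behaviour features and stages.
# Feature names are constructed; a deployment takes them from its signatures.
FEATURE_TO_STAGE = {
    "port_scan": 1, "web_probe": 1,
    "malicious_attachment": 2, "drive_by_download": 2,
    "exploit_attempt": 3, "privilege_escalation": 3,
    "webshell_upload": 4, "persistence_service": 4,
    "c2_beacon": 5, "dns_tunnel": 5,
    "lateral_movement": 6, "data_exfiltration": 6,
}

# Address ranges treated as the internal network (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alarm:
    alarm_id: str
    src_ip: str
    dst_ip: str
    feature: str   # attack behaviour feature extracted from the alarm
    ts: int        # occurrence time, epoch seconds


def is_intranet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def alarm_stage(alarm):
    """Stage of a single alarm from its behaviour feature; 0 if unmapped."""
    return FEATURE_TO_STAGE.get(alarm.feature, 0)


def attack_stage_of_ip(library, ip):
    """Highest stage over every alarm in which the IP appears as source or
    destination; 0 if the alarm library holds nothing for it."""
    related = (a for a in library if ip in (a.src_ip, a.dst_ip))
    return max((alarm_stage(a) for a in related), default=0)


def compromise_level(stage):
    """Stage -> level as the page defines it: 1-2 low suspicious,
    3-4 high suspicious, 5-6 compromised."""
    if stage <= 0:
        return "none"
    if stage <= 2:
        return "low suspicious"
    if stage <= 4:
        return "high suspicious"
    return "compromised"


def trace_alarm(alarm, library, trace_records, threat_intel):
    """Process one alarm, update the alarm tracing records in place and return
    the IPs whose stage and level were (re)computed.

    trace_records: ip -> dict with keys stage, level, initial_certainty, geo
    threat_intel:  ip -> {"malicious": bool, "geo": str}   (local cache)
    """
    if is_intranet(alarm.src_ip):
        src_level = trace_records.get(alarm.src_ip, {}).get("level")
        if src_level in ("high suspicious", "compromised"):
            targets = [alarm.dst_ip]                # source already rated
        else:
            targets = [alarm.src_ip, alarm.dst_ip]  # low suspicious or no record
    else:
        intel = threat_intel.get(alarm.src_ip, {})
        trace_records.setdefault(alarm.src_ip, {})["geo"] = intel.get("geo", "unknown")
        initial = "high suspicious" if intel.get("malicious") else "low suspicious"
        trace_records.setdefault(alarm.dst_ip, {})["initial_certainty"] = initial
        targets = [alarm.dst_ip]
    for ip in targets:
        stage = attack_stage_of_ip(library, ip)
        rec = trace_records.setdefault(ip, {})
        rec["stage"] = stage
        rec["level"] = compromise_level(stage)
    return targets


# Constructed alarm library: an external host scans and exploits 10.0.0.9,
# which then beacons to a C2 server and moves laterally to 10.0.0.12.
SAMPLE_LIBRARY = [
    Alarm("a1", "198.51.100.4", "10.0.0.9", "port_scan", 100),
    Alarm("a2", "198.51.100.4", "10.0.0.9", "exploit_attempt", 200),
    Alarm("a3", "10.0.0.9", "203.0.113.7", "c2_beacon", 300),
    Alarm("a4", "10.0.0.9", "10.0.0.12", "lateral_movement", 400),
]
SAMPLE_INTEL = {"198.51.100.4": {"malicious": True, "geo": "city-X, country-Y (lat 0.0, lon 0.0)"}}

if __name__ == "__main__":
    records = {}
    for alarm in SAMPLE_LIBRARY:
        touched = trace_alarm(alarm, SAMPLE_LIBRARY, records, SAMPLE_INTEL)
        print(alarm.alarm_id, "->", {ip: records[ip] for ip in touched})
```

Note that the level is computed from the whole alarm library each time, so an IP that has already reached the command and control stage is rated compromised even when the alarm being traced is an early-stage one; this is what taking the highest stage over all related alarms implies.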
Further, correcting the alarm time sequence according to the alarm correlation result to obtain the attack process specifically comprises:
dividing the correlated alarms by their determined attack stages and ordering the alarms within each stage by time, to obtain the attack stage sequence of the alarms;
obtaining the occurrence time of each alarm from data such as flow logs, security logs and audit logs, and ordering the alarms by it to obtain the initial time sequence of the alarms;
comparing the attack stage sequence with the initial time sequence and, because alarms from different sources carry a certain proportion of false positives, removing the alarms whose order is inconsistent between the two sequences; a low-threat suspicious alarm from the internal network needs confirmation by further security monitoring, so, to keep a false positive from affecting service operation, alarms whose attack source is the internal network and which are in the reconnaissance tracking or payload delivery stage are also removed;
and obtaining the propagation path of the attack from the corrected alarm time sequence, and determining the IPs affected by the attack and their compromise levels.
In a preferred embodiment, the range of services affected by the attack is determined from the asset information (asset attributes, including region, department and responsible person; vulnerabilities; risks; carried-service status and operating status) together with the alarm time sequence.
An example is given by way of explanation: four alarm events A, B, C and D are obtained by alarm correlation. The attack analysis process determines that A is in the second stage (payload delivery), B and C are in the fourth stage (installation and implantation) and D is in the sixth stage (penetration and damage); within the fourth stage B and C are ordered by occurrence time as B then C, so the attack stage sequence of the four correlated alarms is ABCD. The initial time sequence obtained from the log data is BACD, so the attack stage order of A and B is inconsistent with their initial time order; these two alarms may be false positives raised by some security device or system and need further confirmation. After the above process, the occurrence sequence of the correlated alarms is determined to be CD, the propagation path is the source IP and destination IP of C followed by the source IP and destination IP of D, all of these IPs lie within the range affected by the attack, and the compromise level of each IP is further determined by the compromise level determination method.
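As an added illustration (editor's example code, not the applicant's implementation), the following Python reproduces the A, B, C, D case above and generalises it to any set of correlated alarms: it builds both orderings, removes the alarms whose position differs between them (the editor's reading of "inconsistent sequence", which the text does not define more precisely), removes internal-source alarms in stages 1 and 2, and derives the propagation path and the affected IPs. The addresses, timestamps and the address ranges treated as the internal network are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges treated as the internal network (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_intranet(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Alarm:
    alarm_id: str
    src_ip: str
    dst_ip: str
    stage: int   # attack stage already assigned by the attack process analysis (1..6)
    ts: int      # occurrence time taken from flow/security/audit logs


def stage_sequence(alarms):
    """Attack stage sequence: alarms grouped by ascending stage and ordered by
    time within each stage."""
    return sorted(alarms, key=lambda a: (a.stage, a.ts))


def time_sequence(alarms):
    """Initial time sequence: alarms ordered by occurrence time only."""
    return sorted(alarms, key=lambda a: a.ts)


def correct_sequence(alarms):
    """Return (kept alarms in corrected time order, set of removed alarm ids).

    An alarm is treated as inconsistent when it does not occupy the same
    position in the stage sequence and in the time sequence (editor's
    assumption). Internal-source alarms in stages 1-2 are removed as well.
    """
    by_stage = stage_sequence(alarms)
    by_time = time_sequence(alarms)
    inconsistent = {s.alarm_id for s, t in zip(by_stage, by_time)
                    if s.alarm_id != t.alarm_id}
    low_internal = {a.alarm_id for a in alarms
                    if a.stage <= 2 and is_intranet(a.src_ip)}
    removed = inconsistent | low_internal
    kept = [a for a in by_time if a.alarm_id not in removed]
    return kept, removed


def propagation_path(kept):
    """(source IP, destination IP) hops in corrected time order."""
    return [(a.src_ip, a.dst_ip) for a in kept]


def affected_ips(kept):
    """Every IP on the propagation path, in order of first appearance."""
    seen = []
    for src, dst in propagation_path(kept):
        for ip in (src, dst):
            if ip not in seen:
                seen.append(ip)
    return seen


# Constructed alarms reproducing the page's case: stage order ABCD, time order BACD.
EXAMPLE_ALARMS = [
    Alarm("A", "198.51.100.4", "10.0.0.9", stage=2, ts=20),   # payload delivery
    Alarm("B", "10.0.0.9", "10.0.0.12", stage=4, ts=10),      # installation
    Alarm("C", "10.0.0.9", "10.0.0.12", stage=4, ts=30),      # installation
    Alarm("D", "10.0.0.12", "10.0.0.20", stage=6, ts=40),     # penetration and damage
]
# An internal host scanning 10.0.0.9 before everything else: consistent in
# both orderings, but dropped by the low-stage internal-source rule.
INTERNAL_SCAN = Alarm("E", "10.0.0.3", "10.0.0.9", stage=1, ts=5)

if __name__ == "__main__":
    kept, removed = correct_sequence(EXAMPLE_ALARMS + [INTERNAL_SCAN])
    print("stage sequence:", [a.alarm_id for a in stage_sequence(EXAMPLE_ALARMS)])
    print("time sequence: ", [a.alarm_id for a in time_sequence(EXAMPLE_ALARMS)])
    print("removed:", sorted(removed), "kept:", [a.alarm_id for a in kept])
    print("path:", propagation_path(kept), "affected:", affected_ips(kept))
```

For the four alarms of the text the kept sequence is CD, the path is C's source/destination pair followed by D's, and the affected IPs are the three hosts on that path; adding the internal scan E shows the second removal rule acting on an alarm that the consistency check alone would have kept.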
In a preferred embodiment, when a security handling suggestion is produced, alarms are first extracted from the alarm library by asset IP; all alarms of the asset are then traversed to find the type and source distribution of the threats; the problem is then located at the respective level, covering system security, application security, data security, network security, configuration security, device security and other security levels; and finally a reasonable security protection suggestion is given according to the asset's vulnerability information.
Those skilled in the art will appreciate that all or part of the steps of the above embodiments may be implemented by a program instructing the relevant hardware, and the program may be stored in a computer readable storage medium such as ROM/RAM, a magnetic disk or an optical disk.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A tracing analysis method for a network attack, characterized by comprising the following steps:
obtaining threat intelligence of a specified type and caching it in a local threat intelligence database;
obtaining the current alarm information and the local threat intelligence, and judging the attack source of the alarm;
performing alarm correlation on the device identifier of the attack source and/or of the attack destination, determining the attack stage of the device and judging the device's compromise level from the attack stage;
and obtaining the asset information of the device, and determining the attack influence range from the alarm correlation result.
2. The tracing analysis method of claim 1, wherein the alarm correlation comprises:
obtaining, under specified conditions, all alarms whose source IP or destination IP matches that of the alarm;
if the source IP matches the destination IP of the alarm: when the source ports and the destination ports of the two alarms match, merging the two alarms; when the source ports of the two alarms differ and their destination ports match, judging the two alarms to be correlated alarms;
if the destination IP matches the source IP of the alarm: when the destination port of the other alarm matches the source port of the alarm, judging the two alarms to be correlated alarms;
if the source IP and the destination IP match the source IP and the destination IP of the alarm respectively: when the source ports and the destination ports of the two alarms match, merging the two alarms.
3. The method of claim 2, wherein determining the attack stage of an IP specifically comprises: querying all alarms by the IP to obtain every alarm record in which the IP took part, extracting the attack behaviour features from the alarm information, and determining the attack stage of each alarm from a preset correspondence between attack behaviour features and attack stages; taking the highest attack stage among the alarms as the current attack stage of the IP; and writing the attack stage to the alarm tracing record.
4. The method of claim 3, wherein determining the compromise level from the attack stage of the IP comprises: establishing the correspondence between attack stage and compromise level, and determining the compromise level to be low suspicious, high suspicious or compromised according to the attack stage the IP is in; and writing the compromise level to the alarm tracing record.
5. The tracing analysis method of claim 4, wherein, if the attack is judged from the alarm source IP to originate from the internal network, the initial compromise certainty of the source IP is looked up in the alarm tracing record, and
if the source IP is rated high suspicious or compromised, alarm correlation is performed on the destination IP only, the attack stage of the destination IP is determined, and its compromise level is derived from that stage;
if the source IP is rated low suspicious, or no tracing record exists for the source IP, alarm correlation is performed on both the source IP and the destination IP, the attack stage of each is determined, and the compromise level of each is derived from its attack stage;
and the compromise levels of the source IP and the destination IP are written to the alarm tracing record.
6. The tracing analysis method of claim 4, wherein, if the attack is judged from the alarm source IP to originate from the external network,
the attack source is marked with geographic information from the local threat intelligence, and the geographic mark is written to the alarm tracing record; the geographic information comprises the correspondence between domain name, IP and the country/city to which the address belongs, the country/city information including latitude and longitude;
the DNS log is obtained and the attack source IP or domain name is looked up in the local threat intelligence: if the attack source is malicious, the initial compromise certainty of the destination IP is marked high suspicious or compromised; if the attack source is not malicious, the initial compromise certainty of the destination IP is marked low suspicious;
alarm correlation is performed on the destination IP, its attack stage is determined, and its compromise level is derived from that stage;
and the compromise level of the destination IP is written to the alarm tracing record.
7. The tracing analysis method according to any one of claims 1 to 6, wherein the alarm time sequence is corrected according to the alarm correlation result to obtain the attack process, specifically comprising:
dividing the correlated alarms by attack stage and ordering the alarms within each stage by time, to obtain the attack stage sequence of the alarms;
ordering the alarms by occurrence time to obtain the initial time sequence of the alarms;
comparing the attack stage sequence with the initial time sequence and removing the alarms whose order is inconsistent between the two; and removing the alarms whose attack source is the internal network and which are in the reconnaissance tracking or payload delivery stage;
and obtaining the propagation path of the attack from the corrected alarm time sequence, and determining the IPs affected by the attack and their compromise levels.
8. The tracing analysis method of claim 7, wherein the asset information of the device comprises asset attributes, vulnerabilities, risks, carried-service status and operating status; the asset attributes comprise region, department and responsible person.
9. The tracing analysis method of claim 8, wherein the range of services affected by the attack is determined from the corrected alarm time sequence and the asset information.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010101374.8A CN111490970A (en) 2020-02-19 2020-02-19 Tracing analysis method for network attack

Publications (1)

Publication Number Publication Date
CN111490970A true CN111490970A (en) 2020-08-04

Family

ID=71794421

Country Status (1)

Country Link
CN (1) CN111490970A (en)

Cited By (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111917793A (en) * 2020-08-10 2020-11-10 武汉思普崚技术有限公司 Attack chain information analysis method and system
CN112187710A (en) * 2020-08-17 2021-01-05 杭州安恒信息技术股份有限公司 Method and device for sensing threat intelligence data, electronic device and storage medium
CN112003854A (en) * 2020-08-20 2020-11-27 中国人民解放军战略支援部队信息工程大学 Network security dynamic defense decision method based on space-time game
CN112003854B (en) * 2020-08-20 2023-03-24 中国人民解放军战略支援部队信息工程大学 Network security dynamic defense decision method based on space-time game
CN112187720A (en) * 2020-09-01 2021-01-05 杭州安恒信息技术股份有限公司 Method and device for generating secondary attack chain, electronic device and storage medium
CN112187720B (en) * 2020-09-01 2022-11-15 杭州安恒信息技术股份有限公司 Method and device for generating secondary attack chain, electronic device and storage medium
CN112333166A (en) * 2020-10-27 2021-02-05 国网重庆市电力公司电力科学研究院 Attack mode automatic identification system based on Internet of things
CN112351008A (en) * 2020-10-27 2021-02-09 杭州安恒信息技术股份有限公司 Network attack analysis method and device, readable storage medium and computer equipment
CN112351008B (en) * 2020-10-27 2022-07-22 杭州安恒信息技术股份有限公司 Network attack analysis method and device, readable storage medium and computer equipment
CN112269316A (en) * 2020-10-28 2021-01-26 中国科学院信息工程研究所 High-robustness threat hunting system and method based on graph neural network
CN112491817B (en) * 2020-11-12 2023-04-18 中国联合网络通信集团有限公司 Honeypot technology-based tracing method and device and honeypot equipment
CN112491817A (en) * 2020-11-12 2021-03-12 中国联合网络通信集团有限公司 Honeypot technology-based tracing method and device and honeypot equipment
CN112615857A (en) * 2020-12-17 2021-04-06 杭州迪普科技股份有限公司 Network data processing method, device and system
CN112738071B (en) * 2020-12-25 2023-07-28 中能融合智慧科技有限公司 Method and device for constructing attack chain topology
CN112738071A (en) * 2020-12-25 2021-04-30 中能融合智慧科技有限公司 Method and device for constructing attack chain topology
CN115001724B (en) * 2021-03-01 2023-04-07 腾讯科技(深圳)有限公司 Network threat intelligence management method, device, computing equipment and computer readable storage medium
CN115001724A (en) * 2021-03-01 2022-09-02 腾讯科技(深圳)有限公司 Network threat intelligence management method, device, computing equipment and computer readable storage medium
CN112995359B (en) * 2021-04-27 2021-08-13 南京华飞数据技术有限公司 Network identity traceability system and method based on DNS
CN112995359A (en) * 2021-04-27 2021-06-18 南京华飞数据技术有限公司 Network identity traceability system and method based on DNS
CN113449290A (en) * 2021-06-16 2021-09-28 中国工程物理研究院计算机应用研究所 Intranet multi-metadata correlation analysis engine software
CN113794696B (en) * 2021-08-27 2023-04-28 北京航空航天大学杭州创新研究院 Network security information processing method and system based on causal model
CN113794696A (en) * 2021-08-27 2021-12-14 北京航空航天大学杭州创新研究院 Network security information processing method and system based on causal model
CN113890758B (en) * 2021-09-27 2024-04-12 深信服科技股份有限公司 Threat information method, threat information device, threat information equipment and computer storage medium
CN113890758A (en) * 2021-09-27 2022-01-04 深信服科技股份有限公司 Threat information method, device, equipment and computer storage medium
CN114143064A (en) * 2021-11-26 2022-03-04 国网四川省电力公司信息通信公司 Multi-source network security alarm event tracing and automatic processing method and device
CN114124552A (en) * 2021-11-29 2022-03-01 恒安嘉新(北京)科技股份公司 Network attack threat level obtaining method, device and storage medium
CN114301796A (en) * 2021-12-20 2022-04-08 上海纽盾科技股份有限公司 Verification method, device and system for predicting situation awareness
CN114301796B (en) * 2021-12-20 2023-10-03 上海纽盾科技股份有限公司 Verification method, device and system for prediction situation awareness
CN114244809B (en) * 2021-12-24 2024-05-17 北京天融信网络安全技术有限公司 Method and device for detecting host computer collapse level in target network
CN114499959B (en) * 2021-12-24 2024-04-16 北京网神洞鉴科技有限公司 Server attack tracing method and device
CN114499959A (en) * 2021-12-24 2022-05-13 北京网神洞鉴科技有限公司 Server attack tracing method and device
CN114244809A (en) * 2021-12-24 2022-03-25 北京天融信网络安全技术有限公司 Method and device for detecting host computer failure level in target network
CN114422240A (en) * 2022-01-19 2022-04-29 湖南警察学院 Internet of things cross-layer attack path identification method based on attack behavior analysis
CN114422240B (en) * 2022-01-19 2024-03-15 湖南警察学院 Internet of things cross-layer attack path identification method based on attack behavior analysis
CN114422257B (en) * 2022-01-24 2024-05-14 中国工商银行股份有限公司 Information processing method, device, equipment and medium
CN114422257A (en) * 2022-01-24 2022-04-29 中国工商银行股份有限公司 Information processing method, device, equipment and medium
CN114598506A (en) * 2022-02-22 2022-06-07 烽台科技(北京)有限公司 Industrial control network security risk tracing method and device, electronic equipment and storage medium
CN114793168A (en) * 2022-03-15 2022-07-26 上海聚水潭网络科技有限公司 Logging log and IP-based lost user tracing method, system and equipment
CN114793168B (en) * 2022-03-15 2024-04-23 上海聚水潭网络科技有限公司 Method, system and equipment for tracing source of subsided user based on log and IP
CN114760189A (en) * 2022-03-30 2022-07-15 深信服科技股份有限公司 Information determination method, equipment and computer readable storage medium
CN114884712A (en) * 2022-04-26 2022-08-09 绿盟科技集团股份有限公司 Network asset risk level information determination method, device, equipment and medium
CN114884712B (en) * 2022-04-26 2023-11-07 绿盟科技集团股份有限公司 Method, device, equipment and medium for determining risk level information of network asset
CN114584401B (en) * 2022-05-06 2022-07-12 国家计算机网络与信息安全管理中心江苏分中心 Tracing system and method for large-scale network attack
CN114584401A (en) * 2022-05-06 2022-06-03 国家计算机网络与信息安全管理中心江苏分中心 Tracing system and method for large-scale network attack
CN115242608A (en) * 2022-07-12 2022-10-25 广东润联信息技术有限公司 Method, device and equipment for generating alarm information and storage medium
CN115333814A (en) * 2022-08-02 2022-11-11 哈尔滨工业大学(威海) Industrial control system alarm data oriented analysis system and method
CN115460023A (en) * 2022-11-14 2022-12-09 国能大渡河大数据服务有限公司 Method and system for integrally guaranteeing network security
CN115460023B (en) * 2022-11-14 2023-03-17 国能大渡河大数据服务有限公司 Method and system for integrally guaranteeing network security
CN115834219A (en) * 2022-11-29 2023-03-21 中国联合网络通信集团有限公司 Network asset evaluation processing method, device, server and medium
CN115834219B (en) * 2022-11-29 2024-05-17 中国联合网络通信集团有限公司 Network asset evaluation processing method, device, server and medium
CN116112222B (en) * 2022-12-27 2024-05-14 安天科技集团股份有限公司 Method, device, equipment and medium for judging feasibility of network attack and defense deduction attack
CN116112222A (en) * 2022-12-27 2023-05-12 安天科技集团股份有限公司 Method, device, equipment and medium for judging feasibility of network attack and defense deduction attack
CN116112295A (en) * 2023-04-12 2023-05-12 北京长亭未来科技有限公司 Method and device for researching and judging external connection type attack result

Similar Documents

Publication Publication Date Title
CN111490970A (en) Tracing analysis method for network attack
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
EP3588898B1 (en) Defense against apt attack
CN107888607B (en) Network threat detection method and device and network management equipment
US7281270B2 (en) Attack impact prediction system
CN111245787A (en) Method and device for equipment defect identification and equipment defect degree evaluation
CN108092948B (en) Network attack mode identification method and device
CN112383503A (en) Network security event processing method
Kholidy et al. A finite state hidden markov model for predicting multistage attacks in cloud systems
US20170061126A1 (en) Process Launch, Monitoring and Execution Control
Cho et al. Cyber kill chain based threat taxonomy and its application on cyber common operational picture
CN112637220A (en) Industrial control system safety protection method and device
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
Bisio et al. Real-time behavioral DGA detection through machine learning
GB2545480A (en) Detection of coordinated cyber-attacks
Kholidy et al. Online risk assessment and prediction models for Autonomic Cloud Intrusion srevention systems
KR20170091989A (en) System and method for managing and evaluating security in industry control network
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
Davanian et al. MalNet: A binary-centric network-level profiling of IoT malware
CN115913634A (en) Network security abnormity detection method and system based on deep learning
Georgina et al. Deception Based Techniques Against Ransomwares: a Systematic Review
KR102377784B1 (en) Network security system that provides security optimization function of internal network
CN114372269A (en) Risk assessment method based on system network topological structure
CN111147491B (en) Vulnerability repairing method, device, equipment and storage medium
Anwar et al. Understanding internet of things malware by analyzing endpoints in their static artifacts

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination