CN111726357A - Attack behavior detection method and device, computer equipment and storage medium - Google Patents

Attack behavior detection method and device, computer equipment and storage medium

Info

Publication number: CN111726357A
Application number: CN202010561912.1A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 施泽寰, 梁玫娟
Current assignee: Beijing Youtejie Information Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Youtejie Information Technology Co ltd
Priority application: CN202010561912.1A (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Prior art keywords: attack, data, log data, detection, node

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiments of the invention disclose an attack behavior detection method, an attack behavior detection device, computer equipment and a storage medium. The method comprises the following steps: acquiring log information of nodes in a target network and extracting continuous log data from the log information, wherein the target network comprises at least one node; performing correlation analysis on the continuous log data matched with each node according to a preset attack database, and determining attack behavior data; and generating an attack detection result according to the attack behavior data. The embodiments of the invention can reduce the labor cost of attack behavior detection and improve its efficiency.

Description

Attack behavior detection method and device, computer equipment and storage medium
Technical Field
The embodiments of the present invention relate to the field of networks, and in particular to an attack behavior detection method and device, computer equipment and a storage medium.
Background
In recent years, the informatization of various industries has continued to mature, and services depend more and more on information systems. However, the inherent defects of networks and information systems and the threats they face create potential risks in the operation of information systems, and how to quickly and correctly find the network security problems an information system encounters has become one of the key tasks of security personnel.
At present, the MITRE ATT&CK framework can be used to match observed activity against attack behaviors catalogued in advance and to display the attack behaviors that may be occurring. Enterprises can thereby identify, within the MITRE ATT&CK framework, attack organizations attempting to intrude, and respond to security events in a targeted manner.
However, the above tool depends on the manual experience of security personnel in handling security problems and cannot be applied to a large-scale network environment.
Disclosure of Invention
The embodiments of the present invention provide an attack behavior detection method, an attack behavior detection device, a computer device and a storage medium, which can reduce the labor cost of determining an attack mode and improve the efficiency of analyzing it.
In a first aspect, an embodiment of the present invention provides an attack behavior detection method, including:
acquiring log information of nodes in a target network and extracting continuous log data from the log information, wherein the target network comprises at least one node;
performing correlation analysis on the continuous log data matched with each node according to a preset attack database, and determining attack behavior data;
and generating an attack detection result according to the attack behavior data.
In a second aspect, an embodiment of the present invention further provides an attack behavior detection apparatus, including:
a log information acquisition module, configured to acquire log information of nodes in a target network and extract continuous log data from the log information, wherein the target network comprises at least one node;
an attack behavior data acquisition module, configured to perform correlation analysis on the continuous log data matched with each node according to a preset attack database and determine attack behavior data;
and an attack detection result generation module, configured to generate an attack detection result according to the attack behavior data.
In a third aspect, an embodiment of the present invention further provides a computer device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, the attack behavior detection method according to any one of the embodiments of the present invention is implemented.
In a fourth aspect, the present invention further provides a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack behavior detection method according to any one of the embodiments of the present invention.
According to the embodiments of the present invention, log information of the nodes in the target network is acquired, continuous log data is extracted, correlation analysis is performed against the preset attack database, attack behavior data is determined and an attack detection result is generated. This solves the problems of subjective detection results and low efficiency caused by the manual handling of security problems in the prior art, ensures objective attack behavior data, improves the accuracy of attack behavior detection, reduces the labor cost of determining the attack mode and improves the efficiency of analyzing it.
Drawings
Fig. 1 is a flowchart of an attack behavior detection method according to the first embodiment of the present invention;
Fig. 2 is a flowchart of an attack behavior detection method in the second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an attack behavior detection apparatus in the third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a computer device in the fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of an attack behavior detection method in an embodiment of the present invention. This embodiment is applicable to detecting whether an attack behavior exists in a network. The method may be executed by the attack behavior detection apparatus provided in an embodiment of the present invention; the apparatus may be implemented in software and/or hardware, may generally be integrated into a computer device, and may specifically reside in a node of the target network. As shown in Fig. 1, the method of this embodiment specifically includes:
S110, acquiring the log information of the nodes in the target network, and extracting continuous log data from the log information, wherein the target network comprises at least one node.
The target network may consist of at least one node, where a node may be a physical device. If there are at least two nodes, each node is in network communication with at least one other node. The log information records events occurring in the node's operating system or other software, or messages exchanged with other nodes, so that attack behaviors and the like can be analyzed. The log information may include log information of the local device and may also include log information of other nodes in the target network; the local device may be any node in the target network.
The method can collect the log information of each node in the target network in real time and analyze whether each node has been attacked, and thereby whether the target network has been attacked, which improves the timeliness of attack behavior detection. As an example, the attack behavior suffered by a node may be: an email carrying a virus attachment is received on the node and the attachment is run there, so that the node is attacked, and the attack may even propagate to other nodes along the interactions between this node and the others.
In addition, by acquiring the log information of each node of the target network, the resource calling path among a plurality of nodes can be determined and a link formed. Therefore, when an abnormal event is found locally, the historical logs can be traced back to reconstruct the attack chain; existing log data is used effectively to find anomalies in the network environment, threats are actively queried and tracked rather than passively waited for and responded to, and threat information is found as early as possible in the kill chain.
The continuous log data is used for querying the attack behavior data. In practice, an attack means may be a continuous multi-step attack means, in which case the attacked node may exhibit abnormal events over a continuous period of time; the attack behavior data matching such a multi-step attack means can therefore be determined by obtaining and analyzing the node's log data over that continuous period. The continuous log data may be time-continuous data filtered from the log information. Illustratively, the continuous log data is the data on changes of the access rights of nodes in the period from day X of month X of year XX to day X+1 of month X of year XX.
Optionally, extracting the continuous log data from the log information includes: parsing the log information and querying the data associated with security parameters to obtain log data, wherein the security parameters comprise at least one of the following: access parameters, permission parameters and error parameters; and arranging the log data by time order and type to generate the continuous log data.
Parsing and querying the log information extracts the required log data from it. Parsing converts the log information into recognizable log data, which is then screened to extract the needed data. The log information may be parsed with an existing log analysis tool, and the parsed data may be screened according to a preset screening rule to obtain the log data; both the parsing method and the screening method may be set as required, so the embodiments of the present invention do not specifically limit them.
The security parameters serve as query keywords for screening the data in the log information and determining the log data. In general, data related to the security parameters changes when an anomaly occurs; for example, when a network connection anomaly occurs at a node, the number of accesses to the node may change suddenly.
The access parameters are used to query the number of accesses to the nodes involved in the log information, the permission parameters to query the permission change data of the nodes, and the error parameters to query data related to the operation errors of the nodes. The access count, the permission change data and the operation error data are generally recorded along a time dimension. For example: between hour X and hour Y on day X of month X of year XX, the number of accesses to a node was 300; at X:X on day X of month X of year XX, the access rights of the node were changed; at hour X on day X of month X of year XX, the node's network connection was abnormal; and so on. The security parameters may also include other parameters, which the embodiments of the present invention do not particularly limit.
For each node, the log data can be stored in a classified manner by time order and data type to form the continuous log data. For example, a storage space may be configured for each node; within it the data is stored classified by data type, and within each type the pieces of log data are stored sequentially as a list in time order.
Furthermore, historical continuous log data is stored locally, and newly generated continuous log data can be appended to the historical continuous log data according to its type and time order.
Parsing and screening the log information to generate log data, quickly locating abnormal log data within the screened log data, and performing attack behavior detection on that abnormal log data reduces the data volume of attack behavior detection and improves its efficiency and accuracy.
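The extraction of continuous log data in S110 (parsing the log information, screening it by the security parameters, arranging the log data per node by time order and type, and appending it to the locally stored history), written out as an added Python example that is not part of the patent. The log line format, node names, timestamps and the mapping of the security parameters onto log record types are assumptions constructed for this illustration:

```python
"""Added example: building continuous log data from node log information.
Line format, node names and records are constructed, not taken from the patent."""
from collections import defaultdict
from datetime import datetime
import re

# Security parameters used as screening keywords (assumed to map onto record types)
SECURITY_PARAMETERS = {"access", "permission", "error"}

# Constructed sample log information: "<ISO time> <node> <type> <message>".
# Records are deliberately out of time order and one line is malformed.
SAMPLE_LOG_INFORMATION = """\
2020-06-01T10:00:01 nodeA access user=alice src=10.0.0.5 path=/login status=200
2020-06-01T10:00:02 nodeA access user=alice src=10.0.0.5 path=/home status=200
2020-06-01T10:00:05 nodeA error service=sshd msg=connection_reset
2020-06-01T10:01:00 nodeB permission user=bob change=added_to_group group=Administrators
2020-06-01T09:59:59 nodeB access user=bob src=10.0.0.9 path=/admin status=403
2020-06-01T10:02:00 nodeA heartbeat ok
this line is not in the expected format
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<node>\S+)\s+(?P<type>\S+)\s+(?P<msg>.*)$")


def parse_log_information(text):
    """Convert raw log information into recognizable records; lines that do not
    parse (shape or timestamp) are skipped instead of aborting the batch."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        records.append({"time": ts, "node": m["node"], "type": m["type"], "msg": m["msg"]})
    return records


def screen_by_security_parameters(records, parameters=SECURITY_PARAMETERS):
    """Keep only the data associated with the security parameters (the log data)."""
    return [r for r in records if r["type"] in parameters]


def build_continuous_log_data(log_data):
    """Arrange log data by node, then by type, each list sorted into time order."""
    store = defaultdict(lambda: defaultdict(list))
    for r in log_data:
        store[r["node"]][r["type"]].append(r)
    for by_type in store.values():
        for type_list in by_type.values():
            type_list.sort(key=lambda r: r["time"])
    return store


def append_to_history(history, new_data):
    """Merge newly generated continuous log data into the locally stored history
    (a structure returned by build_continuous_log_data), keeping time order."""
    for node, by_type in new_data.items():
        for typ, recs in by_type.items():
            merged = history[node][typ] + recs
            merged.sort(key=lambda r: r["time"])
            history[node][typ] = merged
    return history


def count_accesses(continuous, node, start_iso, end_iso):
    """Access parameter: number of access records of a node in [start, end)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return sum(1 for r in continuous[node]["access"] if start <= r["time"] < end)


def permission_changes(continuous, node):
    """Permission parameter: time-ordered permission change records of a node."""
    return [(r["time"], r["msg"]) for r in continuous[node]["permission"]]
```

With the constructed input, the malformed line is dropped by the parser and the `heartbeat` record is removed by the security-parameter screen, so the continuous log data holds five records across two nodes, each type list in time order regardless of arrival order.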
S120, performing correlation analysis on the continuous log data matched with each node according to a preset attack database, and determining attack behavior data.
The attack database is used to query attack behavior data in the log data of the target network, and may contain attack behavior description information, attack means, attackers, program examples, defense measures, mitigation measures, detection methods, reference documents and other data. The attack behavior data is used to determine whether any node has been attacked, together with at least one of the attack means, attacker, program example, defense measures, mitigation measures, detection method, references and the like.
In practice, the attack database stores a plurality of attack means. Detection conditions can be configured for each attack means, and the continuous log data across the whole network can be queried on the basis of those detection conditions to determine whether abnormal events matching them exist. Illustratively, if all the abnormal events included in a detection condition exist, the nodes matching those abnormal events are determined to exhibit an attack behavior, and the attack behavior data is thereby determined.
In addition, an attack means may carry out a penetration attack, in which case the continuous log data of a plurality of nodes needs to be considered together in the correlation analysis in order to determine the penetration attack behavior.
Alternatively, the attack database may be the ATT&CK knowledge base. The ATT&CK knowledge base subdivides the situations that may occur during an attacker's attack; for example, it divides them into 11 tactic stages: initial access, execution, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, command and control, and so on. The ATT&CK knowledge base also stores the tools and the like used by attackers in each stage. Illustratively, the names of the Advanced Persistent Threat (APT) groups stored in the ATT&CK knowledge base serve as attackers. The attack means stored in the ATT&CK knowledge base may take forms such as: T1085 Rundll32, APT29 has used rundll32.exe for execution; T1023 Shortcut Modification, APT29 drops a Windows shortcut file for execution; and T1095 Standard Non-Application Layer Protocol, APT29 uses TCP for C2 communications, among others, which the embodiments of the present invention do not particularly limit.
Optionally, the attack database includes the correspondence between attackers and attack means.
An attacker may be the user who initiates an attack. An attack means may be an attack mode, and the result of the attack means shows up as continuous log data in the log information, that is, the attack means is associated with the continuous log data.
By configuring the attack database, the attacker and the attack means can be determined accurately and quickly, so that vulnerabilities can be located quickly according to the attack means and fixed, improving network and system security.
S130, generating an attack detection result according to the attack behavior data.
If the attack behavior data is null, the attack detection result is determined to be that no attack behavior exists, that is, the attack detection result is null. If the attack behavior data is not null, the attack means included in the attack behavior data is taken as the attack detection result. In addition, the attack behavior description information, attackers, program examples, defense measures, mitigation measures, detection methods, reference documents and other data matching the attack means can be determined from the attack database and used as the attack detection result. That is, the attack detection result may include at least one of attack behavior description information, an attacker, an attack means, a program example, defense measures, mitigation measures, a detection method, a reference document and the like. In this regard, the embodiments of the present invention are not particularly limited.
Optionally, after the attack detection result is determined, the method further includes displaying the attack detection result, which comprises the detection result of an attacked node together with its attacker, or the detection result of a node that was not attacked.
By displaying the attack detection result, the user can quickly browse the tactics and techniques used by the attacker, so that the full picture of the network security event can be examined quickly and network defense improved quickly.
In addition, there may be multiple attack behaviors, which may be presented in the form of the ATT&CK framework, or displayed as a list, a diagram or the like; the embodiments of the present invention are not particularly limited in this respect.
The ATT&CK framework may be as shown in Table 1 below:
TABLE 1
[Table 1 (the ATT&CK matrix) appears in the original only as an image and is not reproduced here.]
According to the embodiment of the present invention, log information of the nodes in the target network is acquired, continuous log data is extracted, correlation analysis is performed against the preset attack database, attack behavior data is determined and an attack detection result is generated. This solves the problems of subjective detection results and low efficiency caused by the manual handling of security problems in the prior art, ensures objective attack behavior data, improves the accuracy of attack behavior detection, reduces the labor cost of determining the attack mode and improves the efficiency of analyzing it.
Example two
Fig. 2 is a flowchart of an attack behavior detection method in the second embodiment of the present invention, which builds on the above embodiment. In this embodiment, performing correlation analysis on the continuous log data matched with each node according to the preset attack database and determining attack behavior data is embodied as: selecting an attack means included in the attack database as the target attack means and determining the detection condition matched with the target attack means; querying, in the continuous log data matched with each node, abnormal log data matched with the detection condition; and if the abnormal log data in the continuous log data is determined to satisfy the detection condition, taking the target attack means matched with the detection condition as the attack behavior data.
As shown in Fig. 2, the method of this embodiment specifically includes:
S210, acquiring the log information of the nodes in the target network, and extracting continuous log data from the log information, wherein the target network comprises at least one node.
For details not exhaustively described in this embodiment, refer to the foregoing embodiments.
S220, selecting an attack means included in the attack database as the target attack means, and determining the detection condition matched with the target attack means.
Any one attack means may be selected in turn as the target attack means until all attack means have been selected; alternatively, a matching attack means may be selected according to configuration information. There are also other ways to select the attack means, which the embodiments of the present invention do not particularly limit.
The target attack means is used to determine the detection condition. The detection condition is used to detect the abnormal events caused by the target attack means, in order to judge whether an attack behavior, namely a node being attacked by the target attack means, has occurred in the network. When a node is attacked by the target attack means, an abnormal event occurs on the node, so whether the node has been attacked can be judged by detecting abnormal events on it. Generally, one attack means corresponds to one detection condition; the detection condition may be regarded as a detection rule configured for a certain attack means or class of attack means.
S230, querying, in the continuous log data matched with each node, abnormal log data matched with the detection condition.
Abnormal log data is used to determine that an abnormal event has occurred. The continuous log data is queried for abnormal log data matching the abnormal event in order to judge whether the abnormal event has occurred. An attack means or class of attack means may generate abnormal events at a plurality of nodes and accordingly abnormal log data in the continuous log data of those nodes.
Optionally, querying the abnormal log data matched with the detection condition includes: querying the abnormal log data matched with the detection condition using a query statement matched with the node, wherein the query statement is matched with the node's operating system type, which includes a Windows system type or a Linux system type.
In practice, the format and key fields of log information differ between operating systems, so different detection conditions need to be configured for different node operating system types, and the detection conditions correspond to different query statements. The query statement may be written in Structured Query Language (SQL). The query statement is matched with the node operating system type, and different query statements are matched with different operating system types. Specifically, a preconfigured query module may invoke the query statement matched with the node's operating system type to perform the query. The node operating system type may also include other operating systems, which the embodiments of the present invention do not particularly limit.
Illustratively, the query statement is as follows:
appname:windows AND json.event_id:1 AND (json.event_data.Image:*a.exe* OR json.event_data.Image:*b.exe* OR … OR json.event_data.Image:*10.exe*)
|stats count() as cnt by ip,json.event_data.User,json.event_data.Image
|eval src_addr=ip
|eval dst_addr=ip
|eval user=json.event_data.User
T0000_Suspicious_Filename_Used: a program with a suspect file name followed by .exe is used.
For example, abnormal log data matching abnormal events such as T1223_Compiled_HTML_File, T1218_Signed_Binary_Proxy_Execution_Network and T1216_Signed_Script_Proxy_Execution is found according to the search result. According to the identification information T1223, T1218 and T1216 of the abnormal events, the attack database may be queried for the attack behavior data matching that identification information.
In addition, abnormal events may also include T1015 Accessibility Features (APT29 used sticky-keys to obtain unauthenticated, privileged console access), T1088 Bypass User Account Control (APT29 has bypassed UAC) and the like. In this regard, the embodiments of the present invention are not particularly limited.
Querying the abnormal log data with a query statement configured for the node's operating system improves the accuracy of detecting abnormal log data.
S240, if the abnormal log data in the continuous log data is determined to satisfy the detection condition, taking the target attack means matched with the detection condition as the attack behavior data.
The abnormal log data satisfying the detection condition indicates that at least one node has been attacked by the target attack means matched with that detection condition. The detection condition may define at least one of the abnormal events, the timing of each abnormal event, and the penetration path of each abnormal event.
Optionally, determining that the abnormal log data in each piece of continuous log data satisfies the detection condition includes: determining abnormal operation data from each piece of abnormal log data; and if the abnormal operation data is determined to match the standard operation data in the detection condition, determining that the abnormal log data in the continuous log data satisfies the detection condition.
The abnormal operation data describes at least one of the abnormal events occurring in the target network, their order of occurrence, their penetration path and the like. At least one abnormal event, the occurrence timing of each abnormal event and the penetration path of each abnormal event may be determined from the abnormal log data, and the abnormal operation data generated from them.
The standard operation data may be the operation data caused by the target attack means; it may include at least one of the abnormal events specified by the detection condition, the timing of each abnormal event and the penetration path of each abnormal event, and is used to judge whether the abnormal log data satisfies the detection condition.
When the abnormal operation data matches the standard operation data specified by the detection condition, the abnormal operation data is the operation data caused by the target attack means, and it can be determined that the detection condition is satisfied.
Configuring detection conditions, acquiring abnormal operation data and comparing it with the operation data specified by the detection conditions to judge whether the abnormal log data satisfies them improves the detection accuracy of the attack behavior data.
S250, generating an attack detection result according to the attack behavior data.
According to the embodiment of the present invention, the detection condition is determined from the attack means in the attack database, the log data is queried for abnormal log data according to the detection condition, and whether the abnormal log data satisfies the detection condition is analyzed to judge whether an attack behavior of the target attack means has occurred in the target network. Attack behavior can thus be detected objectively, the accuracy of attack behavior detection is improved, and attack behavior detection is automated, which improves its efficiency.
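Steps S220 to S250 above (take each attack means in turn as the target attack means, determine its detection condition, query abnormal log data with a query matched to the node's operating system type, compare the abnormal operation data with the standard operation data, and generate the result), as an added Python example that is not from the patent. It goes slightly beyond the text in treating a detection condition as an ordered sequence of abnormal events with a time window and an optional requirement that the events span more than one node (the penetration path). The T1085/APT29 entry is the one the description quotes; the X-LATERAL-PRIV attack means, the predicate functions standing in for the Windows/Linux query statements, and all log records are constructed assumptions:

```python
"""Added example (not from the patent): steps S220 to S250 as a small rule engine.
Attack database entries, detection conditions, predicates and records are constructed."""
from datetime import datetime, timedelta


def iso(s):
    """Shorthand for building timestamps from ISO strings."""
    return datetime.fromisoformat(s)


# Constructed attack database: attack means -> description and attacker correspondence.
# T1085/APT29 is the ATT&CK entry quoted in the description; X-LATERAL-PRIV is invented here.
ATTACK_DATABASE = {
    "T1085": {"description": "Rundll32: APT29 has used rundll32.exe for execution",
              "attackers": ["APT29"]},
    "X-LATERAL-PRIV": {"description": "constructed: suspicious execution on one node "
                                      "followed by a privilege change on another node",
                       "attackers": ["<unknown, placeholder>"]},
}


# Per-OS predicates standing in for the per-OS query statements of S230.
def win_rundll32(r):
    return r["type"] == "process_create" and r.get("image", "").lower().endswith("rundll32.exe")

def linux_tmp_exec(r):
    return r["type"] == "process_create" and r.get("image", "").startswith("/tmp/")

def win_admin_group_add(r):
    return r["type"] == "permission" and r.get("group") == "Administrators"

def linux_sudoers_change(r):
    return r["type"] == "permission" and r.get("file") == "/etc/sudoers"


# Detection conditions: the standard operation data is an ordered list of abnormal events,
# a time window, and whether the events must span more than one node (penetration path).
DETECTION_CONDITIONS = [
    {"attack_means": "T1085", "window": timedelta(hours=1), "lateral": False,
     "steps": [{"label": "rundll32 execution", "windows": win_rundll32}]},
    {"attack_means": "X-LATERAL-PRIV", "window": timedelta(minutes=15), "lateral": True,
     "steps": [{"label": "suspicious execution", "windows": win_rundll32, "linux": linux_tmp_exec},
               {"label": "privilege change", "windows": win_admin_group_add,
                "linux": linux_sudoers_change}]},
]

# Constructed continuous log data: node -> OS type and time-ordered records.
CONTINUOUS_LOG_DATA = {
    "nodeA": {"os": "windows", "records": [
        {"time": iso("2020-06-01T10:00:00"), "type": "process_create",
         "image": r"C:\Windows\System32\rundll32.exe"}]},
    "nodeB": {"os": "windows", "records": [
        {"time": iso("2020-06-01T10:03:00"), "type": "permission", "group": "Administrators"}]},
    "nodeC": {"os": "linux", "records": [
        {"time": iso("2020-06-01T11:00:00"), "type": "permission", "file": "/etc/sudoers"}]},
}


def query_abnormal_log_data(continuous, condition):
    """S230: apply the predicate matching each node's OS type. A step with no
    predicate for a node's OS is simply not queried on that node."""
    hits = []
    for node, info in continuous.items():
        for rec in info["records"]:
            for idx, step in enumerate(condition["steps"]):
                pred = step.get(info["os"])
                if pred is not None and pred(rec):
                    hits.append({"step": idx, "label": step["label"],
                                 "node": node, "time": rec["time"]})
    return sorted(hits, key=lambda h: h["time"])


def abnormal_operation_data(hits, condition):
    """S240: build the earliest in-order chain of abnormal events and compare it
    with the standard operation data (event order, time window, penetration path)."""
    chain, want = [], 0
    for h in hits:
        if h["step"] == want:
            chain.append(h)
            want += 1
            if want == len(condition["steps"]):
                break
    if want < len(condition["steps"]):
        return None  # not all required abnormal events were seen
    if chain[-1]["time"] - chain[0]["time"] > condition["window"]:
        return None  # timing does not match
    path = [h["node"] for h in chain]
    if condition["lateral"] and len(set(path)) < 2:
        return None  # penetration path does not match
    return {"events": [h["label"] for h in chain],
            "timing": [h["time"] for h in chain], "path": path}


def determine_attack_behavior_data(continuous, conditions=DETECTION_CONDITIONS):
    """S220 to S240: take each attack means in turn as the target attack means."""
    behaviour = []
    for cond in conditions:
        chain = abnormal_operation_data(query_abnormal_log_data(continuous, cond), cond)
        if chain is not None:
            behaviour.append({"attack_means": cond["attack_means"], **chain})
    return behaviour


def generate_attack_detection_result(behaviour, db=ATTACK_DATABASE):
    """S250: null result when there is no attack behaviour, otherwise the attack
    means together with the matching attack database data."""
    if not behaviour:
        return None
    return [{"attack_means": b["attack_means"], "attacked_nodes": b["path"],
             "attackers": db[b["attack_means"]]["attackers"],
             "description": db[b["attack_means"]]["description"]} for b in behaviour]
```

On the constructed data, the T1085 condition matches on nodeA alone, and the X-LATERAL-PRIV condition matches the chain nodeA then nodeB within its 15-minute window; the sudoers change on nodeC is abnormal log data for the second step but never completes a chain, because no first-step event precedes it on a Linux node. The chain search takes the earliest in-order occurrence of each step, which is enough for an illustration; a production rule engine would try every candidate chain so that an early stray event cannot mask a later matching one, and would carry the original records into the result for the analyst.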
EXAMPLE III
Fig. 3 is a schematic diagram of an attack behavior detection apparatus in a third embodiment of the present invention. The third embodiment is a corresponding device for implementing the attack behavior detection method provided by the above embodiments of the present invention, and the device may be implemented in a software and/or hardware manner, and may be generally integrated into a computer device, and the like.
Accordingly, the apparatus of the present embodiment may include:
a log information obtaining module 310, configured to obtain log information of a node in a target network, and count continuous log data from the log information, where the target network includes at least one node;
the attack behavior data acquisition module 320 is configured to perform correlation analysis on continuous log data matched with each node according to a preset attack database, and determine attack behavior data;
and an attack detection result generation module 330, configured to generate an attack detection result according to the attack behavior data.
According to the embodiment of the invention, by acquiring the log information of the nodes in the target network, extracting the continuous log data, performing correlation comparison analysis according to the preset attack database, determining the attack behavior data and generating the attack detection result, the problems of subjective detection result and low efficiency caused by the safety problem of manual detection in the prior art are solved, the objective attack behavior data can be ensured, the accuracy of attack behavior detection is improved, the labor cost for determining the attack mode is reduced, and the analysis efficiency of the attack mode is improved.
Further, the log information obtaining module 310 includes a log information analyzing and screening unit, configured to analyze the log information and query the data associated with security parameters to obtain log data, where the security parameters include at least one of access parameters, permission parameters and error parameters, and to arrange the log data by time sequence and by type to generate the continuous log data.
Further, the attack behavior data obtaining module 320 includes a detection condition detection unit, configured to select an attack means included in the attack database as the target attack means and determine the detection condition matching it; to query the continuous log data of each node for abnormal log data matching the detection condition; and, if the abnormal log data in the continuous log data is determined to satisfy the detection condition, to take the detection condition together with the matched target attack means as attack behavior data.
Further, the detection condition detection unit includes an operating system type query subunit, configured to query for abnormal log data matching the detection condition using a query statement matched to the node; the query statement is matched to the operating system type of the node, which is a Windows system type or a Linux system type.
Further, the detection condition detection unit includes a detection condition judgment subunit, configured to determine abnormal operation data from each item of abnormal log data and, if the abnormal operation data is determined to match the standard operation data in the detection condition, to determine that the abnormal log data in the continuous log data satisfies the detection condition.
Further, the attack database includes the correspondence between attackers and attack means, where each attack means is associated with abnormal log data.
Further, the attack behavior detection apparatus includes an attack detection result display module, configured to display the attack detection result after it is determined, where the attack detection result is either the detection result for an attacked node together with its attacker or the detection result for a node on which no attack was detected.
The attack behavior detection device can execute any one of the attack behavior detection methods provided by the embodiments of the present invention, and has functional modules and beneficial effects corresponding to the executed attack behavior detection method.
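The apparatus above (and claims 1 to 7, which restate the same steps) describes the pipeline without showing it run. The following is an added example, not code from the patent or its applicant, that carries the three steps end to end in Python over constructed logs: three hypothetical nodes (two Linux, one Windows), an attack database with two hypothetical attackers and attack means, and thresholds chosen for illustration. The sshd message format and the Windows Security event IDs 4625, 4624 and 4672 are real; every host name, address, account, attacker name, attack means name and threshold is an assumption made for the example.

```python
# Added example (not the applicant's code): the patent's three steps run over
# constructed logs. Hosts, addresses, accounts, attackers, thresholds: assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (sshd format and Windows event IDs are real; hosts are not).
RAW_LOGS = {
    "web-01": ("linux", [
        "2020-06-18T10:00:01 sshd[311]: Failed password for root from 203.0.113.7 port 50222 ssh2",
        "2020-06-18T10:00:03 sshd[311]: Failed password for root from 203.0.113.7 port 50223 ssh2",
        "2020-06-18T10:00:05 sshd[311]: Failed password for root from 203.0.113.7 port 50224 ssh2",
        "2020-06-18T10:00:12 sshd[311]: Accepted password for root from 203.0.113.7 port 50227 ssh2",
        "2020-06-18T10:01:00 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    ]),
    "db-01": ("windows", [
        "2020-06-18T10:05:00 EventID=4625 Source=198.51.100.9 Account=svc_db Status=0xC000006D",
        "2020-06-18T10:05:30 EventID=4624 Source=198.51.100.9 Account=svc_db LogonType=3",
        "2020-06-18T10:06:00 EventID=4672 Account=svc_db Privileges=SeDebugPrivilege",
    ]),
    "app-01": ("linux", [
        "2020-06-18T10:07:00 sshd[402]: Failed password for deploy from 192.0.2.10 port 40000 ssh2",
        "2020-06-18T10:07:04 sshd[402]: Accepted publickey for deploy from 192.0.2.10 port 40001 ssh2",
    ]),
}

# Query statements selected by node OS type (claim 4): each regex both picks a
# security-relevant line and tags it with its security parameter (claim 2).
QUERIES = {
    "linux": [
        ("error", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
        ("access", re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ],
    "windows": [
        ("error", re.compile(r"EventID=4625 Source=(?P<src>\S+) Account=(?P<user>\S+)")),
        ("access", re.compile(r"EventID=4624 Source=(?P<src>\S+) Account=(?P<user>\S+)")),
        ("permission", re.compile(r"EventID=4672 Account=(?P<user>\S+)")),
    ],
}

# Attack database (claim 6): attacker -> attack means -> detection condition, i.e. the
# abnormal log types to query plus the "standard operation data" (thresholds) to reach.
ATTACK_DB = {
    "external-bruteforcer": {"ssh-password-bruteforce": {"types": ("error", "access"),
        "standard": {"min_failures": 3, "window": timedelta(seconds=60), "needs_privilege": False}}},
    "credential-thief": {"logon-then-privilege-grant": {"types": ("error", "access", "permission"),
        "standard": {"min_failures": 1, "window": timedelta(seconds=120), "needs_privilege": True}}},
}

def continuous_log_data(raw_logs):
    """Step 1 (claim 2): keep lines tied to a security parameter, order by time then type."""
    records = []
    for node, (os_type, lines) in raw_logs.items():
        for line in lines:
            ts_text, _, body = line.partition(" ")
            for kind, pattern in QUERIES[os_type]:
                m = pattern.search(body)
                if m:  # unmatched lines (e.g. the cron entry) are not security data and drop out
                    records.append({"ts": datetime.fromisoformat(ts_text), "node": node, "type": kind, **m.groupdict()})
                    break
    return sorted(records, key=lambda r: (r["ts"], r["type"]))

def abnormal_operation_data(records, node, types):
    """Step 2a (claims 3, 5): per account on one node, failures before the first logon and any privilege grant after it."""
    ops = defaultdict(lambda: {"failures": [], "success": None, "privilege": None})
    for r in records:
        if r["node"] == node and r["type"] in types:
            op = ops[r["user"]]
            if r["type"] == "error" and op["success"] is None:
                op["failures"].append(r["ts"])
            elif r["type"] == "access" and op["success"] is None:
                op["success"] = r["ts"]
            elif r["type"] == "permission" and op["success"] and op["privilege"] is None:
                op["privilege"] = r["ts"]
    return ops

def satisfies(op, standard):
    """Step 2b (claim 5): does the abnormal operation data reach the standard operation data?"""
    if op["success"] is None:
        return False
    recent = [t for t in op["failures"] if op["success"] - t <= standard["window"]]
    if len(recent) < standard["min_failures"]:
        return False
    if standard["needs_privilege"]:
        return op["privilege"] is not None and op["privilege"] - op["success"] <= standard["window"]
    return True

def detect(raw_logs, attack_db):
    """Steps 2 and 3 (claims 3, 7): per node, the first (attacker, means, account) whose
    condition is satisfied, or None when no attack behaviour data is found."""
    records = continuous_log_data(raw_logs)
    result = dict.fromkeys(raw_logs)
    for node in raw_logs:
        for attacker, means_table in attack_db.items():
            for means, cond in means_table.items():
                ops = abnormal_operation_data(records, node, cond["types"])
                for user, op in ops.items():
                    if result[node] is None and satisfies(op, cond["standard"]):
                        result[node] = {"attacker": attacker, "means": means, "account": user}
    return result
```

`detect(RAW_LOGS, ATTACK_DB)` reports web-01 as attacked by the brute-force attacker (three failures inside the window, then a successful root logon), db-01 as attacked by the credential thief (one failed logon, a successful one, then a 4672 privilege grant), and app-01 with no attack found, which is the other branch of claim 7. The regexes stand in for the claim 4 query statements; in a real deployment they would be the query language of the log store, and the thresholds in the standard operation data are where false positives get tuned.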
EXAMPLE IV
Fig. 4 is a schematic structural diagram of a computer device according to a fourth embodiment of the present invention. FIG. 4 illustrates a block diagram of an exemplary computer device 12 suitable for implementing embodiments of the present invention. The computer device 12 shown in FIG. 4 is only one example and should not impose any limitation on the functionality or scope of use of embodiments of the present invention.
As shown in FIG. 4, computer device 12 is in the form of a general purpose computing device. The components of computer device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16. The computer device 12 may be a device that is attached to a bus.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM)30 and/or cache memory 32. Computer device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, and commonly referred to as a "hard drive"). Although not shown in FIG. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a Compact disk Read-Only Memory (CD-ROM), Digital Video disk (DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. System memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in system memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Computer device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with computer device 12, and/or with any devices (e.g., network card, modem, etc.) that enable computer device 12 to communicate with one or more other computing devices. Such communication may be through an Input/Output (I/O) interface 22. Also, computer device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN) or Wide Area Network (WAN)) via network adapter 20. As shown, network adapter 20 communicates with the other modules of computer device 12 via bus 18. It should be understood that although not shown in FIG. 4, other hardware and/or software modules may be used in conjunction with computer device 12, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, Redundant Arrays of Independent Disks (RAID) systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by executing programs stored in the system memory 28, for example, to implement an attack detection method provided by any of the embodiments of the present invention.
EXAMPLE V
A fifth embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the program implements the attack behavior detection method provided by any embodiment of the present application. That is, when executed by the processor, the program: acquires log information of the nodes in a target network and extracts continuous log data from it, where the target network includes at least one node; performs correlation analysis on the continuous log data matched to each node according to a preset attack database and determines attack behavior data; and generates an attack detection result from the attack behavior data.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a RAM, a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable CD-ROM, an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a LAN or a WAN, or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An attack behavior detection method, comprising:
acquiring log information of nodes in a target network, and extracting continuous log data from the log information, wherein the target network comprises at least one node;
according to a preset attack database, continuous log data matched with each node are subjected to correlation analysis, and attack behavior data are determined;
and generating an attack detection result according to the attack behavior data.
2. The method of claim 1, wherein extracting continuous log data from the log information comprises:
analyzing the log information, and inquiring data associated with security parameters to obtain log data, wherein the security parameters comprise at least one of the following items: access parameters, permission parameters, and error parameters;
and arranging the log data according to the time sequence and the type to generate continuous log data.
3. The method according to claim 1, wherein the correlation analysis of the continuous log data matched with each node according to a preset attack database to determine attack behavior data comprises:
selecting an attack means included in the attack database as a target attack means, and determining a detection condition matched with the target attack means;
inquiring abnormal log data matched with the detection condition in the continuous log data matched with each node;
and if the abnormal log data in the continuous log data are determined to meet the detection conditions, the detection conditions are matched with a target attack means to serve as attack behavior data.
4. The method of claim 3, wherein querying for abnormal log data that matches the detection condition comprises:
adopting a query statement matched with the node to query abnormal log data matched with the detection condition; the query statement is matched with the node operating system type, which includes: windows system type or Linux system type.
5. The method of claim 3, wherein the determining that abnormal log data in each of the continuous log data satisfies the detection condition comprises:
determining abnormal operation data according to each abnormal log data;
and if the abnormal operation data is determined to be matched with the standard operation data in the detection condition, determining that the abnormal log data in the continuous log data meets the detection condition.
6. The method of claim 1, wherein the attack database comprises: and the corresponding relation between the attacker and the attack means.
7. The method of claim 1, after determining the attack detection result, further comprising:
and displaying the attack detection result, wherein the attack detection result comprises the detection result of an attacked node together with its attacker, or the detection result of a node on which no attack was detected.
8. An attack behavior detection apparatus, comprising:
a log information acquisition module, configured to acquire log information of nodes in a target network and extract continuous log data from the log information, wherein the target network comprises at least one node;
the attack behavior data acquisition module is used for analyzing the continuous log data matched with each node in a correlation manner according to a preset attack database and determining attack behavior data;
and the attack detection result generation module is used for generating an attack detection result according to the attack behavior data.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the attack behavior detection method according to any one of claims 1-7 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the attack behavior detection method according to any one of claims 1 to 7.
CN202010561912.1A 2020-06-18 2020-06-18 Attack behavior detection method and device, computer equipment and storage medium Pending CN111726357A (en)


Publications (1)

Publication Number Publication Date
CN111726357A true CN111726357A (en) 2020-09-29

Family

ID=72567539


Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101316187A (en) * 2007-06-01 2008-12-03 杭州华三通信技术有限公司 Network management method and network management system
CN106790186A (en) * 2016-12-30 2017-05-31 中国人民解放军信息工程大学 Multi-step attack detection method based on multi-source anomalous event association analysis
CN110430190A (en) * 2019-08-05 2019-11-08 北京经纬信安科技有限公司 Duplicity system of defense, construction method and full link based on ATT&CK defend implementation method
US10630726B1 (en) * 2018-11-18 2020-04-21 Bank Of America Corporation Cybersecurity threat detection and mitigation system
CN111147504A (en) * 2019-12-26 2020-05-12 深信服科技股份有限公司 Threat detection method, apparatus, device and storage medium
CN111259204A (en) * 2020-01-13 2020-06-09 深圳市联软科技股份有限公司 APT detection correlation analysis method based on graph algorithm

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112217828A (en) * 2020-10-16 2021-01-12 深信服科技股份有限公司 Attack detection method and device, electronic equipment and storage medium
CN112272186A (en) * 2020-10-30 2021-01-26 深信服科技股份有限公司 Network flow detection framework, method, electronic equipment and storage medium
CN112328688A (en) * 2020-11-09 2021-02-05 广州虎牙科技有限公司 Data storage method and device, computer equipment and storage medium
CN112328688B (en) * 2020-11-09 2023-10-13 广州虎牙科技有限公司 Data storage method, device, computer equipment and storage medium
CN112565271A (en) * 2020-12-07 2021-03-26 瑞数信息技术(上海)有限公司 Web attack detection method and device
CN113221103B (en) * 2021-05-08 2022-09-20 山东英信计算机技术有限公司 Container safety protection method, system and medium
CN113221103A (en) * 2021-05-08 2021-08-06 山东英信计算机技术有限公司 Container safety protection method, system and medium
CN113255118A (en) * 2021-05-11 2021-08-13 上海机电工程研究所 Weapon equipment system optimization method and system based on killer chain
CN113111098A (en) * 2021-06-11 2021-07-13 阿里云计算有限公司 Method and device for detecting query of time sequence data and time sequence database system
CN113536234B (en) * 2021-07-14 2023-04-07 广西柳工机械股份有限公司 Mining area transportation frequency detection method and device, computer equipment and storage medium
CN113536234A (en) * 2021-07-14 2021-10-22 广西柳工机械股份有限公司 Mining area transportation frequency detection method and device, computer equipment and storage medium
CN113824730A (en) * 2021-09-29 2021-12-21 恒安嘉新(北京)科技股份公司 Attack analysis method, device, equipment and storage medium
CN114205128A (en) * 2021-12-01 2022-03-18 北京安天网络安全技术有限公司 Network attack analysis method and device, electronic equipment and storage medium
CN114205128B (en) * 2021-12-01 2024-05-24 北京安天网络安全技术有限公司 Network attack analysis method, device, electronic equipment and storage medium
CN117034261A (en) * 2023-10-08 2023-11-10 深圳安天网络安全技术有限公司 Exception detection method and device based on identifier, medium and electronic equipment
CN117034261B (en) * 2023-10-08 2023-12-08 深圳安天网络安全技术有限公司 Exception detection method and device based on identifier, medium and electronic equipment
CN117909978A (en) * 2024-03-14 2024-04-19 福建银数信息技术有限公司 Analysis management method and system based on big data security

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200929