CN112789835A - Method, device, equipment and storage medium for acquiring attacker information - Google Patents


Info

Publication number: CN112789835A
Application number: CN201880098313.1A
Authority: CN (China)
Prior art keywords: information, attacker, virtual network, target, database
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 郝志向
Current assignee: Bitmain Technologies Inc
Original assignee: Bitmain Technologies Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The embodiments of the disclosure relate to a method, a device, equipment and a storage medium for acquiring attacker information. The method includes: acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected. The embodiments of the disclosure can acquire the information of the target attacker in the actual environment, so that a targeted protection strategy can be implemented, which is beneficial to improving the security of the network.

Description

Technical Field
The present application relates to the field of computer technologies, and for example, to a method, an apparatus, a device, and a storage medium for acquiring attacker information.
Background
With the continuous expansion of internet coverage, the importance of network security is increasing. In the face of a constant stream of new network intrusion techniques and ever more frequent network intrusion behavior, the need to trace network attacks to their source is increasingly urgent.
In the related art, the information of an attacker that is usually obtained is at the Transmission Control Protocol (TCP)/Internet Protocol (IP) layer, for example an IP address and a port number. Since the attacker generally uses a forged IP address, valuable information related to the attacker cannot be obtained, and a targeted protection strategy cannot be implemented.
Disclosure of Invention
The embodiments of the disclosure provide a method, a device, equipment and a storage medium for acquiring attacker information, so as to acquire information related to an attacker and implement a targeted protection strategy.
The embodiments of the disclosure provide a method for acquiring attacker information, which includes:
acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected.
In a possible implementation manner, before acquiring the information of the target attacker in the actual environment, the method further includes:
acquiring the information of the target attacker in the virtual network.
In a possible implementation manner, acquiring the information of the target attacker in the virtual network includes:
acquiring the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
In one possible embodiment, the attack event information includes at least one of: the name of the attack event, the time of the attack event, the position of the attack event, and the identification information of the attack event.
In one possible embodiment, the information of attackers which can be collected includes: information of attackers that has already been collected, or information of attackers that has not yet been collected but can be collected.
In a possible implementation manner, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected includes:
determining whether the information of the target attacker in the virtual network exists in the information of attackers which can be collected;
if the information of the target attacker in the virtual network exists in the information of attackers which can be collected, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected.
In a possible implementation manner, before acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected, the method further includes:
storing the collected information of attackers in a database; the information of an attacker includes at least one of the following: information of the attacker in the virtual network or information of the attacker in the actual environment.
In a possible implementation manner, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected includes:
determining whether the information of the target attacker in the virtual network exists in the database;
if the information of the target attacker in the virtual network exists in the database, acquiring the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
In the above embodiment, the collected information of attackers can be stored in the database, and the information of the target attacker in the actual environment is obtained by querying the database, so the efficiency is high.
In one possible embodiment, the method further comprises:
if the information of the target attacker in the virtual network does not exist in the database, storing the information of the target attacker in the virtual network into the database.
In one possible embodiment, the database comprises at least one piece of information, each piece of information comprising at least one of: information of an attacker in the virtual network, information of the attacker in the actual environment.
In one possible embodiment, the information of any attacker in the virtual network comprises at least one of the following: the identity ID, domain name, IP address, media access control (MAC) address, attack mode and hacking tool used by the attacker in the virtual network.
In one possible embodiment, the information of any attacker in the actual environment comprises at least one of the following: the identity of the attacker in the actual environment, age, attack record, location where the network attack was made, and context and purpose of the attack.
In one possible embodiment, the method further comprises:
if the number of information items in the database is larger than a preset threshold value, acquiring the use frequency of each piece of information in the database;
deleting the information whose use frequency is less than a preset frequency.
In a possible implementation manner, deleting the information whose use frequency is less than the preset frequency includes:
acquiring an operation instruction of a user;
deleting the information whose use frequency is less than the preset frequency according to the operation instruction of the user.
The embodiments of the present disclosure further provide an apparatus for acquiring attacker information, including:
a first acquisition module configured to: acquire the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected.
In one possible embodiment, the apparatus further comprises:
a second acquisition module configured to: acquire the information of the target attacker in the virtual network.
In a possible implementation, the second acquisition module is configured to:
acquire the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
In one possible embodiment, the attack event information includes at least one of: the name of the attack event, the time of the attack event, the position of the attack event and the identification information of the attack event.
In one possible embodiment, the information of attackers which can be collected includes: information of attackers that has already been collected, or information of attackers that has not yet been collected but can be collected.
In a possible implementation, the first acquisition module is configured to:
determine whether the information of the target attacker in the virtual network exists in the information of attackers which can be collected;
if the information of the target attacker in the virtual network exists in the information of attackers which can be collected, acquire the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected.
In one possible embodiment, the apparatus further comprises:
a storage module configured to: store the collected information of attackers in a database; the information of an attacker includes at least one of the following: information of the attacker in the virtual network or information of the attacker in the actual environment.
In a possible implementation, the first acquisition module is configured to:
determine whether the information of the target attacker in the virtual network exists in the database;
if the information of the target attacker in the virtual network exists in the database, acquire the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
In one possible implementation, the storage module is configured to:
if the information of the target attacker in the virtual network does not exist in the database, store the information of the target attacker in the virtual network into the database.
In one possible embodiment, the database comprises at least one piece of information, each piece of information comprising at least one of: information of an attacker in the virtual network, information of the attacker in the actual environment.
In one possible embodiment, the information of any attacker in the virtual network comprises at least one of the following: the identity ID, domain name, IP address, media access control (MAC) address, attack mode and hacking tool used by the attacker in the virtual network.
In one possible embodiment, the information of any attacker in the actual environment comprises at least one of the following: the identity of the attacker in the actual environment, age, attack record and location where the network attack was made.
In one possible embodiment, the apparatus further comprises:
a third acquisition module configured to: if the number of information items in the database is larger than a preset threshold value, acquire the use frequency of each piece of information in the database;
a processing module configured to: delete the information whose use frequency is less than a preset frequency.
In one possible implementation, the processing module is configured to:
acquire an operation instruction of a user;
delete the information whose use frequency is less than the preset frequency according to the operation instruction of the user.
The embodiment of the disclosure also provides a computer, which comprises the above attacker information acquisition device.
The embodiment of the disclosure also provides a computer-readable storage medium, in which computer-executable instructions are stored, and the computer-executable instructions are configured to execute the above method for acquiring attacker information.
The disclosed embodiments also provide a computer program product including a computer program stored on a computer-readable storage medium, the computer program including program instructions that, when executed by a computer, cause the computer to execute the above-mentioned attacker information acquisition method.
An embodiment of the present disclosure further provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions, when executed by the at least one processor, cause the at least one processor to perform the above-mentioned method for acquiring attacker information.
According to the method, the device, the equipment and the storage medium for acquiring attacker information, the information of the target attacker in the actual environment is acquired according to the information of the target attacker in the virtual network and the information of attackers which can be collected. Since the information of the target attacker in the actual environment can be acquired, a targeted protection strategy can be implemented, and network security is improved.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings, which are not intended as limitations; elements bearing the same reference numeral are shown as like elements. In the drawings:
fig. 1 is an application scenario diagram provided by an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of a method for acquiring attacker information according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of a method for acquiring attacker information according to another embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an apparatus for acquiring attacker information according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an apparatus for acquiring attacker information according to another embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
So that the manner in which the features and elements of the disclosed embodiments can be understood in detail, a more particular description of the disclosed embodiments, briefly summarized above, may be had by reference to the embodiments, some of which are illustrated in the appended drawings. In the following description of the technology, for purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the disclosed embodiments. However, one or more embodiments may be practiced without these details. In other instances, well-known structures and devices may be shown in simplified form in order to simplify the drawing.
First, an application scenario related to the embodiment of the present disclosure is introduced:
the method for acquiring attacker information provided by the embodiments of the disclosure is applied to network attack tracing. It is used to determine information about a network attacker, including identity and location: for example, the identity may include a name and an account number, and the location may be a geographic location or a virtual location such as an IP address or a MAC address. The method can be used to acquire the information of the attacker after the attacker has carried out a network attack.
Fig. 1 is a diagram of an application scenario provided in an embodiment of the present disclosure, and the method provided in the present disclosure may be implemented by an electronic device 12, such as a processor of the electronic device, and may also be implemented by the electronic device 12 through data interaction with a server 11. Alternatively, it may be implemented by a server. The electronic device 12 and the server 11 may be connected via a network, for example, a communication network such as 3G, 4G, Wireless Fidelity (WIFI), wired network, or the like.
The electronic device may include: smart phones, tablet computers, smart robots, wearable devices, computers, and the like.
The technical means shown in the present application will be described in detail by the following examples.
Several of the following embodiments may be combined with each other and some details of the same or similar concepts or processes may not be repeated in some embodiments.
The following description will be made with an electronic device as an execution subject. The execution subject of the embodiment of the present disclosure may be an electronic device, and may also be an obtaining apparatus of attacker information provided in the electronic device. The device for acquiring the attacker information can be realized by software, or by the combination of software and hardware.
Fig. 2 is a schematic flow chart of a method for acquiring attacker information according to an embodiment of the present disclosure. As shown in fig. 2, the method provided by this embodiment includes:
step 201, obtaining information of a target attacker in a virtual network.
In the embodiment of the present disclosure, the target attacker may be an attacker to be currently investigated or locked, for example, an attacker currently implementing a network attack.
In this step, the information of the target attacker in the virtual network may be obtained from other devices, or the electronic device may obtain it directly, for example according to a system log generated while the target attacker carries out the attack. The other devices may be other electronic devices, servers, and the like: when a network attack occurs, they can acquire the information of the target attacker implementing the attack in the virtual network and send it to the electronic device.
The system log includes, for example, the occurrence time of the network attack, a hacking tool used by the network attack, an IP address, a Media Access Control (MAC) address, and the like.
In other embodiments of the present disclosure, step 201 may be implemented as follows:
acquiring the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
The attack event information may include at least one of the following: the name of the attack event, the time of the attack event, the position of the attack event and the identification information of the attack event.
The attack event information can be obtained from the system log.
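As an added illustration of step 201 (not code from the patent or from Bitmain), the following Python parses a constructed system log into attack event information (name, time, position, identifier) and then aggregates the target attacker's virtual-network information from every event that shares the same source identifiers. The key=value log layout, the host names, addresses, event identifiers and tool labels are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample system log (not from the patent). The key=value layout,
# host names, addresses, event identifiers and tool labels are assumptions.
SAMPLE_SYSTEM_LOG = """\
2018-11-02T09:15:01Z host=web-01 event=syn_flood event_id=EV-1001 src_ip=203.0.113.7 mac=00:11:22:33:44:55 tool=flooder-x
2018-11-02T09:15:07Z host=web-01 event=syn_flood event_id=EV-1001 src_ip=203.0.113.7 mac=00:11:22:33:44:55 tool=flooder-x
2018-11-02T10:02:44Z host=db-02 event=port_scan event_id=EV-1002 src_ip=203.0.113.7 mac=00:11:22:33:44:55 tool=scanner-y
2018-11-02T10:30:00Z host=web-01 event=port_scan event_id=EV-1003 src_ip=198.51.100.9 mac=66:77:88:99:aa:bb tool=scanner-y
this line is not an attack event and is skipped by the parser
"""

REQUIRED_KEYS = ("host", "event", "event_id", "src_ip", "mac", "tool")


@dataclass
class AttackEvent:
    """Attack event information: name, time, position (the attacked host) and
    identifier, plus the virtual-network identifiers logged for the source."""
    name: str
    time: datetime
    position: str
    event_id: str
    src_ip: str
    mac: str
    tool: str


@dataclass
class VirtualNetworkInfo:
    """Information of one attacker in the virtual network, aggregated from its events."""
    ip_address: str
    mac_address: str
    attack_modes: List[str] = field(default_factory=list)
    tools: List[str] = field(default_factory=list)
    event_ids: List[str] = field(default_factory=list)


def parse_system_log(text: str) -> List[AttackEvent]:
    """Turn log lines into attack events; malformed lines and lines lacking a
    required field are skipped rather than aborting the whole parse."""
    events: List[AttackEvent] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or not all("=" in t for t in tokens[1:]):
            continue
        try:
            when = datetime.strptime(tokens[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        kv = dict(t.split("=", 1) for t in tokens[1:])
        if any(k not in kv for k in REQUIRED_KEYS):
            continue
        events.append(AttackEvent(kv["event"], when, kv["host"], kv["event_id"],
                                  kv["src_ip"], kv["mac"], kv["tool"]))
    return events


def virtual_network_info(events: List[AttackEvent], event_id: Optional[str] = None,
                         src_ip: Optional[str] = None) -> Optional[VirtualNetworkInfo]:
    """Step 201: select the target attacker by an attack event identifier or a source
    IP, then collect its virtual-network information from every event that shares
    the same source identifiers. IP and MAC are kept together because a source IP
    may be forged (the MAC is only meaningful on the local network segment)."""
    seed = next((e for e in events
                 if (event_id is None or e.event_id == event_id)
                 and (src_ip is None or e.src_ip == src_ip)), None)
    if seed is None:
        return None  # no attack event corresponds to the requested target
    info = VirtualNetworkInfo(seed.src_ip, seed.mac)
    for e in sorted(events, key=lambda ev: ev.time):
        if e.src_ip != seed.src_ip or e.mac != seed.mac:
            continue
        for bucket, value in ((info.attack_modes, e.name), (info.tools, e.tool),
                              (info.event_ids, e.event_id)):
            if value not in bucket:  # keep first-seen order, no duplicates
                bucket.append(value)
    return info


if __name__ == "__main__":
    evs = parse_system_log(SAMPLE_SYSTEM_LOG)
    print(virtual_network_info(evs, event_id="EV-1002"))
```

Selecting by event identifier rather than by IP alone is the safer entry point for tracing: the event identifier is generated by the defender's own logging, while the source IP is attacker-controlled.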
Step 202, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected.
In this step, the information of the target attacker in the actual environment is acquired according to the information of the target attacker in the virtual network obtained in step 201 and the information of attackers which can be collected.
The information of attackers which can be collected may be information of attackers that has already been collected, or information of attackers that has not yet been collected but can be collected. The information of an attacker includes: information of the attacker in the virtual network, and/or information of the attacker in the actual environment. The attackers whose information can be collected may include the target attacker.
The information of attackers that has not yet been collected may be, for example, information of attackers that is stored on another device.
The information of the target attacker in the virtual network comprises at least one of the following items: the identity ID, domain name, IP address, attack mode and hacking tool of the target attacker in the virtual network.
The information of the target attacker in the actual environment comprises at least one of the following items: the identity, age, attack record and location of the target attacker in the actual environment, and the context and purpose of the attack.
For example, the purpose of the attack occurrence may be that the target attacker wants to obtain economic benefits, and the background of the attack occurrence may be that the target attacker is in poor economic conditions and is stimulated by external factors.
In an embodiment of the present disclosure, step 202 may be implemented by:
determining whether the information of the target attacker in the virtual network exists in the information of attackers which can be collected;
if the information of the target attacker in the virtual network exists in the information of attackers which can be collected, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of attackers which can be collected.
If the information of attackers which can be collected includes information of the target attacker, for example the information of the target attacker in the virtual network, then the information of the target attacker in the actual environment may be queried by associating the information of the target attacker in the virtual network with the information of attackers which can be collected. Operations such as analysis and screening may be carried out on the information of attackers which can be collected in order to obtain the information of the target attacker in the actual environment.
That is, the information of the target attacker in the actual environment can be looked up by association, from the information of attackers which can be collected, according to the information of the target attacker in the virtual network.
According to the method for acquiring attacker information provided by this embodiment, the information of the target attacker in the actual environment is acquired according to the information of the target attacker in the virtual network and the information of attackers which can be collected. Since the information of the target attacker in the actual environment can be acquired, a targeted protection strategy can be implemented, and network security can be improved.
Fig. 3 is a schematic flowchart of a method for acquiring attacker information according to another embodiment of the present disclosure. On the basis of the above embodiment, as shown in fig. 3, the method provided by this embodiment includes:
step 301, storing the collected information of attackers in a database; the information of an attacker comprises at least one of the following: information of the attacker in the virtual network or information of the attacker in the actual environment.
In this step, the collected information of attackers may be stored in a database. When a network attack occurs, the relevant information may be recorded and stored, or the collected information of attackers may be acquired from other devices or networks.
Step 302, determining whether the information of the target attacker in the virtual network exists in the database.
Step 303, if the information of the target attacker in the virtual network exists in the database, acquiring the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
In this step, if the database already stores collected information of the target attacker, for example the information of the target attacker in the virtual network, the information of the target attacker in the actual environment may be looked up by association in the database through the information of the target attacker in the virtual network.
Step 304, if the information of the target attacker in the virtual network does not exist in the database, storing the information of the target attacker in the virtual network into the database.
In this step, if the database does not yet store information about the target attacker, the information of the target attacker in the virtual network is stored into the database, which is convenient for subsequent use.
In other embodiments of the present disclosure, a plurality of attack data may be integrated into the database in advance, where the attack data may include an attacker ID, a domain name, an attack manner, the hacking tool used, and the like. When a visitor accesses the network, the relevant information of the visitor is first compared with the data in the database; if the relevant information of the visitor matches the data in the database, the visitor may be regarded as an attacker and may be intercepted, and so on.
On the basis of the above embodiment, the database may include: at least one piece of information, each piece of information comprising at least one of: information of an attacker in the virtual network, information of the attacker in the actual environment.
The information of the collected attackers stored in the database comprises a plurality of pieces of information of the attackers, and each piece of information comprises: information of an attacker in the virtual network and/or information of the attacker in the real environment.
Wherein the information of any attacker in the virtual network comprises at least one of the following items: the identity ID, domain name, IP address, attack mode, hacking tool used by the attacker in the virtual network.
The identity may be information such as an account number and a password of the attacker in the virtual network; the IP address may be the IP address of the device used by the attacker in the virtual network; and the MAC address may be the MAC address of the device used by the attacker, that is, the hardware address of the device, which is used to define the network location of the device. The attack mode includes, for example, denial-of-service attacks, physical-layer line tapping, fragmented IP packet attacks, and the like.
Wherein the information of any attacker in the actual environment comprises at least one of the following items: the identity of the attacker in the actual environment, age, attack record and location where the network attack was made.
The attack record includes, for example, a history of the attacker's participation in the network attack, such as attack time, location where the network attack was made, hacking tools used, and the like.
On the basis of the foregoing embodiment, the method of this embodiment may further include:
if the number of information items in the database is larger than a preset threshold value, acquiring the use frequency of each piece of information in the database;
deleting the information whose use frequency is less than a preset frequency.
Deleting the information whose use frequency is less than the preset frequency can be realized in the following manner:
acquiring an operation instruction of a user;
deleting the information whose use frequency is less than the preset frequency according to the operation instruction of the user.
In this embodiment, the data of the database may be maintained periodically, or may be maintained after receiving an instruction from a user.
If the number of information items in the database is detected to be larger than the preset threshold value, the use frequency of each piece of information in the database is acquired in order to reduce unnecessary space occupation, and the information whose use frequency is less than the preset frequency is deleted. For example, a piece of information may be deleted if it is never used for an attacker, or if its use frequency is low, such as once in several years.
In this embodiment, the collected information of attackers can be stored in the database, and the information of the target attacker in the actual environment is acquired by querying the database, so the efficiency is high.
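The database-backed embodiment (steps 301 to 304), the visitor comparison described after step 304, and the usage-frequency pruning, as one added Python example that is not the patent's or Bitmain's code. The record fields, the way use frequency is counted (one count each time a record answers a query), the gating of deletion on a user instruction, and all sample values are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Identifier fields of the virtual-network information that a query may match on.
# Any one of them is enough, because the IP address alone may be forged. (Assumption.)
IDENTIFIER_FIELDS = ("attacker_id", "domain", "ip_address", "mac_address")


@dataclass
class AttackerRecord:
    """One piece of information in the database: the attacker's virtual-network
    information plus, where known, information about the actual environment."""
    virtual: Dict[str, str]                             # attacker_id, domain, ip_address, mac_address, attack_mode, tool
    real: Dict[str, str] = field(default_factory=dict)  # identity, attack_record, location, ...
    usage_frequency: int = 0                            # how often this record answered a query


class AttackerDatabase:
    def __init__(self) -> None:
        self.records: List[AttackerRecord] = []

    def store(self, virtual: Dict[str, str], real: Optional[Dict[str, str]] = None) -> AttackerRecord:
        """Step 301: store collected attacker information."""
        rec = AttackerRecord(dict(virtual), dict(real or {}))
        self.records.append(rec)
        return rec

    def _find(self, virtual: Dict[str, str]) -> Optional[AttackerRecord]:
        """Step 302: determine whether the virtual-network information exists in the database."""
        for rec in self.records:
            for key in IDENTIFIER_FIELDS:
                value = virtual.get(key)
                if value and rec.virtual.get(key) == value:
                    return rec
        return None

    def lookup_real_info(self, virtual: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Steps 303/304: return the actual-environment information found via the
        virtual-network information; if nothing matches, store the new virtual
        information for later use and return None."""
        rec = self._find(virtual)
        if rec is None:
            self.store(virtual)
            return None
        rec.usage_frequency += 1
        return dict(rec.real)

    def screen_visitor(self, visitor: Dict[str, str]) -> bool:
        """Compare a visitor's information with the database; True means the
        visitor matches known attack data and should be treated as an attacker."""
        rec = self._find(visitor)
        if rec is None:
            return False
        rec.usage_frequency += 1
        return True

    def prune(self, max_items: int, min_frequency: int, user_confirmed: bool = False) -> int:
        """Delete records whose use frequency is below min_frequency, but only when
        the item count exceeds max_items and a user instruction confirmed the
        operation. Returns the number of records removed."""
        if len(self.records) <= max_items or not user_confirmed:
            return 0
        before = len(self.records)
        self.records = [r for r in self.records if r.usage_frequency >= min_frequency]
        return before - len(self.records)


def build_sample_database() -> AttackerDatabase:
    """Constructed sample data (placeholders, not from the patent)."""
    db = AttackerDatabase()
    db.store({"attacker_id": "acct-42", "domain": "bad.example", "ip_address": "203.0.113.7",
              "mac_address": "00:11:22:33:44:55", "attack_mode": "syn_flood", "tool": "flooder-x"},
             {"identity": "person-A (placeholder)", "location": "city-X (placeholder)",
              "attack_record": "2 prior events (placeholder)"})
    db.store({"ip_address": "198.51.100.9"})  # virtual-network info only, nothing known about the actual environment yet
    return db


if __name__ == "__main__":
    db = build_sample_database()
    # Forged source IP, but the MAC matches a stored record.
    print(db.lookup_real_info({"ip_address": "10.0.0.1", "mac_address": "00:11:22:33:44:55"}))
```

Because `lookup_real_info` stores unseen virtual-network information (step 304), an unchecked stream of queries grows the database; `prune` is the counterpart the patent describes, and gating it on both the size threshold and a user instruction keeps automatic maintenance from silently discarding records that were simply collected recently.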
Fig. 4 is a schematic structural diagram of an apparatus for acquiring attacker information according to an embodiment of the present disclosure. As shown in fig. 4, the apparatus for acquiring attacker information provided by this embodiment includes:
a first obtaining module 401 configured to: and acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker which can be collected.
In a possible embodiment, as shown in fig. 5, the apparatus further comprises:
a second obtaining module 402 configured to: and acquiring the information of the target attacker in the virtual network.
In a possible implementation, the second obtaining module 402 is configured to:
and acquiring the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
In one possible embodiment, the attack event information includes at least one of: the name of the attack event, the time of the attack event, the position of the attack event, and the identification information of the attack event.
In one possible embodiment, the information of the attacker which can be gathered includes: information of the attacker that has been collected, or information of the attacker that is not currently collected, and information of the attacker that can be collected.
In a possible implementation, the first obtaining module 401 is configured to:
judging whether the information of the target attacker in the virtual network exists in the information of the attackers which can be collected;
and if the information of the target attacker in the virtual network exists in the collected information of the attacker, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collected information of the attacker.
In one possible embodiment, the apparatus further comprises:
a storage module 403 configured to: storing the collected information of the attacker in a database; the information of the attacker comprises at least one of the following: information of the attacker in a virtual network or information of the attacker in a real environment.
In a possible implementation, the first obtaining module 401 is configured to:
determine whether the information of the target attacker in the virtual network exists in the database; and
if it does, obtain the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
In a possible implementation, the storage module 403 is configured to:
if the information of the target attacker in the virtual network does not exist in the database, store the information of the target attacker in the virtual network in the database.
In one possible embodiment, the database comprises at least one information entry, each entry comprising at least one of: information of an attacker in the virtual network, and information of that attacker in the actual environment.
In one possible embodiment, the information of any attacker in the virtual network comprises at least one of: the attacker's identity (ID) in the virtual network, domain name, IP address, media access control (MAC) address, attack mode, and the hacking tool used.
In one possible embodiment, the information of any attacker in the actual environment comprises at least one of: the attacker's identity in the actual environment, age, attack record, and the location from which the network attack was launched.
In one possible embodiment, the apparatus further comprises:
a third obtaining module 404 configured to: if the number of information entries in the database exceeds a preset threshold, obtain the use frequency of each entry in the database;
a processing module 405 configured to: delete the entries whose use frequency is lower than a preset frequency.
In one possible implementation, the processing module 405 is configured to:
obtain an operation instruction from a user; and
delete the entries whose use frequency is lower than the preset frequency according to the user's operation instruction.
The apparatus of this embodiment may be used to carry out the technical solutions of the method embodiments above; the implementation principles and technical effects are similar and are not repeated here.
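As an added illustration of the apparatus just described (example code written for this page, not the applicant's implementation), the following Python sketches the second obtaining module (deriving virtual-network information from an attack event), the first obtaining module and storage module (looking the virtual-network information up in a database, returning the actual-environment information when present and storing the new observation otherwise), and the third obtaining module with the processing module (pruning low-use entries above a size threshold, only on the operator's instruction). The record layout, field names, the `confirm` callback and the honeypot events are assumptions. One caveat the embodiment leaves implicit: the virtual-network identifiers it lists (IP address, MAC address, domain name) are weak linking keys, since an IP may be shared or spoofed and a MAC is only meaningful on the local segment, so a match should be treated as a lead to confirm rather than as attribution.

```python
"""Added example (not the patent's own code): an in-memory attacker-information
database implementing the correlation and pruning steps of the apparatus.
All names, fields and sample records are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Identifiers allowed to link a virtual-network observation to a stored record.
# These are weak keys (shared/spoofed IPs, segment-local MACs); a hit is a lead.
LINK_KEYS = ("attacker_id", "domain", "ip", "mac")


@dataclass
class Record:
    virtual: dict                 # information observed in the virtual network (honeypot)
    real: Optional[dict] = None   # information about the attacker in the actual environment
    use_count: int = 0            # how many lookups this record has satisfied


@dataclass
class AttackerDB:
    records: list = field(default_factory=list)

    def _match(self, virtual: dict) -> Optional[Record]:
        """Return the first stored record sharing a non-empty linking identifier."""
        for rec in self.records:
            for key in LINK_KEYS:
                if virtual.get(key) and virtual[key] == rec.virtual.get(key):
                    return rec
        return None

    def store(self, virtual: dict, real: Optional[dict] = None) -> None:
        """Storage module: keep virtual-network and, if known, actual-environment info."""
        self.records.append(Record(virtual=dict(virtual), real=real))

    def resolve(self, virtual: dict) -> Optional[dict]:
        """First obtaining module: if the target attacker's virtual-network
        information exists in the database, return the actual-environment
        information; otherwise store the observation for later enrichment."""
        rec = self._match(virtual)
        if rec is None:
            self.store(virtual)
            return None
        rec.use_count += 1
        return rec.real

    def prune(self, max_records: int, min_use: int,
              confirm: Callable[[list], bool]) -> int:
        """Third obtaining + processing modules: above the size threshold,
        delete records used fewer than min_use times, but only after the
        operator's instruction (confirm) approves. Returns the number removed."""
        if len(self.records) <= max_records:
            return 0
        victims = [r for r in self.records if r.use_count < min_use]
        if not victims or not confirm(victims):
            return 0
        self.records = [r for r in self.records if r.use_count >= min_use]
        return len(victims)


def virtual_info_from_event(event: dict) -> dict:
    """Second obtaining module: derive virtual-network information from an
    attack-event record (name, time, location, id plus assumed source fields)."""
    return {
        "attacker_id": event.get("attacker_id"),
        "ip": event.get("src_ip"),
        "mac": event.get("src_mac"),
        "domain": event.get("src_domain"),
        "attack_mode": event.get("name"),
        "tool": event.get("tool"),
    }


# Constructed sample data: one previously enriched record and two honeypot events.
SEED = [
    ({"ip": "203.0.113.7", "mac": "02:00:5e:00:53:01", "attack_mode": "ssh-bruteforce"},
     {"identity": "case-2018-0042", "attack_record": ["2018-10-02 ssh-bruteforce"],
      "location": "unknown"}),
]
EVENTS = [
    {"name": "ssh-bruteforce", "time": "2018-11-30T03:12:00Z", "location": "honeypot-1",
     "id": "evt-1001", "src_ip": "203.0.113.7", "tool": "hydra"},
    {"name": "web-scan", "time": "2018-11-30T04:00:00Z", "location": "honeypot-2",
     "id": "evt-1002", "src_ip": "198.51.100.9", "tool": "nikto"},
]


def demo():
    """Resolve both events, then prune with threshold 1: the unenriched
    web-scan record has never satisfied a lookup and is removed on confirmation."""
    db = AttackerDB()
    for virtual, real in SEED:
        db.store(virtual, real)
    results = [db.resolve(virtual_info_from_event(e)) for e in EVENTS]
    removed = db.prune(max_records=1, min_use=1, confirm=lambda victims: True)
    return results, removed, len(db.records)


if __name__ == "__main__":
    print(demo())
```

In a deployment the `confirm` callback is where the user's operation instruction enters; the example deliberately refuses to delete anything without it, matching the embodiment in which deletion follows the operator's instruction rather than running automatically.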
The embodiment of the disclosure also provides a computer, which comprises the above attacker information acquisition device.
The embodiment of the disclosure also provides a computer-readable storage medium, in which computer-executable instructions are stored, and the computer-executable instructions are configured to execute the method for acquiring the attacker information.
The disclosed embodiments also provide a computer program product, which includes a computer program stored on a computer-readable storage medium, where the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the above-mentioned method for acquiring attacker information.
The computer-readable storage medium described above may be a transitory computer-readable storage medium or a non-transitory computer-readable storage medium.
An embodiment of the present disclosure further provides an electronic device, the structure of which is shown in fig. 6. The electronic device includes:
at least one processor 100 (one processor 100 is shown in fig. 6 by way of example); and a memory 101; and may further include a communication interface 102 and a bus 103. The processor 100, the communication interface 102 and the memory 101 may communicate with one another via the bus 103. The communication interface 102 may be used for information transfer. The processor 100 may call the logic instructions in the memory 101 to execute the attacker information acquisition method of the above embodiment.
In addition, the logic instructions in the memory 101 may be implemented as software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium.
The memory 101, which is a computer-readable storage medium, may be used for storing software programs, computer-executable programs, such as program instructions/modules corresponding to the methods in the embodiments of the present disclosure. The processor 100 executes functional applications and data processing by executing software programs, instructions and modules stored in the memory 101, that is, implements the method for acquiring attacker information in the above method embodiments.
The memory 101 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal device, and the like. In addition, the memory 101 may include a high-speed random access memory, and may also include a nonvolatile memory.
The technical solution of the embodiments of the present disclosure may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes one or more instructions that enable a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present disclosure. The storage medium may be a non-transitory storage medium, including a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code, and may also be a transitory storage medium.
Although the terms "first," "second," etc. may be used in this application to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without changing the meaning of the description, so long as all occurrences of the "first element" are renamed consistently and all occurrences of the "second element" are renamed consistently. The first and second elements are both elements, but need not be the same element.
The words used in this application are words of description only and not of limitation of the claims. As used in the description of the embodiments and the claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Similarly, the term "and/or" as used in this application is meant to encompass any and all possible combinations of one or more of the associated listed. Furthermore, the terms "comprises" and/or "comprising," when used in this application, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The various aspects, implementations, or features of the described embodiments can be used alone or in any combination. Aspects of the described embodiments may be implemented by software, hardware, or a combination of software and hardware. The described embodiments may also be embodied by a computer-readable medium having computer-readable code stored thereon, the computer-readable code comprising instructions executable by at least one computing device. The computer readable medium can be associated with any data storage device that can store data which can be read by a computer system. Exemplary computer readable media can include read-only memory, random-access memory, CD-ROMs, HDDs, DVDs, magnetic tape, and optical data storage devices, among others. The computer readable medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
The above description of the technology may refer to the accompanying drawings, which form a part hereof, and in which is shown by way of illustration embodiments in which the described embodiments may be practiced. These embodiments, while described in sufficient detail to enable those skilled in the art to practice them, are non-limiting; other embodiments may be utilized and changes may be made without departing from the scope of the described embodiments. For example, the order of operations described in a flowchart is non-limiting, and thus the order of two or more operations illustrated in and described in accordance with the flowchart may be altered in accordance with several embodiments. As another example, in several embodiments, one or more operations illustrated in and described with respect to the flowcharts are optional or may be eliminated. Additionally, certain steps or functions may be added to the disclosed embodiments, or two or more steps may be permuted in order. All such variations are considered to be encompassed by the disclosed embodiments and the claims.
Additionally, terminology is used in the foregoing description of the technology to provide a thorough understanding of the described embodiments. However, no unnecessary detail is required to implement the described embodiments. Accordingly, the foregoing description of the embodiments has been presented for purposes of illustration and description. The embodiments presented in the foregoing description and the examples disclosed in accordance with these embodiments are provided solely to add context and aid in the understanding of the described embodiments. The above description is not intended to be exhaustive or to limit the described embodiments to the precise form disclosed. Many modifications, alternative uses, and variations are possible in light of the above teaching. In some instances, well known process steps have not been described in detail in order to avoid unnecessarily obscuring the described embodiments.

Claims (32)

  1. An attacker information acquisition method, characterized by comprising:
    obtaining the information of a target attacker in an actual environment according to the information of the target attacker in a virtual network and collectable attacker information.
  2. The method of claim 1, wherein, before obtaining the information of the target attacker in the actual environment, the method further comprises:
    obtaining the information of the target attacker in the virtual network.
  3. The method of claim 2, wherein obtaining the information of the target attacker in the virtual network comprises:
    obtaining the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
  4. The method of claim 3, wherein the attack event information comprises at least one of: the name of the attack event, the time of the attack event, the location of the attack event, and the identification information of the attack event.
  5. The method according to any one of claims 1-4, wherein the collectable attacker information comprises: attacker information that has already been collected, or attacker information that has not yet been collected but can be collected.
  6. The method according to any one of claims 1-4, wherein obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information comprises:
    determining whether the information of the target attacker in the virtual network exists in the collectable attacker information; and
    if it does, obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collected attacker information.
  7. The method according to any one of claims 1-4, wherein, before obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information, the method further comprises:
    storing the collected attacker information in a database, the attacker information comprising at least one of: information of the attacker in the virtual network, or information of the attacker in the actual environment.
  8. The method of claim 7, wherein obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information comprises:
    determining whether the information of the target attacker in the virtual network exists in the database; and
    if it does, obtaining the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
  9. The method of claim 8, further comprising:
    if the information of the target attacker in the virtual network does not exist in the database, storing the information of the target attacker in the virtual network in the database.
  10. The method of claim 7, wherein the database comprises at least one information entry, each entry comprising at least one of: information of an attacker in the virtual network, and information of that attacker in the actual environment.
  11. The method of claim 10, wherein
    the information of any attacker in the virtual network comprises at least one of: the attacker's identity (ID) in the virtual network, domain name, IP address, media access control (MAC) address, attack mode, and the hacking tool used.
  12. The method of claim 10, wherein
    the information of any attacker in the actual environment comprises at least one of: the attacker's identity in the actual environment, age, attack record, the location from which the network attack was launched, and the context and purpose of the attack.
  13. The method of claim 10, further comprising:
    if the number of information entries in the database exceeds a preset threshold, obtaining the use frequency of each entry in the database; and
    deleting the entries whose use frequency is lower than a preset frequency.
  14. The method of claim 13, wherein deleting the entries whose use frequency is lower than the preset frequency comprises:
    obtaining an operation instruction from a user; and
    deleting the entries whose use frequency is lower than the preset frequency according to the user's operation instruction.
  15. An attacker information acquisition apparatus, comprising:
    a first obtaining module configured to: obtain the information of a target attacker in an actual environment according to the information of the target attacker in a virtual network and collectable attacker information.
  16. The apparatus of claim 15, further comprising:
    a second obtaining module configured to: obtain the information of the target attacker in the virtual network.
  17. The apparatus of claim 16, wherein the second obtaining module is configured to:
    obtain the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
  18. The apparatus of claim 17, wherein the attack event information comprises at least one of: the name of the attack event, the time of the attack event, the location of the attack event, and the identification information of the attack event.
  19. The apparatus of any one of claims 15-18, wherein the collectable attacker information comprises: attacker information that has already been collected, or attacker information that has not yet been collected but can be collected.
  20. The apparatus of any one of claims 15-18, wherein the first obtaining module is configured to:
    determine whether the information of the target attacker in the virtual network exists in the collectable attacker information; and
    if it does, obtain the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collected attacker information.
  21. The apparatus of any one of claims 15-18, further comprising:
    a storage module configured to: store the collected attacker information in a database, the attacker information comprising at least one of: information of the attacker in the virtual network, or information of the attacker in the actual environment.
  22. The apparatus of claim 21, wherein the first obtaining module is configured to:
    determine whether the information of the target attacker in the virtual network exists in the database; and
    if it does, obtain the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
  23. The apparatus of claim 22, wherein the storage module is configured to:
    if the information of the target attacker in the virtual network does not exist in the database, store the information of the target attacker in the virtual network in the database.
  24. The apparatus of claim 21, wherein the database comprises at least one information entry, each entry comprising at least one of: information of an attacker in the virtual network, and information of that attacker in the actual environment.
  25. The apparatus of claim 24, wherein
    the information of any attacker in the virtual network comprises at least one of: the attacker's identity (ID) in the virtual network, domain name, IP address, media access control (MAC) address, attack mode, and the hacking tool used.
  26. The apparatus of claim 24, wherein
    the information of any attacker in the actual environment comprises at least one of: the attacker's identity in the actual environment, age, attack record, and the location from which the network attack was launched.
  27. The apparatus of claim 21, further comprising:
    a third obtaining module configured to: if the number of information entries in the database exceeds a preset threshold, obtain the use frequency of each entry in the database; and
    a processing module configured to: delete the entries whose use frequency is lower than a preset frequency.
  28. The apparatus of claim 27, wherein the processing module is configured to:
    obtain an operation instruction from a user; and
    delete the entries whose use frequency is lower than the preset frequency according to the user's operation instruction.
  29. A computer comprising the apparatus of any one of claims 15-28.
  30. An electronic device, comprising:
    at least one processor; and
    a memory communicatively coupled to the at least one processor; wherein
    the memory stores instructions executable by the at least one processor, the instructions, when executed by the at least one processor, causing the at least one processor to perform the method of any one of claims 1-14.
  31. A computer-readable storage medium having stored thereon computer-executable instructions configured to perform the method of any one of claims 1-14.
  32. A computer program product, characterized in that the computer program product comprises a computer program stored on a computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to carry out the method of any one of claims 1-14.
CN201880098313.1A 2018-11-30 2018-11-30 Method, device, equipment and storage medium for acquiring attacker information Pending CN112789835A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/118691 WO2020107446A1 (en) 2018-11-30 2018-11-30 Method and apparatus for obtaining attacker information, device, and storage medium

Publications (1)

Publication Number Publication Date
CN112789835A true CN112789835A (en) 2021-05-11

Family

ID=70852658

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880098313.1A Pending CN112789835A (en) 2018-11-30 2018-11-30 Method, device, equipment and storage medium for acquiring attacker information

Country Status (2)

Country Link
CN (1) CN112789835A (en)
WO (1) WO2020107446A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113918795A (en) * 2021-12-15 2022-01-11 连连(杭州)信息技术有限公司 Method and device for determining target label, electronic equipment and storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112182567B (en) * 2020-09-29 2022-12-27 西安电子科技大学 Multi-step attack tracing method, system, terminal and readable storage medium
CN112839061B (en) * 2021-03-04 2022-11-25 安天科技集团股份有限公司 Tracing method and device based on regional characteristics
CN114363053A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Attack identification method and device and related equipment
CN114826880B (en) * 2022-03-21 2023-09-12 云南电网有限责任公司信息中心 Data safety operation on-line monitoring system
CN115277127A (en) * 2022-07-12 2022-11-01 清华大学 Attack detection method and device for searching matching attack mode based on system tracing graph
CN115622802B (en) * 2022-12-02 2023-04-07 北京志翔科技股份有限公司 Attack tracing method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101014047A (en) * 2007-02-06 2007-08-08 华为技术有限公司 Method for locating the attack source of multimedia subsystem network, system and anti-attack system
CN108334529A (en) * 2017-03-31 2018-07-27 北京安天网络安全技术有限公司 It is a kind of to utilize the method and system for disclosing big data acquisition attacker's information
US20180219880A1 (en) * 2017-01-27 2018-08-02 Rapid7, Inc. Reactive virtual security appliances

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107222462A (en) * 2017-05-08 2017-09-29 汕头大学 A kind of LAN internals attack being automatically positioned of source, partition method

Also Published As

Publication number Publication date
WO2020107446A1 (en) 2020-06-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2021-05-11