CN113676484A - Attack tracing method and device and electronic equipment - Google Patents


Info

Publication number: CN113676484A
Authority: CN (China)
Prior art keywords: attack, candidate, log data, feature, graph
Legal status: Granted
Application number: CN202110993536.8A
Other languages: Chinese (zh)
Other versions: CN113676484B (en)
Inventors: 王星凯, 薛见新, 吴复迪, 刘文懋, 张润滋
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202110993536.8A
Publication of CN113676484A
Application granted
Publication of CN113676484B
Legal status: Active

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408: network security, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408)
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14)
    • H04L2463/146 Tracing the source of attacks (additional details relating to network security covered by H04L63/00)


Abstract

In the embodiments of this application, redundant log data is removed by constructing a baseline model, which relieves the explosion of dependency relationships among terminal-side data and reduces the computational load. Representative fields are extracted from the network-side and terminal-side log data, a time-sequence heterogeneous graph is constructed by defining the dependency relationships among the log data, and a complete attack tracing graph is constructed by using a constructed knowledge graph to define the dependency relationships between the knowledge-graph nodes and the nodes of the time-sequence heterogeneous graph. The attack tracing method, attack tracing apparatus and electronic device provided by the embodiments can therefore obtain a more complete and more accurate attack path from the attack tracing graph, based on information about the attack source and the target object, in a scenario that associates the network side with the terminal side.

Description

Attack tracing method and device and electronic equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to an attack tracing method, an attack tracing apparatus, and an electronic device.
Background
In recent years, with the expansion of the cyberspace attack surface, new-generation attack threats have occurred frequently. Dealing with them involves not only preventing security incidents in advance but also responding to them afterwards. Attack tracing is an important component of post-incident response: by analysing the traffic of the compromised assets and the intranet, it restores, to a certain extent, the attacker's attack path and techniques. Through attack tracing, the attack source and the corresponding attack path can be determined, so that the defender can formulate a better protection and countermeasure plan. Attack tracing is therefore an important link in building a network security defense system.
In an attack event, the attacker's behaviours are causally related. Attack tracing associates the attack-related information according to these causal relationships to construct an attack tracing graph, and then finds the attacker and the attack paths in that graph. In general, the causal relationships are set based on the dependency relationships between historical alarm data and historical log data, and the corresponding attack tracing graph is constructed from them.
Generally, attack tracing technology is built on the analysis of the attack tracing graph. In the related art, construction of the attack tracing graph falls into three cases:
1. Constructing a tracing graph on the host side.
2. Constructing an attack tracing graph that associates system logs and application logs.
3. Constructing an attack tracing graph that associates the network side and the terminal side.
The techniques for constructing a host-side tracing graph and a tracing graph associating system logs and application logs are relatively mature, but the technique for constructing an attack tracing graph associating the network side and the terminal side is not, and has the following drawbacks:
1) Determining the attack path causes a large computational load.
Specifically, a host-side attack tracing graph and an attack tracing graph associating system and application logs are both built on a single device, whereas a complete attack process usually spans multiple devices; only an attack tracing graph that associates the network side and the terminal side can trace a complete attack path.
However, in that case the historical log data related to an attack flow spanning multiple devices is massive, which may make the dependency relationships among the data excessively complex and the constructed attack tracing graph excessively large. The complexity of determining the attack path therefore rises significantly, causing a large computational load.
2) The accuracy of the acquired attack path is not high.
Specifically, when an attacker uses certain attack techniques, the acquired attack path may be incomplete or inaccurate.
For example, an attacker uploads a Webshell to a device, obtains host privileges through an SQL Server weak password, and then creates a new user. Because there are many network connections from the middleware to the database, the corresponding connection cannot be identified accurately by manual judgement, and the acquired attack path is incomplete.
In this case, the causal relationships that are set may make the constructed attack tracing graph associating the network side and the terminal side inaccurate, so that the attack path obtained from it is incomplete or of low accuracy.
Disclosure of Invention
The embodiments of the invention provide an attack tracing method, an attack tracing apparatus and an electronic device, which improve the accuracy of the acquired target attack path and reduce the computational load generated when determining the target attack path in an attack tracing scenario that associates the network side and the terminal side.
In a first aspect, an embodiment of the present application provides an attack tracing method, which includes:
obtaining first historical log data of a target object, and determining an attack target and an attack source based on the first historical log data;
obtaining second historical log data of each device associated with the target object, extracting target features from the first and second historical log data based on the data type of the second historical log data, and generating a corresponding feature time-sequence heterogeneous graph based on the target features;
generating a corresponding attack tracing graph based on the feature time-sequence heterogeneous graph in combination with a preset knowledge graph;
obtaining, based on the attack tracing graph, candidate attack paths that include the attack target and the attack source; and
screening, from the candidate attack paths, the target attack paths that meet a preset path condition.
In a second aspect, an embodiment of the present application further provides an attack tracing apparatus, including:
an alarm module, configured to obtain first historical log data of the target object and determine an attack target and an attack source based on the first historical log data;
a first generation module, configured to obtain second historical log data of each device associated with the target object, extract target features from the first and second historical log data based on the data type of the second historical log data, and generate a corresponding feature time-sequence heterogeneous graph based on the target features;
a second generation module, configured to generate a corresponding attack tracing graph based on the feature time-sequence heterogeneous graph in combination with a preset knowledge graph; and
a search module, configured to obtain, based on the attack tracing graph, candidate attack paths that include the attack target and the attack source, and to screen, from the candidate attack paths, the target attack path that meets a preset path condition.
Optionally, the attack tracing apparatus further includes a removal module, configured to remove, based on a preset baseline model, from each set of second historical log data the entries whose related preset parameter is lower than a preset threshold.
In an optional embodiment, the first historical log data of the target object at least includes alarm data recorded when an illegal operation is performed on the target object, and when determining the attack target and the attack source based on the first historical log data, the alarm module is specifically configured to:
based on that alarm data in the first historical log data, when the alarm data is determined to meet a preset alarm condition, determine the event described by the alarm data as an attack event, and determine the attack target and attack source of the attack event based on the alarm data.
In an optional embodiment, when obtaining second historical log data of each device associated with the target object, extracting target features from the first and second historical log data based on the data type of the second historical log data, and generating a corresponding feature time-sequence heterogeneous graph based on the target features, the first generation module is specifically configured to:
obtain second historical log data of each device associated with the target object;
determine the data type corresponding to the target features based on the data type of the attack source and the log data types of the first and second historical log data;
extract, based on that data type, the target features containing preset feature fields from the first and second historical log data of the corresponding data type, where the feature fields are set for the attack tracing scenario and represent the fields relevant to an attack path;
take each target feature as a corresponding feature node, and set the association mode between every two feature nodes as a feature association mode; and
based on the feature nodes, take each corresponding feature association mode as a corresponding feature edge to generate the corresponding feature time-sequence heterogeneous graph.
In an optional embodiment, when generating the corresponding attack tracing graph based on the feature time-sequence heterogeneous graph in combination with a preset knowledge graph, the second generation module is specifically configured to:
set the association mode between each feature node and each rule node as a completion association mode, where the rule nodes correspond one-to-one to preset knowledge base rules and each rule node is set based on its knowledge base rule; and
based on the feature time-sequence heterogeneous graph and the preset knowledge graph, take each completion association mode as a corresponding completion edge connecting the feature time-sequence heterogeneous graph and the preset knowledge graph, and generate the corresponding attack tracing graph.
In an optional embodiment, before the association mode between each feature node and each rule node is set as a completion association mode, the second generation module is further configured to:
obtain preset knowledge base rules, take each preset knowledge base rule as a corresponding rule node, set the association mode between every two rule nodes as a rule association mode, and, based on the rule nodes, take each corresponding rule association mode as a corresponding rule edge to generate a corresponding knowledge graph;
or alternatively,
obtain a preset knowledge base, generate knowledge base rules from the preset knowledge base with a preset knowledge graph algorithm, generate the association mode between every two knowledge base rules as a rule association mode, take each generated knowledge base rule as a corresponding rule node, and take each corresponding rule association mode as a corresponding rule edge to generate a corresponding knowledge graph.
In an optional embodiment, when obtaining, based on the attack tracing graph, candidate attack paths that include the attack target and the attack source, and screening, from the candidate attack paths, a target attack path that meets a preset path condition, the search module is specifically configured to:
for each candidate attack path, perform the following operations:
obtain each candidate node in the candidate attack path, and determine a candidate edge between every two candidate nodes, where each candidate node is any feature node or rule node in the attack tracing graph, and the association mode corresponding to each candidate edge is determined based on the node types of the two candidate nodes it connects;
extract the association mode corresponding to each candidate edge, and for each candidate edge obtain a candidate feature vector based on that association mode, where each candidate feature vector contains multiple dimension elements and each dimension element represents one attribute of the association mode;
for each obtained candidate feature vector, obtain the preset dimension weight corresponding to each of its dimension elements, and compute a weighted sum of the dimension element values and their dimension weights to obtain the edge weight of the candidate edge corresponding to that feature vector, where each dimension weight represents the occurrence probability of the corresponding dimension element;
compute a weighted sum over the association modes of the candidate edges and their corresponding edge weights to obtain the path weight of the candidate attack path; and
based on the path weights obtained for the candidate attack paths, take the candidate attack paths whose path weight reaches a path weight threshold as the target attack paths.
In an optional embodiment, when obtaining the candidate feature vector corresponding to a candidate edge based on the association mode of that edge, the search module is specifically configured to:
set the dimension element corresponding to each attribute in the candidate feature vector of the candidate edge based on the attributes of the association mode corresponding to that edge.
In a third aspect, an embodiment of the present application further provides an electronic device, including a memory and a processor, where the memory stores a computer program executable on the processor, and when the program is executed by the processor, the processor implements the attack tracing method of the first aspect.
For the technical effects of any implementation of the second and third aspects, reference may be made to the technical effects of the corresponding implementation of the first aspect, which are not repeated here.
In the embodiments of this application, redundant log data is removed by constructing a baseline model, which relieves the explosion of dependency relationships among terminal-side data and reduces the computational load; representative fields are extracted from the network-side and terminal-side log data; a time-sequence heterogeneous graph is constructed by defining the dependency relationships among the log data; and a complete attack tracing graph is constructed by using the constructed knowledge graph to define the dependency relationships between the knowledge-graph nodes and the nodes of the time-sequence heterogeneous graph. In this way, a more complete and more accurate attack path can be obtained from the attack tracing graph, based on information about the attack source and the target object, in a scenario that associates the network side with the terminal side.
Drawings
Fig. 1 is a system architecture diagram of an attack tracing method according to an embodiment of the present application;
Fig. 2a, Fig. 2b and Fig. 2c illustrate a knowledge graph in a local privilege escalation scenario according to an embodiment of the present application;
Fig. 3 shows an attack tracing method provided in an embodiment of the present application;
Fig. 4 shows a method for generating a time-sequence heterogeneous graph according to an embodiment of the present application;
Fig. 5a and Fig. 5b are example diagrams of a local privilege escalation attack behaviour chain in a time-sequence heterogeneous graph provided in an embodiment of the present application;
Fig. 6 shows a method for generating an attack tracing graph according to an embodiment of the present application;
Fig. 7 illustrates an attack tracing graph in a local privilege escalation scenario according to an embodiment of the present application;
Fig. 8 shows a method for obtaining the path weight corresponding to a candidate attack path according to an embodiment of the present application;
Fig. 9a, Fig. 9b and Fig. 9c are example diagrams of candidate attack paths provided by an embodiment of the present application;
Fig. 10 is a schematic diagram of an attack tracing apparatus according to an embodiment of the present application;
Fig. 11 is a schematic diagram of another attack tracing apparatus according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To improve the accuracy of the acquired attack path and reduce the computational load generated when determining it in an attack tracing scenario that associates the network side with the terminal side, the embodiments of this application construct a baseline model and filter out terminal-side log data that cannot represent attack behaviour, which relieves the explosion of dependency relationships among terminal-side data and reduces the computational load. Representative fields are extracted from the network-side and terminal-side log data, a time-sequence heterogeneous graph is constructed by defining the dependency relationships among the log data, and the dependency relationships between knowledge-graph nodes and time-sequence heterogeneous graph nodes are defined through the constructed knowledge graph to build a complete attack tracing graph. In this way, a more accurate attack path can be obtained from the attack tracing graph in the scenario that associates the network side with the terminal side.
Referring to Fig. 1, in an embodiment of the present application an attacked target device 100 is associated with a network-side device 110 and a terminal-side device 120, of which there may be more than one. Network connections exist between the attacked target device and the network-side device 110 and terminal-side device 120. The first historical log data of the attacked target device is stored on the attacked target device itself, while the second historical log data is stored on the associated network-side device 110 and terminal-side device 120; the attacked target device 100 can retrieve the second historical log data stored on each of them by local area network transmission or similar means.
The attack tracing method provided by the embodiments of the present application requires a preset knowledge graph, which can be constructed by, but not limited to, the following methods:
Method 1: obtain preset knowledge base rules, take each preset knowledge base rule as a corresponding rule node, set the association mode between every two rule nodes as a rule association mode, and, based on the rule nodes, take each corresponding rule association mode as a corresponding rule edge to generate a corresponding knowledge graph.
Optionally, a security expert combines their own knowledge with an existing public knowledge base and, according to the application scenario, stays compatible with existing standards and architectures on the one hand and selects a suitable knowledge scope on the other; data is abstracted and specialised from a global perspective, a corresponding knowledge base is designed, and each knowledge base rule is obtained from it, where each rule defines a precondition for an attack behaviour to occur and the possible behaviour or effect after the attack behaviour is executed.
For example, in the local privilege escalation scenario provided by the embodiment of the present application, the acquired knowledge base rules are as shown in Table 1:
TABLE 1
Rule 1   Establishing a foothold on the victim host by writing a file
Rule 2   Executing instructions directly on the victim host without writing a file
Rule 3   Connecting to the foothold on the victim host
Rule 4   Escalating user privileges
Rule 5   Creating new users
Rule 6   Uploading a scanner to the victim host
Rule 7   Moving laterally within the intranet
Referring to Fig. 2a, each knowledge base rule is taken as a corresponding rule node, giving rule node 1, rule node 2, ..., rule node 7; the corresponding node types are shown in Table 2:
TABLE 2
Rule node type                 Rule node
Uploading Webshell             Rule node 1
Exploit                        Rule node 2
Webshell terminal connection   Rule node 3
Privilege escalation           Rule node 4
Creating new users             Rule node 5
Uploading scanner              Rule node 6
Lateral movement               Rule node 7
Optionally, the rule association mode between every two rule nodes is set through expert definition.
For example, referring to Fig. 2b, where the arrows indicate chronological order, the embodiment of the present application defines the rule association modes e1-e8 between pairs of different rule nodes as shown in Table 3:
TABLE 3
Rule association mode   Feature representation of the rule association
e1                      Uploading Webshell - Webshell terminal connection
e2                      Webshell terminal connection - privilege escalation
e3                      Webshell terminal connection - creation of new user
e4                      Webshell terminal connection - uploading scanner
e5                      Webshell terminal connection - lateral movement
e6                      Privilege escalation - creation of new user
e7                      Creation of new user - uploading scanner
e8                      Uploading scanner - lateral movement
In the embodiment of the present application, a knowledge graph for the local privilege escalation scenario is generated from the rule association modes given above, as shown in Fig. 2c, where the direction of an arrow indicates the time order.
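As an added example that is not part of the patent, the following Python builds the rule knowledge graph of Tables 2 and 3, checks that its time order is consistent (an "earlier than" graph must be acyclic), attaches a few constructed feature nodes through completion edges as the first and second generation modules describe, enumerates the candidate attack paths between an attack source and an attack target, and scores them with the dimension-weight and path-weight sums the search module uses. The feature nodes, the attribute dimensions of an association mode, the dimension weights, the per-mode coefficients and the path weight threshold are all assumptions chosen for illustration; the patent does not fix their values.

```python
"""Added example, not the patent's code: knowledge graph from Tables 2 and 3,
constructed feature nodes joined by completion edges, candidate path
enumeration and weighted-sum path scoring.  Node data, dimension weights,
mode coefficients and the threshold are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rule nodes (Table 2) and rule edges e1-e8 (Table 3); (a, b) means a precedes b.
RULE_NODES = {
    "R1": "upload webshell", "R2": "exploit", "R3": "webshell terminal connection",
    "R4": "privilege escalation", "R5": "create new user",
    "R6": "upload scanner", "R7": "lateral movement",
}
RULE_EDGES = {
    "e1": ("R1", "R3"), "e2": ("R3", "R4"), "e3": ("R3", "R5"), "e4": ("R3", "R6"),
    "e5": ("R3", "R7"), "e6": ("R4", "R5"), "e7": ("R5", "R6"), "e8": ("R6", "R7"),
}

@dataclass(frozen=True)
class Feature:
    """A feature node extracted from log data (values constructed)."""
    nid: str
    host: str
    t: int       # event order taken from the log timestamp
    rule: str    # rule node the feature completes to

# Constructed feature nodes following the background example: Webshell upload
# and Webshell connection on the web host, new user created on the database host.
FEATURES = [Feature("F1", "web01", 1, "R1"),
            Feature("F2", "web01", 2, "R3"),
            Feature("F3", "db01", 3, "R5")]
FEATURE_EDGES = [("F1", "F2"), ("F2", "F3")]   # feature association modes

# Dimension elements of a candidate feature vector and their preset weights (the
# patent treats each weight as the attribute's occurrence probability; numbers
# constructed), plus a per-mode coefficient (assumption) for the path-level sum.
DIM_WEIGHTS = {"time_ordered": 0.4, "same_host": 0.2, "network_link": 0.3, "rule_match": 0.5}
MODE_COEF = {"feature": 1.0, "completion": 0.8, "rule": 0.6}

Graph = Dict[str, List[Tuple[str, str]]]   # node -> [(neighbour, association mode)]

def rule_graph_is_time_consistent(edges: Dict[str, Tuple[str, str]] = RULE_EDGES) -> bool:
    """Arrows in the knowledge graph mean 'earlier than', so it must be acyclic."""
    adj: Dict[str, List[str]] = {}
    for a, b in edges.values():
        adj.setdefault(a, []).append(b)
    colour: Dict[str, int] = {}          # 1 = on the current DFS path, 2 = finished
    def dfs(n: str) -> bool:
        colour[n] = 1
        for m in adj.get(n, []):
            if colour.get(m) == 1 or (m not in colour and not dfs(m)):
                return False
        colour[n] = 2
        return True
    return all(n in colour or dfs(n) for n in RULE_NODES)

def build_attack_tracing_graph(features=FEATURES, feature_edges=FEATURE_EDGES) -> Graph:
    """Feature edges + rule edges + completion edges (both directions) in one graph."""
    g: Graph = {}
    def add(a: str, b: str, mode: str) -> None:
        g.setdefault(a, []).append((b, mode))
        g.setdefault(b, [])
    for a, b in feature_edges:
        add(a, b, "feature")
    for a, b in RULE_EDGES.values():
        add(a, b, "rule")
    for f in features:
        add(f.nid, f.rule, "completion")
        add(f.rule, f.nid, "completion")
    return g

def edge_vector(u: str, v: str, mode: str, feats: Dict[str, Feature]) -> Dict[str, int]:
    """Candidate feature vector: one dimension element per attribute of the mode."""
    if mode == "feature":
        a, b = feats[u], feats[v]
        return {"time_ordered": int(a.t < b.t), "same_host": int(a.host == b.host),
                "network_link": int(a.host != b.host), "rule_match": 0}
    if mode == "completion":
        return {"time_ordered": 0, "same_host": 0, "network_link": 0, "rule_match": 1}
    return {"time_ordered": 1, "same_host": 0, "network_link": 0, "rule_match": 1}

def edge_weight(vec: Dict[str, int]) -> float:
    """Weighted sum of dimension elements and their dimension weights."""
    return sum(vec[d] * w for d, w in DIM_WEIGHTS.items())

def candidate_paths(g: Graph, src: str, dst: str, max_len: int = 8) -> List[List[str]]:
    """All simple paths from the attack source to the attack target (bounded DFS)."""
    out, stack = [], [(src, [src])]
    while stack:
        n, path = stack.pop()
        if n == dst:
            out.append(path)
            continue
        if len(path) >= max_len:
            continue
        for m, _ in g[n]:
            if m not in path:
                stack.append((m, path + [m]))
    return sorted(out)

def path_weight(g: Graph, path: List[str], feats: Dict[str, Feature]) -> float:
    """Weighted sum over the edges' association modes and edge weights."""
    total = 0.0
    for u, v in zip(path, path[1:]):
        mode = next(m for n, m in g[u] if n == v)
        total += MODE_COEF[mode] * edge_weight(edge_vector(u, v, mode, feats))
    return round(total, 6)

def target_attack_paths(src: str = "F1", dst: str = "F3", threshold: float = 2.0):
    """Candidate paths whose path weight reaches the threshold, best first."""
    g = build_attack_tracing_graph()
    feats = {f.nid: f for f in FEATURES}
    scored = [(path_weight(g, p, feats), p) for p in candidate_paths(g, src, dst)]
    return sorted(((w, p) for w, p in scored if w >= threshold), reverse=True)

if __name__ == "__main__":
    for w, p in target_attack_paths():
        print(f"{w:.2f}  {' -> '.join(p)}")
```

Because the path weight is a plain weighted sum, a path corroborated by knowledge-graph rule edges scores above a path of raw feature edges alone, which is the intended effect of completion; the cost is that longer paths are favoured, so in practice the dimension weights would be estimated from confirmed incidents and the threshold tuned on them rather than set by hand.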
Method 2: obtain a preset knowledge base, generate knowledge base rules from the preset knowledge base with a preset knowledge graph algorithm, generate the association mode between every two knowledge base rules as a rule association mode, take each generated knowledge base rule as a corresponding rule node, and take each corresponding rule association mode as a corresponding rule edge to generate a corresponding knowledge graph.
Optionally, based on an existing public knowledge base or a preset knowledge base, different knowledge graph algorithms can be adopted according to the actual application scenario, so that knowledge is extracted from the knowledge base, the corresponding knowledge base rules are generated, and the corresponding knowledge graph is generated automatically at the same time.
Referring to Fig. 3, an attack tracing method provided in the embodiment of the present application is as follows:
Step 310: obtain first historical log data of a target object, and determine an attack target and an attack source based on the first historical log data.
Optionally, the first historical log data of the target object at least includes alarm data recorded when an illegal operation is performed on the target object; based on that alarm data, when it is determined that the alarm data meets a preset alarm condition, the event described by the alarm data is determined as an attack event, and the attack target and attack source of the attack event are determined from the alarm data.
For example, with IPS alarm data and depending on the specific scenario, when an IPS alarm has been confirmed as a successful attack by manual investigation or matches a high-confidence rule for that occasion, the event described by the IPS alarm data is determined as an attack event, and the attack source IP and attack target of the attack event are determined from the IPS alarm data.
Step 320: obtain second historical log data of each device associated with the target object, extract target features from the first and second historical log data based on the data type of the second historical log data, and generate a corresponding feature time-sequence heterogeneous graph based on the target features.
Specifically, referring to fig. 4, the method includes the following steps:
step 3201: second historical log data of each device associated with the target object is obtained.
Optionally, step 3202: and based on a preset baseline model, respectively removing second historical log data with related preset parameters lower than a preset threshold value from each second historical log data.
For example, second historical log data on a network side device a, a network side device B, a terminal side device a, a terminal side device B, a terminal side device Z, second historical log data of which relevant preset parameters are lower than a preset threshold value in all the second historical log data on the terminal side device Z are obtained, specifically, differences among similar hosts are transversely considered, differences with a historical baseline of the host are longitudinally considered, a baseline model is learned and trained according to a specific scene, and filtering is carried out on the second historical log of which relevant preset parameters are lower than the preset threshold value by using the baseline model, wherein the second historical log which is related to an attacker cannot be related by a security expert manual base line is filtered out, even if log data of non-attack behavior generated by an attacker exists, the corresponding attack tracing source is not influenced by the historical log data.
Optionally, different baseline models are used for different types of second historical log data.
For example, second historical log data on terminal-side device A, terminal-side device B and terminal-side device Z are obtained, and separate baseline models are learned and trained independently for the process-type historical log data and the Windows-event-type historical log data among the second historical log data on terminal-side devices A to Z.
The second historical log data of the devices associated with the target object include the historical log data of each network-side device and of a plurality of associated terminal-side devices. Statistical analysis of the historical process log data of the terminal-side devices shows that, on each terminal-side device, the size of the user's process behaviour set tends to become stable over time, which indicates that the user behaviour set is bounded. Redundant second historical log data that cannot constitute attack behaviour can therefore be removed by baseline model filtering. In general, each retained record can be identified by a security expert or an alarm program as related to the attack behaviour or the attacker, whereas each removed record cannot be so identified; the removed records comprise historical log data in which no attack behaviour is recorded and historical log data of non-attack behaviour generated by the attacker, and removing them does not affect attack tracing. Screening the extracted second historical log data in this way keeps only the part that can be associated with the attack behaviour and reduces the computational load when the attack tracing graph is subsequently built.
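The baseline filtering of step 3202, as an added example that is not part of the patent: the score used as the "relevant preset parameter" (longitudinal novelty against the host's own history averaged with lateral rarity across similar hosts), the threshold of 0.5 and the log records are assumptions made for the example, since the patent leaves the parameter and the baseline model open.

```python
from collections import defaultdict

# Constructed process-type log records (log data type L1, "running process")
# from a group of similar terminal-side hosts, one (host, day, process) per
# observation. Constructed for this example; not data from the patent.
HISTORY = [
    ("term-A", 1, "explorer.exe"), ("term-A", 1, "chrome.exe"), ("term-A", 1, "outlook.exe"),
    ("term-A", 2, "explorer.exe"), ("term-A", 2, "chrome.exe"),
    ("term-A", 3, "explorer.exe"), ("term-A", 3, "chrome.exe"), ("term-A", 3, "outlook.exe"),
    ("term-B", 1, "explorer.exe"), ("term-B", 1, "chrome.exe"), ("term-B", 1, "excel.exe"),
    ("term-B", 2, "explorer.exe"), ("term-B", 2, "excel.exe"),
    ("term-B", 3, "explorer.exe"), ("term-B", 3, "chrome.exe"),
    ("term-Z", 1, "explorer.exe"), ("term-Z", 1, "sqlservr.exe"),
    ("term-Z", 2, "explorer.exe"), ("term-Z", 2, "sqlservr.exe"),
    ("term-Z", 3, "explorer.exe"), ("term-Z", 3, "sqlservr.exe"),
]

# Second historical log data to be screened (same constructed format).
NEW_LOGS = [
    ("term-A", 4, "explorer.exe"),   # routine on this host and on its peers: removed
    ("term-A", 4, "excel.exe"),      # new to term-A although one peer runs it: retained
    ("term-Z", 4, "sqlservr.exe"),   # routine for the database host itself: removed
    ("term-Z", 4, "cmd.exe"),        # never seen on any host: retained
]


def build_baseline(history):
    """Learn the baseline model: the per-host process set (longitudinal view) and,
    per process, the fraction of hosts in the group that ran it (lateral view)."""
    per_host = defaultdict(set)
    for host, _day, proc in history:
        per_host[host].add(proc)
    hosts = len(per_host)
    lateral = defaultdict(float)
    for procs in per_host.values():
        for proc in procs:
            lateral[proc] += 1.0 / hosts
    return per_host, dict(lateral)


def relevance(record, per_host, lateral):
    """Assumed 'relevant preset parameter': a score in [0, 1] that is high when the
    process is new to the host's own baseline and rare among similar hosts, and low
    when it is routine on both axes."""
    host, _day, proc = record
    novelty = 0.0 if proc in per_host.get(host, set()) else 1.0   # longitudinal
    rarity = 1.0 - lateral.get(proc, 0.0)                         # lateral
    return 0.5 * novelty + 0.5 * rarity


def filter_logs(records, history, threshold=0.5):
    """Step 3202: drop records whose relevance is below the preset threshold.
    Returns (retained, removed)."""
    per_host, lateral = build_baseline(history)
    retained, removed = [], []
    for rec in records:
        (retained if relevance(rec, per_host, lateral) >= threshold else removed).append(rec)
    return retained, removed


def baseline_growth(history, host):
    """Cumulative number of distinct processes seen on `host` after each day; a
    curve that flattens is the bounded user behaviour set the patent relies on."""
    seen, curve = set(), []
    for day in sorted({d for h, d, _ in history if h == host}):
        seen |= {p for h, d, p in history if h == host and d == day}
        curve.append((day, len(seen)))
    return curve
```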
Step 3203: determine the data types corresponding to the target features based on the data type of the attack source and the log data types of the first historical log data and the second historical log data.
For example, in the SQL Server privilege escalation scenario, the log data types of the historical log data on each network-side device and terminal-side device associated with the target object are running processes, process activities, file operations and network connections, denoted L1-L4 respectively, as shown in table 4 below:
TABLE 4
#    Log data type
L1   Running process
L2   Process activity
L3   File operation
L4   Network connection
Correspondingly, if the data type of the attack source is the IP type, the data types corresponding to the target features are determined to be the IP type, process type, file type and user type.
Step 3204: based on the data types corresponding to the target features, extract from the first historical log data and the second historical log data of the corresponding data types the target features that contain preset feature fields, where the feature fields are set for the attack tracing scenario and represent the fields relevant to the attack path.
For example, in the embodiment of the present application, for the SQL Server privilege escalation scenario, the feature fields are set as shown in table 5 below:
TABLE 5
Feature field        Log data type   Description
timestamp            L1-L4           Timestamp
dport                L4              Destination port
log_id               L1-L4           Log id
log_name             L1-L4           Log name
process_pid          L1-L4           Process ID
process_parent_pid   L1-L2           PID of the process's parent process
protocol             L4              Transport protocol
sample_file_path     L3              File path
process_path         L1-L4           Process path
process_user_name    L1-L2           Process user name
remote_address       L4              Remote host IP
process_action       L2              Process action
sip                  L1-L4           Source IP
dip                  L1-L4           Destination IP
The target features containing these feature fields are then extracted accordingly.
Step 3205: and respectively taking each target feature as a corresponding feature node, and respectively setting the association mode between every two feature nodes as a feature association mode.
For example, referring to fig. 5a, in the embodiment of the present application, for the SQL Server privilege escalation scenario, feature nodes are set based on the extracted target features. Suppose the set feature nodes include feature nodes related to the attack path, namely feature node 1, feature node 2, feature node 6 and feature node 7, and a number of other feature nodes unrelated to the attack behaviour, such as feature node a, feature node b and feature node c, where the node types of the feature nodes comprise IP, process, file and user, as shown in table 6 below:
TABLE 6
Feature node type
IP
process
file
user
Optionally, in this embodiment of the application, the security expert defines an association manner between every two feature nodes in the scenario, that is, each feature association manner d1-d14, as shown in table 7 below:
TABLE 7
[Table 7, listing the feature association modes d1-d14 and their feature representations, is provided only as an image in the original and is not reproduced in the text.]
In the feature representation of the feature association mode d1, the corresponding t denotes a time-series feature threshold set for the SQL Server privilege escalation scenario.
Step 3206: based on the feature nodes, take each corresponding feature association mode as a corresponding feature edge and generate the corresponding feature temporal heterogeneous graph.
Optionally, different time-series feature thresholds t are determined by separate experiments for different security scenarios, and the corresponding feature temporal heterogeneous graph satisfying the time-series feature threshold is generated according to the threshold that has been set.
Based on feature node 1, feature node 2 and feature node 7, the corresponding feature association modes are taken as the corresponding feature edges to generate the corresponding feature temporal heterogeneous graph satisfying the preset time-series feature threshold. Since the temporal heterogeneous graph in the SQL Server privilege escalation scenario is complex, in order to show the link representation of the attack path more clearly, only the link describing the attack behaviour in the temporal heterogeneous graph is shown, in fig. 5b, where the direction of the arrows represents the time order.
It can be seen that the host permission was acquired through the SQL Server weak password and a new user was then created. Because there are many network connections from the middleware to the database, the corresponding connection cannot be identified reliably by manual judgement, so the acquired attack path is incomplete: the Webshell node (chopper) cannot be associated with the new user node, and the link between the two corresponding feature nodes is broken.
Step 330: generate a corresponding attack tracing graph based on the feature temporal heterogeneous graph combined with a preset knowledge graph.
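An added example (not the patent's code) of steps 3203 to 3206 run over constructed records shaped after the feature fields of Table 5: typed feature nodes, time-ordered feature edges gated by the threshold t, and a reachability check that exposes the broken link between the Webshell node and the new-user node described above. The edge names, the value of t and the records are assumptions, since Table 7 is not reproduced in the text.

```python
from collections import deque

# Assumed time-series feature threshold t (seconds): a cross-record feature edge
# is only created when the later record falls within t of the earlier one. The
# patent sets t per scenario by experiment.
T_THRESHOLD = 60

# Constructed records using Table 5 fields (log data types L1-L4); timestamps are
# seconds. The loopback connection from the web tier into the database host is
# deliberately absent, as in the patent's example. Made up for this example.
RECORDS = [
    {"log_name": "L4", "timestamp": 100, "sip": "203.0.113.7", "dip": "192.0.2.10", "dport": 80,
     "protocol": "tcp", "process_path": "httpd.exe", "process_pid": 300},
    {"log_name": "L2", "timestamp": 103, "process_path": "httpd.exe", "process_pid": 300,
     "process_parent_pid": 1, "process_action": "exec", "process_user_name": "www"},
    {"log_name": "L3", "timestamp": 105, "process_path": "httpd.exe", "process_pid": 300,
     "sample_file_path": "/var/www/chopper.aspx"},
    {"log_name": "L1", "timestamp": 880, "process_path": "cmd.exe", "process_pid": 410,
     "process_parent_pid": 1, "process_user_name": "sqlsvc"},
    {"log_name": "L1", "timestamp": 900, "process_path": "net.exe", "process_pid": 450,
     "process_parent_pid": 410, "process_user_name": "sqlsvc"},
    {"log_name": "L1", "timestamp": 2000, "process_path": "whoami.exe", "process_pid": 460,
     "process_parent_pid": 410, "process_user_name": "sqlsvc"},   # too late after its parent
    {"log_name": "L1", "timestamp": 2100, "process_path": "explorer.exe", "process_pid": 600,
     "process_parent_pid": 1, "process_user_name": "Tester"},
]


def build_feature_graph(records, t=T_THRESHOLD):
    """Steps 3203-3206: feature nodes typed IP / process / file / user and directed
    feature edges in time order. The association mode names are assumed, not the
    patent's d1-d14. Returns (nodes, edges) with edges as (src, dst, mode, ts)."""
    nodes, edges = set(), []
    by_pid, first_seen = {}, {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        ts = rec["timestamp"]
        proc = ("process", f'{rec["process_path"]}:{rec["process_pid"]}')
        nodes.add(proc)
        by_pid.setdefault(rec["process_pid"], proc)
        first_seen.setdefault(proc, ts)
        if rec["log_name"] == "L4":                        # network connection
            ip = ("ip", rec["sip"])
            nodes.add(ip)
            edges.append((ip, proc, "ip_connects_process", ts))
        elif rec["log_name"] == "L3":                      # file operation
            f = ("file", rec["sample_file_path"])
            nodes.add(f)
            edges.append((proc, f, "process_operates_file", ts))
        else:                                              # L1 / L2 process records
            parent = by_pid.get(rec.get("process_parent_pid"))
            # Temporal edge parent -> child, kept only within the threshold t.
            if parent is not None and parent != proc and 0 <= ts - first_seen[parent] <= t:
                edges.append((parent, proc, "process_spawns_process", ts))
            user = rec.get("process_user_name")
            if user:
                u = ("user", user)
                nodes.add(u)
                edges.append((proc, u, "process_runs_as_user", ts))
    return nodes, edges


def reachable(edges, src, dst):
    """Breadth-first search along edge direction. False means the feature graph
    alone cannot connect src to dst: the broken link of fig. 5b."""
    adj = {}
    for s, d, _mode, _ts in edges:
        adj.setdefault(s, []).append(d)
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for nxt in adj.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False
```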
Specifically, referring to fig. 6, the method includes the following steps:
Step 3301: set the association mode between each feature node and each rule node as a completion association mode, where the rule nodes correspond one-to-one to the preset knowledge base rules and each rule node is set based on its corresponding knowledge base rule.
For example, in the SQL Server privilege escalation scenario provided in the embodiment of the present application, the completion association modes that are set and their feature representations are shown in table 8 below:
TABLE 8
Completion association mode   Feature representation
f1                            node - upload Webshell
f2                            node - exploit
f3                            Webshell terminal connection - node
f4                            node - privilege escalation
f5                            create new user - node
f6                            upload scanner - node
For the completion association modes f1-f6 listed above, the respective explanations are given in table 9 below:
TABLE 9
[Table 9, explaining the completion association modes f1-f6, is provided only as an image in the original and is not reproduced in the text.]
Step 3302: based on the feature temporal heterogeneous graph and the preset knowledge graph, take each completion association mode as a corresponding completion edge connecting the feature temporal heterogeneous graph and the preset knowledge graph, and generate the corresponding attack tracing graph.
For example, in the SQL Server privilege escalation scenario, the network-side audit system cannot capture network connections on the loopback address, and because there are many network connections from the middleware to the database, the corresponding connection cannot be identified reliably by manual judgement, so the obtained attack path is incomplete: as shown in fig. 5b, the Webshell node (chopper) cannot be associated with the new user node through operating-system knowledge alone, and the link between the two corresponding feature nodes is broken. Combined with the knowledge graph shown in fig. 2c, a complete attack path is constructed using f4 and f5 in table 8, and the Webshell node (chopper) is associated with the new user through the knowledge graph, as shown in fig. 7, where the direction of the arrows represents the time order. Therefore, the attack tracing graph generated from the feature temporal heterogeneous graph and the preset knowledge graph can complete attack paths that would be broken in the prior art, and each attack path extracted from the attack tracing graph is more accurate.
Step 340: and obtaining each candidate attack path comprising an attack target and an attack source based on the attack tracing graph.
For example, in the SQL Server privilege escalation scenario, candidate attack paths that include the feature node corresponding to the attack source IP information and the feature node corresponding to the user are obtained.
Step 350: and screening target attack paths meeting the preset path conditions from the candidate attack paths based on the preset path conditions.
Specifically, step 3501 and step 3502 are performed.
Step 3501: for each candidate attack path, referring to fig. 8, the following operations are performed:
step 35001: obtaining each candidate node in a candidate attack path, and determining a candidate edge between every two candidate nodes, wherein each candidate node is any one feature node or any one rule node in an attack tracing graph; the association mode corresponding to each candidate edge is determined based on the node types of the two candidate nodes connected by the candidate edge.
Specifically, the association mode corresponding to a candidate edge falls into one of three cases:
Case 1: if both candidate nodes are feature nodes, the association mode corresponding to the candidate edge between them is a feature association mode.
Case 2: if both candidate nodes are rule nodes, the association mode corresponding to the candidate edge between them is a rule association mode.
Case 3: if one candidate node is a rule node and the other a feature node, the association mode corresponding to the candidate edge between them is a completion association mode.
For example, in the SQL Server privilege escalation scenario, candidate attack paths are obtained that include the feature node corresponding to the attack source IP information, namely feature node Attacker, and the feature node corresponding to the user, namely feature node Tester. Suppose the following three candidate attack paths are obtained:
Referring to fig. 9a, where the direction of the arrows represents the time order, candidate attack path 1 is: feature node Attacker (feature node 1) - feature node httpd.exe (feature node 2) - feature node chopper (feature node 3) - rule node privilege escalation (rule node 4) - rule node create new user (rule node 5) - feature node Tester (feature node 7).
Referring to fig. 9b, where the direction of the arrows represents the time order, candidate attack path 2 is: feature node Attacker (feature node 1) - feature node httpd.exe (feature node 2) - feature node a - feature node b - feature node chopper (feature node 3) - rule node privilege escalation (rule node 4) - rule node create new user (rule node 5) - feature node Tester (feature node 7).
Referring to fig. 9c, where the direction of the arrows represents the time order, candidate attack path 3 is: feature node Attacker (feature node 1) - feature node httpd.exe (feature node 2) - feature node chopper (feature node 3) - feature node c - rule node upload Webshell (rule node 2) - rule node Webshell terminal connection (rule node 3) - rule node privilege escalation (rule node 4) - rule node create new user (rule node 5) - feature node Tester (feature node 7).
Based on the attack tracing graph shown in fig. 7, the association manners of the candidate edges between the candidate nodes of the candidate attack path are shown in fig. 9a, fig. 9b, and fig. 9 c.
Step 35002: respectively extracting the association modes corresponding to the candidate edges, and respectively executing the following operations aiming at the candidate edges: and obtaining a candidate feature vector corresponding to a candidate edge based on an association mode corresponding to the candidate edge, wherein each candidate feature vector comprises a plurality of dimension elements, and each dimension element represents one attribute of the association mode.
Specifically, based on each attribute of the association manner corresponding to one candidate edge, dimension elements corresponding to each attribute in the candidate feature vector corresponding to the candidate edge are respectively set.
The feature nodes are denoted u1, u2, ... and the rule nodes v1, v2, .... If both candidate nodes are feature nodes, e.g. u1 and u2, the association mode corresponding to the candidate edge u1-u2 between them is a feature association mode. If both candidate nodes are rule nodes, e.g. v1 and v2, the association mode corresponding to the candidate edge v1-v2 between them is a rule association mode. If the two candidate nodes are a rule node and a feature node, e.g. u1 and v1, the association mode corresponding to the candidate edge u1-v1 between them is a completion association mode. In the SQL Server privilege escalation scenario, the feature association modes comprise d1-d14 as shown in table 7, the rule association modes comprise e1-e8 as shown in table 3, and the completion association modes comprise f1-f6 as shown in table 8, so the candidate feature vector corresponding to a candidate edge has 28 dimension elements n1-n28, which may be represented as [n1, n2, ..., n28]; each dimension element corresponds to one of the association modes d1, ..., d14, e1, ..., e8, f1, ..., f6 and represents one attribute of that association mode, namely whether it is present. Taking the candidate edge u2-v1 as an example, if the candidate edge u2-v1 corresponds to the completion association mode f4, and the dimension elements n1-n28 correspond one-to-one to d1, ..., d14, e1, ..., e8, f1, ..., f6, then the dimension element n26 in the dimension corresponding to f4 is set to 1 and all other dimension elements are set to 0, so that the candidate feature vector corresponding to the candidate edge u2-v1 can be represented as [0, 0, ..., 0, 1, 0, 0].
Step 35003: aiming at the obtained candidate feature vectors corresponding to the candidate edges respectively, the following operations are respectively executed: respectively obtaining preset dimension weights corresponding to all dimension elements contained in one candidate feature vector, and carrying out weighted summation based on the values of the dimension elements and the corresponding dimension weights to obtain edge weights of candidate edges corresponding to one candidate feature vector, wherein each dimension weight represents the occurrence probability of the corresponding dimension element.
Optionally, the dimension weights may be obtained by counting the occurrence probability of each dimension element in the actual scenario; for example, the occurrence probability of a dimension is represented by the reciprocal of the number of occurrences of that dimension element in the specific scenario. For example, if the dimension element n20 occurs 5 times in the SQL Server privilege escalation scenario, the dimension weight of n20 is 1/5, and if the dimension element n2 occurs once in another scenario, its dimension weight is 1.
Step 35004: and carrying out weighted summation based on the obtained association mode corresponding to each candidate edge and the corresponding edge weight to obtain the path weight corresponding to one candidate attack path.
For example, in the SQL Server privilege escalation scenario, the candidate feature vector of each candidate edge is multiplied element-wise by the dimension weights obtained above and summed over its dimensions to give the edge weight, and the edge weights of all candidate edges are then summed to obtain the path weight of the candidate attack path.
Step 3502: and based on the obtained path weights corresponding to the candidate attack paths, taking the candidate attack path with the path weight reaching a path weight threshold as the target attack path.
For example, if the path weight of the candidate attack path shown in fig. 9a is 7, that of the candidate attack path shown in fig. 9b is 8, that of the candidate attack path shown in fig. 9c is 5, and the preset path weight threshold is 6, then the candidate attack paths shown in fig. 9a and fig. 9b are provided to the security analyst as the target attack paths.
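An added example (not the patent's code) of steps 35001 to 3502: the 28-dimensional candidate feature vectors, reciprocal-count dimension weights, edge and path weights and the threshold selection, run over three constructed paths modelled on fig. 9a to 9c. The d and e modes on those paths and the occurrence counts are assumptions, since Tables 3 and 7 are not reproduced in the text; f4 and f5 come from Table 8.

```python
from typing import Dict, List, Tuple

# The 28 dimensions n1-n28 follow the order of the association modes in the SQL
# Server privilege escalation scenario: feature modes d1-d14 (Table 7), rule
# modes e1-e8 (Table 3) and completion modes f1-f6 (Table 8).
ALL_MODES = ([f"d{i}" for i in range(1, 15)] + [f"e{i}" for i in range(1, 9)]
             + [f"f{i}" for i in range(1, 7)])
DIM = {mode: idx for idx, mode in enumerate(ALL_MODES)}   # mode -> index of n(idx + 1)

Node = Tuple[str, str]          # (kind, name); kind is "feature" or "rule"
Edge = Tuple[Node, Node, str]   # (src, dst, association mode)


def edge_category(src: Node, dst: Node) -> str:
    """Cases 1-3 of step 35001: two feature nodes -> feature mode (d), two rule
    nodes -> rule mode (e), one of each -> completion mode (f)."""
    kinds = {src[0], dst[0]}
    return "d" if kinds == {"feature"} else "e" if kinds == {"rule"} else "f"


def candidate_vector(edge: Edge) -> List[int]:
    """Step 35002: one-hot vector over n1-n28. A mode whose category does not
    match the node kinds at the ends of the edge is rejected rather than scored."""
    src, dst, mode = edge
    if mode not in DIM or mode[0] != edge_category(src, dst):
        raise ValueError(f"association mode {mode} cannot join {src} and {dst}")
    vec = [0] * len(ALL_MODES)
    vec[DIM[mode]] = 1
    return vec


def dimension_weights(occurrences: Dict[str, int]) -> List[float]:
    """Step 35003: the weight of n_i is the reciprocal of the number of occurrences
    of mode i in the scenario; a mode never counted gets weight 0 (assumption)."""
    return [1.0 / occurrences[m] if occurrences.get(m) else 0.0 for m in ALL_MODES]


def edge_weight(edge: Edge, weights: List[float]) -> float:
    return sum(v * w for v, w in zip(candidate_vector(edge), weights))


def path_weight(path: List[Edge], weights: List[float]) -> float:
    """Step 35004: the path weight is the sum of the weighted edge vectors."""
    return sum(edge_weight(e, weights) for e in path)


def select_target_paths(paths: Dict[str, List[Edge]], weights: List[float],
                        threshold: float) -> List[str]:
    """Step 3502: names of the candidate paths whose weight reaches the threshold."""
    return [name for name, p in paths.items() if path_weight(p, weights) >= threshold]


def F(name: str) -> Node: return ("feature", name)
def R(name: str) -> Node: return ("rule", name)


# Constructed candidate paths modelled on fig. 9a-9c; d/e modes are assumed.
ATTACKER, HTTPD, CHOPPER, TESTER = F("Attacker"), F("httpd.exe"), F("chopper"), F("Tester")
UPLOAD, TERMINAL, PRIVESC, NEWUSER = (R("upload Webshell"), R("Webshell terminal connection"),
                                      R("privilege escalation"), R("create new user"))
PATHS = {
    "fig9a": [(ATTACKER, HTTPD, "d1"), (HTTPD, CHOPPER, "d2"), (CHOPPER, PRIVESC, "f4"),
              (PRIVESC, NEWUSER, "e1"), (NEWUSER, TESTER, "f5")],
    "fig9b": [(ATTACKER, HTTPD, "d1"), (HTTPD, F("a"), "d3"), (F("a"), F("b"), "d3"),
              (F("b"), CHOPPER, "d2"), (CHOPPER, PRIVESC, "f4"), (PRIVESC, NEWUSER, "e1"),
              (NEWUSER, TESTER, "f5")],
    "fig9c": [(ATTACKER, HTTPD, "d1"), (HTTPD, CHOPPER, "d2"), (CHOPPER, F("c"), "d3"),
              (F("c"), UPLOAD, "f1"), (UPLOAD, TERMINAL, "e2"), (TERMINAL, PRIVESC, "e3"),
              (PRIVESC, NEWUSER, "e1"), (NEWUSER, TESTER, "f5")],
}
# Constructed per-mode occurrence counts for the scenario; a deployment would
# count them from its own historical data.
OCCURRENCES = {"d1": 2, "d2": 2, "d3": 10, "e1": 1, "e2": 4, "e3": 4, "f1": 5, "f4": 1, "f5": 1}
WEIGHTS = dimension_weights(OCCURRENCES)
```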
Referring to fig. 10, an attack tracing apparatus provided in this embodiment of the present application includes an alarm module 1001, a first generation module 1002, a second generation module 1003, a search module 1004, and an optional removal module 1000, where:
the warning module 1001 is configured to obtain first historical log data of a target object, and determine an attack target and an attack source based on the first historical log data.
The first generating module 1002 is configured to acquire second historical log data of each device associated with the target object, extract the target features from the first historical log data and the second historical log data based on the data type of the second historical log data, and generate a corresponding feature temporal heterogeneous graph from the target features.
The second generating module 1003 is configured to generate a corresponding attack tracing graph based on the feature temporal heterogeneous graph combined with a preset knowledge graph.
The searching module 1004 is configured to obtain, based on the attack tracing graph, each candidate attack path including the attack target and the attack source, and screen, based on a preset path condition, a target attack path that meets the preset path condition from the candidate attack paths.
As shown in fig. 11, optionally, the attack tracing apparatus further includes a removing module 1000, configured to remove, based on a preset baseline model, second historical log data with a relevant predetermined parameter lower than a preset threshold from each second historical log data, respectively.
In an optional embodiment, if the first historical log data of the target object at least includes alarm data recorded by performing an illegal operation on the target object, when determining an attack target and an attack source based on the first historical log data, the alarm module 1001 is specifically configured to:
and determining an event described by the alarm data as an attack event when the alarm data is determined to meet a preset alarm condition based on the alarm data recorded by executing illegal operation on the target object in the first historical log data, and determining an attack target and an attack source of the attack event based on the alarm data.
In an optional embodiment, when acquiring second historical log data of each device associated with the target object, extracting the target features from the first historical log data and the second historical log data based on the data type of the second historical log data, and generating a corresponding feature temporal heterogeneous graph from the target features, the first generating module 1002 is specifically configured to:
second historical log data of each device associated with the target object is obtained.
And determining a data type corresponding to the target feature based on the data type of the attack source and the log data types of the first historical log data and the second historical log data.
And extracting the target features containing preset feature fields from the first historical log data and the second historical log data of the corresponding data types respectively based on the data types corresponding to the target features, wherein the feature fields are set aiming at an attack tracing scene and are used for representing relevant fields of an attack path.
And respectively taking each target feature as a corresponding feature node, and respectively setting the association mode between every two feature nodes as a feature association mode.
Based on the feature nodes, take each corresponding feature association mode as a corresponding feature edge and generate the corresponding feature temporal heterogeneous graph.
In an optional embodiment, when generating a corresponding attack tracing graph based on the feature temporal heterogeneous graph combined with a preset knowledge graph, the second generating module 1003 is specifically configured to:
Set the association mode between each feature node and each rule node as a completion association mode, where the rule nodes correspond one-to-one to the preset knowledge base rules and each rule node is set based on its corresponding knowledge base rule.
Based on the feature temporal heterogeneous graph and the preset knowledge graph, take each completion association mode as a corresponding completion edge connecting the feature temporal heterogeneous graph and the preset knowledge graph, and generate the corresponding attack tracing graph.
In an optional embodiment, before the association mode between each feature node and each rule node is set as a completion association mode, the second generating module 1003 is further configured to:
the method comprises the steps of obtaining preset knowledge base rules, taking the preset knowledge base rules as corresponding rule nodes, setting the association mode between every two rule nodes as a rule association mode, taking the corresponding rule association modes as corresponding rule edges on the basis of the rule nodes, and generating a corresponding knowledge graph.
Alternatively:
Obtain a preset knowledge base, generate the knowledge base rules from the preset knowledge base using a preset knowledge graph algorithm, generate the association mode between every two knowledge base rules as a rule association mode, take each generated knowledge base rule as a corresponding rule node and each corresponding rule association mode as a corresponding rule edge, and generate the corresponding knowledge graph.
In an optional embodiment, when obtaining, based on the attack tracing graph, each candidate attack path including the attack target and the attack source, and screening, based on a preset path condition, the target attack paths meeting the preset path condition from the candidate attack paths, the search module 1004 is specifically configured to:
for each candidate attack path, performing the following operations:
obtaining each candidate node in one candidate attack path, and determining a candidate edge between every two candidate nodes, wherein each candidate node is any one feature node or any one rule node in the attack tracing graph; the association mode corresponding to each candidate edge is determined based on the node types of the two candidate nodes connected by the candidate edge.
Respectively extracting the association modes corresponding to the candidate edges, and respectively executing the following operations aiming at the candidate edges: and obtaining candidate feature vectors corresponding to one candidate edge based on an association mode corresponding to the candidate edge, wherein each candidate feature vector comprises a plurality of dimension elements, and each dimension element represents one attribute of the association mode.
Aiming at the obtained candidate feature vectors corresponding to the candidate edges respectively, the following operations are respectively executed: respectively obtaining preset dimension weights corresponding to all dimension elements contained in one candidate feature vector, and performing weighted summation based on the values of the dimension elements and the corresponding dimension weights to obtain edge weights of candidate edges corresponding to the candidate feature vector, wherein each dimension weight represents the occurrence probability of the corresponding dimension element.
And carrying out weighted summation based on the obtained association mode corresponding to each candidate edge and the corresponding edge weight to obtain the path weight corresponding to the candidate attack path.
And based on the obtained path weights corresponding to the candidate attack paths, taking the candidate attack path with the path weight reaching a path weight threshold as the target attack path.
In an alternative embodiment, when obtaining the candidate feature vector corresponding to one candidate edge based on the association manner corresponding to the candidate edge, the searching module 1004 is specifically configured to:
and respectively setting dimension elements corresponding to the attributes in the candidate feature vector corresponding to the candidate edge based on the attributes of the association mode corresponding to the candidate edge.
Based on the same inventive concept as the above-mentioned application embodiment, the embodiment of the present application further provides an electronic device, which can be used for attack tracing. In one embodiment, the electronic device may be a server, a terminal device, or other electronic device. In this embodiment, the electronic device may be configured as shown in fig. 12, and include a memory 1201, a communication interface 1203, and one or more processors 1202.
A memory 1201 for storing computer programs executed by the processor 1202. The memory 1201 may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, a program required for running an instant messaging function, and the like; the storage data area can store various instant messaging information, operation instruction sets and the like.
The memory 1201 may be a volatile memory, such as a random-access memory (RAM); the memory 1201 may also be a non-volatile memory such as, but not limited to, a read-only memory (ROM), a flash memory, a hard disk (HDD) or a solid-state drive (SSD), or any other medium which can be used to carry or store desired program code in the form of instructions or data structures and which can be accessed by a computer. The memory 1201 may also be a combination of the above memories.
The processor 1202 may include one or more Central Processing Units (CPUs), a digital Processing Unit, and the like. A processor 1202 for implementing the image search method described above when calling a computer program stored in the memory 1201.
The communication interface 1203 is used for communication with the terminal device and other servers.
In the embodiment of the present application, the specific connection medium between the memory 1201, the communication interface 1203 and the processor 1202 is not limited. In the embodiment of the present application, the memory 1201 and the processor 1202 are connected by the bus 1204 in fig. 12, the bus 1204 is represented by a thick line in fig. 12, and the connection manner between other components is only schematically illustrated and is not limited. The bus 1204 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 12, but this is not intended to represent only one bus or type of bus.
In the embodiment of the application, redundant log data are removed by constructing a baseline model, which addresses the explosion of dependency relationships in terminal-side data and reduces the computational load; representative fields are extracted from the network-side and terminal-side log data, a temporal heterogeneous graph is constructed by defining the dependency relationships between the log data, and a complete attack tracing graph is constructed by using the constructed knowledge graph to define the dependency relationships between the nodes of the knowledge graph and the nodes of the temporal heterogeneous graph. In this way, a more complete and more accurate attack path can be obtained from the attack tracing graph, based on the information about the attack source and the target object, in a scenario that associates the network side with the terminal side.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. An attack tracing method, characterized by comprising:
acquiring first historical log data of a target object, and determining an attack target and an attack source based on the first historical log data;
acquiring second historical log data of each device associated with the target object, extracting target features from the first historical log data and the second historical log data based on the data type of the second historical log data, and generating a corresponding feature time-series anomaly graph based on the target features;
generating a corresponding attack tracing graph based on the feature time-series anomaly graph in combination with a preset knowledge graph;
obtaining candidate attack paths that include the attack target and the attack source based on the attack tracing graph; and
screening, from the candidate attack paths, a target attack path that meets a preset path condition.
2. The method of claim 1, wherein the first historical log data of the target object at least includes alarm data recorded when illegal operations are performed on the target object, and determining the attack target and the attack source based on the first historical log data comprises:
when the alarm data recorded for illegal operations on the target object in the first historical log data is determined to meet a preset alarm condition, determining the event described by the alarm data to be an attack event, and determining the attack target and the attack source of the attack event based on the alarm data.
3. The method of claim 1 or 2, further comprising, before acquiring the first historical log data of the target object:
removing, based on a preset baseline model, from each set of second historical log data the second historical log data whose relevant preset parameter is below a preset threshold.
4. The method of claim 3, wherein the knowledge graph is obtained by:
acquiring preset knowledge base rules, taking each preset knowledge base rule as a corresponding rule node, setting the association mode between every two rule nodes as a rule association mode, and, based on the rule nodes, taking each corresponding rule association mode as a corresponding rule edge to generate the corresponding knowledge graph;
or,
acquiring a preset knowledge base, generating knowledge base rules from the preset knowledge base with a preset knowledge graph algorithm, generating the association mode between every two knowledge base rules as a rule association mode, taking each generated knowledge base rule as a corresponding rule node, and taking each corresponding rule association mode as a corresponding rule edge to generate the corresponding knowledge graph.
5. The method of claim 4, wherein acquiring second historical log data of each device associated with the target object, extracting target features from the first historical log data and the second historical log data based on the data type of the second historical log data, and generating a corresponding feature time-series anomaly graph based on the target features, comprises:
acquiring second historical log data of each device associated with the target object;
determining the data type corresponding to a target feature based on the data type of the attack source and the log data types of the first historical log data and the second historical log data;
extracting, based on the data types corresponding to the target features, target features containing preset feature fields from the first historical log data and the second historical log data of the corresponding data types, wherein the feature fields are set for the attack tracing scenario and represent fields relevant to an attack path;
taking each target feature as a corresponding feature node, and setting the association mode between every two feature nodes as a feature association mode; and
based on the feature nodes, taking each corresponding feature association mode as a corresponding feature edge to generate the corresponding feature time-series anomaly graph.
6. The method of claim 5, wherein generating a corresponding attack tracing graph based on the feature time-series anomaly graph in combination with a preset knowledge graph comprises:
setting the association mode between each feature node and each rule node as a completion association mode, wherein the rule nodes correspond one-to-one to the preset knowledge base rules and each rule node is set based on its corresponding knowledge base rule; and
based on the feature time-series anomaly graph and the preset knowledge graph, taking each completion association mode as a corresponding completion edge connecting the feature time-series anomaly graph and the preset knowledge graph, to generate the corresponding attack tracing graph.
7. The method of claim 6, wherein screening, from the candidate attack paths, the target attack path that meets the preset path condition comprises:
performing the following operations for each candidate attack path:
obtaining the candidate nodes in the candidate attack path and determining a candidate edge between every two candidate nodes, wherein each candidate node is any feature node or any rule node in the attack tracing graph, and the association mode corresponding to each candidate edge is determined by the node types of the two candidate nodes it connects;
extracting the association mode corresponding to each candidate edge, and performing the following for each candidate edge: obtaining a candidate feature vector for the candidate edge based on the association mode corresponding to that candidate edge, wherein each candidate feature vector comprises a plurality of dimension elements and each dimension element represents one attribute of the association mode;
performing the following for each obtained candidate feature vector: obtaining the preset dimension weight corresponding to each dimension element contained in the candidate feature vector, and performing a weighted summation of the values of the dimension elements with their corresponding dimension weights to obtain the edge weight of the candidate edge corresponding to that candidate feature vector, wherein each dimension weight represents the occurrence probability of the corresponding dimension element;
performing a weighted summation based on the association mode corresponding to each candidate edge and the corresponding edge weight to obtain the path weight of the candidate attack path; and
based on the obtained path weights of the candidate attack paths, taking a candidate attack path whose path weight reaches a path weight threshold as the target attack path.
8. The method of claim 7, wherein obtaining the candidate feature vector corresponding to a candidate edge based on the association mode corresponding to that candidate edge comprises:
setting, based on the attributes of the association mode corresponding to the candidate edge, the dimension elements corresponding to those attributes in the candidate feature vector of the candidate edge.
9. An attack tracing apparatus, comprising:
an alarm module, configured to acquire first historical log data of a target object and determine an attack target and an attack source based on the first historical log data;
a first generation module, configured to acquire second historical log data of each device associated with the target object, extract target features from the first historical log data and the second historical log data based on the data type of the second historical log data, and generate a corresponding feature time-series anomaly graph based on the target features;
a second generation module, configured to generate a corresponding attack tracing graph based on the feature time-series anomaly graph in combination with a preset knowledge graph;
a search module, configured to obtain candidate attack paths that include the attack target and the attack source based on the attack tracing graph, and to screen, from the candidate attack paths, a target attack path that meets a preset path condition; and
optionally, a removal module, configured to remove, based on a preset baseline model, from each set of second historical log data the second historical log data whose relevant preset parameter is below a preset threshold.
10. An electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the attack tracing method of any one of claims 1 to 8.
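The claims describe a pipeline but never fix the feature fields, the rules, the dimension weights or the threshold, so the following is an added illustration, not NSFOCUS's implementation or any code from the patent: it picks the attack event from an alarm record (claim 2), builds feature nodes with feature edges and bridges them through rule nodes with completion edges (claims 5 and 6), enumerates candidate paths from attack source to attack target, and scores each path as a weighted sum of per-edge weights, each of which is itself a weighted sum of a feature vector's dimension elements (claim 7). The log records, the `port_scan -> ssh_bruteforce -> lateral_move -> webshell_upload` rules, the three vector dimensions (same source host, short time gap, rule hit), the weights 0.3/0.2/0.5, the per-mode coefficients and the threshold 1.5 are all assumptions chosen for the example.

```python
"""Added example of claim-7-style attack-path scoring. All fields, rules,
weights and thresholds below are assumptions, not values from the patent."""
from typing import Dict, List, Tuple

# Constructed sample records (not real data). "device" says where the record
# came from: the target host's own log ("target") or an associated device.
LOGS = [
    {"id": "f1", "ts": 1, "src": "10.0.0.5", "dst": "10.0.0.7", "event": "port_scan", "device": "firewall"},
    {"id": "f2", "ts": 2, "src": "10.0.0.5", "dst": "10.0.0.7", "event": "ssh_bruteforce", "device": "auth"},
    {"id": "f3", "ts": 3, "src": "10.0.0.7", "dst": "10.0.0.9", "event": "lateral_move", "device": "auth"},
    {"id": "f4", "ts": 2, "src": "10.0.0.20", "dst": "10.0.0.9", "event": "dns_query", "device": "dns"},
    {"id": "f5", "ts": 4, "src": "10.0.0.5", "dst": "10.0.0.9", "event": "webshell_upload",
     "device": "target", "severity": 9},
]
# Assumed knowledge-base rules: (earlier stage, later stage). Each becomes a rule node.
RULES = [("port_scan", "ssh_bruteforce"), ("ssh_bruteforce", "lateral_move"),
         ("lateral_move", "webshell_upload")]
ALARM_SEVERITY = 7                                  # assumed preset alarm condition
DIM_WEIGHTS = (0.3, 0.2, 0.5)                       # assumed weights: (same_src, tight_time, rule_hit)
MODE_COEFF = {"feature": 1.0, "completion": 0.6}    # assumed per-association-mode coefficient
PATH_THRESHOLD = 1.5                                # assumed path weight threshold

Edge = Tuple[str, str, Tuple[int, int, int]]        # (to, association mode, feature vector)


def find_attack_event(logs):
    """Claim 2: the alarm record meeting the preset condition yields source and target."""
    alarms = [r for r in logs if r["device"] == "target" and r.get("severity", 0) >= ALARM_SEVERITY]
    if not alarms:
        return None
    a = max(alarms, key=lambda r: r["severity"])
    return a["id"], a["src"], a["dst"]


def build_graph(logs, rules) -> Dict[str, List[Edge]]:
    """Claims 5-6: feature nodes joined by feature edges, plus rule nodes joined by completion edges."""
    rule_set = set(rules)
    g: Dict[str, List[Edge]] = {r["id"]: [] for r in logs}
    for a, b in rules:
        g[f"rule:{a}->{b}"] = []
    for x in logs:
        for y in logs:
            # feature association: x precedes y and x's destination host is on y's flow
            if x["ts"] < y["ts"] and x["dst"] in (y["src"], y["dst"]):
                vec = (int(x["src"] == y["src"]), int(y["ts"] - x["ts"] <= 2),
                       int((x["event"], y["event"]) in rule_set))
                g[x["id"]].append((y["id"], "feature", vec))
    for a, b in rules:  # completion edges let a path go feature -> rule -> feature
        rid = f"rule:{a}->{b}"
        for r in logs:
            if r["event"] == a:
                g[r["id"]].append((rid, "completion", (0, 0, 1)))
            if r["event"] == b:
                g[rid].append((r["id"], "completion", (0, 0, 1)))
    return g


def candidate_paths(g, logs, source, end_id):
    """Simple paths from any feature node whose src is the attack source to the alarm node."""
    starts = [r["id"] for r in logs if r["src"] == source and r["id"] != end_id]
    paths = []

    def dfs(node, path):
        if node == end_id:
            paths.append(list(path))
            return
        for nxt, _, _ in g[node]:
            if nxt not in path:          # visited set on the path prevents cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    for s in starts:
        dfs(s, [s])
    return paths


def edge_weight(vec):
    """Claim 7: weighted sum of the dimension elements with their preset dimension weights."""
    return sum(v * w for v, w in zip(vec, DIM_WEIGHTS))


def path_weight(g, path):
    """Claim 7: weighted sum of edge weights, weighted by each edge's association mode."""
    total = 0.0
    for a, b in zip(path, path[1:]):
        mode, vec = next((m, v) for n, m, v in g[a] if n == b)
        total += MODE_COEFF[mode] * edge_weight(vec)
    return round(total, 3)


def trace(logs=LOGS, rules=RULES, threshold=PATH_THRESHOLD):
    """Returns (path_weight, path) pairs at or above the threshold, best first."""
    ev = find_attack_event(logs)
    if ev is None:
        return []
    end_id, source, _target = ev
    g = build_graph(logs, rules)
    scored = [(path_weight(g, p), p) for p in candidate_paths(g, logs, source, end_id)]
    return sorted([(w, p) for w, p in scored if w >= threshold], reverse=True)


if __name__ == "__main__":
    for w, p in trace():
        print(f"{w:.2f}  {' -> '.join(p)}")
```

On the sample data the direct chain f1 -> f2 -> f3 -> f5 scores highest, the variants routed through rule nodes score lower because the completion coefficient discounts them, and the unrelated DNS record f4 never reaches a candidate path because no start node leads to it. One caveat the claim leaves open: a plain weighted sum rewards longer paths simply for having more edges, so a deployment would normally normalise by path length or cap path length before thresholding.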

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110993536.8A CN113676484B (en) 2021-08-27 2021-08-27 Attack tracing method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN113676484A true CN113676484A (en) 2021-11-19
CN113676484B CN113676484B (en) 2023-04-18

Family

ID=78547071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110993536.8A Active CN113676484B (en) 2021-08-27 2021-08-27 Attack tracing method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN113676484B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114363036A (en) * 2021-12-30 2022-04-15 绿盟科技集团股份有限公司 Network attack path acquisition method and device and electronic equipment
CN114826685A (en) * 2022-03-30 2022-07-29 深信服科技股份有限公司 Information analysis method, equipment and computer readable storage medium
CN114900364A (en) * 2022-05-18 2022-08-12 桂林电子科技大学 High-level continuous threat detection method based on tracing graph and heterogeneous graph neural network
CN115037561A (en) * 2022-08-10 2022-09-09 杭州悦数科技有限公司 Network security detection method and system
CN115242614A (en) * 2022-09-22 2022-10-25 北京天融信网络安全技术有限公司 Network information analysis method, device, equipment and medium
CN115632888A (en) * 2022-12-22 2023-01-20 国家工业信息安全发展研究中心 Attack path restoration method and system based on graph algorithm
CN117009961A (en) * 2023-09-28 2023-11-07 北京安天网络安全技术有限公司 Method, device, equipment and medium for determining behavior detection rule

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108183888A (en) * 2017-12-15 2018-06-19 恒安嘉新(北京)科技股份公司 A kind of social engineering Network Intrusion path detection method based on random forests algorithm
US20200284883A1 (en) * 2019-03-08 2020-09-10 Osram Gmbh Component for a lidar sensor system, lidar sensor system, lidar sensor device, method for a lidar sensor system and method for a lidar sensor device
CN111818103A (en) * 2020-09-09 2020-10-23 信联科技(南京)有限公司 Traffic-based tracing attack path method in network target range
CN112131571A (en) * 2020-11-20 2020-12-25 腾讯科技(深圳)有限公司 Threat tracing method and related equipment
CN113259316A (en) * 2021-04-02 2021-08-13 国家电网有限公司 Method and system for visualizing attack path in power system and electronic equipment

Also Published As

Publication number Publication date
CN113676484B (en) 2023-04-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant