CN114363053A - Attack identification method and device and related equipment - Google Patents


Info

Publication number: CN114363053A
Application number: CN202111676159.1A
Authority: CN (China)
Prior art keywords: network, attack, target, characteristic information, information
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 梁倍毓
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd

Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic


Abstract

The application discloses an attack identification method comprising the following steps: collecting information from a preset port of a target IP to obtain characteristic information corresponding to the preset port, where the characteristic information includes C2 server behavior characteristics; and determining, according to the characteristic information, whether the network device corresponding to the target IP is under a network attack. With this scheme, the characteristic information is collected directly from the network port of the network device, so that network attack identification is achieved with both high identification efficiency and high identification accuracy. In addition, because the characteristic information includes C2 server behavior characteristics, whether the current network device is under a network attack from a C2 server can be identified effectively, and the security of the network device is effectively ensured. The application also discloses an attack recognition apparatus, a system and a computer-readable storage medium, which have the same beneficial effects.

Description

Attack identification method and device and related equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to an attack recognition method, an attack recognition apparatus, an attack recognition system, and a computer-readable storage medium.
Background
With the rapid development of internet technology, the internet has gradually reached every part of daily production and life, and the impact of internet security has grown accordingly. However, as network attack techniques become richer and more covert, the network security challenge becomes more severe. To address it, a threatening malicious IP (Internet Protocol address) must first be identified, after which the attack behavior is handled by interception, blocking and similar means so as to ensure network security. At present, existing schemes in the industry either have a high identification accuracy but a long identification period, or a short identification period but a low accuracy; the two cannot be achieved at the same time.
Therefore, how to achieve fast and accurate attack identification, and thereby ensure network security, is a problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
An object of the present application is to provide an attack identification method that can achieve rapid and accurate attack identification and thereby ensure network security; another object of the present application is to provide an attack recognition apparatus, system and computer-readable storage medium, all having the above beneficial effects.
In a first aspect, the present application provides an attack identification method, including:
acquiring information of a preset port of a target IP to obtain characteristic information corresponding to the preset port; wherein the characteristic information comprises C2 server behavior characteristics;
and determining whether the network equipment corresponding to the target IP has network attack or not according to the characteristic information.
Preferably, the C2 server behavior characteristics include a malware callback signature.
Preferably, before determining whether the network device corresponding to the target IP has a network attack according to the feature information, the method further includes:
constructing an IP portrait of the target IP by using the characteristic information; the IP portrait is used for representing a feature label of network equipment corresponding to the target IP;
correspondingly, the determining whether the network device corresponding to the target IP has a network attack according to the feature information includes:
and determining whether the network equipment corresponding to the target IP has network attack or not by using the IP portrait.
Preferably, the determining whether a network attack exists on the network device corresponding to the target IP according to the feature information includes:
matching the characteristic information with a preset characteristic library;
and if the characteristic information hits the preset characteristic library, determining that the network equipment has network attack.
Preferably, the determining whether a network attack exists on the network device corresponding to the target IP according to the feature information includes:
inputting the characteristic information into a pre-trained network recognition model to obtain a recognition result;
and determining whether the network equipment corresponding to the target IP has network attack according to the identification result.
Preferably, before the collecting information of the preset port of the target IP, the method further includes:
when the target IP does not hit a preset white list, executing the step of acquiring information of the preset port of the target IP and all subsequent steps; the preset white list comprises an IP address white list and/or an IP type white list.
Preferably, the feature information further includes C2 server environment information and/or C2 server certificate information and/or C2 server framework information.
In a second aspect, the present application further discloses an attack recognition apparatus, including:
a characteristic information acquisition module, configured to collect information from a preset port of a target IP and obtain characteristic information corresponding to the preset port, where the characteristic information includes C2 server behavior characteristics;
and the network attack identification module is used for determining whether the network equipment corresponding to the target IP has network attack or not according to the characteristic information.
In a third aspect, the present application further discloses an attack recognition system, including:
a memory for storing a computer program;
a processor for implementing the steps of any of the attack recognition methods described above when executing the computer program.
In a fourth aspect, the present application also discloses a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the attack recognition methods described above.
The application provides an attack identification method, which comprises the following steps: acquiring information of a preset port of a target IP to obtain characteristic information corresponding to the preset port; wherein the characteristic information comprises C2 server behavior characteristics; and determining whether the network equipment corresponding to the target IP has network attack or not according to the characteristic information.
It can be seen that the attack identification method provided by the application first collects information from the preset port of the target IP to obtain the corresponding characteristic information, and then determines, based on that characteristic information, whether the network device corresponding to the target IP is under a network attack. Because the characteristic information is collected directly from the network port of the network device, network attack identification is achieved with both high efficiency and high accuracy. In addition, the characteristic information includes C2 server behavior characteristics, so whether the current network device is under a network attack from a C2 server can be effectively identified, and the security of the network device is effectively guaranteed.
The attack recognition device, the attack recognition system and the computer readable storage medium provided by the application all have the beneficial effects, and are not described herein again.
Drawings
In order to more clearly illustrate the technical solutions in the prior art and the embodiments of the present application, the drawings that are needed to be used in the description of the prior art and the embodiments of the present application will be briefly described below. Of course, the following description of the drawings related to the embodiments of the present application is only a part of the embodiments of the present application, and it will be obvious to those skilled in the art that other drawings can be obtained from the provided drawings without any creative effort, and the obtained other drawings also belong to the protection scope of the present application.
Fig. 1 is a schematic flowchart of an attack identification method provided in the present application;
fig. 2 is a schematic structural diagram of an attack recognition apparatus provided in the present application;
fig. 3 is a schematic structural diagram of an attack recognition system provided in the present application.
Detailed Description
The core of the application is to provide an attack identification method, which can realize rapid and accurate attack identification and further ensure network security; another core of the present application is to provide an attack recognition apparatus, system and computer-readable storage medium, which also have the above beneficial effects.
In order to more clearly and completely describe the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides an attack identification method.
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating an attack identification method according to the present application, where the attack identification method includes:
S101: acquiring information of a preset port of a target IP to obtain characteristic information corresponding to the preset port; wherein the characteristic information comprises C2 server behavior characteristics;
the step aims to realize the collection of characteristic information, wherein the characteristic information refers to characteristic information corresponding to a preset port of a target IP, the target IP refers to an IP address of network equipment needing attack identification, the preset port is a network port pre-designated in the network equipment, and it can be understood that the preset port is generally a network port in an open state in the network equipment.
In the implementation process, all or part of network ports in the whole network can be scanned according to actual needs to determine network ports in an open state (i.e., obtain preset ports) in all or part of the network ports, and then the respective IP is determined based on the network ports, so that each target IP needing attack identification is obtained. The port scanning process may be implemented based on a corresponding port scanning tool (e.g., Nmap, unicorn scan, Knocker, etc.), and the specific implementation process may refer to the prior art, which is not described herein again.
Further, since there may be multiple network ports in one IP, there may be a case where multiple preset ports belong to the same IP in all the preset ports determined by port scanning, however, repeatedly recording the same IP only brings extra and unnecessary identification work, reduces the identification efficiency, and thus, the same IP may be recorded only once. Of course, in order to avoid recording duplication, after recording all the IPs to which the preset port belongs, an IP deduplication operation may be performed once, so as to obtain each target IP without duplication.
In addition, for convenience of subsequent IP query and retrieval, the determined target IPs may be recorded in a list form, that is, after the IPs to which the open ports belong are obtained, the obtained IPs may be recorded in a preset list, so as to generate an IP list with the port opening characteristics. Furthermore, in the IP list, the mapping relationship between the IP and the open port may also be recorded at the same time, so as to facilitate the execution of the subsequent feature information collection operation.
Finally, for any target IP in the IP list, information can be collected from each open port mapped to that IP to obtain the corresponding characteristic information. The characteristic information may include C2 server behavior characteristics, based on which it can be effectively identified whether the current network device is under a network attack from a C2 server. A C2 server is a command-and-control server: after a virus or trojan has taken control of a target host (the network device in this application), the attacker forwards commands to it through the C2 server. In one embodiment of the present application, the C2 server behavior characteristics may include a malware callback signature, i.e., signature information returned by the malware to the C2 server while the current network device is interacting with that server. One example is the Beacon signature: Beacon is the payload (the part of the malicious code that performs the harmful action) of the Cobalt Strike C2 framework that runs on the target host and lets attackers control the infected host over a covert channel for a long period.
Of course, the content of the characteristic information is not limited to this and may also include other types of feature data, set by the technician according to actual needs; this is not limited in the application. In an embodiment of the present application, the characteristic information may further include C2 server environment information (e.g., fingerprint information such as JARM, JA3 and JA3S fingerprints, hosted service information, running application information, etc.) and/or C2 server certificate information (e.g., SSL (Secure Sockets Layer) certificate chain information) and/or C2 server framework information (e.g., the port numbers, port addresses, etc. of the preset ports).
The characteristic information can be collected either by gathering the preset port's own information or by analyzing the packets flowing through the preset port; the collected or analyzed information serves as the characteristic information corresponding to the preset port. The collection can be implemented with a collection command. For example, port scanning determines that port 443 is open on IP 8.140.19.121; port 443 is the common HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) service port, and an HTTPS service must be bound to an SSL certificate, so the SSL certificate information can be obtained with the command "openssl s_client -connect 45.251.243.147:443".
S102: determining, according to the characteristic information, whether the network device corresponding to the target IP is under a network attack.
This step performs the network attack identification: based on the collected characteristic information, it is identified whether a network attack exists on the network device corresponding to the target IP. The identification may be implemented in various ways, such as feature matching or a network recognition model; the application does not limit this.
Further, when it is determined that the network device corresponding to the target IP is under a network attack, an alarm prompt may be output at the same time to remind the technician that the current network device is at risk of attack. The alarm prompt may be an indicator light, a buzzer, or the like; the implementation may be chosen by the technician according to the actual situation and is not limited by the application.
It can be seen that the attack identification method provided by the application first collects information from the preset port of the target IP to obtain the corresponding characteristic information, and then determines, based on that characteristic information, whether the network device corresponding to the target IP is under a network attack. Because the characteristic information is collected directly from the network port of the network device, network attack identification is achieved with both high efficiency and high accuracy. In addition, the characteristic information includes C2 server behavior characteristics, so whether the current network device is under a network attack from a C2 server can be effectively identified, and the security of the network device is effectively guaranteed.
In an embodiment of the application, before determining whether a network attack exists on the network device corresponding to the target IP according to the feature information, the method may further include: constructing an IP portrait of a target IP by utilizing the characteristic information; the IP portrait is used for representing a feature label of the network equipment corresponding to the target IP;
accordingly, the determining whether the network device corresponding to the target IP has a network attack according to the feature information may include: and determining whether the network equipment corresponding to the target IP has network attack by using the IP portrait.
The attack identification method provided by this embodiment can identify network attacks through an IP portrait. Specifically, after the characteristic information corresponding to the target IP is obtained and before it is determined whether the network device corresponding to the target IP is under a network attack, an IP portrait of the target IP may be constructed from the characteristic information. The IP portrait is analogous to a user portrait: a user portrait abstracts each concrete piece of information about a user into tags and uses those tags to depict the user, so that targeted services can be provided. Likewise, the collected characteristic information is used to label the corresponding target IP, for example the target IP "belongs to a web server", or the target IP "is compromised / belongs to illicit infrastructure", or the hacking tool associated with the target IP "is Cobalt Strike (a hacking tool)", and so on. In this way the IP portrait is constructed from the characteristic information.
Further, after the IP portrait has been constructed, whether a network attack exists on the network device corresponding to the target IP can be determined from the IP portrait. For example, a tag library storing the feature tags of various types of attack devices may be constructed in advance, so that when the IP portrait of an IP hits the tag library, i.e., when the IP portrait matches a feature tag in the tag library, the network device corresponding to that IP can be said to be under a network attack.
In an embodiment of the application, the determining whether a network attack exists on the network device corresponding to the target IP according to the feature information may include: matching the characteristic information with a preset characteristic library; and if the characteristic information hits the preset characteristic library, determining that the network equipment has network attack.
The network identification method provided by the embodiment of the application can realize network attack identification through feature matching. Specifically, a feature library may be pre-constructed and used to store feature information corresponding to various attack devices, so that when feature information corresponding to an IP hits the preset feature library, it may be indicated that a network device corresponding to the IP has a network attack.
To improve the accuracy of the identification result, a large amount of characteristic information corresponding to attack devices may be collected in advance and stored in the preset feature library. Taking Cobalt Strike as an example, the characteristic information usable for attack identification may include JARM fingerprint features, SSL certificate chain features, Beacon features, and the like; when the characteristic information of an IP hits the characteristic information in the preset feature library, it may be determined that the network device corresponding to that IP is at greater risk of being attacked.
The characteristic information in the preset feature library may be obtained by setting up an experimental environment in advance and performing a large number of tests and collections; it can be understood that the more characteristic information the preset feature library contains, the higher the accuracy of the attack identification result. Accordingly, during actual operation the preset feature library may be updated periodically or in real time, which effectively ensures the comprehensiveness of the characteristic information in the library and further improves the accuracy of the attack identification result.
In an embodiment of the application, the determining whether a network attack exists on the network device corresponding to the target IP according to the feature information may include: inputting the characteristic information into a pre-trained network recognition model to obtain a recognition result; and determining whether the network equipment corresponding to the target IP has network attack according to the identification result.
The network identification method provided by the embodiment of the application can realize network attack identification through the network model. Specifically, the network identification model may be trained in advance based on sample data (such as the feature information corresponding to each type of attack device described above), and then, after the feature information corresponding to the target IP is obtained, the feature information may be input into the trained network identification model to be processed, so as to obtain a corresponding identification result, thereby determining whether the network device corresponding to the target IP has a network attack according to the identification result.
It can be understood that the greater the number of sample data, the higher the accuracy of the network identification model constructed based on the sample data, and the more accurate the corresponding attack identification result. Based on the method, in the actual operation process, the network identification model can be optimized in a timing or real-time mode, so that the model precision is further improved, and the accuracy of the attack identification result is ensured.
In an embodiment of the application, before the collecting information of the preset port of the target IP, the method may further include: when the target IP does not hit the preset white list, executing a step of acquiring information of a preset port of the target IP and all subsequent steps; the preset white list comprises an IP address white list and/or an IP type white list.
To effectively improve attack identification efficiency, a white-list filtering mechanism may additionally be provided. Specifically, a white list storing or recording legitimate IPs may be constructed in advance, so that after each target IP is obtained and before characteristic information is collected, each target IP can be filtered against the preset white list. When a target IP hits the preset white list, it is a legitimate IP and can be filtered out; when a target IP misses the white list, it cannot be determined whether it is legitimate, so its characteristic information is collected in order to identify network attacks based on it.
Furthermore, in the actual working process, the preset white list can be updated regularly or in real time, so that the comprehensiveness of legal IP in the white list is effectively ensured, and the IP identification efficiency is further improved. For example, when the feature information of the target IP misses the preset feature library and it is determined that the target IP is not an abnormal IP, it may be added to the preset white list. In order to effectively ensure the accuracy of the target IP, before the target IP is added to the white list, the target IP can be further tested and checked, and after the target IP is ensured to be a legal IP, the target IP is added to the white list.
The preset white list may specifically include an IP address white list and/or an IP type white list, where the IP address white list is used to store an IP address of a legal IP, and may include an IP with a high activity in a global scope, such as a Domain Name System (DNS) IP, a known website resolution IP, and the like; the IP type white list is used to store legal IP types, and may include public export IPs of types such as school, mobile Network, and CDN (Content Delivery Network). Thus, when the target IP hits the IP address white list and/or the IP type white list, the target IP can be removed.
Therefore, legal IP is directly filtered through a white list filtering mechanism, the workload of subsequent functional modules is effectively reduced, and the overall efficiency is further improved.
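The white-list filter, the preset feature library match and the IP-portrait (tag library) match described above, combined into one identification routine for a target IP. This is an added Python example, not the patent's or Sangfor's code; every library entry, tag name, white-list entry and sample feature value is a constructed placeholder, not a real indicator.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class PortFeatures:
    """Characteristic information collected from one preset (open) port of a target IP."""
    ip: str
    port: int
    service: str = ""           # framework information, e.g. "https"
    jarm: str = ""              # environment information: TLS server fingerprint
    cert_serial: str = ""       # certificate information: leaf certificate serial
    beacon_seen: bool = False   # behavior information: malware callback (Beacon) observed


# Preset feature library: (feature name, value) -> associated attack tool.
# Constructed placeholder values; a real library would hold fingerprints measured in a lab.
FEATURE_LIBRARY: Dict[Tuple[str, object], str] = {
    ("jarm", "PLACEHOLDER-JARM-OF-C2-FRAMEWORK"): "Cobalt Strike",
    ("cert_serial", "PLACEHOLDER-DEFAULT-CERT-SERIAL"): "Cobalt Strike",
    ("beacon_seen", True): "Cobalt Strike",
}

# Tag library: portrait labels that mark a network device as attack infrastructure.
TAG_LIBRARY: Set[str] = {"tool:Cobalt Strike", "c2_callback"}

# Preset white list: IP address white list (assumed entry from the TEST-NET-1 range)
# and IP type white list.
IP_ADDRESS_WHITELIST: Set[str] = {"192.0.2.53"}
IP_TYPE_WHITELIST: Set[str] = {"cdn", "school", "mobile"}


def needs_check(ip: str, ip_type: str) -> bool:
    """Return True when the target IP misses both white lists and must be examined."""
    return ip not in IP_ADDRESS_WHITELIST and ip_type not in IP_TYPE_WHITELIST


def library_hits(f: PortFeatures) -> List[str]:
    """Match one port's features against the preset feature library."""
    return [f"{name}={value} -> {tool}"
            for (name, value), tool in FEATURE_LIBRARY.items()
            if getattr(f, name) == value]


def build_ip_portrait(features: List[PortFeatures]) -> Set[str]:
    """Abstract the features of all open ports of one IP into labels (the IP portrait)."""
    tags: Set[str] = set()
    for f in features:
        if f.service in ("http", "https"):
            tags.add("web_server")
        if f.beacon_seen:
            tags.add("c2_callback")
        for (name, value), tool in FEATURE_LIBRARY.items():
            if getattr(f, name) == value:
                tags.add(f"tool:{tool}")
    return tags


def identify_ip(ip: str, features: List[PortFeatures], ip_type: str = "") -> Dict[str, object]:
    """White-list filtering, then feature-library and portrait matching, for one target IP."""
    if not needs_check(ip, ip_type):
        # Legitimate IP: skip collection and identification entirely.
        return {"ip": ip, "checked": False, "attack": False, "hits": [], "portrait": set()}
    hits = [h for f in features for h in library_hits(f)]
    portrait = build_ip_portrait(features)
    attack = bool(hits) or bool(portrait & TAG_LIBRARY)
    return {"ip": ip, "checked": True, "attack": attack, "hits": hits, "portrait": portrait}


# Constructed sample input: two target IPs from the documentation range 203.0.113.0/24.
SAMPLE_TARGETS: Dict[str, List[PortFeatures]] = {
    "203.0.113.10": [PortFeatures("203.0.113.10", 443, "https",
                                  jarm="PLACEHOLDER-JARM-OF-C2-FRAMEWORK", beacon_seen=True)],
    "203.0.113.20": [PortFeatures("203.0.113.20", 443, "https",
                                  jarm="PLACEHOLDER-JARM-OF-A-NORMAL-SERVER", cert_serial="1234")],
}


def run_sample() -> Dict[str, Dict[str, object]]:
    """Identify every sample target; the first hits the library, the second does not."""
    return {ip: identify_ip(ip, feats) for ip, feats in SAMPLE_TARGETS.items()}


if __name__ == "__main__":
    for ip, result in run_sample().items():
        print(ip, "attack" if result["attack"] else "no hit", sorted(result["portrait"]))
```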
In one embodiment of the present application, the process of determining the preset ports through port scanning may include: determining the designated network ports according to a scanning instruction, and performing port scanning on all the designated network ports to obtain the preset ports.
This embodiment takes an open port as the preset port by way of example and provides a method for determining the preset ports. Specifically, the port scanning operation may be implemented on the basis of a scanning instruction: when the scanning instruction is received, the designated network ports are determined from it. The designated network ports are the network ports that need to be scanned, designated in advance according to actual requirements; they may be all the network ports of the whole network or only some of them, for example, the designated ports of the whole IPv4 network. Port scanning is then performed on all the designated network ports so that the preset ports can be determined among them.
In an embodiment of the application, performing port scanning on all the designated network ports to obtain the preset ports may include: sending a request packet to each designated network port; and when a response packet fed back by a designated network port on the basis of the request packet is received, determining that designated network port to be a preset port.
This embodiment provides a port scanning method for determining whether a network port is in the open state, and thus obtaining the preset ports. Specifically, a request packet is sent to each designated network port; if the designated network port is open, it feeds back a response packet on the basis of the request packet, and if it is closed, it does not respond, i.e., feeds back no response packet. Therefore, whether a designated network port is open can be determined by checking whether it feeds back a response packet corresponding to the request packet; when such a response packet is received, the designated network port that sent it is determined to be an open port, i.e., a preset port.
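The request/response probe just described, together with the IP-list construction from the notes to step S101 (one record per IP, with the IP-to-open-port mapping kept for later collection), as an added Python example that is not part of the patent: a TCP connect() serves as the request packet and a completed handshake as the response. The loopback listener, the 1-second timeout and the target pairs are assumed for demonstration; the scan runs only against a listener the script starts itself.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Added example, not the patent's own code. A TCP connect() is the "request packet";
# a completed handshake is the "response packet" that marks the port as open.


def probe_port(ip: str, port: int, timeout: float = 1.0) -> bool:
    """Return True when the designated port answers the connection request (open)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # A closed port refuses (RST) and a filtered port times out; neither counts as a response.
        return s.connect_ex((ip, port)) == 0


def build_ip_list(targets: Iterable[Tuple[str, int]], timeout: float = 1.0) -> Dict[str, List[int]]:
    """Scan (ip, port) pairs and return the IP list as {ip: [open ports]}.

    Each IP is recorded once (deduplication), and the mapping between the IP and its
    open ports is kept for the later characteristic information collection.
    """
    ip_list: Dict[str, List[int]] = {}
    for ip, port in targets:
        if not probe_port(ip, port, timeout):
            continue
        ports = ip_list.setdefault(ip, [])
        if port not in ports:
            ports.append(port)
    return ip_list


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port (assumed test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port() -> int:
    """Reserve and release an ephemeral port so that it is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Tuple[Dict[str, List[int]], int, int]:
    """Scan one open and one closed loopback port; the open port is listed twice on purpose."""
    srv, open_port = start_local_listener()
    closed_port = free_closed_port()
    try:
        targets = [("127.0.0.1", open_port), ("127.0.0.1", closed_port), ("127.0.0.1", open_port)]
        ip_list = build_ip_list(targets)
    finally:
        srv.close()
    return ip_list, open_port, closed_port


if __name__ == "__main__":
    result, opened, closed = demo()
    print(f"open port {opened}, closed port {closed} -> IP list {result}")
```

The duplicate target pair shows that the same IP is recorded once and its port mapped once, as the deduplication step requires.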
In an embodiment of the application, before determining the designated network ports according to the scanning instruction, the method may further include: automatically responding to the scanning instruction according to a preset time interval.
This embodiment of the application provides a method for obtaining the scanning instruction: the scanning instruction is triggered automatically by a timing mechanism, so that port scanning is performed on a schedule and, with it, IP identification is also performed on a schedule. Specifically, an automatic response time interval for the scanning instruction, that is, the preset time interval, may be configured in advance, so that the scanning instruction is responded to automatically at that interval and the port scanning operation is then performed based on the scanning instruction.
The specific value of the preset time interval does not affect the implementation of the technical scheme; it is set by a technician according to actual requirements and is not limited in the present application. For example, the preset time interval may be set to 24 hours, so that an updated IP list is obtained every day.
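The request-and-response procedure described above (send a request to each designated port; treat a port that answers as a preset port), as an added example that is not the patent's own code. It assumes a TCP connection request stands in for the patent's "request data packet" and a completed handshake for the "response data packet"; to run offline it starts its own loopback listener, which is constructed purely for the demo.

```python
"""Open-port determination by request and response, as described in the embodiment above.

Added example, not the patent's own code. A TCP connection request stands in for the
"request data packet" and a completed handshake for the "response data packet"; the
demo scans loopback listeners that it starts itself.
"""
import socket
import threading
from typing import Iterable, List


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Send a connection request to one designated port and report whether it responded.

    A completed handshake (connect_ex() == 0) is treated as the response packet of an
    open port; a refusal or a timeout means no response, so the port is treated as closed.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            return sock.connect_ex((host, port)) == 0
        except OSError:          # timeout or unreachable host: no response packet
            return False


def find_open_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Scan every designated port and return the ones that answered: the 'preset ports'."""
    return sorted(p for p in ports if probe_port(host, p, timeout))


def start_loopback_listener() -> int:
    """Constructed for the demo: open a listening socket on 127.0.0.1 and return its port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    server.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                break
            conn.close()                   # the handshake itself is the response we need

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


def pick_closed_loopback_port() -> int:
    """Constructed for the demo: reserve a free port and release it so it is known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    open_port = start_loopback_listener()
    closed_port = pick_closed_loopback_port()
    print("open ports:", find_open_ports("127.0.0.1", [open_port, closed_port]))
```

The preset time interval of the text (24 hours in the example) would be a scheduler that calls `find_open_ports` on the designated ports at that interval; the list it returns is the input to the feature collection described in the following embodiments. Note that the probe only establishes that a port answered, not what service is behind it.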
Referring to fig. 2, fig. 2 is a schematic structural diagram of an attack recognition apparatus provided in the present application; the attack recognition apparatus may include:
a characteristic information acquisition module 1, configured to acquire information of a preset port of a target IP and obtain characteristic information corresponding to the preset port, wherein the characteristic information comprises C2 server behavior characteristics; and
a network attack identification module 2, configured to determine, according to the characteristic information, whether the network device corresponding to the target IP is under network attack.
It can be seen that the attack recognition apparatus provided in this embodiment of the present application first collects information from a preset port of a target IP to obtain the corresponding feature information, and then determines, based on that feature information, whether the network device corresponding to the target IP is under network attack. In other words, feature information is collected directly from the network port of the network device, and network attack recognition is performed on it, which gives higher attack recognition efficiency and higher recognition accuracy. In addition, because the feature information includes a C2 server behavior feature, the apparatus can effectively recognize whether the current network device is under attack from a C2 server, thereby effectively ensuring the security of the network device.
In one embodiment of the present application, the C2 server behavior signature described above may include a malware passback signature.
In an embodiment of the application, the attack recognition apparatus may further include an IP portrait construction module, configured to construct an IP portrait of the target IP using the feature information before determining whether the network device corresponding to the target IP has a network attack according to the feature information; the IP portrait is used for representing a feature label of the network equipment corresponding to the target IP;
accordingly, the network attack recognition module 2 can be specifically used for determining whether a network attack exists on a network device corresponding to a target IP by using an IP portrait.
In an embodiment of the present application, the network attack recognition module 2 may be specifically configured to match feature information with a preset feature library; and if the characteristic information hits the preset characteristic library, determining that the network equipment has network attack.
In an embodiment of the present application, the network attack recognition module 2 may be specifically configured to input the feature information into a pre-trained network recognition model to obtain a recognition result; and determining whether the network equipment corresponding to the target IP has network attack according to the identification result.
In an embodiment of the application, the attack recognition apparatus may further include a white list filtering module, configured to check, before information is collected from the preset port of the target IP, whether the target IP hits a preset white list, and to execute the step of collecting information from the preset port of the target IP and all subsequent steps only when the target IP does not hit the preset white list; the preset white list comprises an IP address white list and/or an IP type white list.
In an embodiment of the present application, the characteristic information may further include C2 server environment information and/or C2 server certificate information and/or C2 server framework information.
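The white list filtering module, the feature-library matching path of the network attack identification module and the IP portrait construction module described above, as one added example that is not the patent's own code. The patent names the feature categories (C2 server behavior, environment, certificate, framework) and the two white list kinds (IP address list, IP type list) but gives no concrete values, so every library entry, feature key, sample value and address below is constructed for the demo.

```python
"""Whitelist filtering, feature-library matching and IP-portrait construction.

Added example, not the patent's own code. The library entries, feature keys, sample
features and addresses are constructed for the demo; the patent names only the feature
categories (behaviour, environment, certificate, framework).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CATEGORIES = ("behavior", "environment", "certificate", "framework")


@dataclass
class Whitelist:
    """Preset white list: an IP address list (addresses or CIDR networks) and/or IP types."""
    addresses: List[str] = field(default_factory=list)
    types: List[str] = field(default_factory=list)   # "loopback", "private", "multicast", "reserved"

    def hits(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(a, strict=False) for a in self.addresses):
            return True
        kind = {"loopback": addr.is_loopback, "private": addr.is_private,
                "multicast": addr.is_multicast, "reserved": addr.is_reserved}
        return any(kind.get(t, False) for t in self.types)


@dataclass
class Features:
    """Feature information collected from one preset port of the target IP."""
    ip: str
    port: int
    behavior: Dict[str, str] = field(default_factory=dict)     # C2 server behaviour features
    environment: Dict[str, str] = field(default_factory=dict)
    certificate: Dict[str, str] = field(default_factory=dict)
    framework: Dict[str, str] = field(default_factory=dict)


# Constructed preset feature library. An entry hits only when every (category, key, value)
# triple it lists is present in the collected features.
FEATURE_LIBRARY: Dict[str, List[Tuple[str, str, str]]] = {
    "demo-c2-framework-A": [("framework", "banner", "demo-c2-A"),
                            ("behavior", "beacon_reply", "malware-passback")],
    "demo-default-cert": [("certificate", "issuer", "CN=demo-default"),
                          ("certificate", "self_signed", "yes")],
}


def match_library(feat: Features, library=FEATURE_LIBRARY) -> List[str]:
    """Return the names of the library entries that the collected features hit."""
    return sorted(name for name, triples in library.items()
                  if all(getattr(feat, cat).get(key) == val for cat, key, val in triples))


def build_portrait(features: List[Features], library=FEATURE_LIBRARY) -> Dict[str, object]:
    """IP portrait: the feature labels of the device, aggregated over all its preset ports."""
    labels = set()
    for f in features:
        labels.update(match_library(f, library))
        labels.update(f"{cat}:{k}={v}" for cat in CATEGORIES for k, v in getattr(f, cat).items())
    ip = features[0].ip if features else ""
    return {"ip": ip, "ports": sorted(f.port for f in features), "labels": sorted(labels)}


def recognise(ip: str, features: List[Features], whitelist: Whitelist) -> Optional[Dict[str, object]]:
    """Pipeline for one target IP: skip whitelisted IPs, else build the portrait and decide.

    Returns None when the IP hits the white list (collection and all later steps are
    skipped); otherwise a verdict listing the library hits that justified it.
    """
    if whitelist.hits(ip):
        return None
    portrait = build_portrait(features)
    hits = sorted({h for f in features for h in match_library(f)})
    return {"ip": ip, "attack": bool(hits), "hits": hits, "portrait": portrait}


# Constructed sample: two preset ports of one target IP, with made-up values.
SAMPLE_FEATURES = [
    Features("203.0.113.10", 443,
             behavior={"beacon_reply": "malware-passback"},
             certificate={"issuer": "CN=demo-default", "self_signed": "yes"},
             framework={"banner": "demo-c2-A"}),
    Features("203.0.113.10", 8080, environment={"server": "demo-http/1.0"}),
]
WHITELIST = Whitelist(addresses=["198.51.100.0/24"], types=["loopback", "multicast"])

if __name__ == "__main__":
    print(recognise("203.0.113.10", SAMPLE_FEATURES, WHITELIST))
```

The white list is evaluated before any collection happens, so a whitelisted target produces no portrait at all, which is the ordering the embodiment specifies. Library entries require all of their triples to match, so a single feature such as a self-signed certificate on its own does not produce a hit; the portrait still records every collected feature as a label, which is what a later model-based recognition path (the other embodiment above) would consume.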
For the introduction of the apparatus provided in the present application, please refer to the above method embodiments, which are not described herein again.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an attack recognition system provided in the present application, where the attack recognition system may include:
a memory for storing a computer program;
a processor, configured to execute the computer program and thereby implement the steps of any of the attack recognition methods described above.
As shown in fig. 3, in order to illustrate the structure of the attack recognition system, the attack recognition system may include: a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 all communicate with each other through a communication bus 13.
In the embodiment of the present application, the processor 10 may be a Central Processing Unit (CPU), an application specific integrated circuit, a digital signal processor, a field programmable gate array or other programmable logic device, etc.
The processor 10 may call a program stored in the memory 11, and in particular, the processor 10 may perform operations in an embodiment of the attack recognition method.
The memory 11 is used for storing one or more programs, the program may include program codes, the program codes include computer operation instructions, in this embodiment, the memory 11 stores at least the program for implementing the following functions:
acquiring information of a preset port of a target IP to obtain characteristic information corresponding to the preset port; wherein the characteristic information comprises C2 server behavior characteristics;
and determining whether the network equipment corresponding to the target IP has network attack or not according to the characteristic information.
In one possible implementation, the memory 11 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created during use.
Further, the memory 11 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device or other non-volatile solid-state storage device.
The communication interface 12 may be an interface of a communication module for connecting with other devices or systems.
Of course, it should be noted that the structure shown in fig. 3 does not constitute a limitation of the attack recognition system in the embodiment of the present application, and in practical applications, the attack recognition system may include more or less components than those shown in fig. 3, or some components may be combined.
The present application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, is capable of implementing the steps of any of the attack recognition methods described above.
The computer-readable storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
For the introduction of the computer-readable storage medium provided in the present application, please refer to the above method embodiments, which are not described herein again.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points may be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, without departing from the principle of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall into the protection scope of the present application.

Claims (10)

1. An attack recognition method, comprising:
acquiring information of a preset port of a target IP to obtain characteristic information corresponding to the preset port; wherein the characteristic information comprises C2 server behavior characteristics;
and determining whether the network equipment corresponding to the target IP has network attack or not according to the characteristic information.
2. The attack recognition method according to claim 1, wherein the C2 server behavior signature comprises a malware passback signature.
3. The attack recognition method according to claim 1, wherein before determining whether the network device corresponding to the target IP has a network attack according to the feature information, the method further comprises:
constructing an IP portrait of the target IP by using the characteristic information; the IP portrait is used for representing a feature label of network equipment corresponding to the target IP;
correspondingly, the determining whether the network device corresponding to the target IP has a network attack according to the feature information includes:
and determining whether the network equipment corresponding to the target IP has network attack or not by using the IP portrait.
4. The attack recognition method according to claim 1, wherein the determining whether the network device corresponding to the target IP has a network attack according to the feature information includes:
matching the characteristic information with a preset characteristic library;
and if the characteristic information hits the preset characteristic library, determining that the network equipment has network attack.
5. The attack recognition method according to claim 1, wherein the determining whether the network device corresponding to the target IP has a network attack according to the feature information includes:
inputting the characteristic information into a pre-trained network recognition model to obtain a recognition result;
and determining whether the network equipment corresponding to the target IP has network attack according to the identification result.
6. The attack recognition method according to any one of claims 1 to 5, wherein before collecting information of the preset port of the target IP, the method further comprises:
when the target IP does not hit a preset white list, executing the step of acquiring information of the preset port of the target IP and all subsequent steps; the preset white list comprises an IP address white list and/or an IP type white list.
7. The attack recognition method according to claim 1, wherein the feature information further includes C2 server environment information and/or C2 server certificate information and/or C2 server framework information.
8. An attack recognition apparatus, comprising:
a characteristic information acquisition module, configured to acquire information of a preset port of a target IP and obtain characteristic information corresponding to the preset port, wherein the characteristic information comprises C2 server behavior characteristics; and
and the network attack identification module is used for determining whether the network equipment corresponding to the target IP has network attack or not according to the characteristic information.
9. An attack recognition system, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the attack recognition method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the attack recognition method according to any one of claims 1 to 7.
CN202111676159.1A 2021-12-31 2021-12-31 Attack identification method and device and related equipment Pending CN114363053A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111676159.1A CN114363053A (en) 2021-12-31 2021-12-31 Attack identification method and device and related equipment

Publications (1)

Publication Number Publication Date
CN114363053A true CN114363053A (en) 2022-04-15

Family

ID=81105836

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111676159.1A Pending CN114363053A (en) 2021-12-31 2021-12-31 Attack identification method and device and related equipment

Country Status (1)

Country Link
CN (1) CN114363053A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150159B (en) * 2022-06-30 2023-11-10 深信服科技股份有限公司 Flow detection method, device, equipment and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9514248B1 (en) * 2015-10-07 2016-12-06 Drawbridge, Inc. System to group internet devices based upon device usage
US20190207973A1 (en) * 2016-11-23 2019-07-04 Tencent Technology (Shenzhen) Company Limited Website attack detection and protection method and system
CN110708292A (en) * 2019-09-11 2020-01-17 光通天下网络科技股份有限公司 IP processing method, device, medium and electronic equipment
WO2020107446A1 (en) * 2018-11-30 2020-06-04 北京比特大陆科技有限公司 Method and apparatus for obtaining attacker information, device, and storage medium
CN111786966A (en) * 2020-06-15 2020-10-16 中国建设银行股份有限公司 Method and device for browsing webpage
CN112217828A (en) * 2020-10-16 2021-01-12 深信服科技股份有限公司 Attack detection method and device, electronic equipment and storage medium
CN113239137A (en) * 2021-05-20 2021-08-10 北京智慧图科技有限责任公司 Method for fingerprint generation and maintenance of Wi-Fi SLAM

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination