CN115883202A - Sequence analysis method, device and equipment for identifying network attack behaviors in real time - Google Patents


Info

Publication number: CN115883202A
Application number: CN202211519542.0A
Authority: CN (China)
Prior art keywords: behavior, time, log, logs, network attack
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 薛洪亮, 张洋
Current assignee: Beijing Abt Networks Co ltd
Original assignee: Beijing Abt Networks Co ltd
Events: application filed by Beijing Abt Networks Co ltd; priority to CN202211519542.0A; publication of CN115883202A; legal status pending (current)

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a sequence analysis method, device and equipment for identifying network attack behaviors in real time. The method comprises the following steps: collecting audit logs in real time and filtering them according to threat response rules to obtain behavior logs; sorting the behavior logs by data time according to a preset sorting rule to obtain time-sequence behavior logs; partitioning the time-sequence behavior logs by the source IP of each behavior log to obtain a plurality of behavior log partitions; and performing sequence analysis on the behavior log partitions with a streaming state engine to determine the network attack behavior. The audit logs are filtered in real time, the behavior logs obtained by filtering are sorted by time, and sequence analysis is finally performed to determine the network attack behaviors, which optimizes time efficiency, increases the matching speed and makes real-time sequence analysis more efficient.

Description

Sequence analysis method, device and equipment for identifying network attack behaviors in real time
Technical Field
The invention relates to the technical field of computer security, in particular to a sequence analysis method, a device and equipment for identifying network attack behaviors in real time.
Background
With the widespread adoption of new-generation IT technologies such as cloud computing and big data across industries, the IT scale and complexity of government and enterprise institutions keep growing, and so does the volume of data such as network traffic and logs. Threat data is mixed into this large amount of network data and endangers the security of government and enterprise networks. The data therefore needs to be screened to obtain the data relevant to threat events and to defend against those events in time.
Existing network security protection mainly relies on traditional security software and hardware such as firewalls, Web Application Firewalls (WAF) and Intrusion Prevention Systems (IPS), which detect network attacks with the feature- and signature-based detection techniques of the security field. The traditional detection workflow cleans a large amount of collected historical log data offline, analyzes the sample log data obtained by cleaning, and finally detects the abnormal logs hidden in the historical log data.
However, this detection mode can only detect known threat events and is powerless against variants of threat events or abnormal traffic. Attacks such as novel trojans, botnets and APTs are carefully planned, highly concealed attacks composed of multiple stages, so they are difficult to detect, and they can spread rapidly among many asset devices over the local area network and cause severe losses.
Disclosure of Invention
In view of this, it is necessary to provide a sequence analysis method, apparatus and device for identifying a network attack behavior in real time, so as to solve the problems in the prior art that a new network attack has high concealment, multiple attack stages, low detection efficiency and high detection difficulty.
In order to achieve the technical purpose, the invention adopts the following technical scheme:
In a first aspect, the present invention provides a sequence analysis method for identifying network attack behaviors in real time, including:
collecting audit logs in real time, and filtering the audit logs according to threat response rules to obtain behavior logs;
based on a preset sorting rule, sorting the behavior logs according to data time to obtain time sequence behavior logs;
partitioning the time sequence behavior logs according to the source IP of the behavior logs to obtain a plurality of behavior log partitions;
and based on the streaming state engine, performing sequence analysis on the behavior log partitions to determine the network attack behavior.
Preferably, the collecting the audit logs in real time, and filtering the audit logs according to the threat response rule to obtain the behavior logs comprises:
establishing a threat response rule according to a threat information library;
and sending the real-time collected audit logs to a threat response rule for filtering to obtain behavior logs.
Preferably, the threat response rule includes a first log filter rule, a second log filter rule and a third log filter rule, and sending the real-time collected audit logs to the threat response rule for filtering to obtain behavior logs includes:
filtering the first type log according to a first log filtering rule to obtain a behavior log of the first type log;
filtering the second type of log according to a second log filtering rule to obtain a behavior log of the second type of log;
and filtering the third type log according to a third log filtering rule to obtain a behavior log of the third type log.
Preferably, based on a preset sorting rule, the behavior logs are sorted according to data time to obtain a time sequence behavior log, including:
dividing the behavior log into a plurality of time windows of the behavior log according to a preset time boundary;
comparing tail time of the time window to determine a sequencing time slot node;
and sequencing the behavior logs according to the time window according to the sequencing time slot node to obtain a time sequence behavior log.
Preferably, comparing the tail time of the time window to determine the sequencing time slot node includes:
when the data generation time is later than the tail time of the corresponding time window, setting the tail time of that time window as the sequencing time slot node.
Preferably, based on the streaming state engine, performing sequence analysis on a plurality of behavior log partitions to determine the network attack behavior, including:
parsing the data of each behavior log partition with the stream state engine to obtain the bytecode of an abstract syntax tree;
matching characters and character strings according to the abstract syntax tree bytecode with a regular expression engine to obtain the state information of the regular expression engine;
and determining the occurrence sequence and the occurrence times of the network attack behaviors according to the state information.
Preferably, matching the characters and character strings according to the abstract syntax tree bytecode with the regular expression engine to obtain the state information of the regular expression engine includes:
when the occurrence-order state of the data of a behavior log partition is undetermined, determining the order state of the data with a first regular expression engine;
once the occurrence-order state of the data of the behavior log partition has been determined, determining the number of occurrences with a second regular expression engine.
In a second aspect, the present invention further provides a sequence analysis apparatus for identifying network attack behaviors in real time, including:
the filtering module is used for collecting the audit logs in real time and filtering the audit logs according to the threat response rule to obtain behavior logs;
the sequencing module is used for sequencing the behavior logs according to data time based on a preset sequencing rule to obtain a time sequence behavior log;
the partitioning module is used for partitioning the time sequence behavior logs according to the source IP of the behavior logs to obtain a plurality of behavior log partitions;
and the analysis module is used for performing sequence analysis on the behavior log partitions based on the streaming state engine to determine the network attack behavior.
In a third aspect, the present invention also provides an electronic device comprising a memory and a processor, wherein,
a memory for storing a program;
and the processor is coupled with the memory and used for executing the program stored in the memory so as to realize the steps in the sequence analysis method for identifying the network attack behaviors in real time in any one implementation mode.
In a fourth aspect, the present invention further provides a computer-readable storage medium, configured to store a computer-readable program or instruction, where the program or instruction, when executed by a processor, can implement the steps in the sequence analysis method for identifying a network attack behavior in real time in any one of the above-mentioned implementation manners.
The beneficial effects of the above embodiments are as follows. The method collects audit logs in real time and filters them according to threat response rules to obtain behavior logs; sorts the behavior logs by data time according to a preset sorting rule to obtain a time-sequence behavior log; partitions the time-sequence behavior log by the source IP of each behavior log to obtain a plurality of behavior log partitions; and performs sequence analysis on the partitions with a streaming state engine to determine the network attack behavior. Because the audit logs are filtered in real time, the logs produced by each stage of a network attack can be analyzed; sorting the filtered behavior logs by time determines the order in which the attack behaviors occurred; and the final sequence analysis determines the network attack behavior. This optimizes the time efficiency of network attack detection, increases the matching speed, improves the efficiency of real-time sequence analysis, and allows network attack behaviors to be discovered in time.
Drawings
Fig. 1 is a schematic flowchart of an embodiment of a sequence analysis method for identifying network attack behaviors in real time according to the present invention;
FIG. 2 is a flowchart illustrating an embodiment of step S102 in FIG. 1;
FIG. 3 is a flowchart illustrating an embodiment of step S104 in FIG. 1;
fig. 4 is a schematic structural diagram of an embodiment of a sequence analysis apparatus for identifying network attack behaviors in real time according to the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate preferred embodiments of the invention and together with the description, serve to explain the principles of the invention and not to limit the scope of the invention.
In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein may be combined with other embodiments.
The invention provides a sequence analysis method, a device and equipment for identifying network attack behaviors in real time, which are respectively explained below.
Referring to fig. 1, fig. 1 is a schematic flowchart of an embodiment of a sequence analysis method for identifying network attack behaviors in real time according to the present invention, and an embodiment of the present invention discloses a sequence analysis method for identifying network attack behaviors in real time, including:
S101, collecting audit logs in real time, and filtering the audit logs according to threat response rules to obtain behavior logs;
S102, based on a preset sorting rule, sorting the behavior logs according to data time to obtain time sequence behavior logs;
S103, partitioning the time sequence behavior logs according to the source IP of the behavior logs to obtain a plurality of behavior log partitions;
and S104, performing sequence analysis on the behavior log partitions based on the streaming state engine to determine the network attack behavior.
In the above embodiment, when a user uses network applications and services, traces are left in the system; the audit log is one of those traces. Attack behavior appears as abnormal behavior logs among the logs of the various assets and devices, so the abnormal behavior logs of a network attack can be found through the audit logs.
The behavior logs filtered in real time need to be merged onto the same timeline. Merging them directly turns data that was originally in order into out-of-order data; a window cannot be built over data that is already out of order, and out-of-order data older than the window is lost. The behavior logs obtained by filtering therefore need to be sorted by time.
The time-sequence behavior log obtained by time sorting is the sorted data. In the scenario considered, once the initially attacked host has been compromised it becomes an attack source within the intranet and spreads to other host assets. From this an attack characteristic follows: the same attack event initially originates from the same host IP. All data related to a given attack event can therefore be focused quickly within a mass of logs through the attack source IP, and the traced behavior in the data can be restored into a complete attack behavior.
The data needs to be grouped by source IP because attack behavior spreading across multiple intranet hosts may occur within a 5-minute window. The grouping algorithm aggregates the data in the window by source IP, dividing it into data partitions: the same source IP means the records come from the same compromised host launching one or more intranet-spreading attacks on other hosts, while different source IPs in different data partitions represent attack events produced by different attack sources. The advantages are that the attack source can be located more clearly when an attack event is traced, handling can be automated, and the spreading risk can be intercepted in real time.
Sequence analysis is performed on the behavior log partitions by the streaming state engine to determine the order and number of the network attack behaviors, that is, the course of the network attack.
Compared with the prior art, the sequence analysis method for identifying network attack behavior in real time provided by this embodiment collects audit logs in real time and filters them according to threat response rules to obtain behavior logs; sorts the behavior logs by data time according to a preset sorting rule to obtain a time-sequence behavior log; partitions the time-sequence behavior logs by the source IP of each behavior log to obtain a plurality of behavior log partitions; and performs sequence analysis on the partitions with a streaming state engine to determine the network attack behavior. The audit logs are filtered in real time, so the logs produced by each stage of a network attack can be analyzed; the filtered behavior logs are sorted by time, which determines the order in which the attack behaviors occurred; and sequence analysis is finally performed to determine the network attack behavior. This optimizes the time efficiency of network attack detection, increases the matching speed, improves real-time sequence analysis efficiency, and allows network attack behaviors to be discovered in time.
In some embodiments of the present invention, collecting the audit log in real time, and filtering the audit log according to the threat response rule to obtain the behavior log includes:
establishing a threat response rule according to a threat intelligence library;
and sending the real-time collected audit logs to a threat response rule for filtering to obtain behavior logs.
In the above embodiments, threat intelligence is evidence-based knowledge about a threat or hazard facing an asset, including context, mechanisms, indicators, implications and actionable advice; it provides information support for the party responsible for the asset when responding to the threat or hazard or making handling decisions. A threat intelligence library is a database built from threat intelligence; many open-source threat intelligence libraries exist on the internet and can be used directly.
In some embodiments of the invention, the threat response rule includes a first log filter rule, a second log filter rule and a third log filter rule, and sending the real-time collected audit logs to the threat response rule for filtering to obtain behavior logs includes:
filtering the first type log according to a first log filtering rule to obtain a behavior log of the first type log;
filtering the second type log according to a second log filtering rule to obtain a behavior log of the second type log;
and filtering the third type of log according to a third log filtering rule to obtain a behavior log of the third type of log.
In the above embodiment, the first log filtering rule finds logs of DNS type whose domain name is a blacklisted domain (host) listed in the threat intelligence; the second log filtering rule finds host logs whose task field matches the data of the mssesvc 2; and the third log filtering rule finds TCP flow logs whose port matches a common high-risk port. It will be appreciated that the first type of log is the DNS log, the second type is the host log, and the third type is the TCP traffic log.
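The three per-type filter rules above, written out as an added example in Python (this is not code from the patent or from Beijing Abt Networks). The blacklisted domains, the flagged task name and the high-risk port set are constructed placeholders standing in for entries of a threat intelligence library; the record layout (`type`, `domain`, `task`, `dst_port`) is assumed. The point the code makes explicit is that each audit log is routed to exactly one rule by its log type, and a log of a type with no rule is dropped rather than passed through as a behavior log.

```python
"""Added example: three rule-based filters over constructed audit-log records.
Not code from the patent; rule contents are placeholders, not real indicators."""
from typing import Callable, Dict, Iterable, Iterator, List

Record = Dict[str, object]

# Constructed stand-ins for a threat-intelligence library (placeholders only).
BLACKLISTED_DOMAINS = {"bad-domain.example", "c2-domain.example"}
SUSPICIOUS_TASK_NAMES = {"suspicious-task-placeholder"}   # placeholder for the flagged task name
HIGH_RISK_PORTS = {445, 3389, 4444}                        # constructed sample of "common high-risk ports"


def first_rule_dns(r: Record) -> bool:
    """First log filter rule: a DNS log whose queried domain is blacklisted."""
    return r.get("type") == "dns" and str(r.get("domain", "")).lower() in BLACKLISTED_DOMAINS


def second_rule_host(r: Record) -> bool:
    """Second log filter rule: a host log whose task field matches a flagged task name."""
    return r.get("type") == "host" and r.get("task") in SUSPICIOUS_TASK_NAMES


def third_rule_tcp(r: Record) -> bool:
    """Third log filter rule: a TCP flow log whose destination port is high-risk."""
    return r.get("type") == "tcp" and r.get("dst_port") in HIGH_RISK_PORTS


# One rule per log type; the log type selects the rule.
RULES: Dict[str, Callable[[Record], bool]] = {
    "dns": first_rule_dns,
    "host": second_rule_host,
    "tcp": third_rule_tcp,
}


def filter_audit_logs(records: Iterable[Record]) -> Iterator[Record]:
    """Route each audit log to the rule for its type and yield the matches as behavior logs.
    Logs of a type that has no rule are dropped, not passed through."""
    for r in records:
        rule = RULES.get(str(r.get("type")))
        if rule is not None and rule(r):
            yield r


# Constructed audit logs (ts in seconds; addresses from documentation ranges).
SAMPLE_AUDIT_LOGS: List[Record] = [
    {"ts": 1, "type": "dns", "src_ip": "192.0.2.10", "domain": "bad-domain.example"},
    {"ts": 2, "type": "dns", "src_ip": "192.0.2.10", "domain": "www.example.org"},
    {"ts": 3, "type": "host", "src_ip": "192.0.2.10", "task": "suspicious-task-placeholder"},
    {"ts": 4, "type": "host", "src_ip": "192.0.2.11", "task": "backup-job"},
    {"ts": 5, "type": "tcp", "src_ip": "192.0.2.10", "dst_ip": "192.0.2.20", "dst_port": 445},
    {"ts": 6, "type": "tcp", "src_ip": "192.0.2.11", "dst_ip": "192.0.2.20", "dst_port": 443},
    {"ts": 7, "type": "syslog", "src_ip": "192.0.2.12", "msg": "no rule exists for this type"},
]


def behavior_logs_from_sample() -> List[Record]:
    """Run the filter over the constructed sample and return the behavior logs."""
    return list(filter_audit_logs(SAMPLE_AUDIT_LOGS))


if __name__ == "__main__":
    for log in behavior_logs_from_sample():
        print(log)
```

Of the seven constructed records only three survive: the blacklisted DNS query, the host log with the flagged task, and the TCP flow to port 445. The rule functions are pure predicates, so swapping the placeholder sets for a real threat intelligence feed changes data, not control flow.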
Referring to fig. 2, fig. 2 is a flowchart illustrating an embodiment of step S102 in fig. 1, in some embodiments of the present invention, sorting behavior logs according to data time based on a preset sorting rule to obtain a time-sequence behavior log, including:
s201, dividing the behavior logs into a plurality of time windows of the behavior logs according to a preset time boundary;
s202, comparing tail time of a time window to determine a sequencing time slot node;
s203, sequencing the behavior logs according to the time window according to the sequencing time slot node to obtain a time sequence behavior log.
In the above embodiment, the preset time boundary is 10 seconds: the filtered behavior log is divided with 10 seconds as the boundary, so that the behavior logs fall into time slots of data, that is, time windows, and log sorting is performed through the time windows.
The behavior log is divided on 10-second boundaries, so each time window holds 10 seconds of data, and the tail time of the time window is used to judge whether the time is in sequence, thereby determining the sequencing time slot node.
Once arriving data is found to be out of order with respect to the existing time slot nodes, the position of the time slot node can be located directly when the out-of-order event is inserted, and the sorted data is output when the event time of a record is newer than the tail time of the time window.
In some embodiments of the invention, comparing the tail times of the time windows to determine the sequencing time slot nodes includes:
when the data generation time is later than the tail time of the corresponding time window, setting the tail time of that time window as the sequencing time slot node.
In the above embodiment, each record has an occurrence time, namely the time at which the data was generated; if that time does not fall within the window's time range, that is, the data occurrence time is later than the tail time of the corresponding time window, the tail time of that time window is defined as the sequencing time slot node.
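The window-based sorting of steps S201 to S203 as an added Python example (not the patent's code). It uses the page's 10-second boundary: records are bucketed by window start, a window's tail time becomes a sequencing time slot node when an arriving record's event time is newer than that tail, and the window is then sorted and emitted. The example also makes the failure mode the page mentions visible: a record older than a tail that has already been emitted can no longer be placed in order, so it is set aside as late instead of being silently dropped. The record layout (`ts` in seconds) is assumed.

```python
"""Added example: time-window sorter with a 10-second preset boundary. Not the patent's code."""
from typing import Dict, List, Tuple

Record = Dict[str, object]
WINDOW_SECONDS = 10  # the page's preset time boundary


class TimeWindowSorter:
    """Buffers behavior logs in fixed windows keyed by window start time.
    A window's tail time becomes a sequencing time slot node as soon as an arriving
    record's event time is newer than that tail; the window is then sorted and emitted.
    Records older than an already-emitted tail are late and are set aside, because
    emitting them now would break the time order already produced."""

    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        self.pending: Dict[int, List[Record]] = {}   # window start -> records
        self.emitted_tail: int = -1                   # tail time of the newest emitted window
        self.late: List[Record] = []

    def _window_start(self, ts: int) -> int:
        return (ts // self.window) * self.window

    def push(self, record: Record) -> List[Record]:
        """Insert one record; return any windows that became complete, in time order."""
        ts = int(record["ts"])
        if ts < self.emitted_tail:
            self.late.append(record)
            return []
        self.pending.setdefault(self._window_start(ts), []).append(record)
        out: List[Record] = []
        for start in sorted(self.pending):
            tail = start + self.window
            if ts > tail:                 # newer than this window's tail: tail is a sequencing node
                out.extend(self._emit(start, tail))
        return out

    def flush(self) -> List[Record]:
        """Emit everything still pending, oldest window first (end of stream)."""
        out: List[Record] = []
        for start in sorted(self.pending):
            out.extend(self._emit(start, start + self.window))
        return out

    def _emit(self, start: int, tail: int) -> List[Record]:
        self.emitted_tail = tail
        return sorted(self.pending.pop(start), key=lambda r: int(r["ts"]))


# Constructed arrival order, deliberately out of order; ts in seconds.
SAMPLE_ARRIVALS: List[Record] = [{"ts": t} for t in (3, 1, 7, 12, 5, 18, 14, 21, 2, 33)]


def sort_sample() -> Tuple[List[int], List[int]]:
    """Return (event times in emitted order, event times set aside as late)."""
    sorter = TimeWindowSorter()
    ordered: List[Record] = []
    for rec in SAMPLE_ARRIVALS:
        ordered.extend(sorter.push(rec))
    ordered.extend(sorter.flush())
    return [int(r["ts"]) for r in ordered], [int(r["ts"]) for r in sorter.late]


if __name__ == "__main__":
    print(sort_sample())
```

With the constructed arrivals, the window [0, 10) is emitted as 1, 3, 7 the moment the record at 12 arrives, and the records at 5 and 2 that show up afterwards are late because their window's tail has already been used as a sequencing node; 14 arriving after 18 is still fine, since window [10, 20) is only emitted when 21 arrives. Counting the late list is a cheap health check for how much disorder a deployment actually sees.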
Referring to fig. 3, fig. 3 is a flowchart illustrating an embodiment of step S104 in fig. 1, in some embodiments of the present invention, determining network attack behavior by performing sequence analysis on a plurality of behavior log partitions based on a streaming state engine, including:
s301, analyzing the data of each behavior log partition through a stream state engine to obtain a code byte code of an abstract syntax tree;
s302, matching the characters and the character strings according to the code byte codes of the abstract syntax tree based on the regular expression engine to obtain state information of the regular expression engine;
s303, determining the occurrence sequence and the occurrence frequency of the network attack behavior according to the state information.
In the above embodiment, the data of each behavior log partition is parsed by the event processing statements of the streaming state engine so that the program can execute the expression statements; parsing yields the bytecode of an abstract syntax tree, and a regular expression engine (NFA/DFA) is then used directly to match the characters and character strings and their number of occurrences.
The regular expression engine determines the sequential data state range from the abstract syntax tree bytecode and, once that range is determined, sends a state body set for the corresponding number of times, so that the number of network attack behaviors can subsequently be determined.
When the state information of the two regular expression engines simultaneously satisfies the occurrence order and the occurrence count, the match succeeds, that is, the occurrence order and the number of occurrences of the network attack behavior are determined.
In some embodiments of the present invention, matching the characters and character strings according to the abstract syntax tree bytecode with the regular expression engine to obtain the state information of the regular expression engine includes:
when the occurrence-order state of the data of a behavior log partition is undetermined, determining the order state of the data with a first regular expression engine;
once the occurrence-order state of the data of the behavior log partition has been determined, determining the number of occurrences with a second regular expression engine.
In the above embodiment, the first regular expression engine is an NFA engine and the second is a DFA engine. The NFA engine is used to determine the sequential data state range while it is not yet known which data, in which possible sequential state, will be the next data to analyze; after the finite state data is determined, the DFA engine uses the sequence of the group as the transmission medium to a state body set for the corresponding number of times, so as to determine the number of occurrences.
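The source-IP partitioning described for step S103 (a 5-minute window, one partition per source IP) and the two-phase sequence analysis of steps S301 to S303, combined into one added Python example; this is not the patent's code, and it replaces the NFA/DFA regular expression engines with a small hand-written automaton that does the same two jobs in sequence. Phase one advances through an ordered list of stage types until the order is established; phase two counts further occurrences of the final stage. The stage order `dns, host, tcp`, the repeat threshold and the record layout (`ts`, `src_ip`, `type`) are constructed assumptions.

```python
"""Added example: source-IP partitioning plus a two-phase (order, then count) sequence matcher.
Not the patent's code; stage names, threshold and records are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, object]
PartitionKey = Tuple[int, str]             # (window start, source IP)
PARTITION_WINDOW = 300                     # seconds; the page's 5-minute window

# Constructed multi-stage pattern: the stage types expected in this order.
ATTACK_SEQUENCE: Tuple[str, ...] = ("dns", "host", "tcp")
REPEAT_THRESHOLD = 2                       # constructed: minimum occurrences of the final stage


def partition_by_source_ip(logs: Iterable[Record], window: int = PARTITION_WINDOW) -> Dict[PartitionKey, List[Record]]:
    """Group time-ordered behavior logs by (window start, source IP), so each partition
    holds one source host's activity within one window."""
    parts: Dict[PartitionKey, List[Record]] = defaultdict(list)
    for r in logs:
        key = ((int(r["ts"]) // window) * window, str(r["src_ip"]))
        parts[key].append(r)
    return dict(parts)


class SequenceState:
    """Phase 1 (order undetermined): advance one stage each time the next expected log
    type appears; records of other types are skipped, not rejected.
    Phase 2 (order determined): count further records of the final stage.
    A partition matches only when the order is complete and the count reaches the threshold."""

    def __init__(self, sequence: Tuple[str, ...] = ATTACK_SEQUENCE, threshold: int = REPEAT_THRESHOLD) -> None:
        self.sequence = sequence
        self.threshold = threshold
        self.position = 0      # index of the next expected stage
        self.count = 0         # occurrences of the final stage once the order is complete

    @property
    def order_complete(self) -> bool:
        return self.position == len(self.sequence)

    def feed(self, record: Record) -> None:
        kind = record.get("type")
        if not self.order_complete:
            if kind == self.sequence[self.position]:
                self.position += 1
                if self.order_complete:
                    self.count = 1     # the record completing the order is the first occurrence
        elif kind == self.sequence[-1]:
            self.count += 1

    def result(self) -> Dict[str, object]:
        return {
            "order_complete": self.order_complete,
            "count": self.count,
            "matched": self.order_complete and self.count >= self.threshold,
        }


def analyze_partitions(parts: Dict[PartitionKey, List[Record]]) -> Dict[PartitionKey, Dict[str, object]]:
    """Run one SequenceState per partition over its records in time order."""
    results: Dict[PartitionKey, Dict[str, object]] = {}
    for key, records in parts.items():
        state = SequenceState()
        for r in sorted(records, key=lambda rec: int(rec["ts"])):
            state.feed(r)
        results[key] = state.result()
    return results


# Constructed, already time-sorted behavior logs from two source hosts.
SAMPLE_BEHAVIOR_LOGS: List[Record] = [
    {"ts": 10, "src_ip": "192.0.2.10", "type": "dns"},
    {"ts": 20, "src_ip": "192.0.2.11", "type": "tcp"},
    {"ts": 30, "src_ip": "192.0.2.10", "type": "host"},
    {"ts": 40, "src_ip": "192.0.2.11", "type": "dns"},
    {"ts": 50, "src_ip": "192.0.2.10", "type": "tcp"},
    {"ts": 60, "src_ip": "192.0.2.10", "type": "tcp"},
    {"ts": 70, "src_ip": "192.0.2.10", "type": "tcp"},
    {"ts": 310, "src_ip": "192.0.2.10", "type": "host"},   # next 5-minute window
]


def analyze_sample() -> Dict[PartitionKey, Dict[str, object]]:
    return analyze_partitions(partition_by_source_ip(SAMPLE_BEHAVIOR_LOGS))


if __name__ == "__main__":
    for key, res in analyze_sample().items():
        print(key, res)
```

Host 192.0.2.10 in the first window completes the order and then repeats the final stage twice more, so it matches; 192.0.2.11 produced a `tcp` before its `dns`, so the automaton never passes the first stage and the partition does not match even though both types are present; the lone `host` record at 310 s lands in a separate partition and matches nothing. Keying partitions by window as well as source IP is what keeps a host's later activity from being conflated with an earlier event.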
In order to better implement the sequence analysis method for identifying the network attack behavior in real time in the embodiment of the present invention, on the basis of the sequence analysis method for identifying the network attack behavior in real time, correspondingly, please refer to fig. 4, where fig. 4 is a schematic structural diagram of an embodiment of the sequence analysis device for identifying the network attack behavior in real time provided by the present invention, and a sequence analysis device 400 for identifying the network attack behavior in real time is provided in the embodiment of the present invention, and includes:
the filtering module 410 is used for collecting the audit logs in real time and filtering the audit logs according to the threat response rule to obtain behavior logs;
the sorting module 420 is configured to sort the behavior logs according to data time based on a preset sorting rule, so as to obtain a time sequence behavior log;
the partitioning module 430 is configured to partition the time sequence behavior log according to a source IP of the behavior log to obtain a plurality of behavior log partitions;
and the analysis module 440 is configured to perform sequence analysis on the plurality of behavior log partitions based on the streaming state engine to determine a network attack behavior.
Here, it should be noted that: the apparatus 400 provided in the foregoing embodiments may implement the technical solutions described in the foregoing method embodiments, and the specific implementation principles of the modules or units may refer to the corresponding contents in the foregoing method embodiments, which are not described herein again.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. Based on the sequence analysis method for identifying network attack behavior in real time, the invention correspondingly provides sequence analysis equipment for identifying network attack behavior in real time, which may be a computing device such as a mobile terminal, desktop computer, notebook computer, handheld computer or server. The sequence analysis device for real-time identification of network attack behavior comprises a processor 510, a memory 520 and a display 530. Fig. 5 shows only some of the components of the electronic device; it is to be understood that not all of the components shown are required, and that more or fewer components may be implemented instead.
The storage 520 may be an internal storage unit of the sequence analysis apparatus for identifying the cyber attack behavior in real time in some embodiments, for example, a hard disk or a memory of the sequence analysis apparatus for identifying the cyber attack behavior in real time. The memory 520 may also be an external storage device of the sequential analysis device for real-time identification of the cyber attack behavior in other embodiments, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, provided on the sequential analysis device for real-time identification of the cyber attack behavior. Further, the memory 520 may also include both an internal storage unit of the sequence analysis device that recognizes the network attack behavior in real time and an external storage device. The memory 520 is used for storing application software installed in the sequence analysis device for identifying the network attack behavior in real time and various data, such as program codes installed in the sequence analysis device for identifying the network attack behavior in real time. The memory 520 may also be used to temporarily store data that has been output or is to be output. In an embodiment, the memory 520 stores a sequence analysis program 540 for identifying the cyber attack behavior in real time, and the sequence analysis program 540 for identifying the cyber attack behavior in real time can be executed by the processor 510, so as to implement the sequence analysis method for identifying the cyber attack behavior in real time according to the embodiments of the present application.
Processor 510 may be, in some embodiments, a Central Processing Unit (CPU), a microprocessor or other data Processing chip for executing program code stored in memory 520 or Processing data, such as performing a sequence analysis method for identifying network attack behavior in real time.
The display 530 may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, and the like in some embodiments. The display 530 is used to display information of the sequence analysis apparatus for identifying the network attack behavior in real time and to display a visualized user interface. The components 510-530 of the sequence analysis device that recognize network attack behavior in real time communicate with each other over a system bus.
In an embodiment, the steps in the above sequence analysis method for identifying cyber attack behaviors in real time are implemented when the processor 510 executes the sequence analysis program 540 for identifying cyber attack behaviors in real time in the memory 520.
The present embodiment also provides a computer-readable storage medium, on which a sequence analysis program for identifying network attack behaviors in real time is stored, and when executed by a processor, the sequence analysis program for identifying network attack behaviors in real time implements the following steps:
collecting audit logs in real time, and filtering the audit logs according to threat response rules to obtain behavior logs;
based on a preset sorting rule, sorting the behavior logs according to data time to obtain time sequence behavior logs;
partitioning the time sequence behavior logs according to the source IP of the behavior logs to obtain a plurality of behavior log partitions;
and based on the streaming state engine, performing sequence analysis on the behavior log partitions to determine the network attack behavior.
In summary, the sequence analysis method, apparatus and device for identifying network attack behaviors in real time provided by this embodiment comprise: collecting audit logs in real time and filtering them according to threat response rules to obtain behavior logs; sorting the behavior logs by data time according to a preset sorting rule to obtain a time sequence behavior log; partitioning the time sequence behavior log by the source IP of the behavior logs to obtain a plurality of behavior log partitions; and performing sequence analysis on the behavior log partitions with the streaming state engine to determine the network attack behavior. The audit logs are filtered in real time so that the logs produced by each stage of a network attack are isolated; the behavior logs obtained by filtering are then placed in time order, which fixes the order in which the attack behaviors occurred; finally the sequence analysis determines the network attack behavior. This optimizes the time efficiency of detecting network attack behaviors, increases the matching speed, improves the efficiency of real-time sequence analysis and allows network attack behaviors to be discovered in time.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.

Claims (10)

1. A sequence analysis method for identifying network attack behaviors in real time is characterized by comprising the following steps:
collecting audit logs in real time, and filtering the audit logs according to threat response rules to obtain behavior logs;
based on a preset sorting rule, sorting the behavior logs according to data time to obtain a time sequence behavior log;
partitioning the time sequence behavior logs according to the source IP of the behavior logs to obtain a plurality of behavior log partitions;
and based on the streaming state engine, performing sequence analysis on the behavior log partitions to determine the network attack behavior.
2. The sequence analysis method for identifying network attack behaviors in real time according to claim 1, wherein the collecting audit logs in real time and filtering the audit logs according to threat response rules to obtain behavior logs comprises:
establishing a threat response rule according to a threat information library;
and sending the real-time collected audit logs to the threat response rule for filtering to obtain behavior logs.
3. The sequence analysis method for identifying network attack behaviors in real time according to claim 2, wherein the threat response rule includes a first log filter rule, a second log filter rule and a third log filter rule; the sending the real-time collected audit logs to the threat response rule for filtering to obtain behavior logs comprises the following steps:
filtering the first type log according to the first log filtering rule to obtain a behavior log of the first type log;
filtering the second type log according to the second log filtering rule to obtain a behavior log of the second type log;
and filtering the third type log according to the third log filtering rule to obtain a behavior log of the third type log.
4. The sequence analysis method for identifying the network attack behavior in real time according to claim 1, wherein the step of sorting the behavior logs according to data time based on a preset sorting rule to obtain a time sequence behavior log comprises the steps of:
dividing the behavior log into a plurality of time windows of the behavior log according to a preset time boundary;
comparing tail time of the time window to determine a sequencing time slot node;
and sequencing the behavior logs according to the time window according to the sequencing time slot node to obtain a time sequence behavior log.
5. The sequence analysis method for identifying network attack behaviors in real time according to claim 4, wherein the comparing the tail time of the time window to determine the sequencing time slot node comprises:
and when the data generation time is later than the tail time of the corresponding time window, setting the tail time of the corresponding time window as the sequencing time slot node.
6. The sequence analysis method for identifying network attack behaviors in real time according to claim 1, wherein the determining the network attack behavior by performing the sequence analysis on the behavior log partitions based on the streaming state engine comprises:
analyzing the data of each behavior log partition through a streaming state engine to obtain a code byte code of an abstract syntax tree;
based on the regular expression engine, completing the matching of characters and character strings according to the code byte codes of the abstract syntax tree to obtain the state information of the regular expression engine;
and determining the occurrence sequence and the occurrence frequency of the network attack behavior according to the state information.
7. The sequence analysis method for identifying network attack behaviors in real time according to claim 1, wherein the obtaining of the state information of the regular expression engine by completing the matching of the characters and the character strings according to the code byte codes of the abstract syntax tree based on the regular expression engine comprises:
when the occurrence sequence state of the data of the behavior log partition is uncertain, determining the sequence state of the data through a first regular expression engine;
and when the occurrence sequence state of the data of the behavior log partition is determined, determining the number of occurrences through a second regular expression engine.
8. A sequence analysis device for identifying network attack behaviors in real time is characterized by comprising:
the filtering module is used for collecting the audit logs in real time and filtering the audit logs according to threat response rules to obtain behavior logs;
the sequencing module is used for sequencing the behavior logs according to data time based on a preset sequencing rule to obtain a time sequence behavior log;
the partitioning module is used for partitioning the time sequence behavior logs according to the source IP of the behavior logs to obtain a plurality of behavior log partitions;
and the analysis module is used for carrying out sequence analysis on the plurality of behavior log partitions based on the streaming state engine to determine the network attack behavior.
9. An electronic device comprising a memory and a processor, wherein,
the memory is used for storing programs;
the processor, coupled to the memory, is configured to execute the program stored in the memory to implement the steps in the sequence analysis method for identifying network attack behaviors in real time according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer-readable program or instructions, which when executed by a processor, implement the steps of the sequence analysis method for identifying network attack behavior in real time according to any one of claims 1 to 7.
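The pipeline of claims 1 to 7 (and of the method steps in the description above), as an added worked example that is not part of the patent: audit logs are filtered with threat response rules, sorted into time windows that are flushed once a log later than the window's tail time arrives, partitioned by source IP, and fed to a per-partition state machine that stands in for the streaming state engine and determines both the order and the number of occurrences of attack stages. The sample logs, the three threat rules and the three-stage attack sequence are constructed for illustration, and the patent's abstract syntax tree bytecode and dual regular expression engines are simplified to plain `re` patterns and a stage index.

```python
import re
from collections import defaultdict
# Constructed sample audit logs (not from the patent): (event time, source IP, message), arriving out of order.
AUDIT_LOGS = [
    (3, "10.0.0.5", "login failed for root"), (1, "10.0.0.5", "port scan detected"),
    (2, "10.0.0.9", "heartbeat ok"), (5, "10.0.0.5", "login failed for root"),
    (4, "10.0.0.9", "login failed for guest"), (6, "10.0.0.5", "new admin account created"),
    (7, "10.0.0.9", "heartbeat ok"),
]
# Hypothetical threat response rules: message pattern -> attack stage (patterns here are mutually exclusive).
THREAT_RULES = [(re.compile(r"port scan"), "recon"),
                (re.compile(r"login failed"), "bruteforce"),
                (re.compile(r"admin account created"), "escalation")]
ATTACK_STAGES = ("recon", "bruteforce", "escalation")  # order the attack sequence must follow

def filter_logs(audit_logs):
    """Filter step: drop logs matching no rule; tag the rest with the stage the rule names."""
    return [(ts, ip, stage) for ts, ip, msg in audit_logs
            for pat, stage in THREAT_RULES if pat.search(msg)]

def windowed_sort(behavior_logs, window=3):
    """Sort step: bucket logs into windows [k, k+window); a window is flushed in time order
    as soon as a log later than its tail time arrives (the tail time is the sequencing slot node)."""
    pending, ordered = defaultdict(list), []
    for log in behavior_logs:
        pending[log[0] - log[0] % window].append(log)
        for start in sorted(k for k in pending if log[0] > k + window - 1):
            ordered.extend(sorted(pending.pop(start)))
    for start in sorted(pending):  # end of stream: flush the windows still open
        ordered.extend(sorted(pending.pop(start)))
    return ordered

def analyze_partition(logs):
    """Sequence step: a small state machine stands in for the streaming state engine. The state is the
    index of the next expected stage; only that stage advances it, and logs of reached stages are counted."""
    state, counts = 0, dict.fromkeys(ATTACK_STAGES, 0)
    for _, _, stage in logs:
        idx = ATTACK_STAGES.index(stage)
        if idx == state:
            state += 1
        if idx < state:
            counts[stage] += 1
    return {"attack": state == len(ATTACK_STAGES), "counts": counts}

def detect(audit_logs):
    """Pipeline: filter -> windowed time sort -> partition by source IP -> sequence analysis per partition."""
    partitions = defaultdict(list)
    for log in windowed_sort(filter_logs(audit_logs)):
        partitions[log[1]].append(log)
    return {ip: analyze_partition(logs) for ip, logs in partitions.items()}
```

For the constructed input, 10.0.0.5 completes recon, two brute-force attempts and escalation in order and is flagged, while 10.0.0.9 only shows a failed login with no preceding reconnaissance and is not.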
Priority Applications (1)

Application Number: CN202211519542.0A; Priority Date: 2022-11-30; Filing Date: 2022-11-30; Title: Sequence analysis method, device and equipment for identifying network attack behaviors in real time; Status: Pending

Publications (1)

Publication Number Publication Date
CN115883202A true CN115883202A (en) 2023-03-31

Family

ID=85764934

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination