WO2020107446A1 - Method and apparatus for obtaining attacker information, device, and storage medium - Google Patents


Info

Publication number
WO2020107446A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
attacker
virtual network
target
collected
Prior art date
Application number
PCT/CN2018/118691
Other languages
French (fr)
Chinese (zh)
Inventor
郝志向
Original Assignee
北京比特大陆科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京比特大陆科技有限公司
Priority to CN201880098313.1A
Priority to PCT/CN2018/118691
Publication of WO2020107446A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • This application relates to the field of computer technology, for example, to a method, apparatus, device, and storage medium for acquiring attacker information.
  • In the related art, attacker information is usually obtained at the Transmission Control Protocol (TCP)/Internet Protocol (IP) level, for example the IP address and port number; since attackers generally use forged IP addresses, no valuable information related to the attacker can be obtained, and targeted protection strategies therefore cannot be implemented.
  • TCP: Transmission Control Protocol
  • IP: Internet Protocol
  • Embodiments of the present disclosure provide a method, apparatus, device, and storage medium for acquiring attacker information, so as to acquire information related to the attacker and implement a targeted protection strategy.
  • An embodiment of the present disclosure provides an attacker information acquisition method, including:
  • obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected.
  • before acquiring the information of the target attacker in the actual environment, the method further includes: acquiring the information of the target attacker in the virtual network.
  • acquiring the information of the target attacker in the virtual network includes: acquiring the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
  • the attack event information includes at least one of the following: the name of the attack event, the time when the attack event occurred, the location where the attack event occurred, and the identification information of the attack event.
  • the information of the attacker that can be collected includes: information of the attacker that has already been collected, or information of the attacker that has not yet been collected but can be collected.
  • acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected includes:
  • if the information about the target attacker in the virtual network exists in the information about the attacker that can be collected, obtaining the information about the target attacker in the actual environment according to the information about the target attacker in the virtual network and the information about the attacker that can be collected.
  • before obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected, the method further includes:
  • storing the collected information of the attacker in a database; the information of the attacker includes at least one of the following: information of the attacker in the virtual network or information of the attacker in the actual environment.
  • obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected includes:
  • if the information of the target attacker in the virtual network exists in the database, obtaining the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
  • the collected information of the attacker can thus be stored in the database, and the information of the target attacker in the actual environment can be obtained by querying the database, which is efficient.
  • the method further includes:
  • if the information of the target attacker in the virtual network does not exist in the database, storing the information of the target attacker in the virtual network in the database.
  • the database includes at least one piece of information, and each piece of information includes at least one of the following: information of an attacker in a virtual network, and information of the attacker in an actual environment.
  • the information of any attacker in the virtual network includes at least one of the following: the attacker's identity in the virtual network, domain name, IP address, media access control (MAC) address, and attack method.
  • the information of any attacker in the actual environment includes at least one of the following: the attacker's identity, age, attack record, and location of the network attack in the actual environment, and the background and purpose of the attack.
  • the method further includes: if the number of information items included in the database is greater than a preset threshold, obtaining the usage frequency of each piece of information in the database, and deleting the information whose usage frequency is less than a preset frequency.
  • deleting the information whose usage frequency is less than the preset frequency includes: maintaining the database periodically, or after receiving a user instruction.
  • An embodiment of the present disclosure also provides an attacker information acquisition device, including:
  • the first acquiring module is configured to acquire information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected.
  • the device further includes:
  • the second obtaining module is configured to obtain information of the target attacker in the virtual network.
  • the second acquisition module is configured to: acquire the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
  • the attack event information includes at least one of the following: the name of the attack event, the time when the attack event occurred, the location where the attack event occurred, and the identification information of the attack event.
  • the information of the attacker that can be collected includes: information of the attacker that has already been collected, or information of the attacker that has not yet been collected but can be collected.
  • the first acquisition module is configured to:
  • if the information about the target attacker in the virtual network exists in the information about the attacker that can be collected, obtain the information about the target attacker in the actual environment according to the information about the target attacker in the virtual network and the information about the attacker that can be collected.
  • the device further includes:
  • the storage module is configured to store the collected information of the attacker in a database; the information of the attacker includes at least one of the following: information of the attacker in the virtual network or information of the attacker in the actual environment.
  • the first acquisition module is configured to:
  • if the information of the target attacker in the virtual network exists in the database, obtain the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
  • the storage module is configured to:
  • if the information of the target attacker in the virtual network does not exist in the database, store the information of the target attacker in the virtual network in the database.
  • the database includes at least one piece of information, and each piece of information includes at least one of the following: information of an attacker in a virtual network, and information of the attacker in an actual environment.
  • the information of any attacker in the virtual network includes at least one of the following: the attacker's identity in the virtual network, domain name, IP address, media access control (MAC) address, and attack method.
  • the information of any attacker in the actual environment includes at least one of the following: the identity, age, attack record, and location of the attacker in the actual environment.
  • the device further includes:
  • the third obtaining module is configured to: if the number of information items included in the database is greater than a preset threshold, obtain the frequency of use of each piece of information in the database;
  • the processing module is configured to delete information whose usage frequency is less than a preset frequency.
  • the processing module is configured to:
  • An embodiment of the present disclosure also provides a computer that includes the above attacker information acquisition device.
  • An embodiment of the present disclosure also provides a computer-readable storage medium that stores computer-executable instructions that are configured to perform the above-mentioned method for acquiring attacker information.
  • An embodiment of the present disclosure also provides a computer program product.
  • the computer program product includes a computer program stored on a computer-readable storage medium.
  • the computer program includes program instructions; when the program instructions are executed by a computer, the computer executes the aforementioned method for acquiring attacker information.
  • An embodiment of the present disclosure also provides an electronic device, including:
  • at least one processor;
  • a memory communicatively connected to the at least one processor; wherein,
  • the memory stores instructions executable by the at least one processor, and when the instructions are executed by the at least one processor, the at least one processor executes the above-mentioned method for acquiring attacker information.
  • the method, apparatus, device, and storage medium for obtaining attacker information provided by the embodiments of the present disclosure obtain the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected; since the information of the target attacker in the actual environment can be obtained, targeted protection strategies can be implemented, which helps to improve the security of the network.
  • FIG. 1 is a diagram of an application scenario provided by an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart of a method for obtaining attacker information according to an embodiment of the present disclosure
  • FIG. 3 is a schematic flowchart of a method for obtaining attacker information according to another embodiment of the present disclosure
  • FIG. 4 is a schematic structural diagram of an apparatus for obtaining attacker information according to an embodiment of the present disclosure
  • FIG. 5 is a schematic structural diagram of an apparatus for acquiring attacker information according to another embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure.
  • the method for obtaining attacker information is applied to network attack tracing and is used to determine information about the network attacker, for example its identity and location.
  • the identity includes, for example, a name and an account number.
  • the location includes, for example, a geographic location or a virtual location such as an IP address or a MAC address. The method can be used to obtain information about a network attacker after the network attack has been carried out.
  • FIG. 1 is an application scenario diagram provided by an embodiment of the present disclosure.
  • the method provided by the present disclosure may be implemented by an electronic device 12, for example by a processor of the electronic device, or by the electronic device 12 through data interaction with a server 11; alternatively, it may be implemented by the server.
  • the electronic device 12 and the server 11 may be connected via a network, such as 3G, 4G, wireless fidelity (WIFI), a wired network, or another communication network.
  • WIFI: Wireless Fidelity
  • the above electronic devices may include: smart phones, tablet computers, intelligent robots, wearable devices, computers and other devices.
  • the execution subject of the embodiment of the present disclosure may be an electronic device or an attacker information acquisition device provided in the electronic device.
  • the attacker information acquisition device can be implemented by software, or by a combination of software and hardware.
  • FIG. 2 is a schematic flowchart of a method for acquiring attacker information provided by an embodiment of the present disclosure. As shown in FIG. 2, the method provided in this embodiment includes:
  • Step 201 Obtain the information of the target attacker in the virtual network.
  • the target attacker may be an attacker who is currently to be investigated or locked, for example, an attacker who currently carries out a network attack.
  • the information of the target attacker in the virtual network can be obtained from other devices, or the electronic device can obtain it directly, for example from the system logs generated during the target attacker's attack.
  • other devices are, for example, other electronic devices or servers.
  • other devices may obtain the information of the target attacker who carried out the network attack in the virtual network and send it to the electronic device.
  • the system log includes, for example, the time when the network attack occurred, the hacking tool used for the network attack, the IP address, and the Media Access Control (MAC) address.
  • step 201 may be implemented as follows:
  • obtain the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
  • the attack event information may include at least one of the following: the name of the attack event, the time when the attack event occurred, the location where the attack event occurred, and the identification information of the attack event.
  • the attack event information can be obtained from the system log.
  • Step 202 Obtain the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected.
  • the information of the target attacker in the actual environment is obtained based on the obtained information of the target attacker in the virtual network and the information of the attacker that can be collected.
  • the information of the attacker that can be collected may be information of the attacker that has already been collected, or information of the attacker that has not yet been collected but can be collected.
  • the information of the attacker includes: information of the attacker in the virtual network, and/or information of the attacker in the actual environment.
  • the attacker may include the target attacker at any time.
  • the information of the attacker that has not yet been collected may be, for example, information of the attacker that has been collected on other devices.
  • the information of the target attacker in the virtual network includes at least one of the following: the identity of the target attacker in the virtual network, domain name, IP address, attack method, and hacking tool used.
  • the information of the target attacker in the actual environment includes at least one of the following: the identity of the target attacker in the actual environment, age, attack record, location of the network attack, background and purpose of the attack.
  • the purpose of the attack may be that the target attacker wants to obtain economic benefits, etc.
  • the background of the attack may be that the target attacker is under poor economic conditions and is stimulated by external factors.
  • step 202 may be implemented as follows:
  • if the information about the target attacker in the virtual network exists in the information about the attacker that can be collected, obtain the information about the target attacker in the actual environment according to the information about the target attacker in the virtual network and the information about the attacker that can be collected.
  • the information of the attacker that can be collected includes the information of the target attacker, for example, the information of the target attacker in the virtual network.
  • the information of the target attacker in the virtual network and the information of the attacker that can be collected are related to the information of the target attacker in the actual environment; the information of the attacker that can be collected can be analyzed, filtered, and otherwise processed to obtain the information of the target attacker in the actual environment.
  • the information of the target attacker in the virtual network can be queried from the information of the attacker that can be collected.
  • the method for obtaining attacker information in this embodiment can obtain the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected; since the information of the target attacker in the actual environment can be obtained, targeted protection strategies can be implemented, which helps to improve the security of the network.
  • FIG. 3 is a schematic flowchart of a method for acquiring attacker information according to another embodiment of the present disclosure. Based on the above embodiment, as shown in FIG. 3, the method provided in this embodiment includes:
  • Step 301 Store the collected information of the attacker in a database; the information of the attacker includes at least one of the following: information of the attacker in the virtual network or information of the attacker in the actual environment.
  • the collected information of the attacker can be stored in a database, and relevant information can be recorded and stored when a network attack occurs, or the collected information of the attacker can be obtained from other devices or networks.
  • Step 302 Determine whether the information of the target attacker in the virtual network exists in the database.
  • Step 303 If the information of the target attacker in the virtual network exists in the database, obtain the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
  • the information of the target attacker in the virtual network can be used to query the associated information of the target attacker in the actual environment from the database.
  • Step 304 If the information of the target attacker in the virtual network does not exist in the database, store the information of the target attacker in the virtual network into the database.
  • if the information about the target attacker, for example the information of the target attacker in the virtual network, is not stored in the database, the information of the target attacker in the virtual network is stored in the database for subsequent use.
  • various attack data may be integrated into the database in advance.
  • the attack data may include the attacker ID, domain name, attack method, hacking tool used, etc.
  • the database may include: at least one piece of information, and each piece of information includes at least one of the following: information of an attacker in the virtual network, and information of the attacker in the actual environment.
  • the collected attacker information stored in the database includes multiple pieces of attacker information, and each piece of information includes: information of an attacker in the virtual network, and/or information of the attacker in the actual environment.
  • the information of any attacker in the virtual network includes at least one of the following: the attacker's identity (ID), domain name, IP address, attack method, and hacking tool used in the virtual network.
  • the identity can be the attacker's account and password in the virtual network.
  • the IP address can be the IP address of the attacker's device in the virtual network.
  • the MAC address can be the MAC address of the attacker's device; the MAC address is the hardware address of the device and is used to define the network location of the device. Attack methods include, for example, denial-of-service attacks, physical-layer line interception, and fragmented IP packet attacks.
  • the information of any attacker in the actual environment includes at least one of the following: the identity, age, attack record, and location of the attacker in the actual environment.
  • the attack record includes, for example, the historical record of the attacker's participation in the network attack, such as the time of the attack, the location of the network attack, the hacking tool used, and so on.
  • the method in this embodiment may further include: if the number of information items included in the database is greater than a preset threshold, obtaining the usage frequency of each piece of information in the database, and deleting the information whose usage frequency is less than a preset frequency.
  • deleting the information whose usage frequency is less than the preset frequency may be implemented as follows:
  • the database may be maintained periodically, or after receiving a user instruction.
  • the usage frequency of each piece of information in the database is obtained, and information whose usage frequency is less than the preset frequency is deleted. For example, much of the stored attacker information is never used or is used only rarely, such as once every few years, and such information can be deleted.
  • the collected information of the attacker can thus be stored in the database, and the information of the target attacker in the actual environment can be obtained by querying the database, which is efficient.
  • the apparatus for obtaining attacker information includes:
  • the first obtaining module 401 is configured to obtain the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the information of the attacker that can be collected.
  • the device further includes:
  • the second obtaining module 402 is configured to obtain information of the target attacker in the virtual network.
  • the second obtaining module 402 is configured to:
  • the attack event information includes at least one of the following: the name of the attack event, the time when the attack event occurred, the location where the attack event occurred, and the identification information of the attack event.
  • the information of the attacker that can be collected includes: information of the attacker that has already been collected, or information of the attacker that has not yet been collected but can be collected.
  • the first obtaining module 401 is configured to:
  • if the information about the target attacker in the virtual network exists in the information about the attacker that can be collected, obtain the information about the target attacker in the actual environment according to the information about the target attacker in the virtual network and the information about the attacker that can be collected.
  • the device further includes:
  • the storage module 403 is configured to store the collected information of the attacker in a database; the information of the attacker includes at least one of the following: information of the attacker in the virtual network or information of the attacker in the actual environment.
  • the first obtaining module 401 is configured to:
  • if the information of the target attacker in the virtual network exists in the database, obtain the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
  • the storage module 403 is configured to:
  • if the information of the target attacker in the virtual network does not exist in the database, store the information of the target attacker in the virtual network in the database.
  • the database includes at least one piece of information, and each piece of information includes at least one of the following: information of an attacker in a virtual network, and information of the attacker in an actual environment.
  • the information of any attacker in the virtual network includes at least one of the following: the attacker's identity in the virtual network, domain name, IP address, media access control (MAC) address, and attack method.
  • the information of any attacker in the actual environment includes at least one of the following: the identity, age, attack record, and location of the attacker in the actual environment.
  • the device further includes:
  • the third obtaining module 404 is configured to: if the number of information items included in the database is greater than a preset threshold, obtain the frequency of use of each piece of information in the database;
  • the processing module 405 is configured to delete information whose usage frequency is less than a preset frequency.
  • the processing module 405 is configured to:
  • the device of this embodiment may be used to execute the technical solutions of the above method embodiments, and its implementation principles and technical effects are similar, and will not be repeated here.
  • An embodiment of the present disclosure also provides a computer that includes the above attacker information acquisition device.
  • An embodiment of the present disclosure also provides a computer-readable storage medium that stores computer-executable instructions that are configured to perform the above-mentioned attacker information acquisition method.
  • An embodiment of the present disclosure also provides a computer program product.
  • the computer program product includes a computer program stored on a computer-readable storage medium.
  • the computer program includes program instructions; when the program instructions are executed by a computer, the computer executes the above method for acquiring attacker information.
  • the aforementioned computer-readable storage medium may be a transient computer-readable storage medium or a non-transitory computer-readable storage medium.
  • An embodiment of the present disclosure also provides an electronic device, whose structure is shown in FIG. 6, the electronic device includes:
  • at least one processor 100 (one processor 100 is taken as an example in FIG. 6) and a memory 101; the electronic device may further include a communication interface 102 and a bus 103.
  • the processor 100, the communication interface 102, and the memory 101 can complete communication with each other through the bus 103.
  • the communication interface 102 can be used for information transmission.
  • the processor 100 may call logical instructions in the memory 101 to execute the method for acquiring attacker information in the foregoing embodiment.
  • logic instructions in the above-mentioned memory 101 may be implemented in the form of software functional units and sold or used as independent products, and may be stored in a computer-readable storage medium.
  • the memory 101 is a computer-readable storage medium and can be used to store software programs and computer-executable programs, such as program instructions/modules corresponding to the methods in the embodiments of the present disclosure.
  • the processor 100 executes functional applications and data processing by running software programs, instructions, and modules stored in the memory 101, that is, implementing the attacker information acquisition method in the foregoing method embodiments.
  • the memory 101 may include a storage program area and a storage data area, wherein the storage program area may store an operating system and application programs required for at least one function; the storage data area may store data created according to the use of a terminal device and the like.
  • the memory 101 may include a high-speed random access memory, and may also include a non-volatile memory.
  • the technical solutions of the embodiments of the present disclosure may be embodied in the form of software products, which are stored in a storage medium and include one or more instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the method described in the embodiments of the present disclosure.
  • the aforementioned storage medium may be a non-transitory storage medium, including a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or another medium that can store program code; it may also be a transient storage medium.
  • although the terms first, second, etc. may be used in this application to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another.
  • the first element can be called the second element, and likewise the second element can be called the first element, as long as all occurrences of the "first element" are consistently renamed and all occurrences of the "second element" are consistently renamed.
  • the first element and the second element are both elements, but they may not be the same element.
  • the various aspects, implementations, implementations or features in the described embodiments can be used alone or in any combination.
  • Various aspects in the described embodiments may be implemented by software, hardware, or a combination of software and hardware.
  • the described embodiments may also be embodied by a computer-readable medium that stores computer-readable code including instructions executable by at least one computing device.
  • the computer-readable medium can be associated with any data storage device capable of storing data, which can be read by a computer system.
  • examples of computer-readable media include read-only memory, random access memory, CD-ROM, HDD, DVD, magnetic tape, optical data storage devices, and the like.
  • the computer-readable medium may also be distributed in computer systems connected through a network, so that computer-readable codes can be stored and executed in a distributed manner.
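
As an added worked example (not part of the patent text and not code from the applicant), the following Python sketch implements the flow the Definitions above describe from a defender's side: Step 201 extracts the target attacker's virtual-network information (time, hacking tool, IP address, MAC address) from system log lines, Steps 302 to 304 look that information up in a database of collected attacker information and store it when absent, and the maintenance step prunes low-use entries once the database holds more items than a preset threshold. The log line format, the record layout, the (IP address, MAC address) key, the `AttackerDatabase`/`Record`/`VirtualInfo` names and all sample values are assumptions constructed for this example; a query count stands in for the patent's usage frequency.

```python
"""Added worked example (not code from the patent or its applicant).

Follows FIG. 2 / FIG. 3 of WO2020107446A1 in a small runnable form:
  Step 201       parse virtual-network information (time, tool, IP, MAC) from log lines
  Steps 302-304  look it up in a database; return the stored actual-environment
                 record if present, otherwise store the virtual-network record
  maintenance    once the database exceeds a preset item count, delete records
                 whose usage (query count) is below a preset value
Log format, record layout and every sample value are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed log line format (assumption): "<time> attack tool=<tool> src=<ip> mac=<mac>"
LOG_RE = re.compile(
    r"^(?P<time>\S+) attack tool=(?P<tool>\S+) src=(?P<ip>\S+) "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$"
)


@dataclass
class VirtualInfo:
    """Attacker information in the virtual network (output of Step 201)."""
    ip: str
    mac: str
    tool: str
    time: str


@dataclass
class Record:
    """One database entry: virtual-network info plus, if known, actual-environment info."""
    virtual: VirtualInfo
    actual: Optional[dict] = None
    uses: int = 0  # number of queries this entry answered; stands in for usage frequency


def parse_attack_event(line: str) -> Optional[VirtualInfo]:
    """Step 201: derive the target attacker's virtual-network information from one log line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None  # not an attack event line; ignore it
    return VirtualInfo(ip=m["ip"], mac=m["mac"], tool=m["tool"], time=m["time"])


class AttackerDatabase:
    """Collected attacker information keyed by (IP address, MAC address)."""

    def __init__(self, max_items: int, min_uses: int) -> None:
        self.max_items = max_items  # preset threshold on the number of items
        self.min_uses = min_uses    # preset usage level below which entries are pruned
        self.records: dict = {}

    def lookup(self, info: VirtualInfo) -> Optional[dict]:
        """Steps 302-304: return actual-environment info when the virtual-network info is
        already in the database; otherwise store the virtual-network info and return None."""
        key = (info.ip, info.mac)
        rec = self.records.get(key)
        if rec is None:
            self.records[key] = Record(virtual=info)  # Step 304: keep it for later use
            return None
        rec.uses += 1  # Step 303: the entry was used to answer a query
        return rec.actual

    def prune(self) -> int:
        """Maintenance: once the database holds more than max_items entries, delete those
        used fewer than min_uses times. Returns the number of entries deleted."""
        if len(self.records) <= self.max_items:
            return 0
        stale = [k for k, r in self.records.items() if r.uses < self.min_uses]
        for k in stale:
            del self.records[k]
        return len(stale)


# Constructed sample log lines (documentation IP ranges, locally administered MACs).
SAMPLE_LOGS = [
    "2018-11-30T10:15:02Z attack tool=synflood src=198.51.100.7 mac=02:00:5e:00:53:01",
    "2018-11-30T10:15:09Z attack tool=synflood src=198.51.100.7 mac=02:00:5e:00:53:01",
    "2018-11-30T11:02:41Z attack tool=fragbomb src=203.0.113.9 mac=02:00:5e:00:53:02",
    "2018-11-30T11:02:42Z INFO scheduled backup completed",  # unrelated line, skipped
]


def build_sample_db() -> AttackerDatabase:
    """Database pre-loaded with one previously collected attacker (constructed values)."""
    db = AttackerDatabase(max_items=1, min_uses=1)
    known = VirtualInfo(ip="198.51.100.7", mac="02:00:5e:00:53:01",
                        tool="synflood", time="2018-11-01T00:00:00Z")
    db.records[(known.ip, known.mac)] = Record(
        virtual=known,
        actual={"identity": "ACTOR-EXAMPLE-1",  # placeholder, not a real identity
                "location": "example-region",
                "attack_record": ["2018-11-01 synflood"]},
    )
    return db


def trace(db: AttackerDatabase, lines: list) -> list:
    """Run Step 201 then Steps 302-304 over log lines; returns (ip, actual-info-or-None) pairs."""
    results = []
    for line in lines:
        info = parse_attack_event(line)
        if info is not None:
            results.append((info.ip, db.lookup(info)))
    return results


if __name__ == "__main__":
    db = build_sample_db()
    for ip, actual in trace(db, SAMPLE_LOGS):
        print(ip, "->", actual if actual else "unknown, stored for later")
    print("pruned", db.prune(), "low-use entries; remaining", len(db.records))
```

Running the script shows the known source being enriched twice, the unknown source being stored with no actual-environment information, and the maintenance pass then removing that never-queried entry because the database (two items) exceeds the threshold of one. Keying on the (IP, MAC) pair rather than the IP alone is a deliberate choice: the Background notes that attackers generally use forged IP addresses, so an IP address by itself is a weak join key.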

Abstract

Embodiments of the present invention relate to a method and apparatus for obtaining attacker information, a device, and a storage medium. The method comprises: obtaining information of a target attacker in an actual environment according to information of the target attacker in a virtual network and collectable information of the attacker. According to the embodiments of the present invention, the information of the target attacker in the actual environment can be obtained, and a targeted protection strategy can be implemented, thereby helping improve network security.

Description

Method, apparatus, device and storage medium for acquiring attacker information
Technical field
This application relates to the field of computer technology, for example to a method, apparatus, device and storage medium for acquiring attacker information.
Background
As the coverage of the Internet keeps expanding, network security becomes ever more important. Faced with a constant stream of new network intrusion techniques and increasingly frequent intrusions, the need to trace network attacks back to their source is becoming urgent.
In the related art, attacker information is usually obtained at the Transmission Control Protocol (TCP)/Internet Protocol (IP) level, for example the IP address and port number. Because attackers generally use forged IP addresses, no valuable information about the attacker can be obtained this way, and a targeted protection strategy therefore cannot be implemented.
Summary of the invention
Embodiments of the present disclosure provide a method, apparatus, device and storage medium for acquiring attacker information, so as to acquire information related to the attacker and make it possible to implement a targeted protection strategy.
An embodiment of the present disclosure provides a method for acquiring attacker information, including:
acquiring information of a target attacker in the actual environment according to information of the target attacker in a virtual network and collectable attacker information (that is, attacker information that can be collected).
In a possible implementation, before acquiring the information of the target attacker in the actual environment, the method further includes:
acquiring the information of the target attacker in the virtual network.
In a possible implementation, acquiring the information of the target attacker in the virtual network includes:
acquiring the information of the target attacker in the virtual network according to attack event information corresponding to the target attacker.
In a possible implementation, the attack event information includes at least one of: the name of the attack event, the time at which the attack event occurred, the location at which the attack event occurred, and identification information of the attack event.
In a possible implementation, the collectable attacker information includes attacker information that has already been collected, or attacker information that has not yet been collected but can be collected.
In a possible implementation, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information includes:
determining whether the information of the target attacker in the virtual network is present in the collectable attacker information; and
if the information of the target attacker in the virtual network is present in the collectable attacker information, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
In a possible implementation, before acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information, the method further includes:
storing the collected attacker information in a database, where the attacker information includes at least one of: the information of the attacker in the virtual network and the information of the attacker in the actual environment.
In a possible implementation, acquiring the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information includes:
determining whether the information of the target attacker in the virtual network is present in the database; and
if the information of the target attacker in the virtual network is present in the database, acquiring the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
In the above implementation, the collected attacker information can be stored in a database, and the information of the target attacker in the actual environment is obtained by querying the database, which is efficient.
In a possible implementation, the method further includes:
if the information of the target attacker in the virtual network is not present in the database, storing the information of the target attacker in the virtual network in the database.
In a possible implementation, the database includes at least one entry, and each entry includes at least one of: the information of an attacker in the virtual network and the information of that attacker in the actual environment.
In a possible implementation, the information of any attacker in the virtual network includes at least one of: the attacker's identity (ID) in the virtual network, domain name, IP address, media access control (MAC) address, attack method, and hacking tools used.
In a possible implementation, the information of any attacker in the actual environment includes at least one of: the attacker's identity in the actual environment, age, attack record, location at the time of the network attack, and the background and purpose of the attack.
In a possible implementation, the method further includes:
if the number of entries in the database exceeds a preset threshold, obtaining the usage frequency of each entry in the database; and
deleting the entries whose usage frequency is below a preset frequency.
In a possible implementation, deleting the entries whose usage frequency is below the preset frequency includes:
obtaining an operation instruction from the user; and
deleting, according to the user's operation instruction, the entries whose usage frequency is below the preset frequency.
An embodiment of the present disclosure further provides an apparatus for acquiring attacker information, including:
a first acquisition module configured to acquire the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
In a possible implementation, the apparatus further includes:
a second acquisition module configured to acquire the information of the target attacker in the virtual network.
In a possible implementation, the second acquisition module is configured to:
acquire the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
In a possible implementation, the attack event information includes at least one of: the name of the attack event, the time at which the attack event occurred, the location at which the attack event occurred, and identification information of the attack event.
In a possible implementation, the collectable attacker information includes attacker information that has already been collected, or attacker information that has not yet been collected but can be collected.
In a possible implementation, the first acquisition module is configured to:
determine whether the information of the target attacker in the virtual network is present in the collectable attacker information; and
if the information of the target attacker in the virtual network is present in the collectable attacker information, acquire the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
In a possible implementation, the apparatus further includes:
a storage module configured to store the collected attacker information in a database, where the attacker information includes at least one of: the information of the attacker in the virtual network and the information of the attacker in the actual environment.
In a possible implementation, the first acquisition module is configured to:
determine whether the information of the target attacker in the virtual network is present in the database; and
if the information of the target attacker in the virtual network is present in the database, acquire the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
In a possible implementation, the storage module is configured to:
if the information of the target attacker in the virtual network is not present in the database, store the information of the target attacker in the virtual network in the database.
In a possible implementation, the database includes at least one entry, and each entry includes at least one of: the information of an attacker in the virtual network and the information of that attacker in the actual environment.
In a possible implementation, the information of any attacker in the virtual network includes at least one of: the attacker's identity (ID) in the virtual network, domain name, IP address, media access control (MAC) address, attack method, and hacking tools used.
In a possible implementation, the information of any attacker in the actual environment includes at least one of: the attacker's identity in the actual environment, age, attack record, and location at the time of the network attack.
In a possible implementation, the apparatus further includes:
a third acquisition module configured to obtain, if the number of entries in the database exceeds a preset threshold, the usage frequency of each entry in the database; and
a processing module configured to delete the entries whose usage frequency is below a preset frequency.
In a possible implementation, the processing module is configured to:
obtain an operation instruction from the user; and
delete, according to the user's operation instruction, the entries whose usage frequency is below the preset frequency.
An embodiment of the present disclosure further provides a computer including the above apparatus for acquiring attacker information.
An embodiment of the present disclosure further provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being configured to perform the above method for acquiring attacker information.
An embodiment of the present disclosure further provides a computer program product, including a computer program stored on a computer-readable storage medium, the computer program including program instructions that, when executed by a computer, cause the computer to perform the above method for acquiring attacker information.
An embodiment of the present disclosure further provides an electronic device, including:
at least one processor; and
a memory communicatively connected to the at least one processor, where
the memory stores instructions executable by the at least one processor, and the instructions, when executed by the at least one processor, cause the at least one processor to perform the above method for acquiring attacker information.
The method, apparatus, device and storage medium for acquiring attacker information provided by the embodiments of the present disclosure acquire the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information. Because the information of the target attacker in the actual environment can be obtained, a targeted protection strategy can be implemented, which helps to improve network security.
Brief description of the drawings
One or more embodiments are illustrated by way of example with reference to the corresponding drawings. These illustrations and drawings do not limit the embodiments. Elements with the same reference numerals in the drawings denote similar elements, and the drawings are not drawn to scale, in which:
FIG. 1 is a diagram of an application scenario provided by an embodiment of the present disclosure;
FIG. 2 is a schematic flowchart of a method for acquiring attacker information provided by an embodiment of the present disclosure;
FIG. 3 is a schematic flowchart of a method for acquiring attacker information provided by another embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of an apparatus for acquiring attacker information provided by an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of an apparatus for acquiring attacker information provided by another embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of an electronic device provided by an embodiment of the present disclosure.
Detailed description
To give a more thorough understanding of the features and technical content of the embodiments of the present disclosure, their implementation is described in detail below with reference to the accompanying drawings. The drawings are for reference and explanation only and are not intended to limit the embodiments. In the following technical description, numerous details are given for ease of explanation so as to provide a sufficient understanding of the disclosed embodiments; however, one or more embodiments can still be practiced without these details. In other cases, well-known structures and devices are shown in simplified form to simplify the drawings.
First, the application scenario involved in the embodiments of the present disclosure is introduced:
The method for acquiring attacker information provided by the embodiments of the present disclosure is applied to tracing network attacks to their source and is used to determine information about a network attacker, for example identity and location. Identity includes, for example, a name or an account; location includes, for example, a geographic location or a virtual location such as an IP address or MAC address. The method can be used to obtain information about an attacker after the attacker has carried out a network attack.
FIG. 1 is a diagram of an application scenario provided by an embodiment of the present disclosure. The method provided by the present disclosure may be implemented by an electronic device 12, for example by the processor of the electronic device, or by the electronic device 12 exchanging data with a server 11. Alternatively, it may be implemented by the server. The electronic device 12 and the server 11 may be connected through a network, for example a 3G, 4G, Wireless Fidelity (WiFi), wired or other communication network.
The electronic device may include a smartphone, tablet computer, intelligent robot, wearable device, computer or other device.
The technical solution of the present application is described in detail below through the following embodiments.
The following embodiments may be combined with each other, and the same or similar concepts or processes may not be repeated in some of them.
The following description takes an electronic device as the executing entity. The executing entity of the embodiments of the present disclosure may be an electronic device, or an apparatus for acquiring attacker information provided in the electronic device; the apparatus may be implemented in software or in a combination of software and hardware.
FIG. 2 is a schematic flowchart of a method for acquiring attacker information provided by an embodiment of the present disclosure. As shown in FIG. 2, the method provided in this embodiment includes:
Step 201: acquire the information of the target attacker in the virtual network.
In the embodiments of the present disclosure, the target attacker may be the attacker currently under investigation or being tracked, for example the attacker currently carrying out a network attack.
In this step, the information of the target attacker in the virtual network may be obtained from another device, or the electronic device may obtain it directly, for example from the system logs generated while the target attacker carried out the attack. The other device may be, for example, another electronic device or a server; when a network attack occurs, it may obtain the information in the virtual network of the target attacker carrying out the attack and send that information to the electronic device.
The system logs include, for example, the time at which the network attack occurred, the hacking tool used, the IP address and the Media Access Control (MAC) address.
In other implementations of the present disclosure, step 201 may be implemented as follows:
acquire the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
The attack event information may include at least one of: the name of the attack event, the time at which the attack event occurred, the location at which the attack event occurred, and identification information of the attack event.
The attack event information can be obtained from the system logs.
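As an added illustration of step 201 (example code written for this page, not code from the patent or its applicant), the following Python derives the attack event information and the attacker's virtual-network information listed above from system log lines. The log format, the key names such as src_ip, src_mac and actor, and every address, host and tool name in the sample lines are constructed assumptions; a real deployment would only need to change the two regular expressions and the key mapping.

```python
"""Added example (not code from the patent): derive the attack event information and
the attacker's virtual-network information of step 201 from system log lines.
The log format and every value below are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed log format (assumption): an ISO-8601 UTC timestamp followed by
# key=value pairs. Real system logs differ; only these patterns would change.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed log keys mapped onto the virtual-network fields the patent lists.
FIELD_MAP = {"actor": "attacker_id", "domain": "domain", "src_ip": "ip",
             "src_mac": "mac", "method": "attack_method"}

# Constructed sample log (documentation IP ranges, invented MAC and host names).
SAMPLE_LOG = [
    "2024-03-01T10:15:05Z event=ssh_bruteforce id=EV-001 host=web-01 src_ip=203.0.113.7 src_mac=00:11:22:33:44:55 tool=hydra method=bruteforce",
    "2024-03-01T10:15:02Z event=ssh_bruteforce id=EV-001 host=web-01 src_ip=203.0.113.7 src_mac=00:11:22:33:44:55 tool=hydra method=bruteforce",
    "2024-03-01T10:20:40Z event=ssh_bruteforce id=EV-001 host=web-01 src_ip=203.0.113.7 src_mac=00:11:22:33:44:55 tool=nmap method=scan",
    "2024-03-01T11:00:00Z event=sql_injection id=EV-002 host=api-01 src_ip=198.51.100.9 domain=evil.example actor=mallory tool=sqlmap method=injection",
    "kernel: eth0: link is up",  # unrelated line, must be ignored
]

@dataclass
class AttackEvent:
    name: str
    time: str        # time the event occurred (earliest timestamp seen)
    location: str    # host on which the event occurred
    event_id: str    # identification information of the event

@dataclass
class VirtualNetworkInfo:
    attacker_id: Optional[str] = None
    domain: Optional[str] = None
    ip: Optional[str] = None
    mac: Optional[str] = None
    attack_method: Optional[str] = None
    tools: List[str] = field(default_factory=list)

def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one line plus its timestamp, or None if the
    line does not follow the constructed format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields["time"] = m.group("ts")
    return fields

def collect_events(lines: List[str]) -> Dict[str, Tuple[AttackEvent, VirtualNetworkInfo]]:
    """Group log lines by attack event id and build, per event, the attack event
    information and the attacker's virtual-network information."""
    events: Dict[str, Tuple[AttackEvent, VirtualNetworkInfo]] = {}
    for line in lines:
        f = parse_log_line(line)
        if f is None or "id" not in f:
            continue  # unparseable or unrelated: skipped rather than guessed
        if f["id"] not in events:
            events[f["id"]] = (AttackEvent(name=f.get("event", "unknown"), time=f["time"],
                                           location=f.get("host", "unknown"), event_id=f["id"]),
                               VirtualNetworkInfo())
        ev, vn = events[f["id"]]
        if f["time"] < ev.time:  # ISO-8601 UTC strings sort chronologically
            ev.time = f["time"]
        for key, attr in FIELD_MAP.items():
            if key in f and getattr(vn, attr) is None:
                setattr(vn, attr, f[key])  # first value wins; conflicts are not resolved here
        if "tool" in f and f["tool"] not in vn.tools:
            vn.tools.append(f["tool"])
    return events

if __name__ == "__main__":
    for event_id, (ev, vn) in collect_events(SAMPLE_LOG).items():
        print(event_id, ev, vn)
```

Two design points matter for the later database lookup: the first value seen for an identifying field is kept and later conflicting values are ignored, so a source address that changes mid-event is not merged silently, and lines that do not parse are skipped rather than filled in with guesses.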
Step 202: acquire the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
In this step, the information of the target attacker in the actual environment is acquired according to the already acquired information of the target attacker in the virtual network and the collectable attacker information.
The collectable attacker information may be attacker information that has already been collected, or attacker information that has not yet been collected but can be collected. Attacker information includes the attacker's information in the virtual network and/or the attacker's information in the actual environment. The attackers concerned may include the target attacker.
Attacker information that has not yet been collected may be, for example, already collected attacker information that is stored on other devices.
The information of the target attacker in the virtual network includes at least one of: the target attacker's identity (ID) in the virtual network, domain name, IP address, attack method, and hacking tools used.
The information of the target attacker in the actual environment includes at least one of: the target attacker's identity in the actual environment, age, attack record, location at the time of the network attack, and the background and purpose of the attack.
For example, the purpose of the attack may be that the target attacker seeks financial gain, and the background of the attack may be that the target attacker is in poor economic circumstances and was prompted by external factors.
In one implementation of the present disclosure, step 202 may be implemented as follows:
determine whether the information of the target attacker in the virtual network is present in the collectable attacker information; and
if the information of the target attacker in the virtual network is present in the collectable attacker information, acquire the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
If the collectable attacker information contains information about the target attacker, for example the target attacker's information in the virtual network, the target attacker's information in the actual environment can be found by a correlated query using the target attacker's information in the virtual network together with the collectable attacker information. The collectable attacker information may be analyzed, processed and filtered in order to obtain the target attacker's information in the actual environment.
Alternatively, the target attacker's information in the actual environment may be found from the collectable attacker information by a correlated query based on the target attacker's information in the virtual network.
The method for acquiring attacker information of this embodiment acquires the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information. Because the information of the target attacker in the actual environment can be obtained, a targeted protection strategy can be implemented, which helps to improve network security.
FIG. 3 is a schematic flowchart of a method for acquiring attacker information provided by another embodiment of the present disclosure. Building on the above embodiment, as shown in FIG. 3, the method provided in this embodiment includes:
Step 301: store the collected attacker information in a database, where the attacker information includes at least one of: the attacker's information in the virtual network and the attacker's information in the actual environment.
In this step, the collected attacker information may be stored in a database. The relevant information may be recorded and stored when a network attack occurs, or the collected attacker information may be obtained from other devices or networks.
Step 302: determine whether the information of the target attacker in the virtual network is present in the database.
Step 303: if the information of the target attacker in the virtual network is present in the database, acquire the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
In this step, if the collected information of the target attacker, for example the target attacker's information in the virtual network, has been stored in the database beforehand, the target attacker's information in the actual environment can be found in the database by a correlated query using the target attacker's information in the virtual network.
Step 304: if the information of the target attacker in the virtual network is not present in the database, store the information of the target attacker in the virtual network in the database.
In this step, if no information about the target attacker, for example the target attacker's information in the virtual network, is stored in the database, the target attacker's information in the virtual network is stored in the database for later use.
In other embodiments of the present disclosure, various attack data may be integrated into the database in advance; the attack data may include the attacker ID, domain name, attack method, hacking tools used, and so on. When a visitor accesses the network, the visitor's information is first compared with the data in the database; if the visitor's information matches the data in the database, the visitor may be regarded as an attacker, and operations such as blocking the attacker may be performed.
Building on the above embodiment, the database may include at least one entry, and each entry includes at least one of: the information of an attacker in the virtual network and the information of that attacker in the actual environment.
The collected attacker information stored in the database includes multiple entries, each of which includes the information of one attacker in the virtual network and/or the information of that attacker in the actual environment.
The information of any attacker in the virtual network includes at least one of: the attacker's identity (ID) in the virtual network, domain name, IP address, attack method, and hacking tools used.
The identity may be the attacker's account, password or similar information in the virtual network; the IP address may be the IP address in the virtual network of the device used by the attacker; and the MAC address may be the MAC address of the device used by the attacker, which is the hardware address of the device and identifies its position in the network. Attack methods include, for example, denial-of-service attacks, physical-layer line eavesdropping, and fragmented IP packet attacks.
The information of any attacker in the actual environment includes at least one of: the attacker's identity in the actual environment, age, attack record, and location at the time of the network attack.
The attack record includes, for example, the history of the attacker's participation in network attacks, such as the time of each attack, the location at the time of the attack, and the hacking tools used.
On the basis of the above embodiment, the method of this embodiment may further include:
if the number of information entries included in the database is greater than a preset threshold, obtaining the usage frequency of each piece of information in the database;
deleting the information whose usage frequency is less than a preset frequency.
Deleting the information whose usage frequency is less than the preset frequency may be implemented as follows:
obtaining an operation instruction from the user;
deleting, according to the user's operation instruction, the information whose usage frequency is less than the preset frequency.
In this embodiment, the data in the database may be maintained periodically, or after a user instruction is received.
If it is detected that the number of information entries in the database is greater than the preset threshold, then, to reduce unnecessary space usage, the usage frequency of each piece of information in the database is obtained and the information whose usage frequency is less than the preset frequency is deleted. For example, information about attackers that has never been used, or that is used infrequently (such as once every few years, or only a small number of times), may be deleted.
In this embodiment, the collected attacker information may be stored in a database, and the information of the target attacker in the actual environment is obtained by querying the database, which is efficient.
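The following is an added, constructed illustration of the database embodiment described above (the lookup of the target attacker's virtual-network information, the storing of that information when it is absent, the comparison of a visitor against pre-integrated attack data, and the usage-frequency maintenance). It is not code from the disclosure or its applicant. The field names, the matching rule (any one identifying field equal), the threshold values and the sample records are assumptions made for the example.

```python
"""Toy model of the attacker information database described in the disclosure.

Constructed example: field names, the matching rule and the sample data are
assumptions, not the disclosure's own specification.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fields assumed to identify an attacker in the virtual network. The disclosure
# lists ID, domain name, IP address, MAC address, attack method and tools used;
# only the first four are treated as identifying here (assumption).
IDENTIFYING_FIELDS = ("id", "domain", "ip", "mac")


@dataclass
class AttackerRecord:
    """One piece of information in the database: the attacker's information in
    the virtual network and/or in the actual environment."""
    virtual: Dict[str, str]
    real: Dict[str, str] = field(default_factory=dict)
    use_count: int = 0  # usage frequency, incremented on every successful lookup


class AttackerDB:
    def __init__(self, max_entries: int, min_use_count: int):
        self.entries: List[AttackerRecord] = []
        self.max_entries = max_entries      # preset threshold on the entry count
        self.min_use_count = min_use_count  # preset frequency below which entries are deleted

    def _find(self, virtual: Dict[str, str]) -> Optional[AttackerRecord]:
        """Return the stored record whose virtual-network information matches.
        A match is any identifying field present in both and equal (assumption)."""
        for rec in self.entries:
            for key in IDENTIFYING_FIELDS:
                if key in virtual and rec.virtual.get(key) == virtual[key]:
                    return rec
        return None

    def is_known_attacker(self, visitor: Dict[str, str]) -> bool:
        """Compare a visitor's information with the pre-integrated attack data."""
        return self._find(visitor) is not None

    def resolve(self, target_virtual: Dict[str, str]) -> Optional[Dict[str, str]]:
        """If the target attacker's virtual-network information exists in the
        database, return its actual-environment information (possibly empty);
        otherwise store the virtual-network information for later use and
        return None."""
        rec = self._find(target_virtual)
        if rec is None:
            self.entries.append(AttackerRecord(virtual=dict(target_virtual)))
            return None
        rec.use_count += 1
        return rec.real

    def maintain(self) -> int:
        """Database maintenance: when the entry count exceeds the preset
        threshold, delete entries whose usage frequency is below the preset
        frequency. Returns the number of deleted entries."""
        if len(self.entries) <= self.max_entries:
            return 0
        before = len(self.entries)
        self.entries = [r for r in self.entries if r.use_count >= self.min_use_count]
        return before - len(self.entries)


def build_sample_db() -> AttackerDB:
    """Constructed sample records (addresses from documentation ranges)."""
    db = AttackerDB(max_entries=2, min_use_count=1)
    db.entries.append(AttackerRecord(
        virtual={"id": "user_a", "ip": "203.0.113.10", "mac": "02:00:00:00:00:01",
                 "method": "denial of service", "tool": "example-tool"},
        real={"identity": "attacker A", "age": "30", "location": "city X",
              "record": "2018-11: denial of service"}))
    db.entries.append(AttackerRecord(
        virtual={"id": "user_b", "domain": "b.example"},
        real={"identity": "attacker B"}))
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print("known attacker:", db.resolve({"ip": "203.0.113.10"}))
    print("unknown attacker stored:", db.resolve({"id": "user_c"}) is None)
    print("entries deleted by maintenance:", db.maintain())
```

The `resolve` call distinguishes "not in the database" (returns `None` and stores the virtual-network information, as in Step 304) from "in the database but with no actual-environment information yet" (returns an empty dict), so a caller can tell which case applied. Usage frequency is modelled as a lookup counter; a real deployment would more likely keep timestamps so that "once every few years" can be expressed as a rate.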
FIG. 4 is a schematic structural diagram of an apparatus for obtaining attacker information according to an embodiment of the present disclosure. As shown in FIG. 4, the apparatus for obtaining attacker information provided in this embodiment includes:
a first obtaining module 401, configured to obtain the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
In a possible implementation, as shown in FIG. 5, the apparatus further includes:
a second obtaining module 402, configured to obtain the information of the target attacker in the virtual network.
In a possible implementation, the second obtaining module 402 is configured to:
obtain the information of the target attacker in the virtual network according to the attack event information corresponding to the target attacker.
In a possible implementation, the attack event information includes at least one of the following: the name of the attack event, the time at which the attack event occurred, the location at which the attack event occurred, and the identification information of the attack event.
In a possible implementation, the collectable attacker information includes: attacker information that has already been collected, or attacker information that has not yet been collected but can be collected.
In a possible implementation, the first obtaining module 401 is configured to:
determine whether the information of the target attacker in the virtual network exists in the collectable attacker information;
if the information of the target attacker in the virtual network exists in the collectable attacker information, obtain the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
In a possible implementation, the apparatus further includes:
a storage module 403, configured to store the collected attacker information in a database, the attacker information including at least one of the following: the information of the attacker in the virtual network, or the information of the attacker in the actual environment.
In a possible implementation, the first obtaining module 401 is configured to:
determine whether the information of the target attacker in the virtual network exists in the database;
if the information of the target attacker in the virtual network exists in the database, obtain the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
In a possible implementation, the storage module 403 is configured to:
if the information of the target attacker in the virtual network does not exist in the database, store the information of the target attacker in the virtual network in the database.
In a possible implementation, the database includes at least one piece of information, each piece of which includes at least one of the following: the information of an attacker in the virtual network, and the information of that attacker in the actual environment.
In a possible implementation, the information of any attacker in the virtual network includes at least one of the following: the attacker's identity (ID) in the virtual network, domain name, IP address, media access control (MAC) address, attack method, and hacking tools used.
In a possible implementation, the information of any attacker in the actual environment includes at least one of the following: the attacker's identity in the actual environment, age, attack record, and the location from which the network attack was carried out.
In a possible implementation, the apparatus further includes:
a third obtaining module 404, configured to obtain the usage frequency of each piece of information in the database if the number of information entries included in the database is greater than a preset threshold;
a processing module 405, configured to delete the information whose usage frequency is less than a preset frequency.
In a possible implementation, the processing module 405 is configured to:
obtain an operation instruction from the user;
delete, according to the user's operation instruction, the information whose usage frequency is less than the preset frequency.
The apparatus of this embodiment may be used to execute the technical solutions of the above method embodiments; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of the present disclosure further provides a computer that includes the above apparatus for obtaining attacker information.
An embodiment of the present disclosure further provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being configured to execute the above method for obtaining attacker information.
An embodiment of the present disclosure further provides a computer program product, the computer program product including a computer program stored on a computer-readable storage medium, the computer program including program instructions which, when executed by a computer, cause the computer to execute the above method for obtaining attacker information.
The above computer-readable storage medium may be a transitory computer-readable storage medium or a non-transitory computer-readable storage medium.
An embodiment of the present disclosure further provides an electronic device whose structure is shown in FIG. 6. The electronic device includes:
at least one processor 100 (one processor 100 is taken as an example in FIG. 6) and a memory 101, and may further include a communication interface 102 and a bus 103. The processor 100, the communication interface 102, and the memory 101 may communicate with each other through the bus 103. The communication interface 102 may be used for information transmission. The processor 100 may invoke the logic instructions in the memory 101 to execute the method for obtaining attacker information of the above embodiments.
In addition, when the logic instructions in the memory 101 are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium.
The memory 101, as a computer-readable storage medium, may be used to store software programs and computer-executable programs, such as the program instructions/modules corresponding to the methods in the embodiments of the present disclosure. By running the software programs, instructions, and modules stored in the memory 101, the processor 100 executes functional applications and data processing, that is, implements the method for obtaining attacker information of the above method embodiments.
The memory 101 may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required by at least one function, and the data storage area may store data created according to the use of the terminal device, and so on. In addition, the memory 101 may include a high-speed random access memory and may also include a non-volatile memory.
The technical solutions of the embodiments of the present disclosure may be embodied in the form of a software product stored in a storage medium and including one or more instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the present disclosure. The aforementioned storage medium may be a non-transitory storage medium, including various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc, or it may be a transitory storage medium.
When used in this application, although the terms "first", "second", and so on may be used to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, without changing the meaning of the description, a first element could be termed a second element, and likewise a second element could be termed a first element, as long as all occurrences of "first element" are renamed consistently and all occurrences of "second element" are renamed consistently. The first element and the second element are both elements, but they may not be the same element.
The terminology used in this application is for the purpose of describing embodiments only and is not intended to limit the claims. As used in the description of the embodiments and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Similarly, the term "and/or" as used in this application refers to and encompasses any and all possible combinations of one or more of the associated listed items. In addition, when used in this application, the terms "comprise", "comprises", and/or "comprising" specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The aspects, embodiments, implementations, or features of the described embodiments can be used separately or in any combination. Aspects of the described embodiments can be implemented by software, hardware, or a combination of software and hardware. The described embodiments can also be embodied by a computer-readable medium storing computer-readable code that includes instructions executable by at least one computing device. The computer-readable medium can be associated with any data storage device capable of storing data that can be read by a computer system. Examples of computer-readable media include read-only memory, random access memory, CD-ROM, HDD, DVD, magnetic tape, optical data storage devices, and the like. The computer-readable medium can also be distributed over network-coupled computer systems so that the computer-readable code is stored and executed in a distributed fashion.
The above technical description may refer to the accompanying drawings, which form a part of this application and which show, by way of illustration, implementations in accordance with the described embodiments. Although these embodiments are described in sufficient detail to enable those skilled in the art to practice them, they are non-limiting, so that other embodiments may be used and changes may be made without departing from the scope of the described embodiments. For example, the order of operations described in a flowchart is non-limiting, so the order of two or more operations illustrated in and described with reference to a flowchart may be changed in accordance with several embodiments. As another example, in several embodiments, one or more operations illustrated in and described with reference to a flowchart are optional or may be deleted. In addition, certain steps or functions may be added to the disclosed embodiments, or the order of two or more steps may be swapped. All such variations are considered to be encompassed by the disclosed embodiments and the claims.
In addition, terminology is used in the above technical description to provide a thorough understanding of the described embodiments. However, excessive detail is not required to practice the described embodiments. Therefore, the above description of the embodiments is presented for purposes of illustration and description. The embodiments presented in the above description, and the examples disclosed in accordance with them, are provided to add context and to aid understanding of the described embodiments. The above description is not intended to be exhaustive or to limit the described embodiments to the precise form disclosed. Many modifications, selections, and variations are possible in light of the above teachings. In some cases, well-known process steps have not been described in detail in order to avoid unnecessarily obscuring the described embodiments.

Claims (32)

  1. A method for obtaining attacker information, comprising:
    obtaining the information of a target attacker in an actual environment according to the information of the target attacker in a virtual network and collectable attacker information.
  2. The method according to claim 1, wherein, before obtaining the information of the target attacker in the actual environment, the method further comprises:
    obtaining the information of the target attacker in the virtual network.
  3. The method according to claim 2, wherein obtaining the information of the target attacker in the virtual network comprises:
    obtaining the information of the target attacker in the virtual network according to attack event information corresponding to the target attacker.
  4. The method according to claim 3, wherein the attack event information comprises at least one of the following: a name of the attack event, a time at which the attack event occurred, a location at which the attack event occurred, and identification information of the attack event.
  5. The method according to any one of claims 1 to 4, wherein the collectable attacker information comprises: attacker information that has already been collected, or attacker information that has not yet been collected but can be collected.
  6. The method according to any one of claims 1 to 4, wherein obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information comprises:
    determining whether the information of the target attacker in the virtual network exists in the collectable attacker information;
    if the information of the target attacker in the virtual network exists in the collectable attacker information, obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
  7. The method according to any one of claims 1 to 4, wherein, before obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information, the method further comprises:
    storing collected attacker information in a database, the attacker information comprising at least one of the following: the information of the attacker in the virtual network, or the information of the attacker in the actual environment.
  8. The method according to claim 7, wherein obtaining the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information comprises:
    determining whether the information of the target attacker in the virtual network exists in the database;
    if the information of the target attacker in the virtual network exists in the database, obtaining the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
  9. The method according to claim 8, further comprising:
    if the information of the target attacker in the virtual network does not exist in the database, storing the information of the target attacker in the virtual network in the database.
  10. The method according to claim 7, wherein the database comprises at least one piece of information, each piece of information comprising at least one of the following: the information of an attacker in the virtual network, and the information of that attacker in the actual environment.
  11. The method according to claim 10, wherein
    the information of any attacker in the virtual network comprises at least one of the following: the attacker's identity (ID) in the virtual network, a domain name, an IP address, a media access control (MAC) address, an attack method, and hacking tools used.
  12. The method according to claim 10, wherein
    the information of any attacker in the actual environment comprises at least one of the following: the attacker's identity in the actual environment, age, attack record, the location from which the network attack was carried out, and the background and purpose of the attack.
  13. The method according to claim 10, further comprising:
    if the number of information entries included in the database is greater than a preset threshold, obtaining the usage frequency of each piece of information in the database;
    deleting the information whose usage frequency is less than a preset frequency.
  14. The method according to claim 13, wherein deleting the information whose usage frequency is less than the preset frequency comprises:
    obtaining an operation instruction from a user;
    deleting, according to the user's operation instruction, the information whose usage frequency is less than the preset frequency.
  15. An apparatus for obtaining attacker information, comprising:
    a first obtaining module, configured to obtain the information of a target attacker in an actual environment according to the information of the target attacker in a virtual network and collectable attacker information.
  16. The apparatus according to claim 15, further comprising:
    a second obtaining module, configured to obtain the information of the target attacker in the virtual network.
  17. The apparatus according to claim 16, wherein the second obtaining module is configured to:
    obtain the information of the target attacker in the virtual network according to attack event information corresponding to the target attacker.
  18. The apparatus according to claim 17, wherein the attack event information comprises at least one of the following: a name of the attack event, a time at which the attack event occurred, a location at which the attack event occurred, and identification information of the attack event.
  19. The apparatus according to any one of claims 15 to 18, wherein the collectable attacker information comprises: attacker information that has already been collected, or attacker information that has not yet been collected but can be collected.
  20. The apparatus according to any one of claims 15 to 18, wherein the first obtaining module is configured to:
    determine whether the information of the target attacker in the virtual network exists in the collectable attacker information;
    if the information of the target attacker in the virtual network exists in the collectable attacker information, obtain the information of the target attacker in the actual environment according to the information of the target attacker in the virtual network and the collectable attacker information.
  21. The apparatus according to any one of claims 15 to 18, further comprising:
    a storage module, configured to store collected attacker information in a database, the attacker information comprising at least one of the following: the information of the attacker in the virtual network, or the information of the attacker in the actual environment.
  22. The apparatus according to claim 21, wherein the first obtaining module is configured to:
    determine whether the information of the target attacker in the virtual network exists in the database;
    if the information of the target attacker in the virtual network exists in the database, obtain the information of the target attacker in the actual environment from the database according to the information of the target attacker in the virtual network.
  23. The apparatus according to claim 22, wherein the storage module is configured to:
    if the information of the target attacker in the virtual network does not exist in the database, store the information of the target attacker in the virtual network in the database.
  24. 根据权利要求21所述的装置,其特征在于,所述数据库包括:至少一条信息,每条信息包括以下至少一项:一个攻击者在虚拟网络中的信息,该攻击者在实际环境中的信息。The apparatus according to claim 21, wherein the database includes: at least one piece of information, and each piece of information includes at least one of the following: information of an attacker in a virtual network, information of the attacker in an actual environment .
  25. 根据权利要求24所述的装置,其特征在于,The device according to claim 24, characterized in that
    任一个攻击者在虚拟网络中的信息包括以下至少一项:该攻击者在虚拟网络中的身份标识ID、域名、IP地址、媒体访问控制MAC地址、攻击方式、所使用的黑客工具。The information of any attacker in the virtual network includes at least one of the following: the attacker's identity in the virtual network, domain name, IP address, media access control MAC address, attack method, and hacking tools used.
  26. 根据权利要求24所述的装置,其特征在于,The device according to claim 24, characterized in that
    任一个攻击者在实际环境中的信息包括以下至少一项:该攻击者在实际环境中的身份、年龄、攻击记录以及进行网络攻击时所处的位置。The information of any attacker in the actual environment includes at least one of the following: the identity, age, attack record, and location of the attacker in the actual environment.
  27. 根据权利要求21所述的装置,其特征在于,还包括:The device according to claim 21, further comprising:
    第三获取模块,配置为:若所述数据库中包括的信息条目数大于预设阈值,则获取所述数据库中每条信息的使用频率;The third obtaining module is configured to: if the number of information items included in the database is greater than a preset threshold, obtain the frequency of use of each piece of information in the database;
    处理模块,配置为:删除使用频率小于预设频率的信息。The processing module is configured to delete information whose usage frequency is less than a preset frequency.
  28. 根据权利要求27所述的装置,其特征在于,所述处理模块,配置为:The apparatus according to claim 27, wherein the processing module is configured to:
    获取用户的操作指令;Obtain the user's operation instructions;
    根据所述用户的操作指令,删除使用频率小于预设频率的信息。According to the user's operation instruction, delete the information whose usage frequency is less than the preset frequency.
  29. 一种计算机,其特征在于,包含权利要求15-28任一项所述的装置。A computer, characterized by comprising the device according to any one of claims 15-28.
  30. An electronic device, comprising:
    at least one processor; and
    a memory communicatively connected to the at least one processor; wherein
    the memory stores instructions executable by the at least one processor, and the instructions, when executed by the at least one processor, cause the at least one processor to perform the method according to any one of claims 1-14.
  31. A computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being configured to perform the method according to any one of claims 1-14.
  32. A computer program product, comprising a computer program stored on a computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1-14.
Priority Applications (2)

Application Number  Priority Date  Filing Date  Title
CN201880098313.1A (CN112789835A)  2018-11-30  2018-11-30  Method, device, equipment and storage medium for acquiring attacker information
PCT/CN2018/118691 (WO2020107446A1)  2018-11-30  2018-11-30  Method and apparatus for obtaining attacker information, device, and storage medium

Publications (1)

Publication Number  Publication Date
WO2020107446A1  2020-06-04

Family ID: 70852658

Country Status (2)

CN (1) CN112789835A
WO (1) WO2020107446A1


Also Published As

Publication number Publication date
CN112789835A (en) 2021-05-11


Legal Events

Code  Title  Description
121  Ep: the epo has been informed by wipo that ep was designated in this application  (Ref document number: 18941889; Country of ref document: EP; Kind code of ref document: A1)
NENP  Non-entry into the national phase  (Ref country code: DE)
32PN  Ep: public notification in the ep bulletin as address of the adressee cannot be established  (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 08/09/2021))
122  Ep: pct application non-entry in european phase  (Ref document number: 18941889; Country of ref document: EP; Kind code of ref document: A1)