CN108881294A - Attack source IP portrait generation method and device based on attack - Google Patents

Info

Publication number
CN108881294A
Authority
CN
China
Prior art keywords
attack
target
source
information
attack source
Prior art date
Legal status
Granted
Application number
CN201810815080.4A
Other languages
Chinese (zh)
Other versions
CN108881294B (en)
Inventor
王世晋
范渊
黄进
Current Assignee
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date
Filing date
Publication date
Legal events
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201810815080.4A (granted as CN108881294B)
Publication of CN108881294A
Application granted; publication of CN108881294B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The present invention provides an attack source IP portrait generation method and device based on attack behaviour, in the technical field of network security. The method includes: determining a target attack source; extracting all data that records the target attack source from a network security alarm database to obtain target alarm data, where the network security alarm database includes alarm data of multiple attack sources; obtaining attack attribute information of the target attack source by statistics over the target alarm data; and generating the IP portrait of the target attack source according to the attack attribute information. This solves the technical problem in the prior art that the means of obtaining information about the attack source of an attack are limited, so that the attack source IP of a network attack cannot be understood effectively.

Description

Attack source IP portrait generation method and device based on attack
Technical field
The present invention relates to the technical field of network security, and more particularly to an attack source IP portrait generation method and device based on attack behaviour.
Background technique
A network attack is an attack on the hardware and software of a network system, and on the data in that system, that exploits vulnerabilities and security defects present in the network.
Currently, the main methods of network attack include many types: password intrusion, Trojan horses, e-mail, node attacks, network monitoring, network spoofing, hacker software, security vulnerabilities, port scanning and so on.
The means of obtaining information about the attack source of an existing attack are limited, so the attack source IP of a network attack (the IP address of a computer on the network) cannot be understood effectively.
Summary of the invention
In view of this, the purpose of the present invention is to provide an attack source IP portrait generation method and device based on attack behaviour, to solve the technical problem in the prior art that the means of obtaining attack source information are limited, so that the attack source IP of a network attack cannot be understood effectively.
In a first aspect, an embodiment of the present invention provides an attack source IP portrait generation method based on attack behaviour, including:
determining a target attack source;
extracting all data that records the target attack source from a network security alarm database to obtain target alarm data, where the network security alarm database includes alarm data of multiple attack sources;
obtaining attack attribute information of the target attack source by statistics over the target alarm data;
generating the IP portrait of the target attack source according to the attack attribute information.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation of the first aspect, in which the method further includes:
obtaining network security alarm information from multiple servers, where the network security alarm information includes historical alarm information and alarm information obtained at the current time;
generating the network security alarm database from the network security alarm information obtained.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation of the first aspect, in which determining the target attack source includes:
obtaining network security alarm information from multiple servers, extracting attack source IP addresses from the network security alarm information, and generating an IP address list from those IP addresses;
determining the target attack source from the IP address list, where the IP address list includes the IP addresses of several attack sources.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation of the first aspect, in which generating the IP portrait of the target attack source according to the attack attribute information includes:
determining network attribute data of the target attack source according to the attack attribute information, and obtaining an attribute model of the target attack source from the network attribute data;
analysing the attack behaviour and network attack characteristics of the target attack source according to the attack attribute information, to obtain a dimension model of the target attack source;
generating the IP portrait of the target attack source from the attribute model and the dimension model.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation of the first aspect, in which obtaining the attack attribute information of the target attack source by statistics over the target alarm data includes:
obtaining a threat intelligence database;
counting the information of the target attack source from the target alarm data and the data in the threat intelligence database, to obtain the attack attribute information of the target attack source.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation of the first aspect, in which the attack attribute information includes the attack intent of the attack behaviour;
and counting the information of the target attack source from the target alarm data and the data in the threat intelligence database, to obtain the attack attribute information of the target attack source, includes:
obtaining the attack target of the target attack source's attack behaviour from the target alarm data;
obtaining information about the attack target from the threat intelligence database;
obtaining the attack intent of the attack source's attack behaviour according to the information about the attack target.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation of the first aspect, in which the attack attribute information includes at least one of: the attack type, attack intent, attack target and attack tool of the attack behaviour.
In a second aspect, an embodiment of the present invention also provides an attack source IP portrait generation device based on attack behaviour, including:
a determining module, for determining a target attack source;
an extraction module, for extracting all data that records the target attack source from a network security alarm database to obtain target alarm data, where the network security alarm database includes alarm data of multiple attack sources;
an obtaining module, for obtaining attack attribute information of the target attack source by statistics over the target alarm data;
a generation module, for generating the IP portrait of the target attack source according to the attack attribute information.
In a third aspect, an embodiment of the present invention also provides an electronic device including a memory and a processor, the memory storing a computer program that can run on the processor, and the processor implementing the steps of the method of the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present invention also provides a computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to execute the method of the first aspect.
The technical solution provided by the embodiments of the present invention has the following beneficial effect. The attack source IP portrait generation method and device based on attack behaviour provided by the embodiments include: first, determining a target attack source; then extracting all data that records the target attack source from a network security alarm database to obtain target alarm data, where the network security alarm database includes alarm data of multiple attack sources; then obtaining attack attribute information of the target attack source by statistics over the target alarm data; and finally generating the IP portrait of the target attack source according to the attack attribute information. By obtaining the alarm data of an attack source from the network security alarm database, counting over that alarm data, and generating the attack source's IP portrait from the attack attribute information obtained by the statistics, the attack source IP portrait is obtained, so the attack source IP can be understood effectively from many aspects through its portrait. This solves the technical problem in the prior art that the means of obtaining attack source information are limited and the attack source IP of a network attack cannot be understood effectively.
Other features and advantages of the present invention will be set out in the following description, and will in part become apparent from the description or be learned by practising the invention. The objectives and other advantages of the invention are realised and obtained by the structures particularly pointed out in the description and the accompanying drawings.
To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below together with the accompanying drawings.
Detailed description of the invention
To illustrate the specific embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 shows a flow chart of the attack source IP portrait generation method based on attack behaviour provided by embodiment one of the present invention;
Fig. 2 shows a flow chart of the attack source IP portrait generation method based on attack behaviour provided by embodiment two of the present invention;
Fig. 3 shows a structural schematic diagram of the attack source IP portrait generation device based on attack behaviour provided by embodiment three of the present invention;
Fig. 4 shows a structural schematic diagram of the electronic device provided by embodiment four of the present invention.
Reference numerals: 3 - attack source IP portrait generation device based on attack behaviour; 31 - determining module; 32 - extraction module; 33 - obtaining module; 34 - generation module; 4 - electronic device; 41 - memory; 42 - processor; 43 - bus; 44 - communication interface.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Currently, the IP address plays a vital role in the transmission of network information data. However, the means of obtaining information about the attack source of an existing network attack are limited, and the attack source IP of a network attack cannot be understood effectively, so we usually have no concept of the specific "image" behind the role played by a given IP.
Based on this, the embodiments of the present invention provide an attack source IP portrait generation method and device based on attack behaviour, which solve the technical problem in the prior art that the means of obtaining attack source information are limited and the attack source IP of a network attack cannot be understood effectively.
To facilitate understanding of the present embodiment, the attack source IP portrait generation method and device based on attack behaviour disclosed in the embodiments of the present invention are first described in detail.
Embodiment one:
An embodiment of the present invention provides an attack source IP portrait generation method based on attack behaviour, as shown in Fig. 1. The method includes:
S11: determine the target attack source.
S12: extract all data that records the target attack source from the network security alarm database, obtaining the target alarm data.
In this step, the network security alarm database includes the alarm data of multiple attack sources. The alarm data can be alarm logs and/or alarm records.
S13: obtain the attack attribute information of the target attack source by statistics over the target alarm data.
S14: generate the IP portrait of the target attack source according to the attack attribute information.
In this embodiment, by counting the attack attribute information of the target attack source with the network security alarm database, the "image" of a malicious IP address in cyberspace can be portrayed. The attack source IP portrait generated can provide high-value threat intelligence and clues for tracking and tracing, which has important practical significance.
Embodiment two:
An embodiment of the present invention provides an attack source IP portrait generation method based on attack behaviour, as shown in Fig. 2. The method includes:
S21: obtain network security alarm information from multiple servers, extract attack source IP addresses from the network security alarm information, and generate an IP address list from those IP addresses.
As a preferred implementation, the network security alarm information here consists of the alarm logs and records related to network security. In this step, attack source IP addresses are extracted from the network security alarm information to generate an IP address list object.
S22: determine the target attack source from the IP address list.
Note that the IP address list includes the IP addresses of several attack sources. In this step the target attack source is determined from the IP address list; naturally, IP objects can also be taken from the IP address list one by one.
S23: obtain network security alarm information from multiple servers.
The network security alarm information includes the historical alarm information and the network security alarm information obtained at the current time. In this step, all records related to the IP objects are extracted from the uploaded log data and the existing historical log data.
S24: generate the network security alarm database from the network security alarm information obtained.
S25: extract all data that records the target attack source from the network security alarm database, obtaining the target alarm data.
As a preferred implementation of this embodiment, the network security alarm database includes the alarm data of multiple attack sources.
S26: obtain the attack attribute information of the target attack source by statistics over the target alarm data.
Specifically, this step may include: first, obtaining a threat intelligence database; then counting the information of the target attack source from the target alarm data and the data in the threat intelligence database, to obtain the attack attribute information of the target attack source. The attributes and dimension information of the IP object can therefore be counted from many aspects by combining threat intelligence data with the existing alarm log data.
In practical applications, the attack attribute information includes at least one of: the attack type, attack intent, attack target and attack tool of the attack behaviour. The range of statistics therefore includes, but is not limited to, attack type, attack intent, attack target, attack tool, whether the IP is in an IDC network segment, whether it is a proxy, physical address, reverse domain name, browser information, number of attacks, region and language, and so on.
If statistics are gathered on the attack intent of the attack behaviour, the step can specifically include: first, obtaining the attack target of the target attack source's attack behaviour from the target alarm data; then obtaining information about the attack target from the threat intelligence database; and finally obtaining the attack intent of the attack source's attack behaviour according to the information about the attack target.
Further, in the statistics the attack intent can be judged from information such as the industry of the attack target and the threat level of the attack payload. Attack intents include, but are not limited to, stealing system data, obtaining system privileges, executing system commands, and so on.
In addition, when counting reverse domain names, the threat intelligence data must be combined with the HTTP request HOST header field in the logs for the judgement. When judging whether an IP object is a proxy, the proxy server fingerprint information in the data packets, such as "Proxy", "X-Forwarded-For" and "X-Real-IP", is checked first. When judging whether an IP is an IDC address, the IDC network segment information in the threat intelligence can be used.
S27: determine the network attribute data of the target attack source according to the attack attribute information, and obtain the attribute model of the target attack source from the network attribute data.
S28: analyse the attack behaviour and network attack characteristics of the target attack source according to the attack attribute information, obtaining the dimension model of the target attack source.
S29: generate the IP portrait of the target attack source from the attribute model and the dimension model.
Note that an IP portrait is the multi-dimensional information related to an IP address obtained after counting the behaviour and characteristics of that IP address from many aspects.
As another implementation of this embodiment, after the IP portrait is obtained, the result of the IP portrait can also be saved to a database.
Therefore, with the attack source IP portrait generation method based on attack behaviour provided by this embodiment, information such as the attack source IP, attack source port, attack type, attack target and PAYLOAD (the core, effective attack load carried in the attack data packet) can be extracted from the logs related to the network attack, the similar features of the attack logs can be sorted and counted, and a portrait of a given IP address obtained through statistics and analytical calculation, including the attack types involved in the attack source IP, the range of attack targets, number of attacks, physical location, reverse domain name, region and language, browser information, IDC information, proxy information, attack tools and so on. Finally, the attack source IP portrait generated in this embodiment can provide high-value threat intelligence and clues for tracking and tracing, which has important practical significance.
In the prior art, the "image" of an IP address can only be understood by querying open-source threat intelligence; because open-source threat intelligence records are incomplete, the portrait information of a given malicious IP address cannot be understood comprehensively. Moreover, this method relies excessively on open-source intelligence and departs from the real attack data; if the open-source intelligence contains errors, important clues are easily missed. Furthermore, the credibility of open-source threat intelligence cannot be guaranteed.
By basing the multi-dimensional statistics on the existing alarm logs and records related to network security attacks, combined with open-source threat intelligence, a true portrait of the attack source IP address in the logs is obtained: the portrait information generated is more accurate, the data supporting the analysed portrait attributes is held in hand, and the credibility of the portrait result is guaranteed.
Therefore, once an IP address shows any malicious behaviour it becomes an important piece of cyberspace security threat intelligence, and technical support for portraying malicious IP addresses is indispensable when collecting threat intelligence. In this embodiment, malicious and harmful attack records are extracted from the network security related logs and comprehensively counted and analysed with the attack source IP address as the object; the analysis results serve as the many-sided attributes of that IP address, such as the attack types in the spatial dimension, attack intent and target range, attack tools used, whether it is in an IDC network segment, whether it is a proxy, physical address, reverse domain name, browser fingerprint and so on. Filling in the attributes of the malicious attack source IP address in this way lets security workers form a more intuitive "image" of the IP address after portraying, which has important practical significance.
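The statistics of steps S21 to S29, including the intent, proxy and IDC judgements described under S26, carried out on constructed alarm records. This is an added example written for this page, not code from the patent or its assignee; the record layout, the threat-intelligence table, the rDNS field and the intent rules are assumptions of the example.

```python
"""Attack-source IP portrait from alarm records plus threat intelligence.
Added example following embodiment two (S21-S29); the records, intelligence
table, header names and intent rules are constructed for the example."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Proxy fingerprints named on the page: header fields a proxy typically inserts.
PROXY_HEADERS = ("Proxy", "X-Forwarded-For", "X-Real-IP")

# Constructed alarm records standing in for the network security alarm database.
ALARMS = [
    {"src_ip": "203.0.113.7", "src_port": 51000, "target": "shop.example",
     "attack_type": "sql_injection", "tool": "sqlmap", "payload": "' OR 1=1--",
     "headers": {"Host": "shop.example", "User-Agent": "sqlmap/1.3"}},
    {"src_ip": "203.0.113.7", "src_port": 51001, "target": "shop.example",
     "attack_type": "sql_injection", "tool": "sqlmap", "payload": "UNION SELECT 1,2",
     "headers": {"Host": "shop.example", "User-Agent": "sqlmap/1.3",
                 "X-Forwarded-For": "198.51.100.9"}},
    {"src_ip": "203.0.113.7", "src_port": 51002, "target": "intranet.example",
     "attack_type": "webshell_upload", "tool": "antsword", "payload": "cmd=whoami",
     "headers": {"Host": "intranet.example", "User-Agent": "antSword/2.1"}},
    {"src_ip": "192.0.2.44", "src_port": 40000, "target": "shop.example",
     "attack_type": "port_scan", "tool": "nmap", "payload": "", "headers": {}},
]

# Constructed threat-intelligence database: per-target context, IDC network
# segments, and reverse-DNS records keyed by source IP (all assumed fields).
THREAT_INTEL = {
    "targets": {
        "shop.example": {"industry": "retail", "data_sensitivity": "high"},
        "intranet.example": {"industry": "government", "data_sensitivity": "high"},
    },
    "idc_segments": ["203.0.113.0/24"],
    "reverse_dns": {"203.0.113.7": "vps-7.hosting.example"},
}

def determine_target_sources(alarms):
    """S21: the list of distinct attacker IPs seen in the alarm information."""
    return sorted({rec["src_ip"] for rec in alarms})

def extract_target_alarms(alarms, ip):
    """S25: every record in the alarm database that names the target source."""
    return [rec for rec in alarms if rec["src_ip"] == ip]

def is_proxy(records):
    """Proxy check: any record carries one of the proxy fingerprint headers."""
    return any(h in rec["headers"] for rec in records for h in PROXY_HEADERS)

def in_idc(ip, segments):
    """IDC check: the IP lies inside an IDC network segment from threat intel."""
    addr = ip_address(ip)
    return any(addr in ip_network(seg) for seg in segments)

def infer_intent(record, target_info):
    """Attack intent from the target's context and the payload, using the
    intents listed on the page; the rule set itself is this example's assumption."""
    payload = record["payload"].lower()
    if record["attack_type"] == "webshell_upload" or "cmd=" in payload:
        return "execute system commands"
    if record["attack_type"] == "privilege_escalation":
        return "obtain system privileges"
    sensitive = target_info.get("data_sensitivity") == "high"
    if record["attack_type"] == "sql_injection" and sensitive:
        return "steal system data"
    return "unknown"

def build_portrait(ip, alarms, intel):
    """S25-S29: statistics over the target's alarms, split into the attribute
    model (network facts about the IP) and the dimension model (attack behaviour)."""
    records = extract_target_alarms(alarms, ip)
    if not records:
        return None
    targets = intel["targets"]
    intents = {infer_intent(r, targets.get(r["target"], {})) for r in records}
    attribute_model = {
        "ip": ip,
        "in_idc": in_idc(ip, intel["idc_segments"]),
        "is_proxy": is_proxy(records),
        # Reverse domain from threat-intel rDNS; logged Host fields kept as context.
        "reverse_domain": intel["reverse_dns"].get(ip),
        "host_fields_seen": sorted({r["headers"].get("Host", "") for r in records} - {""}),
        "browser_info": sorted({r["headers"].get("User-Agent", "") for r in records} - {""}),
    }
    dimension_model = {
        "attack_count": len(records),
        "attack_types": dict(Counter(r["attack_type"] for r in records)),
        "attack_targets": sorted({r["target"] for r in records}),
        "attack_tools": sorted({r["tool"] for r in records}),
        "attack_intents": sorted(intents),
    }
    return {"attribute_model": attribute_model, "dimension_model": dimension_model}

if __name__ == "__main__":
    for src in determine_target_sources(ALARMS):
        print(build_portrait(src, ALARMS, THREAT_INTEL))
```

In a deployment the alarm records would come from the alarm database of S24 and the intelligence table from the threat intelligence database of S26; the portrait dict is what S29 would save.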
Embodiment three:
An embodiment of the present invention provides an attack source IP portrait generation device based on attack behaviour, as shown in Fig. 3. The attack source IP portrait generation device 3 based on attack behaviour includes: a determining module 31, an extraction module 32, an obtaining module 33 and a generation module 34.
Preferably, the determining module is used to determine the target attack source. The extraction module is used to extract all data that records the target attack source from the network security alarm database, obtaining the target alarm data, where the network security alarm database includes the alarm data of multiple attack sources.
As a preferred implementation, the obtaining module is used to obtain the attack attribute information of the target attack source by statistics over the target alarm data. The generation module is used to generate the IP portrait of the target attack source according to the attack attribute information.
The attack source IP portrait generation device based on attack behaviour provided by this embodiment has the same technical features as the attack source IP portrait generation method based on attack behaviour provided by the above embodiments, so it can solve the same technical problem and achieve the same technical effect.
Embodiment four:
An embodiment of the present invention provides an electronic device; as shown in Fig. 4, the electronic device 4 includes a memory 41 and a processor 42. The memory stores a computer program that can run on the processor, and the processor implements the steps of the method provided by embodiment one or embodiment two when executing the computer program.
Referring to Fig. 4, the electronic device further includes a bus 43 and a communication interface 44. The processor 42, the communication interface 44 and the memory 41 are connected through the bus 43; the processor 42 is used to execute the executable modules, such as the computer program, stored in the memory 41.
The memory 41 may include high-speed random access memory (RAM) and may further include non-volatile memory, for example at least one disk memory. The communication connection between this system's network element and at least one other network element is realised through at least one communication interface 44 (wired or wireless), using the Internet, a wide area network, a local network, a metropolitan area network (MAN), etc.
The bus 43 can be an ISA bus, a PCI bus, an EISA bus, etc. The bus can be divided into an address bus, a data bus, a control bus, etc. For ease of representation only one double-headed arrow is used in Fig. 4, but this does not mean that there is only one bus or only one type of bus.
The memory 41 is used to store the program, and the processor 42 executes the program after receiving an execution instruction. The method performed by the stream-processing device defined in any of the foregoing embodiments of the present invention can be applied to, or implemented by, the processor 42.
The processor 42 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method can be completed by the integrated logic circuits of the hardware in the processor 42 or by instructions in the form of software. The processor 42 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. It can implement or execute each method, step and logic diagram disclosed in the embodiments of the present invention. The general-purpose processor can be a microprocessor, or any conventional processor. The steps of the method disclosed in the embodiments of the present invention can be embodied directly as being completed by a hardware decoding processor, or by a combination of the hardware and software modules in the decoding processor. The software module can be located in a storage medium mature in the field, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 41; the processor 42 reads the information in the memory 41 and completes the steps of the above method in combination with its hardware.
Embodiment five:
An embodiment of the present invention provides a computer-readable medium having non-volatile program code executable by a processor, the program code causing the processor to execute the method provided by embodiment one or embodiment two.
Unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set out in these embodiments do not limit the scope of the present invention.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems and devices described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In all examples shown and described here, any specific value should be construed as merely illustrative, not as a limitation; other examples of the exemplary embodiments may therefore have different values.
Note that similar reference numerals and letters denote similar items in the following drawings, so once an item is defined in one drawing it need not be further defined or explained in subsequent drawings.
The flow charts and block diagrams in the drawings show the possible architecture, functions and operation of the systems, methods and computer program products of multiple embodiments of the present invention. In this regard, each box in a flow chart or block diagram can represent a module, a program segment or a part of code, which includes one or more executable instructions for realising the specified logical function. It should also be noted that in some alternative implementations the functions marked in the boxes can occur in an order different from that shown in the drawings. For example, two consecutive boxes can in fact be executed substantially in parallel, or sometimes in the opposite order, depending on the functions involved. It should also be noted that each box in a block diagram and/or flow chart, and combinations of boxes in a block diagram and/or flow chart, can be realised by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions.
The computer-readable medium having non-volatile program code executable by a processor provided by the embodiments of the present invention has the same technical features as the attack source IP portrait generation method, device and electronic device based on attack behaviour provided by the above embodiments, so it can solve the same technical problem and achieve the same technical effect.
The computer program product for performing the attack source IP portrait generation method based on attack behaviour provided by the embodiments of the present invention includes a computer-readable storage medium storing non-volatile program code executable by a processor; the instructions included in the program code can be used to execute the method described in the foregoing method embodiments, and for the specific implementation reference is made to the method embodiments, which are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods can be implemented in other ways. The device embodiments described above are merely exemplary; for example, the division of the units is only a logical functional division, and there may be other divisions in actual implementation; for instance, multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. Also, the mutual coupling, direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection through some communication interfaces, devices or units, and can be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they can be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of this embodiment's solution.
It, can also be in addition, the functional units in various embodiments of the present invention may be integrated into one processing unit It is that each unit physically exists alone, can also be integrated in one unit with two or more units.
It, can be with if the function is realized in the form of SFU software functional unit and when sold or used as an independent product It is stored in a computer readable storage medium.Based on this understanding, technical solution of the present invention is substantially in other words The part of the part that contributes to existing technology or the technical solution can be embodied in the form of software products, the meter Calculation machine software product is stored in a storage medium, including some instructions are used so that a computer equipment (can be a People's computer, server or network equipment etc.) it performs all or part of the steps of the method described in the various embodiments of the present invention. And storage medium above-mentioned includes:USB flash disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), arbitrary access are deposited The various media that can store program code such as reservoir (RAM, Random Access Memory), magnetic or disk.
Finally it should be noted that:Embodiment described above, only a specific embodiment of the invention, to illustrate the present invention Technical solution, rather than its limitations, scope of protection of the present invention is not limited thereto, although with reference to the foregoing embodiments to this hair It is bright to be described in detail, those skilled in the art should understand that:Anyone skilled in the art In the technical scope disclosed by the present invention, it can still modify to technical solution documented by previous embodiment or can be light It is readily conceivable that variation or equivalent replacement of some of the technical features;And these modifications, variation or replacement, do not make The essence of corresponding technical solution is detached from the spirit and scope of technical solution of the embodiment of the present invention, should all cover in protection of the invention Within the scope of.Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

  1. A method for generating an attack-source IP portrait based on attack behavior, characterized in that it comprises:
    determining a target attack source;
    extracting from a network security alert database all data recording the target attack source to obtain target alert data, wherein the network security alert database comprises alert data of multiple attack sources;
    obtaining attack attribute information of the target attack source by statistics on the target alert data;
    generating the IP portrait of the target attack source according to the attack attribute information.
  2. The method according to claim 1, characterized in that the method further comprises:
    obtaining network security alert information from multiple servers, wherein the network security alert information comprises historical alert information already obtained and network security alert information obtained at the current time;
    generating the network security alert database according to the obtained network security alert information.
  3. The method according to claim 1 or 2, characterized in that determining the target attack source comprises:
    obtaining network security alert information from multiple servers, extracting IP addresses of attack sources from the network security alert information, and generating an IP address list based on the IP addresses;
    determining the target attack source based on the IP address list, wherein the IP address list comprises the IP addresses of several attack sources.
  4. The method according to claim 1, characterized in that generating the IP portrait of the target attack source according to the attack attribute information comprises:
    determining network attribute data of the target attack source according to the attack attribute information, and obtaining an attribute model of the target attack source based on the network attribute data;
    analyzing the attack behavior and network attack characteristics of the target attack source according to the attack attribute information to obtain a dimensional model of the target attack source;
    generating the IP portrait of the target attack source according to the attribute model and the dimensional model.
  5. The method according to claim 1, characterized in that obtaining the attack attribute information of the target attack source by statistics on the target alert data comprises:
    obtaining a threat intelligence database;
    performing statistics on the information of the target attack source based on the target alert data and the data in the threat intelligence database to obtain the attack attribute information of the target attack source.
  6. The method according to claim 5, characterized in that the attack attribute information comprises the attack intention of the attack behavior;
    performing statistics on the information of the target attack source based on the target alert data and the data in the threat intelligence database to obtain the attack attribute information of the target attack source comprises:
    obtaining the attack target of the attack behavior of the target attack source from the target alert data;
    obtaining information about the attack target from the threat intelligence database;
    obtaining the attack intention of the attack behavior of the attack source according to the information about the attack target.
  7. The method according to claim 1, characterized in that the attack attribute information comprises at least one of: the attack type, attack intention, attack target and attack tool of the network attack.
  8. A device for generating an attack-source IP portrait based on attack behavior, characterized in that it comprises:
    a determining module for determining a target attack source;
    an extraction module for extracting from a network security alert database all data recording the target attack source to obtain target alert data, wherein the network security alert database comprises alert data of multiple attack sources;
    an obtaining module for obtaining attack attribute information of the target attack source by statistics on the target alert data;
    a generation module for generating the IP portrait of the target attack source according to the attack attribute information.
  9. An electronic device comprising a memory and a processor, the memory storing a computer program runnable on the processor, characterized in that when the processor executes the computer program it implements the steps of the method according to any one of claims 1 to 7.
  10. A computer-readable medium carrying processor-executable non-volatile program code, characterized in that the program code causes the processor to execute the method according to any one of claims 1 to 7.
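The pipeline of claims 1 to 7 worked through in code, as an added example that is not part of the patent or the applicant's implementation: an in-memory alert store stands in for the network security alert database, a dictionary keyed by attacked asset stands in for the threat intelligence database, and the field names, sample IPs and intent labels are all constructed for this illustration.

```python
from collections import Counter
from typing import Dict, List

Alert = Dict[str, str]

# Constructed alert records (field names are this example's own, not the patent's).
# Documentation-range addresses are used so nothing here points at a real host.
ALERT_DB: List[Alert] = [
    {"src": "203.0.113.10", "dst": "198.51.100.5", "type": "sql_injection", "tool": "sqlmap", "ts": "2018-07-20T10:00:00"},
    {"src": "203.0.113.10", "dst": "198.51.100.5", "type": "sql_injection", "tool": "sqlmap", "ts": "2018-07-20T10:05:00"},
    {"src": "203.0.113.10", "dst": "198.51.100.7", "type": "port_scan", "tool": "nmap", "ts": "2018-07-21T02:10:00"},
    {"src": "203.0.113.10", "dst": "198.51.100.9", "type": "brute_force", "tool": "hydra", "ts": "2018-07-22T23:30:00"},
    {"src": "192.0.2.44", "dst": "198.51.100.5", "type": "xss", "tool": "unknown", "ts": "2018-07-22T11:00:00"},
    {"src": "192.0.2.44", "dst": "198.51.100.20", "type": "xss", "tool": "unknown", "ts": "2018-07-22T11:02:00"},
]

# Constructed threat-intelligence lookup keyed by the attacked asset (claim 6: the
# attack target's information is what yields the attack intention).
THREAT_INTEL: Dict[str, Dict[str, str]] = {
    "198.51.100.5": {"asset": "customer database", "intent": "data theft"},
    "198.51.100.7": {"asset": "dmz bastion", "intent": "reconnaissance"},
    "198.51.100.9": {"asset": "vpn gateway", "intent": "credential access"},
}


def build_ip_list(alerts: List[Alert]) -> List[str]:
    """Claim 3: the IP address list of distinct attack sources seen in the alerts."""
    return sorted({a["src"] for a in alerts})


def extract_target_alerts(alerts: List[Alert], target: str) -> List[Alert]:
    """Claim 1, step 2: every record of the chosen target attack source."""
    return [a for a in alerts if a["src"] == target]


def attack_attributes(target_alerts: List[Alert], intel: Dict[str, Dict[str, str]]) -> Dict[str, Counter]:
    """Claims 5 to 7: count attack type, tool and target from the alerts, and derive
    attack intention by looking each attacked target up in the threat-intel store."""
    attrs: Dict[str, Counter] = {k: Counter() for k in ("attack_type", "attack_tool", "attack_target", "attack_intent")}
    for a in target_alerts:
        attrs["attack_type"][a["type"]] += 1
        attrs["attack_tool"][a["tool"]] += 1
        attrs["attack_target"][a["dst"]] += 1
        # A target absent from threat intel is recorded as "unknown", not silently dropped.
        attrs["attack_intent"][intel.get(a["dst"], {}).get("intent", "unknown")] += 1
    return attrs


def build_portrait(target: str, target_alerts: List[Alert], attrs: Dict[str, Counter]) -> Dict[str, dict]:
    """Claim 4: an attribute model (network facts about the source) plus a
    dimensional model (its attack behaviour and characteristics)."""
    if not target_alerts:
        raise ValueError(f"no alerts recorded for {target}")
    timestamps = sorted(a["ts"] for a in target_alerts)
    attribute_model = {
        "ip": target,
        "alert_count": len(target_alerts),
        "first_seen": timestamps[0],
        "last_seen": timestamps[-1],
        "distinct_targets": len(attrs["attack_target"]),
    }
    dimensional_model = {
        "dominant_attack_type": attrs["attack_type"].most_common(1)[0][0],
        "dominant_intent": attrs["attack_intent"].most_common(1)[0][0],
        "attack_types": sorted(attrs["attack_type"]),
        "tools": sorted(attrs["attack_tool"]),
    }
    return {"attribute_model": attribute_model, "dimensional_model": dimensional_model}


def generate_ip_portrait(target: str, alerts: List[Alert] = ALERT_DB,
                         intel: Dict[str, Dict[str, str]] = THREAT_INTEL) -> Dict[str, dict]:
    """Claim 1 end to end: extract, aggregate, then generate the IP portrait."""
    target_alerts = extract_target_alerts(alerts, target)
    attrs = attack_attributes(target_alerts, intel)
    return build_portrait(target, target_alerts, attrs)


if __name__ == "__main__":
    for ip in build_ip_list(ALERT_DB):
        print(ip, generate_ip_portrait(ip))
```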
CN201810815080.4A 2018-07-23 2018-07-23 Attack source IP portrait generation method and device based on network attack behaviors Active CN108881294B (en)


Publications (2)

Publication Number Publication Date
CN108881294A true CN108881294A (en) 2018-11-23
CN108881294B CN108881294B (en) 2021-05-25


Country Status (1)

Country Link
CN (1) CN108881294B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 188, Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province, 310000

Applicant after: Hangzhou Anheng Information Technology Co.,Ltd.

Address before: 310000 15-storey Zhejiang Zhongcai Building, No. 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Applicant before: Hangzhou Anheng Information Technology Co.,Ltd.

GR01 Patent grant