CN108881294B - Attack source IP portrait generation method and device based on network attack behaviors - Google Patents


Info

Publication number
CN108881294B
Authority
CN
China
Prior art keywords
attack
target
network
information
attack source
Legal status
Active
Application number
CN201810815080.4A
Other languages
Chinese (zh)
Other versions
CN108881294A (en)
Inventor
王世晋
范渊
黄进
Current Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Events
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201810815080.4A
Publication of CN108881294A
Application granted
Publication of CN108881294B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The invention provides an attack source IP portrait generation method and device based on network attack behaviors, and relates to the technical field of network security. The method comprises the following steps: determining a target attack source; extracting all data recording the target attack source from a network security alarm database to obtain target alarm data, wherein the network security alarm database comprises alarm data of a plurality of attack sources; obtaining attack attribute information of the target attack source by performing statistics on the target alarm data; and generating an IP portrait of the target attack source according to the attack attribute information. This solves the technical problems of the prior art that the means of acquiring attack source information for a network attack behavior are limited and the attack source IP of the behavior cannot be effectively known.

Description

Attack source IP portrait generation method and device based on network attack behaviors
Technical Field
The invention relates to the technical field of network security, in particular to an attack source IP portrait generation method and device based on network attack behaviors.
Background
A network attack is an attack on the hardware and software of a network system, and on the data in that system, that exploits vulnerabilities and security flaws present in the network.
At present, the main network attack methods include password intrusion, trojan horses, e-mail, node attacks, network snooping, network spoofing, hacking software, security holes, port scanning, and the like.
The existing means of acquiring information about the attack source of a network attack behavior are limited, so the IP address of the attack source, that is, the address of the attacking computer in the network, cannot be effectively known.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method and an apparatus for generating an attack source IP representation based on network attack behaviors, so as to solve the technical problems that in the prior art, an attack source information acquisition manner of a network attack behavior is limited, and an attack source IP of the network attack behavior cannot be effectively known.
In a first aspect, an embodiment of the present invention provides an attack source IP portrait generation method based on network attack behaviors, including:
determining a target attack source;
extracting all data for recording the target attack source from a network security alarm database to obtain target alarm data, wherein the network security alarm database comprises alarm data of a plurality of attack sources;
obtaining the attack attribute information of the target attack source based on the target alarm data statistics;
and generating the IP portrait of the target attack source according to the attack attribute information.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the method further includes:
acquiring network security alarm information from a plurality of servers, wherein the network security alarm information comprises acquired historical alarm information and acquired network security alarm information at the current moment;
and generating a network security alarm database according to the acquired network security alarm information.
With reference to the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the determining a target attack source includes:
acquiring network security alarm information from a plurality of servers, extracting an IP address of an attack source from the network security alarm information, and generating an IP address list based on the IP address;
determining the target attack source based on the IP address list, wherein the IP address list comprises IP addresses of a plurality of attack sources.
With reference to the first aspect, an embodiment of the present invention provides a third possible implementation manner of the first aspect, where the generating an IP representation of the target attack source according to the attack attribute information includes:
determining network attribute data of the target attack source according to the attack attribute information, and obtaining an attribute model of the target attack source based on the network attribute data;
analyzing the network attack behavior and the network attack characteristics of the target attack source according to the attack attribute information to obtain a dimensional model of the target attack source;
and generating the IP portrait of the target attack source according to the attribute model and the dimension model.
With reference to the first aspect, an embodiment of the present invention provides a fourth possible implementation manner of the first aspect, where the obtaining of the attack attribute information of the target attack source based on the target alarm data statistics includes:
acquiring a threat information database;
and counting the information of the target attack source based on the target alarm data and the data in the threat information database to obtain the attack attribute information of the target attack source.
With reference to the first aspect, an embodiment of the present invention provides a fifth possible implementation manner of the first aspect, where the attack attribute information includes an attack intention of a network attack behavior;
the counting of the information of the target attack source based on the target alarm data and the data in the threat information database to obtain the attack attribute information of the target attack source comprises the following steps:
acquiring an attack target of the network attack behavior of the target attack source from the target alarm data;
acquiring information of the attack target from the threat intelligence database;
and obtaining the attack intention of the network attack behavior of the attack source according to the information of the attack target.
With reference to the first aspect, an embodiment of the present invention provides a sixth possible implementation manner of the first aspect, where the attack attribute information includes at least one of: attack type of network attack behavior, attack intention, attack target, and attack tool.
In a second aspect, an embodiment of the present invention further provides an attack source IP portrait generation apparatus based on network attack behavior, including:
the determining module is used for determining a target attack source;
the extraction module is used for extracting all data for recording the target attack sources from a network security alarm database to obtain target alarm data, wherein the network security alarm database comprises alarm data of a plurality of attack sources;
the acquisition module is used for obtaining the attack attribute information of the target attack source based on the target alarm data statistics;
and the generating module is used for generating the IP portrait of the target attack source according to the attack attribute information.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory and a processor, where the memory stores a computer program operable on the processor, and the processor implements the steps of the method according to the first aspect when executing the computer program.
In a fourth aspect, the present invention also provides a computer-readable medium having non-volatile program code executable by a processor, where the program code causes the processor to execute the method according to the first aspect.
The technical scheme provided by the embodiment of the invention has the following beneficial effects. The attack source IP portrait generation method and device based on network attack behaviors provided by the embodiment of the invention first determine a target attack source, then extract all data recording the target attack source from a network security alarm database to obtain target alarm data, wherein the network security alarm database comprises alarm data of a plurality of attack sources, then perform statistics on the target alarm data to obtain attack attribute information of the target attack source, and finally generate an IP portrait of the target attack source according to the attack attribute information. The alarm data of the attack source is obtained from the network security alarm database, the alarm data is counted, and the attack attribute information obtained by counting is used to generate the IP portrait of the attack source. The IP portrait of the attack source is thereby acquired, and the IP of the attack source can be effectively understood from multiple aspects through its IP portrait, which solves the technical problems of the prior art that the means of acquiring attack source information for a network attack behavior are limited and the attack source IP of the behavior cannot be effectively known.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of an attack source IP representation generation method based on network attack behavior according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for generating an attack source IP representation based on network attack behaviors according to a second embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an attack source IP representation generation apparatus based on network attack behaviors according to a third embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Icon: 3-attack source IP portrait generating device based on network attack behavior; 31-a determination module; 32-an extraction module; 33-an acquisition module; 34-a generation module; 4-an electronic device; 41-a memory; 42-a processor; 43-bus; 44-communication interface.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
At present, the IP address plays a vital role in the transmission of network information data. However, the existing means of acquiring information about the attack source of a network attack behavior are limited, and the attack source IP of the behavior cannot be effectively known, so there is often no concrete 'portrait' of the role a given IP plays.
Based on this, the attack source IP portrait generation method and device based on the network attack behavior provided by the embodiment of the invention can solve the technical problems that the acquisition mode of the attack source information of the network attack behavior is limited and the attack source IP of the network attack behavior cannot be effectively known in the prior art.
In order to facilitate understanding of the embodiment, first, a method and an apparatus for generating an attack source IP representation based on network attack behaviors disclosed in the embodiment of the present invention are described in detail.
Example one:
an attack source IP portrait generation method based on network attack behaviors provided by the embodiment of the invention is shown in FIG. 1, and the method comprises the following steps:
S11: and determining a target attack source.
S12: and extracting all data for recording the target attack source from the network security alarm database to obtain target alarm data.
In this step, the network security alarm database includes alarm data of a plurality of attack sources. The alarm data may be an alarm log and/or an alarm record.
S13: and obtaining the attack attribute information of the target attack source based on the target alarm data statistics.
S14: and generating an IP portrait of the target attack source according to the attack attribute information.
In this embodiment, the network security alarm database is used to portray malicious IP addresses in cyberspace by counting the attack attribute information of the target attack source, and the generated attack source IP portrait can provide high-value threat intelligence and tracing clues, so the method has important practical significance.
Example two:
an attack source IP portrait generation method based on network attack behaviors provided by the embodiment of the invention is shown in FIG. 2, and the method comprises the following steps:
s21: and acquiring network security alarm information from a plurality of servers, extracting the IP address of an attack source from the network security alarm information, and generating an IP address list based on the IP address.
As a preferred scheme, the network security alarm information is alarm log and record related to network security. In this step, an attack source IP address is extracted from the network security alarm information, and an IP address object list is generated.
S22: and determining a target attack source based on the IP address list.
It should be noted that the IP address list includes the IP addresses of several attack sources. In this step, the target attack source is determined from the IP address list; the IP objects may simply be taken from the IP address list one by one.
S23: and acquiring network security alarm information from a plurality of servers.
The network security alarm information comprises the acquired historical alarm information and the network security alarm information acquired at the current moment. In this step, all relevant records of the IP object are extracted from the uploaded log data and the historical log data.
S24: and generating a network security alarm database according to the acquired network security alarm information.
S25: and extracting all data for recording the target attack source from the network security alarm database to obtain target alarm data.
As a preferred implementation of this embodiment, the network security alarm database includes alarm data of a plurality of attack sources.
S26: and obtaining the attack attribute information of the target attack source based on the target alarm data statistics.
Specifically, the step may include: firstly, acquiring a threat information database; then, the information of the target attack source is counted based on the target alarm data and the data in the threat information database to obtain the attack attribute information of the target attack source. Therefore, the attribute and dimension information of each aspect of the IP object can be counted by combining the threat intelligence data and the existing alarm log data.
In practical application, the attack attribute information includes at least one of the following: attack type of network attack behavior, attack intention, attack target, and attack tool. Thus, the statistical range includes, but is not limited to, attack type, attack intent, attack target, attack tool, whether IDC segment, whether proxy, physical address, reverse domain name, browser information, number of attacks, regional language, etc.
If the attack intention of the network attack behavior is counted, the steps may specifically include: firstly, acquiring an attack target of a network attack behavior of a target attack source from target alarm data; then, obtaining information of an attack target from a threat intelligence database; and then, obtaining the attack intention of the network attack behavior of the attack source according to the information of the attack target.
Further, during statistics the attack intention can be judged from information such as the attack target, the industry the target belongs to, and the threat degree of the attack payload, where the attack intention includes but is not limited to stealing system data, acquiring system privileges, executing system commands, and the like.
In addition, when the reverse domain name is counted, it is determined by combining the threat intelligence data with the HOST field of the HTTP request header in the log. When judging whether the IP object is a proxy, proxy-server fingerprint information in the packet, such as the Proxy, X-Forwarded-For and X-Real-IP headers, is checked first. When judging IDC membership, the judgment can be made by combining IDC network segment information from the threat intelligence.
S27: and determining network attribute data of the target attack source according to the attack attribute information, and obtaining an attribute model of the target attack source based on the network attribute data.
S28: and analyzing the network attack behavior and the network attack characteristics of the target attack source according to the attack attribute information to obtain a dimensional model of the target attack source.
S29: and generating an IP portrait of the target attack source according to the attribute model and the dimension model.
In the IP image, multidimensional information related to an IP address is obtained by counting various behaviors and characteristics of the IP address.
As a further variant of this embodiment, after the IP portrait is obtained, the portrait result may be saved in a database.
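The following Python is an added illustration of steps S21 to S29 for this page; it is example code, not the patent's or Hangzhou Dbappsecurity's own implementation. It builds the IP address list from constructed alarm records, extracts each target attack source's alarms, combines them with a constructed threat-intelligence database (IDC segments and target information) to derive the attribute model (IDC, proxy, reverse domain, browser) and the dimension model (attack types, targets, intentions, tools, counts), and assembles the portrait. All record values and the intention rules are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed alarm records standing in for the network security alarm database
# (one dict per alarm log line; every value is invented sample data).
ALARMS = [
    {"src_ip": "198.51.100.7", "src_port": 51234, "target": "shop.example",
     "attack_type": "sql_injection", "tool": "sqlmap", "ts": "2018-07-20T10:00:00",
     "headers": {"Host": "shop.example", "User-Agent": "sqlmap/1.2",
                 "X-Forwarded-For": "203.0.113.9"}},
    {"src_ip": "198.51.100.7", "src_port": 51240, "target": "shop.example",
     "attack_type": "sql_injection", "tool": "sqlmap", "ts": "2018-07-20T10:05:00",
     "headers": {"Host": "shop.example", "User-Agent": "sqlmap/1.2",
                 "X-Real-IP": "203.0.113.9"}},
    {"src_ip": "198.51.100.7", "src_port": 51300, "target": "erp.example",
     "attack_type": "command_injection", "tool": "curl", "ts": "2018-07-21T03:12:00",
     "headers": {"Host": "erp.example", "User-Agent": "curl/7.61"}},
    {"src_ip": "203.0.113.55", "src_port": 40000, "target": "mail.example",
     "attack_type": "brute_force", "tool": "hydra", "ts": "2018-07-21T04:00:00",
     "headers": {"Host": "mail.example", "User-Agent": "Mozilla/5.0"}},
]

# Constructed threat-intelligence database: IDC network segments and target information.
THREAT_INTEL = {
    "idc_segments": [ip_network("198.51.100.0/24")],
    "targets": {
        "shop.example": {"industry": "e-commerce", "holds_sensitive_data": True},
        "erp.example": {"industry": "manufacturing", "holds_sensitive_data": False},
        "mail.example": {"industry": "education", "holds_sensitive_data": True},
    },
}

# Proxy-server fingerprint headers checked first when judging whether the IP is a proxy.
PROXY_HEADERS = ("X-Forwarded-For", "X-Real-IP", "Via", "Proxy-Connection")


def build_ip_list(alarms):
    """S21: extract attack-source IPs from the alarm information into an IP address list."""
    return sorted({a["src_ip"] for a in alarms})


def extract_target_alarms(alarms, ip):
    """S25: all records that mention the target attack source."""
    return [a for a in alarms if a["src_ip"] == ip]


def judge_intention(attack_type, target_info):
    """Rule-based attack-intention judgement (assumed rules for illustration):
    combines the attack type with what the threat intel says about the target."""
    if attack_type == "command_injection":
        return "execute_system_commands"
    if attack_type == "brute_force":
        return "acquire_system_privileges"
    if target_info.get("holds_sensitive_data"):
        return "steal_system_data"
    return "unknown"


def build_profile(ip, alarms, intel):
    """S26-S29: statistics over target alarm data plus threat intel give the
    attribute model and the dimension model, which together form the portrait."""
    records = extract_target_alarms(alarms, ip)
    if not records:
        raise ValueError(f"no alarm data for {ip}")
    addr = ip_address(ip)
    headers = [r["headers"] for r in records]
    attribute_model = {  # S27: network attributes of the IP object
        "is_idc": any(addr in seg for seg in intel["idc_segments"]),
        "is_proxy": any(h in hd for hd in headers for h in PROXY_HEADERS),
        "reverse_domains": sorted({hd["Host"] for hd in headers if "Host" in hd}),
        "browsers": sorted({hd.get("User-Agent", "") for hd in headers}),
    }
    intentions = Counter(
        judge_intention(r["attack_type"], intel["targets"].get(r["target"], {}))
        for r in records)
    dimension_model = {  # S28: attack behaviour and characteristics
        "attack_count": len(records),
        "attack_types": dict(Counter(r["attack_type"] for r in records)),
        "attack_targets": sorted({r["target"] for r in records}),
        "target_industries": sorted({intel["targets"].get(r["target"], {})
                                     .get("industry", "unknown") for r in records}),
        "attack_tools": sorted({r["tool"] for r in records}),
        "attack_intentions": dict(intentions),
        "first_seen": min(r["ts"] for r in records),
        "last_seen": max(r["ts"] for r in records),
    }
    return {"ip": ip, "attribute_model": attribute_model, "dimension_model": dimension_model}


def build_all_profiles(alarms=ALARMS, intel=THREAT_INTEL):
    """S22: walk the IP list one object at a time and portray each attack source."""
    return {ip: build_profile(ip, alarms, intel) for ip in build_ip_list(alarms)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_all_profiles(), indent=2))
```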
Therefore, with the attack source IP portrait generation method based on network attack behaviors provided by this embodiment, information such as the attack source IP, attack source port, attack type, attack target and PAYLOAD (that is, the core, effective attack load carried in an attack packet) can be extracted from network-attack-related logs, similar features of the attack logs are statistically sorted, and a portrait of the IP address is obtained through statistics and analysis. The portrait includes the attack types related to the attack source IP, the range of attack targets, the number of attacks, physical location, reverse domain name, regional language, browser information, IDC information, proxy information, attack tools, and the like. The attack source IP portrait finally generated by this embodiment can provide high-value threat intelligence and tracing clues, so the method has important practical significance.
In the prior art, the portrait of a given IP address is known only by querying open-source threat intelligence, and because open-source threat intelligence records are incomplete, the portrait of a given malicious IP address cannot be known comprehensively. Moreover, that approach depends excessively on open-source intelligence, deviates from the actual attack data, and easily overlooks important clues when the open-source intelligence contains errors. Furthermore, the reliability of open-source threat intelligence cannot be guaranteed.
Here, multi-dimensional statistics are computed on the real portrait of the attack source IP address in the logs by combining the existing network-security alarm logs and records with open-source threat intelligence, so the generated portrait information is more accurate, the data supporting portrait attribute analysis is actively held, and the credibility of the portrait result is ensured.
Therefore, what malicious behaviors an IP address has exhibited is important cyberspace security threat intelligence, and the technical support of portraying malicious IP addresses is indispensable when collecting threat intelligence. In this embodiment, malicious and harmful attack records are extracted from network-security-related logs, comprehensive statistics and analysis are carried out with the attack source IP address as the object, and the analysis results are taken as attributes of the IP address in various aspects, such as attack types, attack intentions and target ranges over the space-time dimensions, attack tools used, IDC network segment, proxy, physical address, reverse domain name, browser fingerprint, and the like. After the attributes of the malicious attack source IP address are filled in and portrayed, security workers can understand the IP address more intuitively and vividly, so the method has important practical significance.
Example three:
as shown in fig. 3, the device for generating an IP portrait of an attack source based on a network attack behavior according to an embodiment of the present invention includes: a determination module 31, an extraction module 32, an acquisition module 33, and a generation module 34.
Preferably, the determination module is used for determining the target attack source. The extraction module is used for extracting all data for recording the target attack sources from a network security alarm database to obtain target alarm data, wherein the network security alarm database comprises alarm data of a plurality of attack sources.
As a preferred scheme, the acquisition module is used for obtaining the attack attribute information of the target attack source based on the target alarm data statistics. And the generation module is used for generating the IP portrait of the target attack source according to the attack attribute information.
The attack source IP portrait generating device based on the network attack behaviors provided by the embodiment of the invention has the same technical characteristics as the attack source IP portrait generating method based on the network attack behaviors provided by the embodiment, so the same technical problems can be solved, and the same technical effect is achieved.
Example four:
as shown in fig. 4, the electronic device 4 includes a memory 41 and a processor 42, where the memory stores a computer program that can run on the processor, and the processor executes the computer program to implement the steps of the method provided in the first embodiment or the second embodiment.
Referring to fig. 4, the electronic device further includes: a bus 43 and a communication interface 44, the processor 42, the communication interface 44 and the memory 41 being connected by the bus 43; the processor 42 is for executing executable modules, such as computer programs, stored in the memory 41.
The Memory 41 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 44 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used.
The bus 43 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 4, but that does not indicate only one bus or one type of bus.
The memory 41 is used for storing a program, the processor 42 executes the program after receiving an execution instruction, and the method executed by the apparatus defined by the flow process disclosed in any of the foregoing embodiments of the present invention may be applied to the processor 42, or implemented by the processor 42.
The processor 42 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by instructions in the form of hardware, integrated logic circuits, or software in the processor 42. The processor 42 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in the memory 41, and the processor 42 reads information from the memory 41 and performs the steps of the method in combination with its hardware.
Example five:
the computer-readable medium provided by the embodiment of the invention has a non-volatile program code executable by a processor, and the program code causes the processor to execute the method provided by the first embodiment or the second embodiment.
Unless specifically stated otherwise, the relative steps, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In all examples shown and described herein, any particular value should be construed as merely exemplary, and not as a limitation, and thus other examples of example embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The computer-readable medium carrying processor-executable non-volatile program code provided by the embodiment of the present invention has the same technical features as the method, the apparatus, and the electronic device for generating an attack source IP portrait based on network attack behaviors provided by the above embodiments, so it can solve the same technical problems and achieve the same technical effects.
The computer program product for performing the method for generating an IP representation of an attack source based on a network attack behavior according to the embodiment of the present invention includes a computer-readable storage medium storing a nonvolatile program code executable by a processor, where instructions included in the program code may be used to execute the method described in the foregoing method embodiment, and specific implementation may refer to the method embodiment, and will not be described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive (U-disk), a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present invention, used to illustrate the technical solutions of the present invention and not to limit them, and the protection scope of the present invention is not limited thereto. Although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope of the present disclosure, modify the technical solutions described in the foregoing embodiments, easily conceive changes to them, or substitute equivalents for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention and should be construed as included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. An attack source IP portrait generation method based on network attack behaviors is characterized by comprising the following steps:
determining a target attack source;
extracting all data for recording the target attack source from a network security alarm database to obtain target alarm data, wherein the network security alarm database comprises alarm data of a plurality of attack sources;
obtaining the attack attribute information of the target attack source based on the target alarm data statistics;
generating an IP portrait of the target attack source according to the attack attribute information;
the generating the IP portrait of the target attack source according to the attack attribute information comprises the following steps:
determining network attribute data of the target attack source according to the attack attribute information, and obtaining an attribute model of the target attack source based on the network attribute data;
analyzing the network attack behavior and the network attack characteristics of the target attack source according to the attack attribute information to obtain a dimension model of the target attack source;
and generating the IP portrait of the target attack source according to the attribute model and the dimension model.
2. The method of claim 1, further comprising:
acquiring network security alarm information from a plurality of servers, wherein the network security alarm information comprises acquired historical alarm information and acquired network security alarm information at the current moment;
and generating a network security alarm database according to the acquired network security alarm information.
3. The method of claim 1 or 2, wherein the determining a target attack source comprises:
acquiring network security alarm information from a plurality of servers, extracting an IP address of an attack source from the network security alarm information, and generating an IP address list based on the IP address;
determining the target attack source based on the IP address list, wherein the IP address list comprises IP addresses of a plurality of attack sources.
4. The method of claim 1, wherein the obtaining the attack attribute information of the target attack source based on the target alarm data statistics comprises:
acquiring a threat intelligence database;
and counting the information of the target attack source based on the target alarm data and the data in the threat intelligence database to obtain the attack attribute information of the target attack source.
5. The method of claim 4, wherein the attack attribute information includes an attack intention of a network attack behavior;
the counting the information of the target attack source based on the target alarm data and the data in the threat intelligence database to obtain the attack attribute information of the target attack source comprises the following steps:
acquiring an attack target of the network attack behavior of the target attack source from the target alarm data;
acquiring information of the attack target from the threat intelligence database;
and obtaining the attack intention of the network attack behavior of the attack source according to the information of the attack target.
6. The method of claim 1, wherein the attack attribute information comprises at least one of: attack type of network attack behavior, attack intention, attack target, and attack tool.
7. An electronic device comprising a memory and a processor, wherein the memory stores a computer program operable on the processor, and wherein the processor implements the steps of the method of any of claims 1 to 6 when executing the computer program.
8. A computer-readable medium having non-volatile program code executable by a processor, wherein the program code causes the processor to perform the method of any of claims 1 to 6.
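The following Python program is an added illustration of the pipeline claimed above; it is not code from the patent or from the assignee. It walks the claimed steps in order: build the IP address list of attack sources from alarm records (claim 3), extract the alarms that name one target source (claim 1), aggregate attack type, target, tool and intention with help from a threat-intelligence lookup (claims 4 to 6), and then combine an attribute model (network facts about the IP) with a dimension model (behavioural statistics) into the portrait (claim 1). The alarm records, the threat-intelligence entries and the asset-to-intention mapping are all constructed sample data; the patent does not specify any of these formats.

```python
"""Toy attack-source IP portrait builder (added example, not the patent's code).

All alarm records, threat-intelligence entries and the intention mapping
below are constructed for illustration; addresses are documentation ranges.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed network security alarm database: one record per alarm.
ALARM_DB: List[Dict] = [
    {"src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "time": "2018-07-20T02:14:00",
     "attack_type": "sql_injection", "tool": "sqlmap"},
    {"src_ip": "203.0.113.7", "dst_ip": "192.0.2.10", "time": "2018-07-20T02:15:30",
     "attack_type": "sql_injection", "tool": "sqlmap"},
    {"src_ip": "203.0.113.7", "dst_ip": "192.0.2.22", "time": "2018-07-21T03:02:10",
     "attack_type": "port_scan", "tool": "nmap"},
    {"src_ip": "198.51.100.4", "dst_ip": "192.0.2.10", "time": "2018-07-21T11:00:00",
     "attack_type": "brute_force", "tool": "hydra"},
]

# Constructed threat-intelligence database: facts about source IPs and about
# the assets behind attacked addresses.
THREAT_INTEL: Dict[str, Dict] = {
    "203.0.113.7": {"asn": "AS64496", "country": "ZZ", "tags": ["scanner"]},
    "198.51.100.4": {"asn": "AS64497", "country": "ZZ", "tags": []},
    "192.0.2.10": {"asset": "customer database server"},
    "192.0.2.22": {"asset": "vpn gateway"},
}

# Assumed mapping from the kind of asset attacked to the inferred intention
# (claim 5 derives intention from information about the attack target).
INTENTION_BY_ASSET = {
    "customer database server": "data theft",
    "vpn gateway": "initial access",
}


def determine_attack_sources(db: List[Dict]) -> List[str]:
    """Claim 3: IP address list of every attack source present in the alarms."""
    return sorted({a["src_ip"] for a in db})


def extract_target_alarms(db: List[Dict], target_ip: str) -> List[Dict]:
    """Claim 1: all alarm records that name the target attack source."""
    return [a for a in db if a["src_ip"] == target_ip]


def attack_attributes(alarms: List[Dict], intel: Dict[str, Dict]) -> Dict:
    """Claims 4 to 6: counts of attack type, target and tool, plus intention
    derived from what the threat-intelligence database says about each target."""
    types = Counter(a["attack_type"] for a in alarms)
    targets = Counter(a["dst_ip"] for a in alarms)
    tools = Counter(a["tool"] for a in alarms)
    intentions: Counter = Counter()
    for dst, n in targets.items():
        asset = intel.get(dst, {}).get("asset", "unknown")
        intentions[INTENTION_BY_ASSET.get(asset, "unknown")] += n
    return {"attack_types": dict(types), "targets": dict(targets),
            "tools": dict(tools), "intentions": dict(intentions)}


def attribute_model(target_ip: str, alarms: List[Dict], intel: Dict[str, Dict]) -> Dict:
    """Network attribute data of the source: ASN, country and activity window."""
    times = sorted(datetime.fromisoformat(a["time"]) for a in alarms)
    info = intel.get(target_ip, {})
    return {"ip": target_ip, "asn": info.get("asn"), "country": info.get("country"),
            "first_seen": times[0].isoformat(), "last_seen": times[-1].isoformat(),
            "alarm_count": len(alarms)}


def dimension_model(attrs: Dict, alarms: List[Dict]) -> Dict:
    """Behaviour and characteristic dimensions derived from the attributes."""
    hours = Counter(datetime.fromisoformat(a["time"]).hour for a in alarms)
    return {"dominant_attack_type": max(attrs["attack_types"], key=attrs["attack_types"].get),
            "target_count": len(attrs["targets"]),
            "tool_count": len(attrs["tools"]),
            "primary_intention": max(attrs["intentions"], key=attrs["intentions"].get),
            "peak_hour_utc": max(hours, key=hours.get)}


def generate_portrait(target_ip: str, db: List[Dict] = ALARM_DB,
                      intel: Dict[str, Dict] = THREAT_INTEL) -> Dict:
    """Claim 1 end to end: portrait = attribute model + dimension model."""
    alarms = extract_target_alarms(db, target_ip)
    if not alarms:
        # A source with no recorded alarms has nothing to profile.
        raise ValueError(f"no alarms recorded for {target_ip}")
    attrs = attack_attributes(alarms, intel)
    return {"attribute_model": attribute_model(target_ip, alarms, intel),
            "dimension_model": dimension_model(attrs, alarms),
            "attack_attributes": attrs}


if __name__ == "__main__":
    for ip in determine_attack_sources(ALARM_DB):
        print(ip, generate_portrait(ip))
```

The intention step is the one a practitioner should treat with care: it is only as good as the asset information held about the attacked address, so an unknown target yields an "unknown" intention rather than a guess, and the counts are kept in the portrait so an analyst can see how much evidence sits behind each dimension.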
CN201810815080.4A 2018-07-23 2018-07-23 Attack source IP portrait generation method and device based on network attack behaviors Active CN108881294B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810815080.4A CN108881294B (en) 2018-07-23 2018-07-23 Attack source IP portrait generation method and device based on network attack behaviors

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810815080.4A CN108881294B (en) 2018-07-23 2018-07-23 Attack source IP portrait generation method and device based on network attack behaviors

Publications (2)

Publication Number Publication Date
CN108881294A CN108881294A (en) 2018-11-23
CN108881294B true CN108881294B (en) 2021-05-25

Family

ID=64304699

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810815080.4A Active CN108881294B (en) 2018-07-23 2018-07-23 Attack source IP portrait generation method and device based on network attack behaviors

Country Status (1)

Country Link
CN (1) CN108881294B (en)

Families Citing this family (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109873811A (en) * 2019-01-16 2019-06-11 光通天下网络科技股份有限公司 Network safety protection method and its network security protection system based on attack IP portrait
CN109729095B (en) * 2019-02-13 2021-08-24 奇安信科技集团股份有限公司 Data processing method, data processing device, computing equipment and media
CN111030974A (en) * 2019-03-29 2020-04-17 北京安天网络安全技术有限公司 APT attack event detection method, device and storage medium
CN111030834B (en) * 2019-04-26 2023-09-05 北京安天网络安全技术有限公司 Threat prediction method and device based on load propagation behavior and storage equipment
CN110311890B (en) * 2019-05-22 2023-06-27 中国平安财产保险股份有限公司 Visualized attack and defense graph generation method and device, computer equipment and storage medium
CN110351280B (en) * 2019-07-15 2022-05-27 杭州安恒信息技术股份有限公司 Method, system, equipment and readable storage medium for extracting threat information
CN110535866B (en) * 2019-09-02 2022-01-28 杭州安恒信息技术股份有限公司 System portrait generation method and device and server
CN110708292A (en) * 2019-09-11 2020-01-17 光通天下网络科技股份有限公司 IP processing method, device, medium and electronic equipment
CN110764969A (en) * 2019-10-25 2020-02-07 新华三信息安全技术有限公司 Network attack tracing method and device
CN111079137A (en) * 2019-11-19 2020-04-28 泰康保险集团股份有限公司 Anti-virus processing method and device
CN110830500B (en) * 2019-11-20 2022-03-11 北京天融信网络安全技术有限公司 Network attack tracking method and device, electronic equipment and readable storage medium
CN110740144B (en) * 2019-11-27 2022-09-16 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for determining attack target
CN111083157B (en) * 2019-12-25 2022-01-25 杭州迪普科技股份有限公司 Method and device for processing message filtering rules
CN111198900B (en) * 2019-12-31 2023-06-09 成都烽创科技有限公司 Data caching method and device for industrial control network, terminal equipment and medium
CN113496179B (en) * 2020-04-08 2023-12-26 中国电信股份有限公司 Attacker analysis method and device
CN111641619B (en) * 2020-05-21 2022-06-17 杭州安恒信息技术股份有限公司 Method and device for constructing hacker portrait based on big data and computer equipment
CN111787000B (en) * 2020-06-30 2022-03-25 绿盟科技集团股份有限公司 Network security evaluation method and electronic equipment
CN111885034B (en) * 2020-07-15 2022-09-13 杭州安恒信息技术股份有限公司 Internet of things attack event tracking method and device and computer equipment
CN112153002B (en) * 2020-08-24 2023-04-18 杭州安恒信息技术股份有限公司 Alarm information analysis method, device, computer equipment and storage medium
CN112134897B (en) * 2020-09-27 2023-04-18 奇安信科技集团股份有限公司 Network attack data processing method and device
CN112131249A (en) * 2020-09-28 2020-12-25 绿盟科技集团股份有限公司 Attack intention identification method and device
CN112241439B (en) * 2020-10-12 2023-07-21 绿盟科技集团股份有限公司 Attack organization discovery method, device, medium and equipment
CN112217828A (en) * 2020-10-16 2021-01-12 深信服科技股份有限公司 Attack detection method and device, electronic equipment and storage medium
CN112351031B (en) * 2020-11-05 2023-05-05 中国电子信息产业集团有限公司 Method and device for generating attack behavior portraits, electronic equipment and storage medium
CN112738071B (en) * 2020-12-25 2023-07-28 中能融合智慧科技有限公司 Method and device for constructing attack chain topology
CN112887285B (en) * 2021-01-15 2022-03-11 中国科学院地理科学与资源研究所 Cross-space layer mapping network behavior intelligent portrait analysis method
CN113626509A (en) * 2021-08-09 2021-11-09 杭州安恒信息技术股份有限公司 Data access method and device, electronic equipment and readable storage medium
CN113923009A (en) * 2021-09-30 2022-01-11 中通服创立信息科技有限责任公司 Network security event traceability analysis method, device, medium and electronic equipment
CN114186232A (en) * 2021-12-13 2022-03-15 南方电网科学研究院有限责任公司 Network attack team identification method and device, electronic equipment and storage medium
CN114598507B (en) * 2022-02-22 2023-06-30 烽台科技(北京)有限公司 Attacker figure generation method and device, terminal equipment and storage medium
CN115001791B (en) * 2022-05-27 2024-02-06 北京天融信网络安全技术有限公司 Attack resource labeling method and device
CN115102778A (en) * 2022-07-11 2022-09-23 深信服科技股份有限公司 State determination method, device, equipment and medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007251866A (en) * 2006-03-20 2007-09-27 Kyocera Mita Corp Electronic equipment device
CN101267313B (en) * 2008-04-23 2010-10-27 成都市华为赛门铁克科技有限公司 Flooding attack detection method and detection device
CN103746961B (en) * 2013-12-12 2017-03-15 中国人民解放军63928部队 A kind of causal knowledge method for digging of cyber attack scenarios, device and server
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
CN104866765B (en) * 2015-06-03 2017-11-10 康绯 The malicious code homology analysis method of Behavior-based control characteristic similarity
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
CN108073808B (en) * 2017-12-21 2021-10-15 安天科技集团股份有限公司 Method and system for generating attacker portrait based on pdb debugging information
CN108270620B (en) * 2018-01-15 2020-07-31 深圳市联软科技股份有限公司 Network anomaly detection method, device, equipment and medium based on portrait technology

Also Published As

Publication number Publication date
CN108881294A (en) 2018-11-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 188, Lianhui street, Xixing street, Binjiang District, Hangzhou, Zhejiang Province, 310000

Applicant after: Hangzhou Anheng Information Technology Co.,Ltd.

Address before: 310000 15-storey Zhejiang Zhongcai Building, No. 68 Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Applicant before: Hangzhou Anheng Information Technology Co.,Ltd.

GR01 Patent grant