CN110351274B - Network attack surface tracking method, server and system - Google Patents

Network attack surface tracking method, server and system

Info

Publication number: CN110351274B
Authority: CN (China)
Prior art keywords: data, network, abnormal, attack, network node
Legal status: Active
Application number: CN201910626345.0A
Other languages: Chinese (zh)
Other versions: CN110351274A (en)
Inventor: 段彬
Current Assignee: Wuhan Sipuling Technology Co Ltd
Original Assignee: Wuhan Sipuling Technology Co Ltd
Legal events: application filed by Wuhan Sipuling Technology Co Ltd; priority to CN201910626345.0A; published as CN110351274A; application granted and published as CN110351274B; current legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

The invention discloses a method, a server and a system for tracking a network attack surface. Each network node inspects its data segments and extracts any exploitable attack vector; copies of the segments are collected from every network node and merged with historical big data; the merged data is analysed to decide whether segments are abnormal and whether logical associations exist among several abnormal segments; abnormal points and path points are thereby determined and marked, which yields the potential attack tracks and the security vulnerabilities of the network nodes and so makes it possible to track the attack surface across a large number of network nodes.

Description

Network attack surface tracking method, server and system
Technical Field
The present application relates to the field of network security technologies, and in particular to a method, a server and a system for tracking a network attack surface.
Background
At present, network communication faces increasingly covert security problems: many attacks arrive in hidden, fragmented forms, the vulnerability points and attack links of a single node can form several attack surfaces, and existing methods for preventing network attacks can become ineffective. In particular, today's networks often contain a large number of network nodes, and an attacker can spread fragments across many of them to avoid discovery. A method for monitoring network attacks that can detect vulnerabilities and track the links between fragments is urgently needed.
Disclosure of Invention
The invention aims to provide a method, an apparatus and a system for tracking a network attack surface.
In a first aspect, the present application provides a method for tracking a network attack surface, where the method includes:
the network side server sends an instruction to each network node, the instruction instructing each network node to upload its local data segments to the server;
after receiving the instruction, each network node splits the data stream passing through it locally into a plurality of data segment copies and extracts any exploitable attack vector from those copies;
each network node calls a local policy to scan the data segment copies and check whether they contain an exploitable attack vector, then encapsulates the exploitable attack vectors together with the data segment copies and uploads the encapsulated package to the server during a service-processing gap; the encapsulation includes inserting a data originator identification into the data segment copy;
after the server receives the encapsulated data segment copies, it merges the parsed data segments with its local historical data segments; the merge is performed according to at least one of the following criteria: the network node, the sending terminal, the data type and the corresponding access behaviour;
the server analyses the merged data segments with an analysis model, searches them for abnormal data segments, marks the network nodes or terminals to which several abnormal data segments belong as abnormal points, and analyses whether a logical association exists among the abnormal data segments;
if a logical association exists among several abnormal data segments, a predecessor-successor association is established between the corresponding abnormal points and those points are marked as path points of a potential attack track; if no logical association exists among them, the predecessor-successor association between the corresponding abnormal points is disconnected and the path points of those abnormal data segments are deleted from the potential attack track;
the server checks the exploitable attack vectors and judges whether a security vulnerability exists; if one exists, it calls the corresponding policy to execute an action that eliminates the vulnerability; if none exists, it informs the corresponding network node that no security vulnerability exists;
the server transmits the predecessor-successor associations, the path points, the potential attack tracks and the security vulnerabilities to a display processing device;
the server trains the analysis model with the predecessor-successor associations and the abnormal data segments;
after the display processing device receives the predecessor-successor associations, the path points, the potential attack tracks and the security vulnerabilities, it marks the path points on a mapped network node architecture diagram, marks the predecessor-successor association of each node in the diagram, draws the potential attack tracks and marks the security vulnerabilities of each node; the points and the attack track lines together form the network attack surface, which is displayed on a large screen.
With reference to the first aspect, in a first possible implementation manner of the first aspect, each network node splits the data stream into a plurality of data segments, and the split length may be determined by the service type and the access action.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the network side server sends the instruction to each network node at a fixed period.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the network node uploading the data segment copies during a service-processing gap includes: processing service data with priority, and uploading the data segment copies to the server only when no service data needs to be processed or transmitted.
In a second aspect, the present application provides an apparatus for tracking a network attack surface, which is deployed on a network node and performs all or part of the method, where the apparatus includes:
an instruction receiving unit, configured to receive the instruction sent by the network side server to each network node, the instruction instructing each network node to upload its local data segments to the server;
a data processing unit, configured to split the data stream passing through the network node locally into a plurality of data segments, extract any exploitable attack vector from the data segments, call a local policy to scan the data segment copies, and check whether an exploitable attack vector is contained;
a data sending unit, configured to encapsulate the exploitable attack vectors together with the data segment copies and upload the encapsulated package to the server during a service-processing gap; the encapsulation includes inserting a data originator identification into the data segment copy.
In a third aspect, the present application provides a server for tracking a network attack surface, which is located on the network side and executes all or part of the method, where the server includes:
an instruction sending unit, configured to send an instruction to each network node, the instruction instructing each network node to upload its local data segments to the server;
a data merging unit, configured to merge the parsed data segments with the server's local historical data segments after the encapsulated data segment copies are received; the merge is performed according to at least one of the following criteria: the network node, the sending terminal, the data type and the corresponding access behaviour;
an abnormality analysis unit, configured to analyse the merged data segments with an analysis model, search them for abnormal data segments, mark the network nodes or terminals to which several abnormal data segments belong as abnormal points, and analyse whether a logical association exists among the abnormal data segments;
if a logical association exists among several abnormal data segments, a predecessor-successor association is established between the corresponding abnormal points and those points are marked as path points of a potential attack track; if no logical association exists among them, the predecessor-successor association between the corresponding abnormal points is disconnected and the path points of those abnormal data segments are deleted from the potential attack track;
a vulnerability checking unit, configured to check the exploitable attack vectors and judge whether a security vulnerability exists; if one exists, to call the corresponding policy to execute an action that eliminates the vulnerability; if none exists, to inform the corresponding network node that no security vulnerability exists;
a transmission unit, configured to transmit the predecessor-successor associations, the path points, the potential attack tracks and the security vulnerabilities to a display processing device;
and a model training unit, configured to train the analysis model with the predecessor-successor associations and the abnormal data segments.
In a fourth aspect, the present application provides a system for tracking a network attack surface, where the system includes a plurality of network nodes on which the apparatus of the second aspect is deployed, the server of the third aspect, and a display processing apparatus.
The invention provides a method, an apparatus and a system for tracking a network attack surface. Each network node inspects its data segments and extracts any exploitable attack vector; copies of the segments are collected from every network node and merged with historical big data; the merged data is analysed to decide whether segments are abnormal and whether logical associations exist among several abnormal segments; abnormal points and path points are thereby determined and marked, which yields the potential attack tracks and the security vulnerabilities of the network nodes and so makes it possible to track the attack surface across a large number of network nodes.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below; those skilled in the art will appreciate that other drawings can be derived from these without creative effort.
FIG. 1 is a flow chart of the method for tracking a network attack surface according to the present invention;
FIG. 2 is a diagram of the internal structure of the apparatus for tracking a network attack surface according to the present invention;
FIG. 3 is a diagram of the internal structure of the server for tracking a network attack surface according to the present invention;
FIG. 4 is an architecture diagram of the system for tracking a network attack surface according to the present invention.
Detailed Description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the invention can be more easily understood by those skilled in the art and its scope more clearly defined.
Fig. 1 is a flowchart of the method for tracking a network attack surface, where the method includes:
the network side server sends an instruction to each network node, the instruction instructing each network node to upload its local data segments to the server;
after receiving the instruction, each network node splits the data stream passing through it locally into a plurality of data segment copies and extracts any exploitable attack vector from those copies;
each network node calls a local policy to scan the data segment copies and check whether they contain an exploitable attack vector, then encapsulates the exploitable attack vectors together with the data segment copies and uploads the encapsulated package to the server during a service-processing gap; the encapsulation includes inserting a data originator identification into the data segment copy;
after the server receives the encapsulated data segment copies, it merges the parsed data segments with its local historical data segments; the merge is performed according to at least one of the following criteria: the network node, the sending terminal, the data type and the corresponding access behaviour;
the server analyses the merged data segments with an analysis model, searches them for abnormal data segments, marks the network nodes or terminals to which several abnormal data segments belong as abnormal points, and analyses whether a logical association exists among the abnormal data segments;
if a logical association exists among several abnormal data segments, a predecessor-successor association is established between the corresponding abnormal points and those points are marked as path points of a potential attack track; if no logical association exists among them, the predecessor-successor association between the corresponding abnormal points is disconnected and the path points of those abnormal data segments are deleted from the potential attack track;
the server checks the exploitable attack vectors and judges whether a security vulnerability exists; if one exists, it calls the corresponding policy to execute an action that eliminates the vulnerability; if none exists, it informs the corresponding network node that no security vulnerability exists;
the server transmits the predecessor-successor associations, the path points, the potential attack tracks and the security vulnerabilities to a display processing device;
the server trains the analysis model with the predecessor-successor associations and the abnormal data segments;
after the display processing device receives the predecessor-successor associations, the path points, the potential attack tracks and the security vulnerabilities, it marks the path points on a mapped network node architecture diagram, marks the predecessor-successor association of each node in the diagram, draws the potential attack tracks and marks the security vulnerabilities of each node; the points and the attack track lines together form the network attack surface, which is displayed on a large screen.
In some preferred embodiments, each network node splits the data stream into a plurality of data segments, and the split length can be determined by the service type and the access action.
In some preferred embodiments, the network side server sends the instruction to each network node at a fixed period.
In some preferred embodiments, the network node uploading the data segment copies during a service-processing gap includes: processing service data with priority, and uploading the data segment copies to the server only when no service data needs to be processed or transmitted.
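The server-side steps of Fig. 1 (merging uploaded copies with historical segments, marking abnormal points, testing logical association, keeping linked path points and deleting unlinked ones) and the corresponding data merging and abnormality analysis units of the server in Fig. 3, as an added Python illustration that is not part of the patent. The patent does not specify its analysis model or its association test; here the model is stood in by a score threshold on the node's local scan result and the association by a same-terminal, time-ordered, cross-node rule, both assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    node: str        # network node that captured and uploaded the copy
    terminal: str    # sending terminal, taken from the data originator identification
    data_type: str   # e.g. "http", "smb"
    behavior: str    # access behaviour, e.g. "login", "download"
    ts: int          # capture time in seconds
    score: float     # result of the node's local-policy scan, 0.0 (clean) .. 1.0


def merge(history, uploaded, keys=("node", "terminal")):
    """Merge uploaded copies with the server's historical segments, grouped by
    any subset of the criteria the patent names: node, terminal, data_type,
    behavior. Each group is kept in time order."""
    merged = defaultdict(list)
    for seg in list(history) + list(uploaded):
        merged[tuple(getattr(seg, k) for k in keys)].append(seg)
    for group in merged.values():
        group.sort(key=lambda s: s.ts)
    return dict(merged)


def find_abnormal(merged, threshold=0.7):
    """Stand-in for the analysis model (assumption): a segment is abnormal when
    its local scan score exceeds the threshold. Returned in time order."""
    flagged = [s for group in merged.values() for s in group if s.score > threshold]
    return sorted(flagged, key=lambda s: s.ts)


def logically_associated(a, b, window=600):
    """Assumed association rule: same sending terminal, b follows a within the
    window, and the fragment surfaced on a different node (it moved)."""
    return a.terminal == b.terminal and 0 < b.ts - a.ts <= window and a.node != b.node


def build_relations(abnormal):
    """Link each abnormal point to the nearest later abnormal point it is
    associated with. Returns {predecessor: successor} over (node, ts) pairs."""
    relations = {}
    for i, a in enumerate(abnormal):
        for b in abnormal[i + 1:]:
            if logically_associated(a, b):
                relations[(a.node, a.ts)] = (b.node, b.ts)
                break
    return relations


def build_tracks(abnormal):
    """Return (tracks, deleted): tracks are node sequences over path points;
    deleted are abnormal points with no association, removed from any track."""
    relations = build_relations(abnormal)
    linked = set(relations) | set(relations.values())
    points = [(s.node, s.ts) for s in abnormal]          # abnormal points
    deleted = [p for p in points if p not in linked]     # no association: drop
    successors = set(relations.values())
    tracks = []
    for start in points:
        if start in linked and start not in successors:  # head of a chain
            track, cur = [], start
            while cur is not None:                       # ts strictly increases, no cycles
                track.append(cur[0])
                cur = relations.get(cur)
            tracks.append(track)
    return tracks, deleted


# Constructed sample: two historical segments plus one upload round.
HISTORY = [
    Segment("A", "T1", "http", "browse", 10, 0.1),
    Segment("B", "T3", "smb", "read", 20, 0.2),
]
UPLOADED = [
    Segment("A", "T1", "http", "login", 100, 0.9),      # abnormal, starts a track
    Segment("D", "T2", "ssh", "login", 200, 0.8),       # abnormal but isolated
    Segment("B", "T1", "smb", "read", 300, 0.85),       # abnormal, follows A
    Segment("C", "T1", "smb", "download", 500, 0.95),   # abnormal, follows B
    Segment("C", "T3", "http", "browse", 520, 0.05),    # normal
]


def demo():
    merged = merge(HISTORY, UPLOADED)
    return build_tracks(find_abnormal(merged))


if __name__ == "__main__":
    tracks, deleted = demo()
    print("potential attack tracks:", tracks)             # [['A', 'B', 'C']]
    print("abnormal points deleted from tracks:", deleted)  # [('D', 200)]
```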
Fig. 2 is an internal structure diagram of the apparatus for tracking a network attack surface provided in the present application, where the apparatus includes:
an instruction receiving unit, configured to receive the instruction sent by the network side server to each network node, the instruction instructing each network node to upload its local data segments to the server;
a data processing unit, configured to split the data stream passing through the network node locally into a plurality of data segments, extract any exploitable attack vector from the data segments, call a local policy to scan the data segment copies, and check whether an exploitable attack vector is contained;
a data sending unit, configured to encapsulate the exploitable attack vectors together with the data segment copies and upload the encapsulated package to the server during a service-processing gap; the encapsulation includes inserting a data originator identification into the data segment copy.
In some preferred embodiments, the apparatus uploading the data segment copies during a service-processing gap includes: processing service data with priority, and uploading the data segment copies to the server only when no service data needs to be processed or transmitted.
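The node-side apparatus of Fig. 2 (splitting the local stream into segments whose length depends on service type and access action, scanning each copy with a local policy, encapsulating it with the data originator identification, and uploading only in service-processing gaps with service data taking priority), as an added Python example that is not the patent's code. The segment lengths and the two policy patterns are constructed assumptions; the patent gives neither.

```python
import re
from collections import deque

# Assumed split lengths in bytes per (service type, access action); the patent
# says the length depends on these but gives no values.
SEGMENT_LENGTH = {("http", "login"): 64, ("http", "browse"): 256, ("smb", "read"): 128}
DEFAULT_LENGTH = 128

# Stand-in local policy (constructed): patterns a node flags for server review.
LOCAL_POLICY = [
    ("path-traversal", re.compile(rb"\.\./")),
    ("sql-tautology", re.compile(rb"'\s*or\s+1=1", re.I)),
]


def split_stream(stream: bytes, service_type: str, access_action: str):
    """Split the local data stream into fixed-length segment copies."""
    n = SEGMENT_LENGTH.get((service_type, access_action), DEFAULT_LENGTH)
    return [stream[i:i + n] for i in range(0, len(stream), n)]


def scan_segment(segment: bytes):
    """Return the names of the policy rules the segment matches; these are the
    'exploitable attack vectors' the node reports alongside the copy."""
    return [name for name, pattern in LOCAL_POLICY if pattern.search(segment)]


def encapsulate(node_id, originator, service_type, access_action, segment, vectors):
    """Package a segment copy with the data originator identification and the
    merge criteria the server needs (node, data type, access behaviour)."""
    return {"node": node_id, "originator": originator, "data_type": service_type,
            "behavior": access_action, "vectors": vectors, "copy": segment}


class NodeUploader:
    """Node-side scheduler: service data is processed first; one queued segment
    copy is uploaded per step only when no service data is pending."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.service_queue = deque()   # business traffic awaiting processing
        self.upload_queue = deque()    # encapsulated copies awaiting a gap
        self.uploaded = []             # what reached the server, in order

    def on_instruction(self, stream, originator, service_type, access_action):
        """Handle the server's upload instruction for one local stream."""
        for seg in split_stream(stream, service_type, access_action):
            pkg = encapsulate(self.node_id, originator, service_type, access_action,
                              seg, scan_segment(seg))
            self.upload_queue.append(pkg)

    def tick(self):
        """One scheduler step; returns (kind, item) for what was done."""
        if self.service_queue:
            return ("service", self.service_queue.popleft())
        if self.upload_queue:
            pkg = self.upload_queue.popleft()
            self.uploaded.append(pkg)
            return ("upload", pkg)
        return ("idle", None)


def demo():
    node = NodeUploader("node-A")
    node.service_queue.append(b"pending service request")  # business traffic waits first
    benign = b"user=alice&pass=" + b"a" * 48                 # exactly one 64-byte segment
    stream = benign + b"user=' OR 1=1 --"                    # constructed sample stream
    node.on_instruction(stream, "terminal-T1", "http", "login")
    kinds = []
    while True:
        kind, _ = node.tick()
        kinds.append(kind)
        if kind == "idle":
            break
    return node, kinds


if __name__ == "__main__":
    node, kinds = demo()
    print(kinds)                                      # ['service', 'upload', 'upload', 'idle']
    print([p["vectors"] for p in node.uploaded])      # [[], ['sql-tautology']]
```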
Fig. 3 is an internal structure diagram of the server for tracking a network attack surface provided in the present application, where the server includes:
an instruction sending unit, configured to send an instruction to each network node, the instruction instructing each network node to upload its local data segments to the server;
a data merging unit, configured to merge the parsed data segments with the server's local historical data segments after the encapsulated data segment copies are received; the merge is performed according to at least one of the following criteria: the network node, the sending terminal, the data type and the corresponding access behaviour;
an abnormality analysis unit, configured to analyse the merged data segments with an analysis model, search them for abnormal data segments, mark the network nodes or terminals to which several abnormal data segments belong as abnormal points, and analyse whether a logical association exists among the abnormal data segments;
if a logical association exists among several abnormal data segments, a predecessor-successor association is established between the corresponding abnormal points and those points are marked as path points of a potential attack track; if no logical association exists among them, the predecessor-successor association between the corresponding abnormal points is disconnected and the path points of those abnormal data segments are deleted from the potential attack track;
a vulnerability checking unit, configured to check the exploitable attack vectors and judge whether a security vulnerability exists; if one exists, to call the corresponding policy to execute an action that eliminates the vulnerability; if none exists, to inform the corresponding network node that no security vulnerability exists;
a transmission unit, configured to transmit the predecessor-successor associations, the path points, the potential attack tracks and the security vulnerabilities to a display processing device;
and a model training unit, configured to train the analysis model with the predecessor-successor associations and the abnormal data segments.
In some preferred embodiments, the network side server is a cluster server.
In some preferred embodiments, the network side server sends the instruction to each network node at a fixed period.
Fig. 4 is an architecture diagram of the system for tracking a network attack surface provided by the present application; the system includes a plurality of network nodes on which the apparatus shown in Fig. 2 is deployed, the server shown in Fig. 3, and a display processing apparatus.
In a specific implementation, the present invention further provides a computer storage medium that may store a program which, when executed, may perform some or all of the steps of the embodiments of the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software on a required general-purpose hardware platform. On that understanding, the technical solutions in the embodiments may be embodied as a software product stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disk, containing instructions that enable a computer device (a personal computer, a server, a network device, or similar) to execute the method of the embodiments or some parts of it.
The same and similar parts of the various embodiments in this specification may be referred to each other. In particular, since the apparatus, server and system embodiments are substantially similar to the method embodiments, their description is brief, and the relevant points can be found in the description of the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting its scope.

Claims (7)

1. A method for tracking a network attack surface, comprising:
the network side server sends an instruction to each network node, the instruction instructing each network node to upload its local data segments to the network side server;
after receiving the instruction, each network node splits the local data stream passing through it into a plurality of data segments and extracts any exploitable attack vector from the data segments;
each network node calls a local policy to scan the data segments and check whether they contain an exploitable attack vector, then encapsulates the exploitable attack vectors together with the data segments and uploads the encapsulated package to the network side server during a service-processing gap; the encapsulation includes inserting a data originator identification into the data segment;
after the network side server receives the encapsulated data segments, it merges the parsed data segments with its local historical data segments; the merge is performed according to at least one of the following criteria: the network node, the sending terminal, the data type and the corresponding access behaviour;
the network side server analyses the merged data segments with an analysis model, searches them for abnormal data segments, marks the network nodes or terminals to which several abnormal data segments belong as abnormal points, and analyses whether a logical association exists among the abnormal data segments;
if a logical association exists among several abnormal data segments, a predecessor-successor association is established between the corresponding abnormal points and those points are marked as path points of a potential attack track; if no logical association exists among them, the predecessor-successor association between the corresponding abnormal points is disconnected and the path points of those abnormal data segments are deleted from the potential attack track;
the network side server checks the exploitable attack vectors and judges whether a security vulnerability exists; if one exists, it calls the corresponding policy to execute an action that eliminates the vulnerability; if none exists, it informs the corresponding network node that no security vulnerability exists;
the network side server transmits the predecessor-successor associations, the path points, the potential attack tracks and the security vulnerabilities to a display processing device;
the network side server trains the analysis model with the predecessor-successor associations and the abnormal data segments;
and after the display processing device receives the predecessor-successor associations, the path points, the potential attack tracks and the security vulnerabilities, it marks the path points on a mapped network node architecture diagram, marks the predecessor-successor association of each node in the diagram, draws the potential attack tracks and marks the security vulnerabilities of each node; the points and the attack track lines together form the network attack surface, which is displayed on a large screen.
2. The method of claim 1, wherein each network node splits the data stream into a plurality of data segments, and wherein the split length is determined by the service type and the access action.
3. The method according to any one of claims 1 to 2, wherein the network side server sends the instruction to each network node at a fixed period.
4. The method of claim 3, wherein the network node uploading the data segments during a service-processing gap comprises: processing service data with priority, and uploading the data segments to the network side server only when no service data needs to be processed or transmitted.
5. An apparatus for tracking a network attack surface, deployed on a network node and performing the method according to any one of claims 1 to 4, comprising:
an instruction receiving unit, configured to receive the instruction sent by the network side server to each network node, the instruction instructing each network node to upload its local data segments to the network side server;
a data processing unit, configured to split the data stream passing through the network node locally into a plurality of data segments, extract any exploitable attack vector from the data segments, call a local policy to scan the data segments, and check whether an exploitable attack vector is contained;
a data sending unit, configured to encapsulate the exploitable attack vectors together with the data segments and upload the encapsulated package to the network side server during a service-processing gap; the encapsulation includes inserting a data originator identification into the data segment.
6. A network side server for network attack surface tracing, which is located on the network side and executes the method according to any one of claims 1-4, and is characterized by comprising:
the instruction sending unit is used for sending an instruction to each network node, and the instruction is used for instructing each network node to upload the local data segment to the network side server;
the data merging unit is used for merging the analyzed data segment with the local historical data segment of the network side server after receiving the encapsulated data segment; the merging comprises merging according to at least one standard of the network node, the sending terminal, the data type and the corresponding access behavior;
the abnormal analysis unit is used for analyzing the merged data segments by using an analysis model, searching abnormal data segments possibly existing in the merged data segments, marking network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzing whether logic association exists among the plurality of abnormal data segments;
if the plurality of abnormal data segments have logical association, establishing a front-back association relation of the corresponding abnormal points, and marking the abnormal points as a path point in a potential attack track; if the logical association does not exist among the plurality of abnormal data segments, the front-back association relation among the corresponding abnormal points is disconnected, and the approach points of the abnormal data segments in the potential attack track are deleted;
the vulnerability checking unit is used for checking the exploitable attack vector and judging whether a security vulnerability exists; if the security vulnerability exists, calling a corresponding strategy to execute an action for eliminating the security vulnerability; if the security vulnerability does not exist, informing the corresponding network node that the security vulnerability does not exist;
the transmission unit is used for transmitting the pre-and-post association relation, the path point, the potential attack track and the security vulnerability to a display processing device;
and the model training unit is used for training the analysis model according to the pre-and-post incidence relation and the abnormal data segment.
7. A system for tracking a network attack surface, comprising a plurality of network nodes applying the device of claim 5, the network side server of claim 6, and a display processing device.
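As an added illustration of the merge, abnormal-point marking and front-back association steps recited in the claims above (example code written for this page, not code from the patent or its assignee): the trained analysis model is replaced by a fixed rule set, "logical association" is assumed to mean the same sending terminal within a 120-second window, and every node, terminal and sample segment is constructed.

```python
from dataclasses import dataclass

ASSOC_WINDOW = 120  # seconds; constructed threshold standing in for the model's association test

@dataclass(frozen=True, order=True)
class Segment:
    ts: int         # constructed timestamp (seconds)
    node: str       # network node that uploaded the segment
    terminal: str   # sending terminal observed by that node
    data_type: str  # data type, e.g. "auth", "scan", "file"
    behavior: str   # access behaviour the node recorded

# Stand-in for the trained analysis model: behaviours treated as abnormal.
ABNORMAL_BEHAVIORS = {"login_fail_burst", "port_sweep", "bulk_export"}

# Constructed sample data: the server's local history and one round of node uploads.
HISTORY = [
    Segment(100, "nodeA", "t1", "auth", "login_ok"),
    Segment(110, "nodeA", "t9", "auth", "login_fail_burst"),
]
UPLOADED = [
    Segment(110, "nodeA", "t9", "auth", "login_fail_burst"),  # duplicate of a history entry
    Segment(140, "nodeB", "t9", "scan", "port_sweep"),
    Segment(150, "nodeC", "t4", "file", "read"),
    Segment(190, "nodeC", "t9", "file", "bulk_export"),
    Segment(200, "nodeD", "t2", "scan", "port_sweep"),  # abnormal but not associated with anything
]

def merge_segments(uploaded, history):
    """Merge uploads with local history: de-duplicate on all fields, order by time."""
    return sorted(set(history) | set(uploaded))

def logically_associated(prev, nxt):
    """Assumed rule: same sending terminal, later, and within ASSOC_WINDOW seconds."""
    return prev.terminal == nxt.terminal and 0 < nxt.ts - prev.ts <= ASSOC_WINDOW

def build_attack_track(merged):
    """Mark abnormal points, link each to its nearest logically associated successor
    (a front-back association), and keep only linked points as path points."""
    abnormal = [s for s in merged if s.behavior in ABNORMAL_BEHAVIORS]
    associations = []
    for i, a in enumerate(abnormal):
        for b in abnormal[i + 1:]:
            if logically_associated(a, b):
                associations.append(((a.node, a.ts), (b.node, b.ts)))
                break
    linked = {point for pair in associations for point in pair}
    path_points = [(s.node, s.ts) for s in abnormal if (s.node, s.ts) in linked]
    return path_points, associations
```

The isolated port sweep on nodeD is flagged as abnormal but, having no front or back association, is dropped from the potential track; the three t9 segments form the nodeA to nodeB to nodeC path.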

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910626345.0A CN110351274B (en) 2019-07-11 2019-07-11 Network attack surface tracking method, server and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910626345.0A CN110351274B (en) 2019-07-11 2019-07-11 Network attack surface tracking method, server and system

Publications (2)

Publication Number Publication Date
CN110351274A CN110351274A (en) 2019-10-18
CN110351274B true CN110351274B (en) 2021-11-26

Family

ID=68175055

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910626345.0A Active CN110351274B (en) 2019-07-11 2019-07-11 Network attack surface tracking method, server and system

Country Status (1)

Country Link
CN (1) CN110351274B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111787002B (en) * 2020-06-30 2022-05-20 安全能力生态聚合(北京)运营科技有限公司 Method and system for analyzing safety of service data network
CN112417462B (en) * 2020-12-10 2024-02-02 中国农业科学院农业信息研究所 Network security vulnerability tracking method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
CN104731816A (en) * 2013-12-23 2015-06-24 阿里巴巴集团控股有限公司 Method and device for processing abnormal business data
CN105208000A (en) * 2015-08-21 2015-12-30 深信服网络科技(深圳)有限公司 Network attack retrospective analysis method and network security equipment
CN105763529A (en) * 2015-12-12 2016-07-13 哈尔滨安天科技股份有限公司 Attack chain obtaining method and system in network environment
CN109067815A (en) * 2018-11-06 2018-12-21 深信服科技股份有限公司 Attack Source Tracing method, system, user equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8464221B2 (en) * 2009-06-16 2013-06-11 Microsoft Corporation Visualization tool for system tracing infrastructure events
US9553885B2 (en) * 2015-06-08 2017-01-24 Illusive Networks Ltd. System and method for creation, deployment and management of augmented attacker map
US9961099B2 (en) * 2016-04-18 2018-05-01 Acalvio Technologies, Inc. Systems and methods for detecting and tracking adversary trajectory
CN109587174B (en) * 2019-01-10 2021-07-27 广东电网有限责任公司信息中心 Collaborative defense method and system for network protection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and implementation of a map-based network attack visualization system; 李秋霞; China Masters' Theses Full-text Database; 20180815; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant