CN110365675B - Method, device and system for network tracking long chain attack - Google Patents
Method, device and system for network tracking long chain attack Download PDFInfo
- Publication number
- CN110365675B CN110365675B CN201910626783.7A CN201910626783A CN110365675B CN 110365675 B CN110365675 B CN 110365675B CN 201910626783 A CN201910626783 A CN 201910626783A CN 110365675 B CN110365675 B CN 110365675B
- Authority
- CN
- China
- Prior art keywords
- network
- data
- abnormal
- side server
- data segments
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method, a device and a system for tracking a long chain attack by a network, wherein the method comprises the steps of collecting data segment copies on each network node, merging the data segment copies with historical big data, analyzing whether the data segments are abnormal or not, and whether logic association exists among a plurality of abnormal data segments or not, determining and marking abnormal points and path points to obtain potential attack tracks, thereby achieving the purpose of tracking the attack segments in a large number of network nodes.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, and a system for tracking a long chain attack by a network.
Background
At present, network communication faces increasingly hidden security problems, many attacks come from hidden and fragmented forms, and the existing method for preventing network attacks fails. Especially today's networks often have a large number of network nodes and attackers can spread the fragments across various network nodes to avoid discovery. A method for monitoring attacks on a network based on big data and tracking fragments is urgently needed.
Disclosure of Invention
The invention aims to provide a method, a device and a system for tracking long chain attacks by a network.
In a first aspect, the present application provides a method for network tracing long chain attack, the method comprising:
the network side server sends an instruction to each network node, wherein the instruction is used for instructing each network node to upload the local data segment to the server;
after receiving the instruction, each network node splits the local data stream passing through the network node into a plurality of data segments, stores data segment copies, and packages and uploads the data segment copies to a server at service processing intervals;
after the server receives the encapsulated data fragment copy, merging the analyzed data fragment with the local historical data fragment of the server; the merging comprises merging according to at least one standard of the network node, the sending terminal, the data type and the corresponding access behavior;
the server analyzes the merged data segments by using an analysis model, searches abnormal data segments possibly existing in the merged data segments, marks network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzes whether logic association exists among the abnormal data segments;
if the plurality of abnormal data segments have logical association, establishing a front-back association relation of the corresponding abnormal points, and marking the abnormal points as a path point in a potential attack track; if the logical association does not exist among the plurality of abnormal data segments, the front-back association relation among the corresponding abnormal points is disconnected, and the approach points of the abnormal data segments in the potential attack track are deleted;
the server transmits the front-back incidence relation, the passing point and the potential attack track to a display processing device;
the server trains the analysis model according to the pre-and-post incidence relation and the abnormal data segment;
and after receiving the front-back association relationship, the route points and the potential attack tracks, the display processing device marks the route points on a mapped network node architecture diagram, marks the front-back association relationship corresponding to each node in the diagram, draws the potential attack tracks and displays the potential attack tracks on a large screen.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the network-side server is a cluster server.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the network side server sends the instruction to each network node at a fixed period.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the uploading, by the network node, the copy of the data segment at the service processing interval includes: and preferentially processing the service data, and uploading a data fragment copy to the server when no service data needs to be processed or transmitted.
In a second aspect, the present application provides an apparatus for network tracing long chain attack, which is applied to a network node and performs all or part of the method, and the apparatus includes:
the system comprises an instruction receiving unit, a data processing unit and a data processing unit, wherein the instruction receiving unit is used for receiving an instruction sent by a network side server to each network node, and the instruction is used for instructing each network node to upload a local data fragment to the server;
the data processing unit is used for splitting the local data stream passing through the network node into a plurality of data fragments and storing data fragment copies;
and the data sending unit is used for packaging and uploading the data fragment copy to a server at the service processing interval.
In a third aspect, the present application provides a server for network tracing long chain attack, located on a network side, and performing all or part of the method, where the server includes:
the instruction sending unit is used for sending an instruction to each network node, and the instruction is used for instructing each network node to upload the local data segment to the server;
the data merging unit is used for merging the analyzed data segment with the local historical data segment of the server after receiving the encapsulated data segment copy; the merging comprises merging according to at least one standard of the network node, the sending terminal, the data type and the corresponding access behavior;
the abnormal analysis unit is used for analyzing the merged data segments by using an analysis model, searching abnormal data segments possibly existing in the merged data segments, marking network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzing whether logic association exists among the plurality of abnormal data segments;
if the plurality of abnormal data segments have logical association, establishing a front-back association relation of the corresponding abnormal points, and marking the abnormal points as a path point in a potential attack track; if the logical association does not exist among the plurality of abnormal data segments, the front-back association relation among the corresponding abnormal points is disconnected, and the approach points of the abnormal data segments in the potential attack track are deleted;
the transmission unit is used for transmitting the front and back incidence relation, the passing point and the potential attack track to a display processing device;
and the model training unit is used for training the analysis model according to the pre-and-post incidence relation and the abnormal data segment.
In a fourth aspect, the present application provides a system for network tracing long chain attacks, the system comprising a plurality of network nodes applying the apparatus according to the second aspect, and a server according to the third aspect.
The invention provides a method, a device and a system for tracking a long chain attack by a network, which are characterized in that data segment copies on each network node are collected and merged with historical big data, whether the data segments are abnormal or not is analyzed, and whether logic association exists among a plurality of abnormal data segments or not is analyzed, so that abnormal points and path points are determined and marked to obtain a potential attack track, and the purpose of tracking the attack segments in a large number of network nodes is realized.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a method for tracking a long chain attack by a network according to the present invention;
FIG. 2 is a diagram of the internal structure of the device for tracking long chain attacks in the network according to the present invention;
FIG. 3 is an internal structure diagram of a server for network tracing long chain attack according to the present invention;
fig. 4 is an architecture diagram of the system for network tracing long chain attack according to the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings so that the advantages and features of the present invention can be more easily understood by those skilled in the art, and the scope of the present invention will be more clearly and clearly defined.
Fig. 1 is a flowchart of a method for tracking a long chain attack by a network according to the present application, where the method includes: the network side server sends an instruction to each network node, wherein the instruction is used for instructing each network node to upload the local data segment to the server;
after receiving the instruction, each network node splits the local data stream passing through the network node into a plurality of data segments, stores data segment copies, and packages and uploads the data segment copies to a server at service processing intervals;
after the server receives the encapsulated data fragment copy, merging the analyzed data fragment with the local historical data fragment of the server; the merging comprises merging according to at least one standard of the network node, the sending terminal, the data type and the corresponding access behavior;
the server analyzes the merged data segments by using an analysis model, searches abnormal data segments possibly existing in the merged data segments, marks network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzes whether logic association exists among the abnormal data segments;
if the plurality of abnormal data segments have logical association, establishing a front-back association relation of the corresponding abnormal points, and marking the abnormal points as a path point in a potential attack track; if the logical association does not exist among the plurality of abnormal data segments, the front-back association relation among the corresponding abnormal points is disconnected, and the approach points of the abnormal data segments in the potential attack track are deleted;
the server transmits the front-back incidence relation, the passing point and the potential attack track to a display processing device;
the server trains the analysis model according to the pre-and-post incidence relation and the abnormal data segment;
and after receiving the front-back association relationship, the route points and the potential attack tracks, the display processing device marks the route points on a mapped network node architecture diagram, marks the front-back association relationship corresponding to each node in the diagram, draws the potential attack tracks and displays the potential attack tracks on a large screen.
In some preferred embodiments, the network side server is a cluster server.
In some preferred embodiments, the network side server sends the instruction files to each network node at a fixed period.
In some preferred embodiments, the network node uploading the copy of the data segment at the traffic processing gap comprises: and preferentially processing the service data, and uploading a data fragment copy to the server when no service data needs to be processed or transmitted.
Fig. 2 is an internal structural diagram of an apparatus for network tracing long chain attack provided in the present application, the apparatus including:
the system comprises an instruction receiving unit, a data processing unit and a data processing unit, wherein the instruction receiving unit is used for receiving an instruction sent by a network side server to each network node, and the instruction is used for instructing each network node to upload a local data fragment to the server;
the data processing unit is used for splitting the local data stream passing through the network node into a plurality of data fragments and storing data fragment copies;
and the data sending unit is used for packaging and uploading the data fragment copy to a server at the service processing interval.
In some preferred embodiments, the apparatus uploading the copy of the data segment at the traffic processing slot comprises: and preferentially processing the service data, and uploading a data fragment copy to the server when no service data needs to be processed or transmitted.
Fig. 3 is an internal structural diagram of a server for network tracing long chain attack provided in the present application, where the server includes:
the instruction sending unit is used for sending an instruction to each network node, and the instruction is used for instructing each network node to upload the local data segment to the server;
the data merging unit is used for merging the analyzed data segment with the local historical data segment of the server after receiving the encapsulated data segment copy; the merging comprises merging according to at least one standard of the network node, the sending terminal, the data type and the corresponding access behavior;
the abnormal analysis unit is used for analyzing the merged data segments by using an analysis model, searching abnormal data segments possibly existing in the merged data segments, marking network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzing whether logic association exists among the plurality of abnormal data segments;
if the plurality of abnormal data segments have logical association, establishing a front-back association relation of the corresponding abnormal points, and marking the abnormal points as a path point in a potential attack track; if the logical association does not exist among the plurality of abnormal data segments, the front-back association relation among the corresponding abnormal points is disconnected, and the approach points of the abnormal data segments in the potential attack track are deleted;
the transmission unit is used for transmitting the front and back incidence relation, the passing point and the potential attack track to a display processing device;
and the model training unit is used for training the analysis model according to the pre-and-post incidence relation and the abnormal data segment.
In some preferred embodiments, the network side server is a cluster server.
In some preferred embodiments, the network side server sends the instruction files to each network node at a fixed period.
Fig. 4 is an architecture diagram of a system for network tracing long chain attack provided by the present application, the system including a plurality of network nodes to which the apparatus shown in fig. 2 is applied, and a server shown in fig. 3.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.
Claims (7)
1. A method for tracking long chain attack by a network is characterized by comprising the following steps:
the network side server sends an instruction to each network node, wherein the instruction is used for instructing each network node to upload the local data segment to the network side server;
after receiving the instruction, each network node splits the local data stream passing through the network node into a plurality of data segments, stores the data segments, and packages and uploads the data segments to a network side server at service processing intervals;
after the network side server receives the encapsulated data fragments, merging the analyzed data fragments with local historical data fragments of the network side server; the merging comprises merging according to at least one standard of the network node, the sending terminal, the data type and the corresponding access behavior;
the network side server analyzes the merged data segments by using an analysis model, searches abnormal data segments possibly existing in the merged data segments, marks network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzes whether logic association exists among the abnormal data segments;
if the plurality of abnormal data segments have logical association, establishing a front-back association relation of the corresponding abnormal points, and marking the abnormal points as a path point in a potential attack track; if the logical association does not exist among the plurality of abnormal data segments, the front-back association relation among the corresponding abnormal points is disconnected, and the approach points of the abnormal data segments in the potential attack track are deleted;
the network side server transmits the pre-and-post association relation, the approach point and the potential attack track to a display processing device;
the network side server trains the analysis model according to the front-back incidence relation and the abnormal data segment;
and after receiving the pre-and-post association relationship, the path point and the potential attack track, the display processing device marks the path point on a mapped network node architecture diagram, marks the corresponding pre-and-post association relationship on each node in the diagram, draws the potential attack track and displays the potential attack track on a large screen.
2. The method of claim 1, wherein the network-side server is a clustered network-side server.
3. The method according to any of claims 1-2, wherein the network-side server sends instructions to each network node at a fixed period.
4. The method of claim 3, wherein the network node uploading a data segment at a traffic processing gap comprises: and preferentially processing the service data, and uploading the data fragments to the network side server when no service data needs to be processed or transmitted.
5. An apparatus for network tracing long chain attack, applied on a network node, for performing the method according to any one of claims 1-4, comprising:
the instruction receiving unit is used for receiving an instruction sent by the network side server to each network node, and the instruction is used for instructing each network node to upload the local data segment to the network side server;
the data processing unit is used for splitting a data stream local via the network node into a plurality of data fragments and storing the data fragments;
and the data sending unit is used for packaging and uploading the data fragments to a network side server at the service processing interval.
6. A network side server for network tracing long chain attack, which is located at the network side and executes the method according to any one of claims 1-4, and is characterized by comprising:
the instruction sending unit is used for sending an instruction to each network node, and the instruction is used for instructing each network node to upload the local data segment to the network side server;
the data merging unit is used for merging the analyzed data segment with the local historical data segment of the network side server after receiving the encapsulated data segment; the merging comprises merging according to at least one standard of the network node, the sending terminal, the data type and the corresponding access behavior;
the abnormal analysis unit is used for analyzing the merged data segments by using an analysis model, searching abnormal data segments possibly existing in the merged data segments, marking network nodes or terminals to which a plurality of abnormal data segments belong as abnormal points, and analyzing whether logic association exists among the plurality of abnormal data segments;
if the plurality of abnormal data segments have logical association, establishing a front-back association relation of the corresponding abnormal points, and marking the abnormal points as a path point in a potential attack track; if the logical association does not exist among the plurality of abnormal data segments, the front-back association relation among the corresponding abnormal points is disconnected, and the approach points of the abnormal data segments in the potential attack track are deleted;
the transmission unit is used for transmitting the pre-and-post association relation, the approach point and the potential attack track to a display processing device;
and the model training unit is used for training the analysis model according to the pre-and-post incidence relation and the abnormal data segment.
7. A system for network tracing long chain attacks, the system comprising a plurality of network nodes applying the apparatus of claim 5 and a network side server according to claim 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910626783.7A CN110365675B (en) | 2019-07-11 | 2019-07-11 | Method, device and system for network tracking long chain attack |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910626783.7A CN110365675B (en) | 2019-07-11 | 2019-07-11 | Method, device and system for network tracking long chain attack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110365675A CN110365675A (en) | 2019-10-22 |
| CN110365675B true CN110365675B (en) | 2021-09-03 |
Family
ID=68218956
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910626783.7A Active CN110365675B (en) | 2019-07-11 | 2019-07-11 | Method, device and system for network tracking long chain attack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110365675B (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104539626A (en) * | 2015-01-14 | 2015-04-22 | 中国人民解放军信息工程大学 | Network attack scene generating method based on multi-source alarm logs |
| CN104731816A (en) * | 2013-12-23 | 2015-06-24 | 阿里巴巴集团控股有限公司 | Method and device for processing abnormal business data |
| CN105208000A (en) * | 2015-08-21 | 2015-12-30 | 深信服网络科技(深圳)有限公司 | Network attack retrospective analysis method and network security equipment |
| CN105763529A (en) * | 2015-12-12 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Attack chain obtaining method and system in network environment |
| CN109067815A (en) * | 2018-11-06 | 2018-12-21 | 深信服科技股份有限公司 | Attack Source Tracing method, system, user equipment and storage medium |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8464221B2 (en) * | 2009-06-16 | 2013-06-11 | Microsoft Corporation | Visualization tool for system tracing infrastructure events |
| US9998480B1 (en) * | 2016-02-29 | 2018-06-12 | Symantec Corporation | Systems and methods for predicting security threats |
| WO2017184233A1 (en) * | 2016-04-18 | 2017-10-26 | Acalvio Technologies, Inc. | Systems and methods for detecting and tracking adversary trajectory |
| CN109688161A (en) * | 2019-02-14 | 2019-04-26 | 上海鹏越惊虹信息技术发展有限公司 | A kind of network trace method, apparatus, system, equipment and storage medium |
-
2019
- 2019-07-11 CN CN201910626783.7A patent/CN110365675B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104731816A (en) * | 2013-12-23 | 2015-06-24 | 阿里巴巴集团控股有限公司 | Method and device for processing abnormal business data |
| CN104539626A (en) * | 2015-01-14 | 2015-04-22 | 中国人民解放军信息工程大学 | Network attack scene generating method based on multi-source alarm logs |
| CN105208000A (en) * | 2015-08-21 | 2015-12-30 | 深信服网络科技(深圳)有限公司 | Network attack retrospective analysis method and network security equipment |
| CN105763529A (en) * | 2015-12-12 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Attack chain obtaining method and system in network environment |
| CN109067815A (en) * | 2018-11-06 | 2018-12-21 | 深信服科技股份有限公司 | Attack Source Tracing method, system, user equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| 基于地图的网络攻击可视化系统设计与实现;李秋霞;《中国优秀硕士学位论文全文数据库》;20180815;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110365675A (en) | 2019-10-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110365674B (en) | Method, server and system for predicting network attack surface | |
| CN108701187A (en) | Mixed hardware software distribution threat analysis | |
| CN108900374B (en) | Data processing method and device applied to DPI equipment | |
| JP2016508353A (en) | Improved streaming method and system for processing network metadata | |
| CN112350854B (en) | Flow fault positioning method, device, equipment and storage medium | |
| CN105743732B (en) | Method and system for recording transmission path and distribution condition of local area network files | |
| KR102221052B1 (en) | Fault Management System for SDN Network Equipment that supports open flow protocol | |
| CN110381047B (en) | Network attack surface tracking method, server and system | |
| CN110365673B (en) | Method, server and system for isolating network attack plane | |
| CN110351273B (en) | Method, device and system for network tracking long chain attack | |
| CN110351274B (en) | Network attack surface tracking method, server and system | |
| CN110213301B (en) | Method, server and system for transferring network attack plane | |
| CN111741328B (en) | Video analysis method, electronic device, storage medium and system | |
| CN110858837A (en) | Network management and control method and device and electronic equipment | |
| CN110365675B (en) | Method, device and system for network tracking long chain attack | |
| CN117914511A (en) | Security audit system based on data exchange and log analysis | |
| CN110378404B (en) | Method, device and system for network tracking long chain attack | |
| CN106855888A (en) | Daily record monitoring system based on Logstash distributed systems | |
| CN110324354B (en) | Method, device and system for network tracking long chain attack | |
| CN110324353B (en) | Method, device and system for network tracking long chain attack | |
| CN114598622B (en) | Data monitoring method and device, storage medium and computer equipment | |
| Priovolos et al. | Using anomaly detection techniques for securing 5G infrastructure and applications | |
| CN102185705B (en) | Intranet video file monitoring method based on information reduction | |
| CN114595761A (en) | Network data intelligent distribution service system | |
| CN102082709B (en) | Monitoring system for internal network video files based on message interception |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |