CN110620690A - Network attack event processing method and electronic equipment thereof - Google Patents


Info

Publication number
CN110620690A
Authority
CN
China
Prior art keywords
alarm data
data
alarm
processing
statistical analysis
Prior art date
Legal status
Pending
Application number
CN201910888270.3A
Other languages
Chinese (zh)
Inventor
刘圣龙
李祉岐
王利斌
尹琴
杨阳
王秋明
李宁
刘晓蕾
宋洁
焦腾
霍钰
冯磊
任磊
Current Assignee
National Networks Network An (beijing) Technology Co Ltd
State Grid Network Technology (beijing) Co Ltd
State Grid Information and Telecommunication Co Ltd
National Network Information and Communication Industry Group Co Ltd
Original Assignee
National Networks Network An (beijing) Technology Co Ltd
State Grid Network Technology (beijing) Co Ltd
National Network Information and Communication Industry Group Co Ltd
Priority date
Filing date
Publication date
Application filed by National Networks Network An (beijing) Technology Co Ltd, State Grid Network Technology (beijing) Co Ltd, National Network Information and Communication Industry Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a method for processing a network attack event and an electronic device therefor. Specifically, the processing method comprises the following steps: acquiring first alarm data of security devices in a network to be monitored and storing the first alarm data in a database, wherein the first alarm data is based on a network attack event; when any set condition is met, performing statistical analysis on the first alarm data based on a dimension to obtain a statistical analysis result; and executing a processing operation according to the statistical analysis result. The technical scheme of the invention breaks through the barrier between security devices, requires no manual communication, can process the network attack event in a targeted manner based on the statistical analysis result, reduces the capability required of monitoring personnel to identify and analyze alarm data, greatly saves the time spent on reporting and communicating, and significantly improves the processing efficiency of network attack events.

Description

Network attack event processing method and electronic equipment thereof
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method for processing a network attack event and an electronic device thereof.
Background
With the continuous popularization and deepening application of networks, the influence of the internet on people keeps growing in both breadth and depth. Corresponding network security events are also endless, and attack means such as distributed denial of service (DDoS) attacks, man-in-the-middle attacks, malicious software, phishing attacks, ransomware and the like not only cause great economic loss, but also threaten people's safety in sensitive fields such as medical treatment and traffic, and can even cause serious damage to national strategic infrastructure.
To cope with this situation, enterprises deploy a large number of security devices at different positions in a network for attack event detection, protection and handling. However, these security devices are managed individually by each business or system department, lack unified planning, management and control, and cannot achieve rapid linkage; when the handling of a security event requires cooperation between departments, only manual communication, positioning and response can be relied on, so the processing speed is limited and an ideal result cannot be achieved.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method for processing a network attack event and an electronic device therefor, which can solve the problem that in the prior art each security device is managed separately and rapid linkage is lacking.
Based on the above object, the present invention provides a method for processing a network attack event, which includes:
acquiring first alarm data of security equipment in a network to be monitored and storing the first alarm data in a database, wherein the first alarm data is based on a network attack event;
when any set condition is met, carrying out statistical analysis on the first alarm data based on the dimensionality to obtain a statistical analysis result;
and executing processing operation according to the statistical analysis result.
Further, the setting condition includes a preset number of the first alarm data and a preset monitoring duration.
Further, the method also comprises the following steps: and obtaining a feedback result of the processing operation, and if the feedback result is processing failure, identifying the corresponding first alarm data.
Further, the step of acquiring first alarm data of a security device in a network to be monitored and storing the first alarm data in a database, wherein the first alarm data is based on a network attack event, includes:
acquiring original alarm data, and performing packet processing to obtain packet alarm data and sending the packet alarm data to a first distributed subscription message system;
reading the packet alarm data, fusing to obtain first alarm data and sending the first alarm data to a second distributed subscription message system;
and reading the first alarm data, and storing the first alarm data in a corresponding data mode of the database according to the alarm type.
Further, the step of obtaining the first alarm data by the fusion processing includes:
carrying out standardization processing on the packet alarm data;
screening the standardized packet alarm data according to the filtering condition;
if the filtering condition is met, directly obtaining the first alarm data;
and if the filtering condition is not met, performing enrichment treatment to obtain the first alarm data.
Further, the step of obtaining the first alarm data after performing the enrichment processing includes:
acquiring a field name and a field value of standard packet alarm data to be enriched, and matching an enrichment rule to obtain a target field name and a target field value;
matching a corresponding data pattern in the database based on the alarm type;
and arranging the target field names and the target field values based on the data mode to obtain the first alarm data.
Further, the step of executing the processing operation according to the statistical analysis result includes:
performing hazard judgment according to the statistical analysis result;
and executing corresponding processing operation according to the hazard judgment result.
Further, the method also comprises the following steps:
acquiring and storing operation data generated in the process of acquiring the first alarm data of the security devices in the network to be monitored and storing the first alarm data in the database;
and when the operating data is abnormal, executing corresponding alarm operation according to a preset alarm strategy.
Further, the step of acquiring and storing the operation data generated in the process of acquiring the first alarm data of the security device in the network to be monitored and storing the first alarm data in the database includes:
collecting the operating data and sending the operating data to a third distributed subscription message system;
reading the running data from the third distributed subscription message system, formatting the running data to obtain formatted running data, and sending the formatted running data to a fourth distributed subscription message system;
and reading and storing the formatted running data from the fourth distributed subscription message system.
In another aspect of the embodiments of the present invention, an electronic device is provided, including: at least one processor; and
a memory coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to cause the at least one processor to perform any of the processing methods described above.
As can be seen from the above, according to the method for processing the network attack event and the electronic device thereof provided by the present invention, by acquiring the first alarm data of the security device in the network to be monitored, performing statistical analysis on the first alarm data based on the dimensionality, and executing the processing operation according to the statistical analysis result, the barrier between the security devices is broken, manual communication is not required, the network attack event can be processed in a targeted manner based on the statistical analysis result, the capability requirement for the monitoring personnel to identify and analyze the alarm data is reduced, the time for reporting and communicating is greatly saved, the network attack event can be processed globally and uniformly, and the processing efficiency of the network attack event is significantly improved.
Drawings
Fig. 1 is a flowchart of a method for processing a network attack event according to an embodiment of the present invention;
fig. 2 is a schematic diagram of performing statistical analysis on the first alarm data based on a dimension according to an embodiment of the present invention;
fig. 3 is a flowchart of another network attack event processing method according to an embodiment of the present invention;
fig. 4 is a flowchart illustrating acquiring the first alarm data of the security device in the network to be monitored and storing the first alarm data in a database according to an embodiment of the present invention;
fig. 5 is a flowchart of obtaining first alarm data by fusion processing according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating a process performed according to the result of the statistical analysis according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of operational data monitoring provided by an embodiment of the present invention;
fig. 8 is a schematic diagram of a data acquisition mechanism of a distributed subscription message system according to an embodiment of the present invention;
fig. 9 is a flowchart of collecting the operation data according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of an embodiment of a device for processing a network attack event according to an embodiment of the present invention;
fig. 11 is a schematic structural diagram of an embodiment of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities with the same name, or two parameters that are not the same; "first" and "second" are merely for convenience of description and should not be construed as limitations of the embodiments of the present invention, and they are not described in further detail in the following embodiments.
In view of the foregoing, a first aspect of the embodiments of the present invention provides an embodiment of a method for processing a network attack event. As shown in fig. 1, a schematic flow chart of an embodiment of a method for processing a network attack event provided by the present invention specifically includes:
step 101: first alarm data of security devices in a network to be monitored are obtained and stored in a database, the first alarm data being based on a network attack event.
The security device may be hardware or software that performs security functions, such as: advanced Persistent threat detection (APT detection), Domain name resolution (DNS), desktop management or operating systems, and the like. It should be understood by those skilled in the art that the technical solution of the present invention can obtain any hardware device or software generated alarm data for ensuring network security, and is not limited to the above list.
Those skilled in the art will appreciate that for a network attack event, multiple security devices may be caused to generate alarm data, respectively; there may be multiple network attack events in the network to be monitored, i.e. the same security device may also generate multiple alarm data. Therefore, the first alarm data in the present invention covers each alarm data generated by each security device.
Step 102: and when any set condition is met, carrying out statistical analysis on the first alarm data based on the dimensionality to obtain a statistical analysis result.
It will be appreciated that the cyber attack event is unpredictable, and that the first alarm data generated based on the cyber attack event is not predictable. Therefore, a plurality of setting conditions are set simultaneously, and statistical analysis can be started when any setting condition is met, so that effective processing of network attack events is ensured.
Deep analysis of the first alarm data based on dimensions can quickly reveal associations among the first alarm data, so that appropriate processing operations can be adopted in a targeted manner. When performing a specific statistical analysis, one dimension or several dimensions may be selected for the analysis.
Here, the dimension may be a victim dimension, an aggressor dimension, or an alarm type dimension. In addition to the above-listed dimensions, other dimensions may also be used for statistical analysis of the first alarm data, which is not illustrated.
For ease of understanding, the dimension-based statistical analysis is briefly described with reference to FIG. 2.
For the dimension of the victim, the IP address of the victim in the first alarm data can be extracted, and indexes such as the number of times of attack each victim receives, the type of alarm caused by the attack, the last attacked event and the like are counted.
For the dimension of the attacker, the IP address of the attacker in the first alarm data can be extracted, and indexes such as the attack frequency sent by each attacker, the region to which the attacker belongs, the last attack event, the alarm type caused by the attack and the like can be counted.
For the alarm type dimension, indexes such as the number of occurrences of each alarm type within a certain time period, its last occurrence time, the IP of the victim attacked last and the identity of the attacker who launched the last attack are counted according to the alarm type. For example, the alarm type percentage shown in fig. 2 is calculated as follows: within the preset monitoring time period, the proportion of that period accounted for by the duration of each alarm type.
In order to enable the statistical analysis result to be utilized in other scenes, the statistical analysis result may be written into a real-time storage engine for downloading or calling. For example, security personnel may invoke the statistical analysis results for further investigation and analysis.
Furthermore, the statistical analysis result is displayed in a visual or simple interactive mode, so that safety monitoring personnel can conveniently check the statistical analysis result, and make targeted judgment on the concerned field.
Step 103: and executing processing operation according to the statistical analysis result.
Here, the processing operation may be performed automatically or according to a worker's instruction.
It can be seen from the foregoing embodiments that, in the method for processing a network attack event according to the embodiments of the present invention, by obtaining the first alarm data of the security device in the network to be monitored, performing statistical analysis on the first alarm data based on the dimensionality, and executing processing operation according to the statistical analysis result, the barrier between the security devices is broken, manual communication is not required, and based on the statistical analysis result, the network attack event can be processed in a targeted manner, so that the requirement on the capability of monitoring personnel to identify and analyze the alarm data is reduced, time for reporting and communicating is greatly saved, global and uniform processing operation can be performed on the network attack event, and the processing efficiency on the network attack event is significantly improved.
In addition, compared with the prior art, the method for processing a network attack event in the embodiment of the invention realizes deep mining of a large amount of first alarm data by performing statistical analysis on it, and discovers potential or easily overlooked deliberate attack behaviors and attack sources based on the correlation between the first alarm data, so that they can be prevented and handled in a targeted manner, thereby providing a more reliable network security environment. Compared with the prior art, in which the alarm data of security devices is only identified manually, the method significantly improves the processing efficiency and effect for the alarm data.
In some embodiments of the present invention, the setting condition includes a preset number of the first alarm data and a preset monitoring time period.
Specifically, the preset number of the first alarm data may be obtained by recording the obtained first alarm data, or by querying the database. If a large amount of first alarm data are generated in a very short time, the threat of a network attack event is larger or the network attack event is more, at the moment, the amount of the first alarm data reaches a preset value, statistical analysis is started in time, and then a large amount of first alarm data are processed in a targeted manner.
The preset monitoring duration addresses a different case: because network attack events are uncertain, analyzing the first alarm data in real time would easily waste system resources without producing a meaningful statistical analysis.
Therefore, statistical analysis is started when either of the two set conditions is met, which balances the processing efficiency of network attack events against the effective use of system resources.
It should be understood that the preset number of the first alarm data and the preset monitoring time period are not fixed. The technical personnel in the field can reasonably set the preset quantity of the first alarm data and the preset monitoring time according to the information such as the occurrence frequency of the network attack event of the network to be monitored, so as to ensure the high-efficiency processing of the network attack event.
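The dimension-based statistics of step 102 together with the two set conditions just described, as an added worked example in Python that is not part of the patent: a trigger releases a batch of alarms when either the preset count or the preset monitoring duration is reached, and the batch is then summarised per victim, per attacker and per alarm type. The record fields (ts, src, region, dst, type), the IP addresses and the thresholds are constructed assumptions.

```python
# Constructed "first alarm data" records; the field names (ts, src, region, dst, type)
# are assumptions, not the patent's schema. ts is seconds since the window opened.
ALARMS = [
    {"ts": 0,   "src": "10.0.0.5", "region": "region-A", "dst": "192.168.1.10", "type": "DDoS"},
    {"ts": 30,  "src": "10.0.0.5", "region": "region-A", "dst": "192.168.1.20", "type": "DDoS"},
    {"ts": 45,  "src": "10.0.0.7", "region": "region-B", "dst": "192.168.1.10", "type": "Phishing"},
    {"ts": 90,  "src": "10.0.0.5", "region": "region-A", "dst": "192.168.1.10", "type": "Malware"},
    {"ts": 120, "src": "10.0.0.9", "region": "region-C", "dst": "192.168.1.30", "type": "DDoS"},
]


class AnalysisTrigger:
    """Buffers alarms and releases a batch for statistical analysis as soon as ANY
    set condition holds: the preset number of alarms is reached, or the preset
    monitoring duration has elapsed since the first buffered alarm. The duration is
    checked on arrival here; a deployment would also fire it from a timer."""

    def __init__(self, preset_count, preset_seconds):
        self.preset_count = preset_count
        self.preset_seconds = preset_seconds
        self.batch = []
        self.window_start = None

    def add(self, alarm):
        """Return the batch to analyse when a condition is met, else None."""
        if self.window_start is None:
            self.window_start = alarm["ts"]
        self.batch.append(alarm)
        elapsed = alarm["ts"] - self.window_start
        if len(self.batch) >= self.preset_count or elapsed >= self.preset_seconds:
            batch, self.batch, self.window_start = self.batch, [], None
            return batch
        return None


def _by_time(alarms):
    return sorted(alarms, key=lambda a: a["ts"])


def analyze_by_victim(alarms):
    """Victim dimension: per victim IP, attack count, alarm types, last attack."""
    stats = {}
    for a in _by_time(alarms):
        s = stats.setdefault(a["dst"], {"count": 0, "types": set(), "last_ts": None, "last_attacker": None})
        s["count"] += 1
        s["types"].add(a["type"])
        s["last_ts"], s["last_attacker"] = a["ts"], a["src"]
    return stats


def analyze_by_attacker(alarms):
    """Attacker dimension: per attacker IP, attack count, region, alarm types, last attack."""
    stats = {}
    for a in _by_time(alarms):
        s = stats.setdefault(a["src"], {"count": 0, "region": a["region"], "types": set(), "last_ts": None})
        s["count"] += 1
        s["types"].add(a["type"])
        s["last_ts"] = a["ts"]
    return stats


def analyze_by_type(alarms, window_seconds):
    """Alarm-type dimension: per type, occurrences, last occurrence, last victim and
    attacker, and the page's 'alarm type percentage': the span during which the type
    was active divided by the preset monitoring period."""
    stats = {}
    for a in _by_time(alarms):
        s = stats.setdefault(a["type"], {"count": 0, "first_ts": a["ts"], "last_ts": a["ts"],
                                         "last_victim": None, "last_attacker": None})
        s["count"] += 1
        s["last_ts"], s["last_victim"], s["last_attacker"] = a["ts"], a["dst"], a["src"]
    for s in stats.values():
        s["share"] = (s["last_ts"] - s["first_ts"]) / window_seconds
    return stats


def process_stream(alarms, preset_count, preset_seconds):
    """Feed alarms through the trigger and return one analysis result per released batch."""
    trigger = AnalysisTrigger(preset_count, preset_seconds)
    results = []
    for a in alarms:
        batch = trigger.add(a)
        if batch is not None:
            results.append({"size": len(batch),
                            "victims": analyze_by_victim(batch),
                            "attackers": analyze_by_attacker(batch),
                            "types": analyze_by_type(batch, preset_seconds)})
    return results


if __name__ == "__main__":
    for r in process_stream(ALARMS, preset_count=5, preset_seconds=200):
        print(r["size"], "alarms analysed")
        for ip, s in r["victims"].items():
            print("  victim", ip, "attacked", s["count"], "times, last by", s["last_attacker"])
        for t, s in r["types"].items():
            print("  type", t, "count", s["count"], "share", round(s["share"], 2))
```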
In some embodiments of the present invention, referring to fig. 3, further comprising:
step 104: and obtaining a feedback result of the processing operation, and if the feedback result is processing failure, identifying the corresponding first alarm data.
By adopting the mode, the execution condition of the processing operation is monitored, the corresponding first alarm data is identified according to the feedback result, so that safety personnel can conveniently check the first alarm data, and appropriate remedial processing measures can be conveniently taken aiming at the first alarm data which fails to be processed, for example, the corresponding processing operation is executed again, and the complete processing of the alarm data is ensured.
It should be understood by those skilled in the art that the processing method of the embodiment of the present invention can continue to obtain the first alarm data of the security device in the network to be monitored while processing the operation, that is, the processing method of the embodiment of the present invention can continue to perform security protection on the network to be monitored.
Therefore, the first alarm data marked as processing failure can be treated as alarm data to be processed in the next stage: it is statistically analyzed, and processing operations are executed, together with the first alarm data newly acquired in that stage. In this way, first alarm data that failed to be processed can be re-processed simply and conveniently. In addition, as the network attack continues, analyzing the previously failed first alarm data together with the newly acquired first alarm data allows the relation between them to be fully mined and more targeted processing operations to be adopted, which is particularly suitable where the processing failure was caused by characteristics of the network attack that had not yet been detected.
In some embodiments of the present invention, as shown in fig. 4, the step of obtaining first alarm data of a security device in a network to be monitored and storing the first alarm data in a database, where the alarm data is based on a network attack event specifically includes:
step 401: original alarm data is obtained, packet processing is performed to obtain packet alarm data, and the packet alarm data is sent to a first distributed subscription message system (a distributed subscription message system such as Kafka).
The original alarm data is obtained through a data input plug-in, and the type and the number of the data input plug-ins are flexibly set according to the condition of the first alarm data. The original alarm data of various structured, unstructured and file types can be conveniently obtained by adjusting the setting of the data input plug-in, and the method has the characteristics of strong expansibility, simplicity and convenience.
Furthermore, a plurality of data input plug-ins are arranged to provide a uniform bus interface for the original alarm data, and the data access standard is uniform. Therefore, although the original alarm data from the safety equipment are different, the obtained original alarm data can be unified through the data input plug-in unit, and the subsequent processing is facilitated.
In addition, the plug-in is utilized, and the original alarm data can be conveniently compressed and decompressed for transmission.
Step 402: and reading the packet alarm data, fusing to obtain the first alarm data, and sending the first alarm data to a second distributed subscription message system.
Step 403: and reading the first alarm data, and storing the first alarm data in a corresponding data mode (Schema) of the database according to the alarm type.
It should be noted that the original alarm data is usually generated according to a log rule, and when the alarm types are different, the generated original alarm data also has differences, and the data patterns applicable in the database also have differences, so that it is determined which specific data pattern the first alarm data is stored in according to the alarm types.
By adopting a distributed subscription message system and utilizing the characteristics of persistence, dynamic expansion and the like, the distributed subscription message system can ensure that the alarm data is not lost when a large amount of alarm data is continuously generated, and supports the storage of a large amount of alarm data; in addition, the distributed message subscription system enables the alarm data to be simultaneously used for steps of inquiry, statistical analysis and the like in a multi-consumer reading mode, and can meet the requirements of real-time calculation and off-line calculation.
Referring to fig. 5, in some embodiments of the present invention, the step of obtaining the first alarm data by the fusion process includes:
step 501: and carrying out standardization processing on the packet alarm data.
Specifically, the normalization process performs data normalization according to the different sources, alarm types and alarm data fields of the original alarm data, unifying the alarm data in terms of alarm source (the type of security device and its IP address), alarm type (one of twelve major alarm types) and alarm fields (a preset, fixed set of alarm information fields), so that the differences between alarm data of different types generated by different security devices are unified.
For the alarm type division, the division may be performed according to a known division method in the prior art, or may be further modified based on the existing division method, for example, a plurality of similar alarm types are combined into one large class.
The contents of the alarm field are typically determined by the settings of the security device itself.
Step 502: and screening the standardized packet alarm data according to the filtering condition.
Specifically, the filtering condition is a limitation on the alarm types, and the data form of the first alarm data of some alarm types is inconvenient to store in a database and needs to be subjected to subsequent enrichment processing.
Step 503: if the filtering condition is met, directly obtaining the first alarm data;
and if the filtering condition is not met, performing enrichment treatment to obtain the first alarm data.
Through fusion processing, the alarm data can be uniformly stored in the database, and subsequent operations such as statistical analysis and query are facilitated.
Further, the step of obtaining the first alarm data after performing the enrichment processing may include:
acquiring a field name and a field value of standard packet alarm data to be enriched, and matching an enrichment rule to obtain a target field name and a target field value;
matching a corresponding data pattern in the database based on the alarm type;
and arranging the target field names and the target field values based on the data mode to obtain the first alarm data.
As will be understood by those skilled in the art, an original alarm data corresponds to a first alarm data, and the original alarm data includes alarm type information, and in the process of obtaining the first alarm data from the original alarm data, although the format of the alarm data changes, the information included in the alarm data does not change, so the alarm type in the original alarm data remains unchanged all the time.
Here, the partial enrichment rule is listed as table 1. It should be noted that the enriching rule can be extended by a script, and those skilled in the art can write a new rule of the script by themselves to perform data conversion.
TABLE 1 enrichment rules

Rule                              Conversion to a regular array
convert(id)                       new Object[]{"convert","id"}
subString(name,3,5)               new Object[]{"subString",3,5}
map(s_cardId,mapID,age)           new Object[]{"map","s_cardId","mapID","age"}
sysDate("yyyy-MM-dd HH:mm:ss")    new Object[]{"sysDate","yyyy-MM-dd HH:mm:ss"}
value('high')                     new Object[]{"value","high"}
lngLatMap(ip,city)                new Object[]{"lngLatMap","ip","city"}
uuid()                            new Object[]{"uuid"}
md5(field)                        new Object[]{"md5","field"}
getdate(field,"YYYYMMDD")         new Object[]{"getdate","field","YYYYMMDD"}
to_string(field)                  new Object[]{"to_string","field"}
to_int(field)                     new Object[]{"to_int","field"}
to_long(field)                    new Object[]{"to_long","field"}
to_double(field)                  new Object[]{"to_double","field"}
to_float(field)                   new Object[]{"to_float","field"}
Arraytostring(field,type)         new Object[]{"Arraytostring","field","int"}
In order to make the contents of Table 1 easier to understand, some of the enrichment rules are described in more detail below.
1. convert(id)
Conversion rule: assigns the value of the field id to the target field.
2. subString(name,3,5)
Extracts a substring of the value of the field name using the subString method (here, from position 3 to position 5).
3. map(s_cardId,mapID,age)
Map rule:
s_cardId: the original field;
mapID: the key identifying the map (dictionary);
age: the key whose value is finally returned.
Dictionary lookup: map.get(mapID).get(s_cardId).get(age).
4. sysDate("yyyy-MM-dd HH:mm:ss")
Assigns the current time to the target field in the given format; for example, yyyyMMdd gives the year, month and day, and yyyyMMddHH gives the year, month, day and hour.
5. value("high")
Assignment rule: assigns the value in the brackets to the target field.
6. lngLatMap(ip,city)
Geographic map rule: retrieves the corresponding map from the geographic map using the value of the field ip, and assigns the value of city in that map to the target field.
7. Arraytostring(field,type)
type: the element type of the array field (case-insensitive), one of string, int, Boolean, byte, char, double, float, long, short, Object.
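The rule strings of Table 1 and the array form they are converted to can be exercised with a small evaluator. The following is an added example and not code from the patent: it parses a rule string into the ["name", arg, ...] array of Table 1's right-hand column and applies it to one standardized alarm record held in a dict. The record fields, the dictionary table used by map, the geographic table used by lngLatMap, the treatment of Arraytostring as a comma join, and the fixed clock passed as now are all constructed assumptions.

```python
import hashlib
import re
import uuid
from datetime import datetime

# Added example, not the patent's own code. Parses the enrichment rule
# strings of Table 1 and applies them to a standardized alarm record.
# Record fields, dictionary/geo tables and the Arraytostring join format
# are assumptions for illustration.

# Java-style date patterns used in Table 1 -> strftime directives
_JAVA_TO_STRFTIME = [("yyyy", "%Y"), ("YYYY", "%Y"), ("MM", "%m"), ("dd", "%d"),
                     ("DD", "%d"), ("HH", "%H"), ("mm", "%M"), ("ss", "%S")]

def java_date_format(fmt: str) -> str:
    for java, py in _JAVA_TO_STRFTIME:
        fmt = fmt.replace(java, py)
    return fmt

def parse_rule(rule: str) -> list:
    """'subString(name,3,5)' -> ['subString', 'name', 3, 5] (Table 1 array form)."""
    m = re.fullmatch(r"\s*(\w+)\s*\((.*)\)\s*", rule, re.S)
    if not m:
        raise ValueError(f"not an enrichment rule: {rule!r}")
    name, body = m.group(1), m.group(2).strip()
    args = []
    if body:
        for raw in body.split(","):           # Table 1 rules have no nested commas
            a = raw.strip()
            if len(a) >= 2 and a[0] == a[-1] and a[0] in "'\"":
                args.append(a[1:-1])          # quoted literal
            elif a.lstrip("-").isdigit():
                args.append(int(a))           # numeric literal
            else:
                args.append(a)                # bare token = source field name
    return [name] + args

_CASTS = {"to_string": str, "to_int": int, "to_long": int,
          "to_double": float, "to_float": float}

def apply_rule(parsed, record, dictionaries=None, geo=None, now=None):
    """Return the target field value produced by one parsed rule."""
    op, args = parsed[0], parsed[1:]
    if op == "convert":                   # copy the source field as-is
        return record.get(args[0])
    if op == "subString":                 # characters [start, end) of the field
        return str(record.get(args[0], ""))[args[1]:args[2]]
    if op == "map":                       # map.get(mapID).get(s_cardId).get(age)
        src, map_id, key = args
        return dictionaries[map_id][record[src]][key]
    if op == "sysDate":                   # current time in the given format
        return (now or datetime.now()).strftime(java_date_format(args[0]))
    if op == "value":                     # constant assignment
        return args[0]
    if op == "lngLatMap":                 # geo record looked up by the IP value
        return geo[record[args[0]]][args[1]]
    if op == "uuid":
        return str(uuid.uuid4())
    if op == "md5":
        return hashlib.md5(str(record[args[0]]).encode()).hexdigest()
    if op == "getdate":                   # format a datetime-valued field
        return record[args[0]].strftime(java_date_format(args[1]))
    if op in _CASTS:
        return _CASTS[op](record[args[0]])
    if op == "Arraytostring":             # assumed: join the typed elements with commas
        cast = {"int": int, "long": int, "string": str, "float": float,
                "double": float}.get(args[1].lower(), str)
        return ",".join(str(cast(x)) for x in record[args[0]])
    raise ValueError(f"unknown enrichment rule: {op}")

def enrich(record, targets, dictionaries=None, geo=None, now=None):
    """Apply a {target_field: rule_string} mapping; return the target fields."""
    return {t: apply_rule(parse_rule(r), record, dictionaries, geo, now)
            for t, r in targets.items()}

# Constructed sample: one standardized alarm record plus lookup tables.
SAMPLE_RECORD = {"id": "evt-42", "name": "webshell-upload", "s_cardId": "c17",
                 "ip": "203.0.113.9", "port": "8080", "tags": [1, 2, 3],
                 "ts": datetime(2019, 9, 19, 10, 30, 0)}
SAMPLE_DICTS = {"mapID": {"c17": {"age": 37}}}
SAMPLE_GEO = {"203.0.113.9": {"city": "TEST-NET city", "lng": 0.0, "lat": 0.0}}
SAMPLE_NOW = datetime(2019, 9, 19, 12, 0, 0)
SAMPLE_RULES = {"event_id": "convert(id)", "short": "subString(name,3,5)",
                "age": "map(s_cardId,mapID,age)", "level": "value('high')",
                "city": "lngLatMap(ip,city)", "port_n": "to_int(port)",
                "day": 'getdate(ts,"YYYYMMDD")',
                "now": 'sysDate("yyyy-MM-dd HH:mm:ss")',
                "tags": "Arraytostring(tags,int)"}

if __name__ == "__main__":
    print(enrich(SAMPLE_RECORD, SAMPLE_RULES, SAMPLE_DICTS, SAMPLE_GEO, SAMPLE_NOW))
```

The parser deliberately treats a bare token as a field name and a quoted token as a literal, which is the distinction Table 1 relies on (value('high') assigns the literal, convert(id) copies a field); a script-extended rule that needs nested commas would need a real tokenizer rather than the split used here.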
In some embodiments of the present invention, as shown in fig. 6, the step of performing a processing operation according to the statistical analysis result includes:
Step 601: performing hazard judgment according to the statistical analysis result.
It should be noted that the hazard judgment involves multiple factors, for example the asset value corresponding to the first alarm data, the alarm type of the first alarm data, the hazard level, the external URL, the attack source, and so on. It can be understood that the judgment result may be obtained from a single factor or by comprehensively judging several factors. The asset value can be obtained by querying, through the IP address in the first alarm data, the asset corresponding to the security device.
It should be understood that the evaluation parameter of a judgment factor may be set manually or may be derived from the first alarm data itself; for example, the evaluation parameter of the asset value is usually set manually (an asset value greater than ten thousand yuan is considered more harmful, less than one hundred yuan less harmful, and so on), while the evaluation parameter of the alarm type is usually determined by the degree of harm of the alarm type itself.
For the understanding of those skilled in the art, the hazard judgment is illustrated as follows:
For example, in the dimension of the alarm type, the first alarm data may be classified into a high level, a medium level and a low level according to the evaluation parameter, and different levels correspond to different processing operations.
As another example, in the dimension of the attacker, the evaluation parameter may be whether the attacker's IP address is located overseas or domestically, based on the geographical location of the IP address. Overseas attackers are usually considered more hazardous and should be handled more thoroughly; a domestic attacker is considered less hazardous, and a simpler processing operation can be selected. Of course, the evaluation parameter may also be whether the IP address of the attacker is on the intranet or the extranet.
Step 602: executing the corresponding processing operation according to the hazard judgment result.
The processing operation may be a single processing action or several coordinated processing actions. The processing actions may be virus checking and killing, IP blocking, network access blocking, running antivirus on the asset, adding to a blacklist or whitelist, and so on.
The processing operations are further explained below in conjunction with examples.
In conjunction with the foregoing, for a domestic attacker, blocking the corresponding IP address may be selected. For an attacker from abroad, a more in-depth approach can be chosen, for example: according to the characteristics of the attack, a comprehensive investigation of the network to be monitored is carried out, and measures such as blocking IP addresses (a wider range of IP addresses, not limited to a single one) are taken according to the investigation result.
Through this scheme, if several network attack events come from one overseas region, the IP address range of that region is blocked rather than only the individual IP address of the attack source, so that the recurrence of similar network attack events is fundamentally avoided; this technical effect is difficult to achieve with the prior art.
It should be understood that the evaluation parameter may also affect how a specific processing operation is carried out. Taking IP blocking as an example: for an extranet IP, the external firewall is used; for an intranet IP, the firewall that handles the corresponding IP segment is located and the blocking instruction is issued to it.
Although the security device may generate a large amount of original alarm data, the network attack events behind it differ in their level of harm to network security. Hazard judgment therefore determines the harm level of each network attack event accurately, and the corresponding processing operation is selected based on that level. The technical scheme handles network attack events in a targeted way: it ensures that they are handled effectively and avoids the economic and efficiency losses caused by over-processing interfering with normal use of the network.
Referring to fig. 7, in the process of acquiring and storing the first alarm data, the original alarm data is generated continuously and in large quantity. To ensure that the processing method runs normally and that the first alarm data is acquired accurately, in some embodiments of the present invention the method further includes a step of monitoring operation data, which specifically includes:
collecting and storing the operation data generated while the first alarm data of the security device in the network to be monitored is acquired and stored in the database; here, the operation data may be server logs, system logs (flash system platform logs), data of the first distributed subscription message system, data of the second distributed subscription message system, or the like;
and when the operation data is abnormal, executing the corresponding alarm operation according to a preset alarm strategy.
Specifically, the alarm operation may be a short message (SMS), an e-mail, or a custom plug-in. The staff are notified in this way so that they can adjust the system, and the normal operation of the processing method is ensured.
Through this technical scheme, healthy operation of the whole path from acquiring the original alarm data to storing it can be guaranteed; when a problem occurs, it is found in time through analysis of the operation data and an alarm is raised, prompting the staff to resolve it.
To further illustrate the technical solutions of the embodiments of the present invention, the following description is given by way of example with reference to specific operation data.
Server logs
The server log refers to the CPU utilization, memory utilization, disk utilization, process running state, network port occupancy and the like of the server that acquires the first alarm data of the security device in the network to be monitored and stores it in the database. Server logs are collected by agents on each server that generates operation data; when the data sent by an agent is lost, an abnormality is judged to have occurred and the corresponding alarm operation is triggered.
The data structure of the server log is exemplified as follows; the server log is encapsulated as JSON:
{
  "endpoint": "XXXXX",
  "metric": "cpu-idle",
  "timestamp": 192010223,
  "step": 60,
  "value": 50,
  "countertype": "GAUGE",
  "tags": "platform"
}
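Monitoring this operation data means two checks on the stream of agent records: a value that crosses a preset limit, and an agent whose records stop arriving, which the text treats as the signal of abnormality. The following is an added example, not the patent's code, that parses records in the JSON layout shown above, keeps the last sample per (endpoint, metric) pair, raises an agent-lost alarm when the gap exceeds a number of step intervals, and maps each alarm kind to notification channels standing in for the preset alarm strategy. The thresholds, the miss factor, the strategy table and the sample lines are constructed.

```python
import json

# Added example, not the patent's code: abnormality detection over server-log
# operation data. MISS_FACTOR, THRESHOLDS, ALARM_STRATEGY and SAMPLE_LINES
# are constructed assumptions.

MISS_FACTOR = 2                      # lost if no sample within MISS_FACTOR * step seconds
THRESHOLDS = {"cpu-idle": ("lt", 10), "mem-used-pct": ("gt", 95)}
ALARM_STRATEGY = {"agent-lost": ["sms", "email"],   # preset alarm strategy (constructed)
                  "threshold": ["email"],
                  "default": ["plugin:ticket"]}
REQUIRED = ("endpoint", "metric", "timestamp", "step", "value")

def parse_server_log(line: str) -> dict:
    """Parse one agent record; reject records missing a required key."""
    rec = json.loads(line)
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"server log record lacks {missing}")
    return rec

class OperationMonitor:
    def __init__(self):
        self.last_seen = {}          # (endpoint, metric) -> (timestamp, step)

    def ingest(self, rec: dict) -> list:
        """Record the sample and return any threshold alarm it triggers."""
        self.last_seen[(rec["endpoint"], rec["metric"])] = (rec["timestamp"], rec["step"])
        rule = THRESHOLDS.get(rec["metric"])
        if rule is None:
            return []
        op, limit = rule
        breached = rec["value"] < limit if op == "lt" else rec["value"] > limit
        if not breached:
            return []
        return [{"kind": "threshold", "endpoint": rec["endpoint"],
                 "metric": rec["metric"], "value": rec["value"], "limit": limit}]

    def lost_agents(self, now: int) -> list:
        """Agent-loss alarms: pairs whose last sample is older than MISS_FACTOR steps."""
        return [{"kind": "agent-lost", "endpoint": ep, "metric": m, "last": ts}
                for (ep, m), (ts, step) in self.last_seen.items()
                if now - ts > MISS_FACTOR * step]

def dispatch(alarm: dict) -> list:
    """Preset alarm strategy: channels (SMS, e-mail, plug-in) for this alarm kind."""
    return ALARM_STRATEGY.get(alarm["kind"], ALARM_STRATEGY["default"])

def monitor(lines, now: int) -> list:
    """Run the stream through the monitor; return alarms with their channels."""
    mon = OperationMonitor()
    alarms = []
    for line in lines:
        alarms.extend(mon.ingest(parse_server_log(line)))
    alarms.extend(mon.lost_agents(now))
    return [dict(a, channels=dispatch(a)) for a in alarms]

# Constructed sample stream: web-01 reports every 60 s and its CPU idle collapses;
# db-01 reports once and then goes silent.
SAMPLE_LINES = [
    '{"endpoint":"web-01","metric":"cpu-idle","timestamp":1000,"step":60,"value":50,"countertype":"GAUGE","tags":"platform"}',
    '{"endpoint":"db-01","metric":"cpu-idle","timestamp":1000,"step":60,"value":70,"countertype":"GAUGE","tags":"platform"}',
    '{"endpoint":"web-01","metric":"cpu-idle","timestamp":1060,"step":60,"value":40,"countertype":"GAUGE","tags":"platform"}',
    '{"endpoint":"web-01","metric":"cpu-idle","timestamp":1120,"step":60,"value":5,"countertype":"GAUGE","tags":"platform"}',
]
SAMPLE_NOW = 1180

if __name__ == "__main__":
    for alarm in monitor(SAMPLE_LINES, SAMPLE_NOW):
        print(alarm)
```

The agent-lost check is evaluated against the monitor's clock rather than against incoming records, because a silent agent by definition sends nothing to trigger it; in a deployment the check runs on a timer at roughly the step interval.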
Data of the first distributed subscription message system or the second distributed subscription message system
Specifically, this covers the production and consumption rates of the alarm data in the first or second distributed subscription message system; corresponding alarm operations can be configured for abnormal production and consumption rates.
As shown in fig. 8, the group_id of all topics and consumers (corresponding to obtaining the consumer list in the figure) is periodically read from the ZooKeeper that manages the cluster of the first or second distributed subscription message system; all message offsets are obtained and saved, and the consumption rate of each consumer on the log is derived from them (corresponding to concurrent execution in the figure). At the same time, the latest log offset of every topic is obtained through the API of the first or second distributed subscription message system, from which the production rate is obtained.
The Kafka agent sends the acquired data at each step interval to the corresponding topic of the third distributed subscription message system (corresponding to data sending in the figure); the data format is as follows:
{
  "endpoint": "kafka",
  "metric": "skygate",        # topic name
  "timestamp": 192010223,
  "step": 60,
  "value": 1203203,
  "countertype": "GAUGE",
  "tags": "platform"
}
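The production and consumption rates above follow from two offset snapshots taken one step apart: the growth of each topic's log-end offsets gives the production rate, the growth of a consumer group's committed offsets gives its consumption rate, and the difference between the two offsets is the lag. The following is an added example, not the patent's code, that performs that computation on constructed snapshots, emits the records in the JSON layout shown above, and applies a constructed abnormality rule (lag above a limit, or consumption well below production) of the kind a preset alarm strategy would hold. The snapshot structure, topic and group names, and limits are assumptions.

```python
# Added example, not the patent's code: production/consumption rates and lag
# from two Kafka offset snapshots, in the agent's JSON layout. Snapshot
# structure, names and limits are constructed assumptions.

def metric(name, value, ts, step, endpoint="kafka"):
    """One record in the layout the Kafka agent sends to the third system."""
    return {"endpoint": endpoint, "metric": name, "timestamp": ts, "step": step,
            "value": value, "countertype": "GAUGE", "tags": "platform"}

def compute_rates(prev: dict, curr: dict, ts: int, step: int) -> list:
    """prev/curr: {topic: {"end": {partition: log_end_offset},
                           "groups": {group_id: {partition: committed_offset}}}}
    taken `step` seconds apart. Returns produce_rate, consume_rate and lag metrics."""
    out = []
    for topic, snap in curr.items():
        before = prev[topic]
        produced = sum(snap["end"].values()) - sum(before["end"].values())
        out.append(metric(f"{topic}.produce_rate", produced / step, ts, step))
        for group, offs in snap["groups"].items():
            consumed = sum(offs.values()) - sum(before["groups"][group].values())
            lag = sum(snap["end"][p] - o for p, o in offs.items())   # unread messages
            out.append(metric(f"{topic}.{group}.consume_rate", consumed / step, ts, step))
            out.append(metric(f"{topic}.{group}.lag", lag, ts, step))
    return out

def abnormal(metrics: list, max_lag: int, min_consume_ratio: float = 0.5) -> list:
    """Constructed alarm rule: a group is abnormal when its lag exceeds max_lag
    or it consumes less than min_consume_ratio of what the topic produces."""
    by_name = {m["metric"]: m["value"] for m in metrics}
    hits = []
    for name, value in by_name.items():
        if name.endswith(".lag") and value > max_lag:
            hits.append(name)
        if name.endswith(".consume_rate"):
            produce = by_name.get(f"{name.split('.')[0]}.produce_rate", 0)
            if produce > 0 and value < min_consume_ratio * produce:
                hits.append(name)
    return hits

# Constructed snapshots 60 s apart: topic "skygate" with two partitions, a
# "store" group that keeps up and a "fuse" group that is falling behind.
SAMPLE_PREV = {"skygate": {"end": {0: 1000, 1: 2000},
                           "groups": {"fuse": {0: 900, 1: 1900},
                                      "store": {0: 1000, 1: 2000}}}}
SAMPLE_CURR = {"skygate": {"end": {0: 1600, 1: 2600},
                           "groups": {"fuse": {0: 1000, 1: 2000},
                                      "store": {0: 1590, 1: 2590}}}}
SAMPLE_TS, SAMPLE_STEP = 192010283, 60

if __name__ == "__main__":
    ms = compute_rates(SAMPLE_PREV, SAMPLE_CURR, SAMPLE_TS, SAMPLE_STEP)
    for m in ms:
        print(m["metric"], m["value"])
    print("abnormal:", abnormal(ms, max_lag=1000))
```

Lag is reported alongside the rates because a consumer can show a healthy rate while the backlog still grows; watching both is what lets the fusion stage's slowdown be caught before first alarm data is delayed into the database.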
System logs
System logs include, but are not limited to, plug-in logs, distributed subscription message system logs, Distributed File System (HDFS) logs, instant storage engine (ES) logs and the like; these logs can be used for data analysis, and corresponding alarm operations are matched based on the analysis result.
Because of the diversity of system logs, a separate log-processing plug-in is provided for each kind of system log. For the plug-in log, an independent interface needs to be packaged for the plug-ins to call; its data structure is as follows:
static abstract class PluginLogger extends Logger {
    Map<String, Logger> loggers;                      // one logger per registered plug-in type
    public abstract void regLogType(String type);    // register a plug-in log type
    public abstract Logger getLogger(String type);   // logger for that type
    public abstract void debug(Object message);
    public abstract void fatal(Object message);
    public abstract void info(Object message);
    public abstract void warn(Object message);
    public abstract void error(Object message);
    public abstract void trace(Object message);
}
Because the interfaces that generate system logs are not uniform and may be written in different development languages, the system logs are collected using flash: the system log paths to be collected are defined by configuration, and the logs are sent to the third distributed subscription message system through syslog.
In some embodiments of the present invention, each corresponding alarm operation is carried out by calling a different RESTful interface.
In some embodiments of the invention, the collected operation data may, in addition to being used for alarming, be stored and displayed on a dashboard for easy viewing.
In some embodiments of the present invention, as shown in fig. 9, the step of collecting and storing the operation data generated while the first alarm data of the security device in the network to be monitored is acquired and stored in the database specifically includes:
Step 901: collecting the operation data and sending it to a third distributed subscription message system.
Step 902: reading the operation data from the third distributed subscription message system, formatting it to obtain formatted operation data, and sending the formatted operation data to a fourth distributed subscription message system.
Here, the formatting may be implemented by a formatting plug-in.
It should be noted that a corresponding formatting plug-in is matched to each kind of operation data; such a scheme is highly extensible and simple to use.
Step 903: reading the formatted operation data from the fourth distributed subscription message system and storing it.
It should be appreciated that the operation data may be stored directly in a PostgreSQL database.
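The plug-in matching of steps 901 to 903 amounts to a registry keyed by the kind of operation data, where each plug-in turns one raw message into a row of a common schema that is then written with a parameterized INSERT. The following is an added example, not the patent's code, with plug-ins for the two JSON layouts shown earlier and for a syslog line of the kind the system-log path produces. The kinds, the row schema, the table name, the syslog pattern and the sample messages are constructed assumptions.

```python
import json
import re

# Added example, not the patent's code: formatting plug-in dispatch for
# operation data (steps 901-903). Kinds, schema, table name, syslog pattern
# and sample messages are constructed assumptions.

FORMATTERS = {}
ROW_KEYS = ("source", "host", "metric", "value", "ts", "message")

def formatting_plugin(kind):
    """Decorator registering a plug-in for one kind of operation data."""
    def register(fn):
        FORMATTERS[kind] = fn
        return fn
    return register

@formatting_plugin("server-log")
def fmt_server_log(raw: str) -> dict:
    rec = json.loads(raw)
    return {"source": "server", "host": rec["endpoint"], "metric": rec["metric"],
            "value": float(rec["value"]), "ts": int(rec["timestamp"]), "message": None}

@formatting_plugin("kafka")
def fmt_kafka(raw: str) -> dict:
    rec = json.loads(raw)            # same layout; "metric" carries the topic name
    return {"source": "kafka", "host": rec["endpoint"], "metric": rec["metric"],
            "value": float(rec["value"]), "ts": int(rec["timestamp"]), "message": None}

# <PRI>Mon dd hh:mm:ss host tag[pid]: message   (constructed BSD-style pattern)
_SYSLOG = re.compile(r"^<(\d+)>(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\s\[]+)(?:\[\d+\])?: (.*)$")

@formatting_plugin("syslog")
def fmt_syslog(raw: str) -> dict:
    m = _SYSLOG.match(raw)
    if not m:
        raise ValueError(f"unparsable syslog line: {raw!r}")
    pri, _stamp, host, tag, msg = m.groups()
    return {"source": "syslog", "host": host, "metric": tag,
            "value": int(pri) & 0x07, "ts": None, "message": msg}   # value = severity

def format_message(kind: str, raw: str) -> dict:
    """Step 902: match the plug-in for this kind and enforce the common schema."""
    plugin = FORMATTERS.get(kind)
    if plugin is None:
        raise LookupError(f"no formatting plug-in registered for {kind!r}")
    row = plugin(raw)
    missing = [k for k in ROW_KEYS if k not in row]
    if missing:
        raise ValueError(f"plug-in {kind!r} omitted {missing}")
    return row

def to_insert(row: dict):
    """Step 903: parameterized INSERT; values are bound, never interpolated."""
    sql = ("INSERT INTO operation_data (source, host, metric, value, ts, message) "
           "VALUES (%s, %s, %s, %s, %s, %s)")
    return sql, tuple(row[k] for k in ROW_KEYS)

# Constructed messages as they would be read from the third system.
SAMPLE_MESSAGES = [
    ("server-log", '{"endpoint":"web-01","metric":"cpu-idle","timestamp":192010223,'
                   '"step":60,"value":50,"countertype":"GAUGE","tags":"platform"}'),
    ("kafka", '{"endpoint":"kafka","metric":"skygate","timestamp":192010223,'
              '"step":60,"value":1203203,"countertype":"GAUGE","tags":"platform"}'),
    ("syslog", "<14>Sep 19 10:30:01 flume-01 flume[2210]: sink kafka-sink reconnecting"),
]

def run(messages=SAMPLE_MESSAGES) -> list:
    """Format every message and return the (sql, params) pairs to execute."""
    return [to_insert(format_message(kind, raw)) for kind, raw in messages]

if __name__ == "__main__":
    for sql, params in run():
        print(params)
```

Binding the values as parameters matters here because syslog message text is attacker-influenceable content (a request path or user name echoed by a service), so it must never be concatenated into the SQL string; the schema check in format_message is what keeps a new plug-in from silently producing rows the store cannot accept.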
In view of the above object, a second aspect of the embodiments of the present invention provides an embodiment of a device for processing a network attack event. As shown in fig. 10, the apparatus includes:
an obtaining module 1001, configured to obtain first alarm data of a security device in a network to be monitored and store the first alarm data in a database, where the first alarm data is based on a network attack event;
the analysis module 1002 is configured to perform statistical analysis on the first alarm data based on the dimensionality to obtain a statistical analysis result when any set condition is met;
and the processing module 1003 is configured to execute a processing operation according to the statistical analysis result.
The technical effect of the embodiment of the apparatus for executing the method for processing the network attack event is the same as or similar to that of any method embodiment described above, and is not described again.
In view of the foregoing, a third aspect of the embodiments of the present invention provides an embodiment of an electronic device executing a method for processing a network attack event. Fig. 11 is a schematic diagram of a hardware structure of an embodiment of an electronic device for executing the method for processing the network attack event according to the present invention.
As shown in fig. 11, the electronic apparatus includes:
one or more processors 1101 and a memory 1102, with one processor 1101 being illustrated in fig. 11.
The electronic device executing the network attack event processing method may further include: an input device 1103 and an output device 1104.
The processor 1101, the memory 1102, the input device 1103 and the output device 1104 may be connected by a bus or other means, and are exemplified by being connected by a bus in fig. 11.
The memory 1102, which is a non-volatile computer-readable storage medium, may be configured to store a non-volatile software program, a non-volatile computer-executable program, and modules, such as program instructions/modules corresponding to the processing method of the network attack event in the embodiment of the present application (for example, the obtaining module 1001, the analyzing module 1002, and the processing module 1003 shown in fig. 10). The processor 1101 executes various functional applications of the server and data processing, namely, a processing method of a network attack event, which implements the above-described method embodiment, by running the nonvolatile software program, instructions and modules stored in the memory 1102.
The memory 1102 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created from use of a processing device of a network attack event, and the like. Further, the memory 1102 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 1102 may optionally include memory located remotely from processor 1101, which may be connected to member user behavior monitoring devices via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 1103 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the processing device of the network attack event. The output device 1104 may include a display device such as a display screen.
The one or more modules are stored in the memory 1102 and when executed by the one or more processors 1101, perform a method for handling a network attack event in any of the above-described method embodiments. The technical effect of the embodiment of the electronic device executing the network attack event processing method is the same as or similar to that of any method embodiment.
Embodiments of the present application provide a non-transitory computer storage medium, where a computer-executable instruction is stored, and the computer-executable instruction may execute a processing method for list item operations in any of the above method embodiments. Embodiments of the non-transitory computer storage medium may be the same or similar in technical effect to any of the method embodiments described above.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to intimate that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the invention, also features in the above embodiments or in different embodiments may be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
In addition, well known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure the invention. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the present invention is to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic ram (dram)) may use the discussed embodiments.
The embodiments of the invention are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A method for processing network attack events is characterized by comprising the following steps:
acquiring first alarm data of security equipment in a network to be monitored and storing the first alarm data in a database, wherein the first alarm data is based on a network attack event;
when any set condition is met, carrying out statistical analysis on the first alarm data based on the dimensionality to obtain a statistical analysis result;
and executing processing operation according to the statistical analysis result.
2. The processing method according to claim 1, wherein the setting condition includes a preset number of the first alarm data and a preset monitoring time period.
3. The processing method of claim 1, further comprising: and obtaining a feedback result of the processing operation, and if the feedback result is processing failure, identifying the corresponding first alarm data.
4. The processing method according to claim 1, wherein the step of obtaining and storing in a database first alarm data of a security device in the network to be monitored, the first alarm data being based on a network attack event, comprises:
acquiring original alarm data, and performing packet processing to obtain packet alarm data and sending the packet alarm data to a first distributed subscription message system;
reading the packet alarm data, fusing to obtain first alarm data and sending the first alarm data to a second distributed subscription message system;
and reading the first alarm data, and storing the first alarm data in a corresponding data mode of the database according to the alarm type.
5. The processing method according to claim 4, wherein the step of obtaining the first alarm data by the fusion process comprises:
carrying out standardization processing on the packet alarm data;
screening the standardized packet alarm data according to the filtering condition;
if the filtering condition is met, directly obtaining the first alarm data;
and if the filtering condition is not met, performing enrichment treatment to obtain the first alarm data.
6. The processing method according to claim 5, wherein the step of obtaining the first alarm data after performing the enrichment process comprises:
acquiring a field name and a field value of standard packet alarm data to be enriched, and matching an enrichment rule to obtain a target field name and a target field value;
matching a corresponding data pattern in the database based on the alarm type;
and arranging the target field names and the target field values based on the data mode to obtain the first alarm data.
7. The processing method according to claim 1, wherein said step of performing a processing operation based on said statistical analysis result comprises:
performing hazard judgment according to the statistical analysis result;
and executing corresponding processing operation according to the hazard judgment result.
8. The processing method of claim 1, further comprising:
acquiring and storing operation data generated in the process of acquiring first alarm data of the safety equipment in the network to be monitored and storing the first alarm data in a database;
and when the operating data is abnormal, executing corresponding alarm operation according to a preset alarm strategy.
9. The processing method according to claim 8, wherein the step of collecting and storing the operation data generated in the process of acquiring the first alarm data of the security device in the network to be monitored and storing the first alarm data in the database comprises:
collecting the operating data and sending the operating data to a third distributed subscription message system;
reading the running data from the third distributed subscription message system, formatting the running data to obtain formatted running data, and sending the formatted running data to a fourth distributed subscription message system;
and reading and storing the formatted running data from the fourth distributed subscription message system.
10. An electronic device, comprising:
at least one processor; and
a memory coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the processing method of any one of claims 1 to 9.
Priority Applications (1)

Application Number   Publication         Priority Date   Filing Date   Status    Title
CN201910888270.3A    CN110620690A (en)   2019-09-19      2019-09-19    Pending   Network attack event processing method and electronic equipment thereof


Publications (1)

Publication Number Publication Date
CN110620690A true CN110620690A (en) 2019-12-27

Family

ID=68923635


Country Status (1)

Country Link
CN (1) CN110620690A (en)


Legal Events

Date   Code   Title   Description
       PB01   Publication
       SE01   Entry into force of request for substantive examination
       RJ01   Rejection of invention patent application after publication   Application publication date: 20191227