CN110830519B - Attack tracing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN110830519B
Authority: CN (China)
Application number: CN202010015899.XA
Other languages: Chinese (zh)
Other versions: CN110830519A
Prior art keywords: address, data, stage data, query, pair
Legal status: Active
Inventors: 董超, 蒋希敏, 江志聪, 吴津伟
Current assignee: Zhejiang Qianguan Information Security Institute Co ltd
Original assignee: Zhejiang Qianguan Information Security Institute Co ltd
Application filed by Zhejiang Qianguan Information Security Institute Co ltd
Priority to CN202010015899.XA
Publication of CN110830519A
Application granted
Publication of CN110830519B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an attack tracing method, an attack tracing device, an electronic device and a storage medium in the technical field of network security. The attack tracing method comprises the following steps: acquiring stage data, and obtaining an associated address for each stage data according to the selected state of the stage data, wherein the stage data comprises sequentially executed detection data, intrusion data, control data and execution data; and, according to the associated addresses of the stage data, performing an address pair query and an individual query on the address information of the stage data to obtain an address ranking of the stage data, and recording the address ranking in a traceability library. The method can present the complete picture of an attack, improve the efficiency of network evidence collection, provide a basis for threat clue discovery and tracing evidence collection, enhance the ability to resist attacks and effectively reduce the losses of the attacked party. The invention also discloses an attack tracing device, an electronic device and a computer storage medium.

Description

Attack tracing method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an attack tracing method and apparatus, an electronic device, and a storage medium.
Background
With the wide application of the internet and the mobile internet across industries and fields, network attack events occur frequently and the network security problem grows increasingly serious. As network attack techniques and computer concealment techniques evolve, and especially with the arrival of the big data era, the scale, range and depth of network attacks keep increasing, and tracing analysis of network attacks by traditional methods and technical means finds it ever harder to achieve the expected effect. Although people's network security awareness keeps improving, and user equipment often runs several security products, the increasingly severe threat situation remains difficult to deal with effectively.
When an attack threat occurs, a traditional security product directly reports the current data: the data before and after the attack event are not correlated and analysed, the capability to analyse and monitor the attack event is lacking, and the full data of the security product cannot be subjected to comprehensive tracing analysis. As a result, the user cannot learn how the attack happened, by the time the user finds out the ability to counter the attack is already insufficient, and protection work cannot be carried out accurately.
Disclosure of Invention
To overcome the defects of the prior art, one objective of the present invention is to provide an attack tracing method, which performs tracing analysis on four stages of data that are executed in sequence, performs an address pair query and an individual query according to the associated addresses and address information of the stage data, obtains an address ranking, and uses the address ranking as the tracing result of an attack.
This objective of the invention is realized by the following technical scheme:
acquiring stage data, and obtaining an associated address for each stage data according to the selected state of the stage data, wherein the stage data comprises sequentially executed detection data, intrusion data, control data and execution data;
according to the associated address of the stage data, performing an address pair query and an individual query on the address information of the stage data to obtain the address ranking of the stage data, and recording the address ranking in a traceability library;
wherein obtaining the associated address of each stage data according to its selected state comprises: determining the selected state of the current stage data; when the current stage data is unselected, determining the selected state of the adjacent stage data; and when the adjacent stage data is selected, obtaining the associated address of the current stage data from the address information of the adjacent stage data;
and wherein the address information comprises a source IP and a target IP, and performing the address pair query and the individual query on the address information of the stage data according to its associated address comprises: determining whether the associated address of the stage data exists; and, when it exists, obtaining a query address pair from the associated address and performing the address pair query and the individual query on the address information of the stage data according to the query address pair to obtain the address ranking of the stage data.
Further, the associated address comprises a first address pair and a second address pair, and obtaining the associated address of the current stage data comprises:
when the previous stage data is selected, using the address information of the previous stage data as the first address pair of the current stage data;
and when the next stage data is selected, using the address information of the next stage data as the second address pair of the current stage data.
Further, obtaining a query address pair from the associated address comprises:
when both the first address pair and the second address pair exist in the associated address, using each of them as a query address pair;
and when only the first address pair or only the second address pair exists in the associated address, using the existing one as the query address pair.
Further, performing the address pair query and the individual query on the address information of the stage data according to the query address pair to obtain the address ranking of the stage data comprises:
performing the address pair query on the address information of the stage data, and recording the occurrence count A of the query address pair when both the source IP and the target IP in the address information belong to the IP addresses of the query address pair;
performing the individual query on the address information of the stage data, and recording the occurrence count B for the query address pair when only the source IP or only the target IP in the address information belongs to an IP address of the query address pair;
and ranking the query address pairs according to the occurrence counts A and B to obtain the address ranking.
A second objective of the present invention is to provide an attack tracing device, which performs tracing analysis on four stages of data executed in sequence, performs an address pair query and an individual query according to the associated addresses and address information of the stage data, obtains an address ranking, and uses the address ranking as the tracing result of an attack.
This second objective of the invention is realized by the following technical scheme:
an attack tracing apparatus, comprising:
an associated address acquisition module, configured to acquire stage data and obtain an associated address for each stage data according to the selected state of the stage data, wherein the stage data comprises sequentially executed detection data, intrusion data, control data and execution data; obtaining the associated address of each stage data according to its selected state comprises: determining the selected state of the current stage data; when the current stage data is unselected, determining the selected state of the adjacent stage data; and when the adjacent stage data is selected, obtaining the associated address of the current stage data from the address information of the adjacent stage data;
and an address query ranking module, configured to perform an address pair query and an individual query on the address information of the stage data according to the associated address of the stage data to obtain the address ranking of the stage data, and to record the address ranking in a traceability library; wherein the address information comprises a source IP and a target IP, and performing the address pair query and the individual query according to the associated address comprises: determining whether the associated address of the stage data exists; and, when it exists, obtaining a query address pair from the associated address and performing the address pair query and the individual query on the address information of the stage data according to the query address pair to obtain the address ranking of the stage data.
A further object of the present invention is to provide an electronic device for carrying out the attack tracing method, comprising a processor, a storage medium and a computer program stored in the storage medium, wherein the computer program is executed by the processor.
A further object of the present invention is to provide a computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack tracing method described above.
Compared with the prior art, the invention has the following beneficial effects:
the invention performs tracing analysis on four stages of data that are executed in sequence, obtains the associated addresses of the stage data, obtains an address ranking from the associated addresses and the address information of the stage data, and uses the address ranking as the tracing result of the attack; it can present the complete picture of the attack, improve the efficiency of network evidence collection, provide a basis for threat clue discovery and tracing evidence collection, enhance the ability to resist attacks and effectively reduce the losses of the attacked party.
Drawings
Fig. 1 is a flowchart of an attack tracing method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of the method for obtaining an associated address according to the first embodiment of the present invention;
Fig. 3 is a flowchart of the method for obtaining an address ranking according to the first embodiment of the present invention;
Fig. 4 is a block diagram of an attack tracing apparatus according to a second embodiment of the present invention;
Fig. 5 is a block diagram of an electronic device according to a third embodiment of the present invention.
Detailed Description
The present invention will now be described in more detail with reference to the accompanying drawings; the description is given by way of illustration and not of limitation. The various embodiments may be combined with each other to form further embodiments not described below.
Example one
The first embodiment provides an attack tracing method, which performs tracing analysis on four stages of data executed in sequence to obtain the associated addresses of the stage data, obtains an address ranking from the associated addresses and the address information of the stage data, and uses the address ranking as the tracing result of an attack. The method can present the complete picture of the attack, improve the efficiency of network evidence collection, provide a basis for threat clue discovery and tracing evidence collection, enhance the ability to resist attacks and effectively reduce the losses of the attacked party.
Referring to Fig. 1, the attack tracing method comprises the following steps:
S110: acquiring the stage data, and obtaining the associated address of each stage data according to the selected state of the stage data, wherein the stage data comprises sequentially executed detection data, intrusion data, control data and execution data.
The stage data may be obtained from a security product database created by the user or from a third-party security product database; this is not limited here. Each stage data comprises a selected state, address information and an associated address. Several stage data may be in the selected state at the same time. Preferably, the method further comprises refreshing all stage data whenever the selected state of any stage data is updated.
Referring to Fig. 2, the selected state of the current stage data is determined; if the current stage data is unselected, the selected state of the adjacent stage data is determined; and if the adjacent stage data is selected, the associated address of the current stage data is obtained from the address information of the adjacent stage data.
The associated address comprises a first address pair and a second address pair. Preferably, when the previous stage data is selected, its address information is used as the first address pair of the current stage data; and when the next stage data is selected, its address information is used as the second address pair of the current stage data.
For example, if the current stage data is the intrusion data and the intrusion data is unselected, the selected states of the adjacent detection data and control data are determined. If the detection data is unselected, the first address pair of the intrusion data does not exist; if the control data is selected, the address information of the control data is used as the second address pair of the intrusion data. The associated address of the intrusion data then contains a second address pair but no first address pair.
If the current stage data is selected, its address information is used as the associated address of any adjacent stage data that is unselected. For example, if the current stage data is the control data, the control data is selected, and both the preceding intrusion data and the following execution data are unselected, the address information of the control data is used as the second address pair of the intrusion data and as the first address pair of the execution data. That is, selected stage data supplies the associated address to its unselected neighbours.
The associated address of each sequentially executed stage data is obtained in this way; in an associated address the first address pair and the second address pair may both be present, both be absent, or only one of them be present, and the associated address serves as the query condition for the address pair query and the individual query.
S120: according to the associated addresses of the stage data, performing an address pair query and an individual query on the address information of the stage data to obtain the address ranking of the stage data, and recording the address ranking in a traceability library.
The address information of the stage data comprises a source IP and a target IP. Referring to Fig. 3, it is determined whether the associated address of the stage data exists; the presence of the first address pair and the second address pair in the associated address falls into three cases: both present, neither present, or only one of them present. The case where neither is present is treated as the associated address not existing. The address pair query and the individual query are then performed on the respective address information of the detection data, the intrusion data, the control data and the execution data according to their associated addresses.
When the associated address of the stage data does not exist, query IP addresses are acquired, and the address information of the stage data is matched against the query IP addresses to obtain the address ranking of the stage data.
Preferably, when the source IP or the target IP of the stage data belongs to a query IP address, the occurrence count of that query IP address is recorded, and the query IP addresses are ranked by occurrence count to obtain the address ranking.
Preferably, the query IP addresses are ranked in descending order of occurrence count.
For example, if the associated address of the detection data does not exist, query IP addresses are acquired. When the target IP of the detection data belongs to query IP address a, the occurrence count a of query IP address a is recorded; when the target IP of the detection data belongs to query IP address b, the occurrence count b of query IP address b is recorded. If count b is greater than count a, the address ranking of the detection data is: query IP address b, count b; query IP address a, count a.
When the associated address of the stage data exists, the query address pair is obtained from the associated address. Preferably, when both the first address pair and the second address pair exist in the associated address, each of them is used as a query address pair; when only the first address pair or only the second address pair exists, the existing one is used as the query address pair.
The address pair query is performed on the address information of the stage data according to the query address pair. Preferably, when both the source IP and the target IP in the address information belong to the IP addresses of the query address pair, the occurrence count A of the query address pair is recorded.
The individual query is performed on the address information of the stage data according to the query address pair. Preferably, when only the source IP or only the target IP in the address information belongs to an IP address of the query address pair, the occurrence count B is recorded for that query address pair.
The query address pairs are ranked according to the occurrence counts A and B to obtain the address ranking. Preferably, the results of the address pair query are ranked above the results of the individual query, and query addresses are ranked in descending order of occurrence count. The ranking result may display the results of the address pair query in one colour and the results of the individual query in another colour, so that the attack information is shown conveniently and intuitively.
For example, if both the first address pair and the second address pair exist in the associated address of the control data, both are used as query address pairs. The address pair query is performed on the control data: when source IP a and target IP b of the control data both belong to the IP addresses of the first address pair, the occurrence count A1 of the pair (source IP a, target IP b) is recorded; when source IP a and target IP c of the control data both belong to the IP addresses of the second address pair, the occurrence count A2 of the pair (source IP a, target IP c) is recorded. The individual query is performed on the control data: when only source IP a of the control data belongs to IP address b1 of the first address pair, the occurrence count B1 of IP address b1 is recorded; when only target IP d belongs to IP address b2 of the second address pair, the occurrence count B2 of IP address b2 is recorded. If A1 > B2 > B1 > A2, the address ranking of the control data is: source IP a and target IP b, count A1; source IP a and target IP c, count A2; IP address b2, count B2; IP address b1, count B1.
The address rankings of the detection data, the intrusion data, the control data and the execution data are obtained from their respective associated addresses and address information and recorded in the traceability library. The traceability library can present the complete picture of the attack, improve the efficiency of network evidence collection, provide a basis for threat clue discovery and tracing evidence collection, enhance the ability to resist attacks and effectively reduce the losses of the attacked party.
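The procedure of steps S110 and S120 above (the same procedure the summary of the invention sets out), worked through in code. This is an added illustration written for this page, not code from the patent or its assignee. Beyond what the text states, it assumes that a selected stage carries the single (source IP, target IP) pair the analyst selected, that selected stages themselves receive no associated address and therefore fall back to analyst-supplied query IPs, and that individual-query counts are kept per (query address pair, IP) so that two query pairs sharing an IP are not merged; all addresses are constructed documentation-range values.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The four sequentially executed stages named by the patent.
STAGE_ORDER = ("detection", "intrusion", "control", "execution")


@dataclass
class StageData:
    name: str
    # Address information: (source IP, target IP) records from a security product database.
    address_info: list
    # Selected state. Assumption (not stated on the page): a selected stage carries the single
    # (source IP, target IP) pair the analyst selected; neighbouring unselected stages use it.
    selected_pair: Optional[tuple] = None

    @property
    def selected(self) -> bool:
        return self.selected_pair is not None


def associated_address(stages, i):
    """S110: an unselected stage takes the previous selected neighbour's pair as its first
    address pair and the next selected neighbour's pair as its second. Selected stages get none
    (assumption)."""
    if stages[i].selected:
        return (None, None)
    first = stages[i - 1].selected_pair if i > 0 else None
    second = stages[i + 1].selected_pair if i + 1 < len(stages) else None
    return (first, second)


def query_address_pairs(assoc):
    """Both pairs present -> both are query pairs; one present -> that one; none -> empty list."""
    return [pair for pair in assoc if pair is not None]


def rank_by_pairs(address_info, query_pairs):
    """S120 with an associated address: address pair query (count A) and individual query (count B)."""
    pair_hits = Counter()    # A: both endpoints of a record lie inside the query pair
    single_hits = Counter()  # B: exactly one endpoint matches an IP of the query pair, keyed (pair, ip)
    for qsrc, qdst in query_pairs:
        pair_ips = {qsrc, qdst}
        for src, dst in address_info:
            in_src, in_dst = src in pair_ips, dst in pair_ips
            if in_src and in_dst:
                pair_hits[(qsrc, qdst)] += 1
            elif in_src:
                single_hits[((qsrc, qdst), src)] += 1
            elif in_dst:
                single_hits[((qsrc, qdst), dst)] += 1

    def by_count(item):  # descending count, deterministic tie-break on the key
        return (-item[1], item[0])

    # Pair-query results rank above individual-query results, each group in descending order.
    ranked = [("pair", key, n) for key, n in sorted(pair_hits.items(), key=by_count)]
    ranked += [("single", key, n) for key, n in sorted(single_hits.items(), key=by_count)]
    return ranked


def rank_by_query_ips(address_info, query_ips):
    """S120 without an associated address: count records whose source or target is a query IP."""
    hits = Counter()
    for src, dst in address_info:
        for ip in query_ips:
            if ip in (src, dst):
                hits[ip] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


def trace(stages, query_ips=()):
    """Builds the traceability library: one address ranking per stage, in execution order."""
    library = {}
    for i, stage in enumerate(stages):
        pairs = query_address_pairs(associated_address(stages, i))
        if pairs:
            library[stage.name] = rank_by_pairs(stage.address_info, pairs)
        else:
            library[stage.name] = rank_by_query_ips(stage.address_info, query_ips)
    return library


# Constructed sample: documentation-range addresses, laid out like the control-data example above.
IP_A, IP_B, IP_C, IP_D = "198.51.100.7", "192.0.2.10", "192.0.2.20", "192.0.2.30"
SAMPLE_STAGES = [
    StageData("detection", [(IP_A, IP_B), (IP_A, IP_B), (IP_D, IP_B)]),
    StageData("intrusion", [(IP_A, IP_B), (IP_A, IP_D)], selected_pair=(IP_A, IP_B)),
    StageData("control", [(IP_A, IP_B)] * 3 + [(IP_A, IP_C), (IP_D, IP_B), (IP_D, IP_B), (IP_D, IP_C)]),
    StageData("execution", [(IP_A, IP_C), (IP_C, IP_D)], selected_pair=(IP_A, IP_C)),
]
QUERY_IPS = (IP_A, IP_D)  # analyst-supplied query IPs for stages without an associated address

if __name__ == "__main__":
    for stage, ranking in trace(SAMPLE_STAGES, QUERY_IPS).items():
        print(stage, ranking)
```

Running the module prints one ranking per stage. The control stage reproduces the shape of the example above: both address-pair results come first, then the individual results, each group in descending order of count, so a stage's ranking reads as "which pairs talked to each other most, then which single addresses kept reappearing".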
Example two
The second embodiment discloses an attack tracing device corresponding to the attack tracing method of the first embodiment. It is a virtual device structure and, as shown in Fig. 4, comprises:
an associated address obtaining module 210, configured to acquire stage data and obtain an associated address for each stage data according to the selected state of the stage data, wherein the stage data comprises sequentially executed detection data, intrusion data, control data and execution data; obtaining the associated address of each stage data according to its selected state comprises: determining the selected state of the current stage data; when the current stage data is unselected, determining the selected state of the adjacent stage data; and when the adjacent stage data is selected, obtaining the associated address of the current stage data from the address information of the adjacent stage data;
and an address query ranking module 220, configured to perform an address pair query and an individual query on the address information of the stage data according to the associated address of the stage data to obtain the address ranking of the stage data, and to record the address ranking in the traceability library; wherein the address information comprises a source IP and a target IP, and performing the address pair query and the individual query according to the associated address comprises: determining whether the associated address of the stage data exists; and, when it exists, obtaining a query address pair from the associated address and performing the address pair query and the individual query on the address information of the stage data according to the query address pair to obtain the address ranking of the stage data.
Example three
Fig. 5 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention. As shown in Fig. 5, the electronic device comprises a processor 310, a memory 320, an input device 330 and an output device 340; the electronic device may have one or more processors 310, and Fig. 5 takes one processor 310 as an example; the processor 310, memory 320, input device 330 and output device 340 may be connected by a bus or by other means, and Fig. 5 shows a bus connection as an example.
The memory 320 is a computer-readable storage medium that can store software programs, computer-executable programs and modules, such as the program instructions and modules corresponding to the attack tracing method of the embodiments of the present invention (for example, the associated address obtaining module 210 and the address query ranking module 220 of the attack tracing apparatus). By running the software programs, instructions and modules stored in the memory 320, the processor 310 executes the functional applications and data processing of the electronic device and thereby implements the attack tracing method of the first embodiment.
The memory 320 may mainly comprise a program storage area and a data storage area; the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created during use of the terminal, and the like. Further, the memory 320 may comprise high-speed random access memory and may also comprise non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples, the memory 320 may further comprise memory located remotely from the processor 310 and connected to the electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 330 may be used to receive the stage data and the like. The output device 340 may comprise a display device such as a display screen.
Example four
An embodiment of the present invention further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform an attack tracing method comprising:
acquiring stage data, and obtaining an associated address for each stage data according to the selected state of the stage data, wherein the stage data comprises sequentially executed detection data, intrusion data, control data and execution data;
according to the associated address of the stage data, performing an address pair query and an individual query on the address information of the stage data to obtain the address ranking of the stage data, and recording the address ranking in a traceability library;
wherein obtaining the associated address of each stage data according to its selected state comprises: determining the selected state of the current stage data; when the current stage data is unselected, determining the selected state of the adjacent stage data; and when the adjacent stage data is selected, obtaining the associated address of the current stage data from the address information of the adjacent stage data;
and wherein the address information comprises a source IP and a target IP, and performing the address pair query and the individual query on the address information of the stage data according to its associated address comprises: determining whether the associated address of the stage data exists; and, when it exists, obtaining a query address pair from the associated address and performing the address pair query and the individual query on the address information of the stage data according to the query address pair to obtain the address ranking of the stage data.
Of course, the storage medium containing computer-executable instructions provided by the embodiments of the present invention is not limited to the method operations described above; it may also perform the related operations of the attack tracing method provided by any embodiment of the present invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention may be implemented by software together with the necessary general-purpose hardware, and of course also by hardware alone, although the former is the better embodiment in many cases. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a computer-readable storage medium, such as a floppy disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk or an optical disk, and comprising instructions that cause an electronic device (which may be a mobile phone, a personal computer, a server or a network device) to execute the methods of the embodiments of the present invention.
It should be noted that in the embodiment of the attack tracing device the units and modules are divided only according to functional logic; the division is not limited to the one above, as long as the corresponding functions can be realized. In addition, the specific names of the functional units serve only to distinguish them from one another and do not limit the protection scope of the present invention.
Those skilled in the art may make various other modifications and changes on the basis of the above technical solutions and concepts, and all such modifications and changes fall within the scope of the claims of the present invention.

Claims (7)

1. An attack tracing method is characterized in that: the method comprises the following steps:
acquiring phase data, and acquiring an associated address of each phase data according to the selected state of the phase data, wherein the phase data comprises sequentially executed detection data, intrusion data, control data and execution data;
according to the associated address of the stage data, address pair query and independent query are carried out on the address information of the stage data to obtain the address sequence of the stage data, and the address sequence is recorded into a traceability library;
obtaining the associated address of each stage data according to the selected state of the stage data, wherein the obtaining of the associated address of each stage data comprises the following steps: judging the selected state of the current stage data; when the selected state of the current stage data is unselected, judging the selected state of the adjacent stage data; when the selected state of the adjacent stage data is selected, obtaining the associated address of the current stage data according to the address information of the adjacent stage data;
wherein the address information includes a source IP and a target IP, and performing address pair query and independent query on the address information of the stage data according to the associated address of the stage data to obtain the address sequence of the stage data includes: judging whether the associated address of the stage data exists; and when the associated address exists, obtaining a query address pair based on the associated address, and performing address pair query and independent query on the address information of the stage data according to the query address pair to obtain the address sequence of the stage data.
2. The attack tracing method according to claim 1, wherein: the obtaining of the associated address of the current stage data includes:
when the selected state of the previous stage data is selected, the address information of the previous stage data is used as a first address pair of the current stage data;
and when the selected state of the next stage data is selected, using the address information of the next stage data as a second address pair of the current stage data.
3. The attack tracing method according to claim 2, wherein: obtaining a query address pair based on the associated address, including:
when a first address pair and a second address pair in the associated address exist, the first address pair and the second address pair are respectively used as a query address pair;
and when a first address pair or a second address pair exists in the associated address, the existing first address pair or the second address pair is used as a query address pair.
4. The attack tracing method according to any one of claims 1 to 3, wherein: according to the query address pair, address pair query and independent query are carried out on the address information of the stage data to obtain the address sequence of the stage data, and the method comprises the following steps:
carrying out address pair query on the address information of the stage data, and recording the occurrence count A of the query address pair when both the source IP and the target IP in the address information belong to the IP addresses in the query address pair;
carrying out independent query on the address information of the stage data, and recording the occurrence count B of the query address pair when only the source IP or only the target IP in the address information belongs to the IP addresses in the query address pair;
and sorting the query address pairs according to the occurrence count A and the occurrence count B to obtain the address sequence.
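The procedure of claims 1 to 4 carried through on constructed data, as an added Python example that is not code from the patent. It assumes a stage is either unselected (`None`) or selected with a single (source IP, target IP) pair, and that each stage's data is a list of such pairs.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

STAGES = ["detection", "intrusion", "control", "execution"]  # execution order (claim 1)
AddrPair = Tuple[str, str]  # (source IP, target IP)
# Assumed representation: a selected stage carries the address pair of the picked event;
# an unselected stage carries None.
Selection = Dict[str, Optional[AddrPair]]

def associated_address(selection: Selection, stage: str) -> List[AddrPair]:
    """Claims 1 to 3: an unselected stage borrows the address pair of the selected
    previous stage (first pair) and/or the selected next stage (second pair)."""
    if selection.get(stage) is not None:
        return []  # stage already selected: nothing to derive
    i = STAGES.index(stage)
    pairs: List[AddrPair] = []
    if i > 0 and selection.get(STAGES[i - 1]) is not None:
        pairs.append(selection[STAGES[i - 1]])  # first address pair
    if i + 1 < len(STAGES) and selection.get(STAGES[i + 1]) is not None:
        pairs.append(selection[STAGES[i + 1]])  # second address pair
    return pairs

def rank_address_pairs(records: List[AddrPair],
                       query_pairs: List[AddrPair]) -> List[Tuple[AddrPair, int, int]]:
    """Claim 4: A counts records whose source and target IPs both belong to the query
    pair; B counts records where exactly one does. Sorted by A, then B, descending."""
    a, b = Counter(), Counter()
    for src, dst in records:
        for pair in query_pairs:
            hits = (src in pair) + (dst in pair)
            if hits == 2:
                a[pair] += 1  # address pair query hit
            elif hits == 1:
                b[pair] += 1  # independent query hit
    return sorted(((p, a[p], b[p]) for p in query_pairs), key=lambda t: (-t[1], -t[2]))

def trace_stage(stage_records: Dict[str, List[AddrPair]], selection: Selection,
                stage: str) -> List[Tuple[AddrPair, int, int]]:
    """Address sequence of one unselected stage, as recorded in the traceability library."""
    return rank_address_pairs(stage_records[stage], associated_address(selection, stage))

if __name__ == "__main__":
    # Constructed sample: intrusion and execution events were selected; the
    # control stage is unselected and its records are ranked against both.
    selection = {"detection": None, "intrusion": ("198.51.100.7", "192.0.2.10"),
                 "control": None, "execution": ("192.0.2.10", "203.0.113.5")}
    control = [("192.0.2.10", "198.51.100.7"), ("198.51.100.7", "192.0.2.10"),
               ("192.0.2.10", "203.0.113.5"), ("192.0.2.10", "192.0.2.99"),
               ("10.0.0.4", "10.0.0.5")]
    for pair, a_count, b_count in trace_stage({"control": control}, selection, "control"):
        print(pair, "A =", a_count, "B =", b_count)  # first pair ranks highest: A=2, B=2
```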
5. An attack tracing apparatus, comprising:
an associated address acquisition module, used for acquiring stage data and acquiring the associated address of each stage data according to the selected state of the stage data, wherein the stage data comprises sequentially executed detection data, intrusion data, control data and execution data; obtaining the associated address of each stage data according to the selected state of the stage data comprises the following steps: judging the selected state of the current stage data; when the selected state of the current stage data is unselected, judging the selected state of the adjacent stage data; when the selected state of the adjacent stage data is selected, obtaining the associated address of the current stage data according to the address information of the adjacent stage data;
an address query sorting module, used for carrying out address pair query and independent query on the address information of the stage data according to the associated address of the stage data to obtain the address sequence of the stage data and recording the address sequence into the traceability library; wherein the address information includes a source IP and a target IP, and performing address pair query and independent query on the address information of the stage data according to the associated address of the stage data to obtain the address sequence of the stage data includes: judging whether the associated address of the stage data exists; and when the associated address exists, obtaining a query address pair based on the associated address, and performing address pair query and independent query on the address information of the stage data according to the query address pair to obtain the address sequence of the stage data.
6. An electronic device comprising a processor, a storage medium, and a computer program, the computer program being stored in the storage medium, wherein the computer program, when executed by the processor, performs the attack tracing method according to any one of claims 1 to 4.
7. A computer storage medium having a computer program stored thereon, characterized in that: the computer program, when executed by a processor, implements the attack tracing method of any one of claims 1 to 4.
CN202010015899.XA 2020-01-08 2020-01-08 Attack tracing method and device, electronic equipment and storage medium Active CN110830519B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010015899.XA CN110830519B (en) 2020-01-08 2020-01-08 Attack tracing method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010015899.XA CN110830519B (en) 2020-01-08 2020-01-08 Attack tracing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110830519A CN110830519A (en) 2020-02-21
CN110830519B true CN110830519B (en) 2020-05-08

Family

ID=69546500

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010015899.XA Active CN110830519B (en) 2020-01-08 2020-01-08 Attack tracing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110830519B (en)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100138919A1 (en) * 2006-11-03 2010-06-03 Tao Peng System and process for detecting anomalous network traffic
CN106453346B (en) * 2016-10-24 2019-04-26 中国工程物理研究院计算机应用研究所 Application system change monitoring device based on multidimensional information association
US20190058731A1 (en) * 2017-08-17 2019-02-21 Qualcomm Incorporated User-side detection and containment of arp spoofing attacks
CN109474567B (en) * 2017-10-19 2022-01-07 公安部第三研究所 DDOS attack tracing method and device, storage medium and electronic equipment
CN109951419A (en) * 2017-12-20 2019-06-28 广东电网有限责任公司电力调度控制中心 APT intrusion detection method based on attack chain attack rule mining
CN108900514B (en) * 2018-07-04 2021-04-23 杭州安恒信息技术股份有限公司 Attack information tracking and tracing method and device based on homologous analysis
CN110519264B (en) * 2019-08-26 2022-09-30 奇安信科技集团股份有限公司 Method, device and equipment for tracing attack event

Also Published As

Publication number Publication date
CN110830519A (en) 2020-02-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant