CN110990830A - Terminal evidence obtaining and tracing system and method - Google Patents

Info

Publication number
CN110990830A
Authority
CN
China
Prior art keywords
attack
threat
terminal
tracing
module
Prior art date
Legal status
Pending
Application number
CN201911276014.5A
Other languages
Chinese (zh)
Inventor
黄强
何伟
运凯
李凯
米尔阿力木江·吐尔洪
李浩升
鲁学仲
曹澍
王庆鹏
马怡璇
赵梅
康婉晴
Current Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Information and Telecommunication Branch of State Grid Xinjiang Electric Power Co Ltd
Priority to CN201911276014.5A
Publication of CN110990830A

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

The invention relates to the technical field of network attack, in particular to a terminal forensics and tracing system and method. The terminal forensics and tracing system comprises a terminal data acquisition unit, an analysis processing unit and a report generation unit. The terminal data acquisition unit performs all-round scanning and evidence collection on the target terminal, following the attack chain as seen from the attacker's perspective, and acquires all the required service data; the analysis processing unit detects, assesses, handles and evaluates all the collected service data with identification and tracing tools; and the report generation unit generates a forensic analysis report from the detection assessment results and the handling results. The invention integrates acquisition, analysis and handling, completes the terminal forensics and tracing process automatically, produces a forensic analysis report, simplifies terminal forensics and tracing work, lowers the demands placed on operation and maintenance personnel, allows tracing tools to be updated and added through the front-end display unit, and improves the identification and tracing of attacks and threats such as malicious activity.

Description

Terminal evidence obtaining and tracing system and method
Technical Field
The invention relates to the technical field of network attack, in particular to a terminal forensics and tracing system and a terminal forensics and tracing method.
Background
Current terminal forensics work faces the following problems. The technical threshold is high: the operation and maintenance personnel who perform forensic analysis need very rich experience. Skilled staff are scarce: an ordinary enterprise has only a limited number of people responsible for security operations, few of them have the relevant skills, and they are often unable to cope with the large number of hosts. Advanced threats are hard to discover: with the prevalence of advanced persistent threat attacks, a single-function, fixed detection mechanism finds it increasingly difficult to discover new attacks, the detection capability of traditional equipment keeps declining, and after suffering an attack a user cannot clearly and accurately establish the full course of the incident, and is often left with the awkward need to remediate without knowing where to begin. Finally, some units have large and complex host environments, with many hosts and a variety of operating systems, so that checking every host is very difficult and the task can hardly be completed.
Disclosure of Invention
The invention provides a terminal forensics and tracing system and a terminal forensics and tracing method that overcome the defects of the prior art and effectively solve the problems of the existing manual-experience-based terminal forensics and tracing approach, namely its high demands on operation and maintenance personnel and its inability to identify attacks accurately.
The first technical scheme of the invention is realised by the following measures. A terminal forensics and tracing system comprises a terminal data acquisition unit, an analysis processing unit and a report generation unit; the terminal data acquisition unit is used for performing all-round scanning and evidence collection on the target terminal, following the attack chain from the attacker's perspective, and acquiring all the required service data; the analysis processing unit is used for detecting, assessing, handling and evaluating all the collected service data with identification and tracing tools, wherein detection and assessment comprises threat discovery and attack reconstruction, and handling and evaluation comprises attack tracing and threat disposal; and the report generation unit is used for generating a forensic analysis report from the detection assessment results and the handling results.
The technical scheme of the invention is further optimised or improved as follows. The terminal data acquisition unit comprises a file system acquisition module, a startup item acquisition module, a memory acquisition module, a user trace acquisition module, a log acquisition module, a firmware acquisition module, a network acquisition module, a host defect acquisition module and a registry acquisition module, each of which acquires the corresponding service data.
The analysis processing unit comprises a detection and assessment module and a handling and evaluation module; the detection and assessment module detects and assesses all the collected service data through a plurality of detection models and a plurality of analysis models running in the database, wherein detection and assessment comprises threat discovery and attack reconstruction; and the handling and evaluation module handles and evaluates the threats and attacks by combining the detection assessment results with all the collected service data, wherein handling and evaluation comprises attack tracing and threat disposal.
The detection and assessment module comprises an analysis engine and a detection engine. The analysis engine comprises a file analysis model, a startup analysis model, a memory analysis model, a user trace analysis model, a log analysis model, a firmware analysis model, a network data analysis model, a host information analysis model and a registry analysis model, all running in the database, each performing threat analysis on the corresponding collected service data to produce threat discoveries, wherein threat discovery comprises Trojan implantation, virus infection, hacker tools, abnormal logs, abnormal traffic and threat intelligence. The detection engine comprises a plurality of detection models running in the database and performs attack reconstruction for the threat discoveries produced by the analysis engine, wherein attack reconstruction comprises malicious code identification, abnormal behaviour discovery and risk index assessment.
The handling and evaluation module comprises an attack tracing module and a threat handling module; the attack tracing module traces the attack by combining the detection assessment results with all the collected service data, wherein attack tracing comprises attacker activity timeline reconstruction, correlation tracing and threat tracing; and the threat handling module provides a threat handling scheme for the threat by combining the detection assessment results with all the collected service data.
The system further comprises an installation unit and a front-end display unit; the installation unit installs the programs on the target host so that the front-end display unit, the terminal data acquisition unit, the analysis processing unit and the report generation unit can run on the target host;
and the front-end display unit provides login, management, operation and viewing services to the user.
The second technical scheme of the invention is realised by the following measures. A terminal forensics and tracing method comprises the following steps:
following the attack chain from the attacker's perspective, performing all-round scanning and evidence collection on the target terminal and collecting all the required service data;
detecting, assessing, handling and evaluating all the collected service data with identification and tracing tools, wherein detection and assessment comprises threat discovery and attack reconstruction, and handling and evaluation comprises attack tracing and threat disposal; and generating a forensic analysis report from the detection assessment results and the handling results.
The technical scheme of the invention is further optimised or improved as follows:
detecting, assessing, handling and evaluating all the collected service data through the corresponding models comprises:
detecting and assessing all the collected service data through a plurality of detection models and a plurality of analysis models running in the database, wherein detection and assessment comprises threat discovery and attack reconstruction; and handling and evaluating the threats and attacks by combining the detection assessment results with all the collected service data, wherein handling and evaluation comprises attack tracing and threat disposal.
The invention is compatible with mainstream Windows operating systems and is convenient to use. It integrates acquisition, analysis and handling, completes the terminal forensics and tracing process automatically, and produces a forensic analysis report for operation and maintenance personnel to review and act on. This simplifies terminal forensics and tracing work, does not require operation and maintenance personnel to have specialised skills, lowers the demands placed on them, and makes it convenient for them to operate on target hosts under different conditions. At the same time, tracing tools such as analysis models, retrieval models and antivirus software can be updated and added through the front-end display unit, which improves the identification and tracing of attacks and threats such as malicious activity.
Drawings
Fig. 1 is a block diagram of the structure of embodiment 1 of the invention.
Fig. 2 is a block diagram of the detection and assessment module in embodiment 1 of the invention.
Fig. 3 is a flow chart of embodiment 2 of the invention.
Detailed Description
The invention is not limited by the following embodiments; specific embodiments may be determined according to the technical scheme of the invention and the practical situation.
The invention is further described with reference to the following embodiments and figures.
Embodiment 1: as shown in Fig. 1, the terminal forensics and tracing system comprises a terminal data acquisition unit, an analysis processing unit and a report generation unit; the terminal data acquisition unit is used for performing all-round scanning and evidence collection on the target terminal, following the attack chain from the attacker's perspective, and acquiring all the required service data; the analysis processing unit is used for detecting, assessing, handling and evaluating all the collected service data with identification and tracing tools, wherein detection and assessment comprises threat discovery and attack reconstruction, and handling and evaluation comprises attack tracing and threat disposal; and the report generation unit is used for generating a forensic analysis report from the detection assessment results and the handling results.
In these steps, the attacked host is identified and set as the target host, and all-round scanning and evidence collection is performed on every service module of the target host that relates to the attack chain, following the attacker's own attack chain from the attacker's perspective; the attack chain covers the full life cycle of the attack, from the attacker's information gathering and scanning through to privilege control and maintaining access.
After the analysis processing unit receives the service data uploaded by the terminal data acquisition unit, it processes and analyses that data uniformly: abnormal service data, abnormal behaviour, abnormal traffic, Trojan implantation, hacker malicious activity, threats and the like in the service data are detected, assessed, handled and evaluated. The report generation unit then produces a forensic analysis report from the detection assessment and handling evaluation results of the analysis processing unit; the report gives a detailed description of the confirmed threats, suspicious items and warnings found by every scanning and forensics module, including related information such as maliciously executed files, for operation and maintenance personnel to review. The identification and tracing tools can be updated and added.
The invention is compatible with mainstream Windows operating systems and is convenient to use. It integrates acquisition, analysis and handling, completes the terminal forensics and tracing process automatically, and produces a forensic analysis report for operation and maintenance personnel to review and act on. This simplifies terminal forensics and tracing work, does not require operation and maintenance personnel to have specialised skills, lowers the demands placed on them, and makes it convenient for them to operate on target hosts under different conditions.
The technical scheme of the invention is further optimised or improved as follows:
as shown in Fig. 1, the terminal data acquisition unit comprises a file system acquisition module, a startup item acquisition module, a memory acquisition module, a user trace acquisition module, a log acquisition module, a firmware acquisition module, a network acquisition module, a host defect acquisition module and a registry acquisition module, each of which collects the corresponding service data.
The file system acquisition module collects file signatures, file information and similar content; the startup item acquisition module collects service data such as driver services and scheduled tasks; the memory acquisition module collects service data such as process information and service drivers; the user trace acquisition module collects service data such as prefetch files, login sessions and the DNS cache; the log acquisition module collects service data such as the security log, the system log and other logs; the firmware acquisition module collects service data such as firmware information; the network acquisition module collects service data such as network data; the host defect acquisition module collects service data such as system patches and system hashes; and the registry acquisition module collects service data such as the registry.
As shown in Fig. 1, the analysis processing unit comprises a detection and assessment module and a handling and evaluation module; the detection and assessment module detects and assesses all the collected service data through a plurality of detection models and a plurality of analysis models running in the database, wherein detection and assessment comprises threat discovery and attack reconstruction; and the handling and evaluation module handles and evaluates the threats and attacks by combining the detection assessment results with all the collected service data, wherein handling and evaluation comprises attack tracing and threat disposal.
As shown in Fig. 2, the detection and assessment module comprises an analysis engine and a detection engine. The analysis engine comprises a file analysis model, a startup analysis model, a memory analysis model, a user trace analysis model, a log analysis model, a firmware analysis model, a network data analysis model, a host information analysis model and a registry analysis model, all running in the database, each performing threat analysis on the corresponding collected service data to produce threat discoveries, wherein threat discovery comprises Trojan implantation, virus infection, hacker tools, abnormal logs, abnormal traffic and threat intelligence. The detection engine comprises a plurality of detection models running in the database and performs attack reconstruction for the threat discoveries produced by the analysis engine, wherein attack reconstruction comprises malicious code identification, abnormal behaviour discovery and risk index assessment.
The file analysis model in the analysis engine enumerates all files in the system, performs packer detection on non-system files, analyses information such as the digital signature, import table, export table, strings and code sections of PE-format files to reach a verdict, and integrates with 60 antivirus engines for online scanning and removal. The memory analysis model analyses running programs, extracts the modules, handle information and command-line parameters held in memory, analyses whether malicious API calls are present in memory, analyses whether an application's memory modules are abnormal, and decides whether a program in memory is behaving abnormally. The startup item analysis model analyses information such as the command-line parameters in the operating system's startup items, the files the startup items point to and environment variables, and decides whether a startup item is abnormal. The registry analysis model detects whether a suspicious executable file is referenced in the registry. The user trace analysis model examines the user trace records on the host and decides whether suspicious programs were run and then deleted. The firmware analysis model examines the firmware of the terminal host, such as the motherboard BIOS, UEFI and MBR, and decides by comparison against a blacklist and whitelist database whether the system is infected with a firmware Trojan. The network data analysis model examines the network information of the terminal host and raises an alarm when the same process connects to different IP addresses within a short time.
The host information analysis model checks the terminal host for weak passwords and the installation status of patches, and raises an alarm if weak passwords or empty passwords are found or important system patches are missing. The log analysis model examines the operating system logs, paying attention to abnormal logon and log-clearing events, lists abnormal operating behaviour of the system, and uncovers hacking behaviour by deep mining of the system log, the security log and the relevant application logs.
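The file analysis model's PE checks (packer detection on code sections, signature presence, section characteristics), written out as an added example that is not the patent's code: a minimal PE section-table parser plus the verdict rules, exercised on two images constructed in memory. The section names, entropy threshold and the rule set are assumptions; signature presence is read from the certificate-table data directory and is not a signature verification.

```python
"""File analysis model heuristics over a PE image: section entropy (packer
check), writable+executable sections, non-standard section names and the
presence of an embedded Authenticode signature (presence only, not
verification). Added example, not the patent's code; the sample images are
constructed in memory and are not real programs."""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Read the section table and the certificate-table data directory of a PE32/PE32+ image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", blob, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 / PE32+
    cert_off, cert_size = struct.unpack_from("<II", blob, dd_off + 4 * 8)  # entry 4 = certificate table
    sections = []
    for i in range(nsections):
        hdr = opt + size_opt + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, hdr)
        chars = struct.unpack_from("<I", blob, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "characteristics": chars,
                         "entropy": entropy(blob[rawptr:rawptr + rawsize])})
    return {"signed": cert_off != 0 and cert_size != 0, "sections": sections}


def judge(info, packed_entropy=7.0):
    """Turn the parsed facts into the findings the forensic analysis report would list."""
    findings = []
    if not info["signed"]:
        findings.append("no embedded Authenticode signature")
    for s in info["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: section is writable and executable")
        if c & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= packed_entropy:
            findings.append(f"{s['name']}: executable section entropy {s['entropy']:.2f} (likely packed)")
        if s["name"] not in KNOWN_SECTIONS:
            findings.append(f"{s['name']}: non-standard section name")
    return findings


def build_sample_pe(sections, signed):
    """Construct a minimal PE32 image (headers plus raw section data) for offline testing."""
    e_lfanew, size_opt = 64, 224                     # 224 = standard PE32 optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    if signed:                                       # constructed certificate table pointer/size
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x8000, 0x200)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = (headers_len + 511) // 512 * 512       # first section data on a 512-byte boundary
    sec_hdrs, raw = b"", b""
    for name, data, chars in sections:
        off = raw_ptr + len(raw)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(data), off, len(data), off, 0, 0, 0, 0, chars)
        raw += data
    image = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return image.ljust(raw_ptr, b"\0") + raw


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
TEXT = b"\x90" * 200 + b"\xc3" + b"\0" * 55          # low-entropy constructed code bytes
# Constructed suspect: unsigned, with a writable+executable high-entropy section of unusual name.
SUSPECT = build_sample_pe([(".text", TEXT, CODE),
                           (".pack", bytes(range(256)), CODE | IMAGE_SCN_MEM_WRITE)], signed=False)
# Constructed clean image: signed, standard sections, ordinary entropy.
CLEAN = build_sample_pe([(".text", TEXT, CODE),
                         (".data", b"\0" * 256, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)], signed=True)
```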
The detection engine comprises a file rule detection model, a startup rule detection model, a memory rule detection model, a user trace rule detection model, a log rule detection model, a firmware information detection model, a network rule detection model, a registry rule detection model, a weak password information detection model, a YARA detection model, a webshell detection model, a blacklist and whitelist detection module, a cloud scanning and removal detection model and an Office macro detection model.
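The network rule and log rule checks described above (a process reaching different IP addresses within a short time; abnormal logon and log-clearing events), as added example detection logic over constructed records, not code from the patent. The record field names, the one-minute window, the three-address limit and the failed-logon burst size are assumptions; the Windows event IDs used are the standard ones.

```python
"""Network rule and log rule detection over collected service data.
Added example, not the patent's code; all records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network connection records as a network acquisition module might report them.
NET_RECORDS = [
    {"pid": 4120, "image": "svchost.exe", "remote_ip": "10.0.0.5",     "ts": "2019-12-10T09:00:01"},
    {"pid": 7788, "image": "update.exe",  "remote_ip": "203.0.113.7",  "ts": "2019-12-10T09:01:00"},
    {"pid": 7788, "image": "update.exe",  "remote_ip": "203.0.113.9",  "ts": "2019-12-10T09:01:20"},
    {"pid": 7788, "image": "update.exe",  "remote_ip": "198.51.100.3", "ts": "2019-12-10T09:01:45"},
    {"pid": 7788, "image": "update.exe",  "remote_ip": "198.51.100.4", "ts": "2019-12-10T09:01:55"},
    {"pid": 4120, "image": "svchost.exe", "remote_ip": "10.0.0.5",     "ts": "2019-12-10T09:05:00"},
]

# Constructed Windows Security/System log records. Standard event IDs:
# 4624 logon succeeded, 4625 logon failed, 1102 Security log cleared, 104 System log cleared.
LOG_RECORDS = [
    {"event_id": 4625, "user": "administrator", "ts": "2019-12-10T08:59:00"},
    {"event_id": 4625, "user": "administrator", "ts": "2019-12-10T08:59:02"},
    {"event_id": 4625, "user": "administrator", "ts": "2019-12-10T08:59:04"},
    {"event_id": 4625, "user": "administrator", "ts": "2019-12-10T08:59:06"},
    {"event_id": 4625, "user": "administrator", "ts": "2019-12-10T08:59:08"},
    {"event_id": 4624, "user": "administrator", "ts": "2019-12-10T08:59:10", "logon_type": 10},
    {"event_id": 1102, "user": "administrator", "ts": "2019-12-10T09:30:00"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def network_model(records, window=timedelta(seconds=60), max_distinct=3):
    """Alert when one process reaches more than max_distinct different remote
    IPs inside any sliding window of the given length."""
    by_proc = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_proc[(r["pid"], r["image"])].append(r)
    alerts = []
    for (pid, image), rs in by_proc.items():
        for i, start in enumerate(rs):
            t0 = _ts(start["ts"])
            ips = {r["remote_ip"] for r in rs[i:] if _ts(r["ts"]) - t0 <= window}
            if len(ips) > max_distinct:
                alerts.append({"model": "network", "pid": pid, "image": image,
                               "distinct_ips": sorted(ips), "since": start["ts"]})
                break  # one alert per process is enough for the report
    return alerts


def log_model(records, burst=5, burst_window=timedelta(seconds=30)):
    """Flag log clearing (1102/104), a success following a burst of failed
    logons for the same account, and remote-interactive (type 10) logons."""
    alerts = []
    failures = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event_id"] in (1102, 104):
            alerts.append({"model": "log", "kind": "log_cleared",
                           "event_id": r["event_id"], "ts": r["ts"]})
        elif r["event_id"] == 4625:
            failures[r["user"]].append(_ts(r["ts"]))
        elif r["event_id"] == 4624:
            recent = [t for t in failures[r["user"]] if _ts(r["ts"]) - t <= burst_window]
            if len(recent) >= burst:
                alerts.append({"model": "log", "kind": "success_after_failures",
                               "user": r["user"], "failures": len(recent), "ts": r["ts"]})
            if r.get("logon_type") == 10:
                alerts.append({"model": "log", "kind": "remote_interactive_logon",
                               "user": r["user"], "ts": r["ts"]})
    return alerts


def run_detection():
    """All threat discoveries from both models, in report order."""
    return network_model(NET_RECORDS) + log_model(LOG_RECORDS)
```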
As shown in Fig. 1, the handling and evaluation module comprises an attack tracing module and a threat handling module; the attack tracing module traces the attack by combining the detection assessment results with all the collected service data, wherein attack tracing comprises attacker activity timeline reconstruction, correlation tracing and threat tracing; and the threat handling module provides a threat handling scheme for the threat by combining the detection assessment results with all the collected service data.
Attacker activity timeline reconstruction analyses the collected service data, decides whether it is suspicious, and then uses the time information of the suspicious data to establish what the attacker did to the terminal and in which time period. Correlation tracing hands the data to a capable expert for further analysis, to find the problems the expert believes the rules cannot find. Threat tracing links to cloud threat intelligence and searches all the collected service data for threats in order to trace them.
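Attacker activity timeline reconstruction as described above, as an added example that is not the patent's code: suspicious artifacts reported by the different acquisition modules each carry a timestamp, and sorting them and splitting where the gap exceeds a threshold yields the periods in which the attacker was active and what was done in each; artifacts without a usable timestamp are reported separately rather than dropped. The artifact shape, the 30-minute gap and the records themselves are constructed assumptions.

```python
"""Attacker activity timeline reconstruction over suspicious artifacts.
Added example, not the patent's code; the artifacts are constructed."""
from datetime import datetime, timedelta

# Constructed suspicious artifacts: (source module, ISO timestamp or None, description).
SUSPICIOUS = [
    ("network",    "2019-12-10T09:01:00", "update.exe reached 4 different external IPs within a minute"),
    ("log",        "2019-12-10T08:59:10", "remote interactive logon for administrator after 5 failed attempts"),
    ("startup",    "2019-12-10T09:03:15", "scheduled task 'Updater' runs C:\\Users\\Public\\update.exe"),
    ("user_trace", "2019-12-10T09:00:40", "prefetch: UPDATE.EXE first executed"),
    ("log",        "2019-12-10T09:30:00", "Security log cleared (event 1102)"),
    ("memory",     "2019-12-10T14:12:30", "update.exe loaded an unsigned module from %TEMP%"),
    ("user_trace", "2019-12-10T14:12:00", "DNS cache entry for an unresolved look-alike domain"),
    ("firmware",   None,                  "MBR hash absent from the white list (no timestamp available)"),
]


def _parse(ts):
    """Return a datetime, or None when the module supplied no usable timestamp."""
    try:
        return datetime.fromisoformat(ts)
    except (TypeError, ValueError):
        return None


def restore_activity(artifacts, gap=timedelta(minutes=30)):
    """Group dated artifacts into activity periods separated by more than `gap`.
    Returns (periods, undated) where each period records start, end, the modules
    that contributed and the ordered events."""
    dated, undated = [], []
    for module, ts, desc in artifacts:
        t = _parse(ts)
        (dated if t else undated).append((t, module, ts, desc))
    dated.sort(key=lambda x: x[0])
    periods = []
    for t, module, ts, desc in dated:
        if periods and t - periods[-1]["_last"] <= gap:
            p = periods[-1]
        else:
            p = {"start": ts, "end": ts, "modules": set(), "events": [], "_last": t}
            periods.append(p)
        p["end"], p["_last"] = ts, t
        p["modules"].add(module)
        p["events"].append(f"{ts} [{module}] {desc}")
    for p in periods:
        del p["_last"]
    return periods, [f"undated [{m}] {d}" for _, m, _, d in undated]


def describe(periods):
    """Render each activity period as the lines the forensic report would carry."""
    lines = []
    for n, p in enumerate(periods, 1):
        lines.append(f"Period {n}: {p['start']} to {p['end']} ({', '.join(sorted(p['modules']))})")
        lines.extend("  " + e for e in p["events"])
    return lines
```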
Threat disposal comprises linked joint defence, electronic forensics, security services and the like. Linked joint defence combines the detection with other detection means, such as open-source threat intelligence and sandboxes. Electronic forensics is the automated forensic collection performed by the system itself. The security service provides manual technical support: for example, when the customer does not understand the report, staff can be dispatched to help interpret the report and provide a solution.
As shown in Fig. 1, the system further comprises an installation unit and a front-end display unit;
the installation unit installs the programs on the target host so that the front-end display unit, the terminal data acquisition unit, the analysis processing unit and the report generation unit can run on the target host; and the front-end display unit provides login, management, operation and viewing services to the user.
The front-end display unit comprises threat detection, situation awareness, task management, system settings, login management and similar modules. Through the login management function the administrator can assign accounts to other operation and maintenance personnel, which facilitates cooperation among security operations staff and unified account management. The administrator and the operation and maintenance personnel interact with the analysis centre through a browser over an SSL-encrypted channel; after logging in, operation and maintenance personnel can view the collected forensic analysis report of the target host through the threat detection function and judge from the threat status in the report whether the terminal has been attacked. The situation awareness function produces statistics over the forensic analysis reports, by host, by project and by department; these statistics reveal the distribution of hosts carrying multiple threat items and give operation and maintenance personnel a basis for remediation. The task management function sets up the organisational structure, downloads the collector and checks collection progress. The system settings function configures and monitors the IP address and service status of the analysis centre, ensuring its normal operation.
Embodiment 2: as shown in Fig. 3, the terminal forensics and tracing method comprises the following steps:
following the attack chain from the attacker's perspective, performing all-round scanning and evidence collection on the target terminal and collecting all the required service data;
detecting, assessing, handling and evaluating all the collected service data with identification and tracing tools, wherein detection and assessment comprises threat discovery and attack reconstruction, and handling and evaluation comprises attack tracing and threat disposal;
and generating a forensic analysis report from the detection assessment results and the handling results.
The technical scheme of the invention is further optimised or improved as follows:
as shown in Fig. 3, detecting, assessing, handling and evaluating all the collected service data through the corresponding models comprises:
detecting and assessing all the collected service data through a plurality of detection models and a plurality of analysis models running in the database, wherein detection and assessment comprises threat discovery and attack reconstruction;
and handling and evaluating the threats and attacks by combining the detection assessment results with all the collected service data, wherein handling and evaluation comprises attack tracing and threat disposal.
The above technical features constitute the best embodiment of the invention, which has strong adaptability and the best implementation effect; technical features that are not essential can be added or removed according to actual needs to meet the requirements of different situations.

Claims (10)

1. A terminal forensics and tracing system, characterised by comprising a terminal data acquisition unit, an analysis processing unit and a report generation unit;
the terminal data acquisition unit is used for performing all-round scanning and evidence collection on the target terminal, following the attack chain from the attacker's perspective, and acquiring all the required service data;
the analysis processing unit is used for detecting, assessing, handling and evaluating all the collected service data with identification and tracing tools, wherein detection and assessment comprises threat discovery and attack reconstruction, and handling and evaluation comprises attack tracing and threat disposal;
and the report generation unit is used for generating a forensic analysis report from the detection assessment results and the handling results.
2. The terminal forensics and tracing system of claim 1, wherein the terminal data acquisition unit comprises a file system acquisition module, a startup item acquisition module, a memory acquisition module, a user trace acquisition module, a log acquisition module, a firmware acquisition module, a network acquisition module, a host defect acquisition module and a registry acquisition module, each of which is used for collecting the corresponding service data.
3. The terminal forensics and tracing system of claim 1 or 2, wherein the analysis processing unit comprises a detection and assessment module and a handling and evaluation module;
the detection and assessment module is used for detecting and assessing all the collected service data through a plurality of detection models and a plurality of analysis models running in the database, wherein detection and assessment comprises threat discovery and attack reconstruction;
and the handling and evaluation module is used for handling and evaluating the threats and attacks by combining the detection assessment results with all the collected service data, wherein handling and evaluation comprises attack tracing and threat disposal.
4. The terminal forensics and tracing system of claim 3, wherein the detection and assessment module comprises an analysis engine and a detection engine;
the analysis engine comprises a file analysis model, a startup analysis model, a memory analysis model, a user trace analysis model, a log analysis model, a firmware analysis model, a network data analysis model, a host information analysis model and a registry analysis model, all running in the database, each used for performing threat analysis on the corresponding collected service data to produce threat discoveries, wherein threat discovery comprises Trojan implantation, virus infection, hacker tools, abnormal logs, abnormal traffic and threat intelligence;
and the detection engine comprises a plurality of detection models running in the database and is used for performing attack reconstruction for the threat discoveries produced by the analysis engine, wherein attack reconstruction comprises malicious code identification, abnormal behaviour discovery and risk index assessment.
5. The terminal forensics traceability system of claim 3, wherein the processing and judging module comprises an attack tracing module and a threat handling module;
the attack tracing module is used for carrying out attack tracing on the attack by combining the detection judgment result with all the collected service data, wherein the attack tracing comprises restoration of the hacker activity timeline, correlation tracing and threat tracing;
and the threat handling module is used for providing a threat handling scheme for the threat by combining the detection judgment result with all the collected service data.
6. The terminal forensics traceability system of claim 4, wherein the processing and judging module comprises an attack tracing module and a threat handling module;
the attack tracing module is used for carrying out attack tracing on the attack by combining the detection judgment result with all the collected service data, wherein the attack tracing comprises restoration of the hacker activity timeline, correlation tracing and threat tracing;
and the threat handling module is used for providing a threat handling scheme for the threat by combining the detection judgment result with all the collected service data.
7. The terminal forensics traceability system of claim 1, 2, 4, 5 or 6, further comprising an installation unit and a front-end display unit;
the installation unit is used for installing programs on the target host computer so that the front-end display unit, the terminal data acquisition unit, the analysis processing unit and the report generation unit can be operated on the target host computer;
and the front-end display unit is used for providing login, management, operation and viewing services for the user.
8. The terminal forensics traceability system of claim 3, further comprising an installation unit and a front-end display unit;
the installation unit is used for installing programs on the target host computer so that the front-end display unit, the terminal data acquisition unit, the analysis processing unit and the report generation unit can be operated on the target host computer;
and the front-end display unit is used for providing login, management, operation and viewing services for the user.
9. A terminal forensics tracing method according to any one of claims 1 to 8, comprising the steps of:
based on an attack chain from the attacker's perspective, carrying out all-round scanning and evidence collection on the target terminal and collecting all required service data;
detecting, judging, processing and judging all the collected service data through an identification and tracing tool, wherein the detecting and judging comprises threat discovery and attack restoration, and the processing and judging comprises attack tracing and threat disposal;
and generating a forensic analysis report according to the detection judgment result and the processing judgment result.
10. The terminal forensics tracing method according to claim 9, wherein detecting, judging, processing and judging all the collected service data through the corresponding models comprises:
detecting and judging all the collected service data through a plurality of detection models and a plurality of analysis models running in a database, wherein the detection judgment comprises threat discovery and attack restoration;
and processing and judging the threats and attacks by combining the detection judgment result with all the collected service data, wherein the processing judgment comprises attack tracing and threat disposal.
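As an added example (not code from the patent or its applicants) of the pipeline claimed in claims 3 to 5 and 9 to 10, the sketch below runs constructed collection records through per-source analysis models (threat discovery), an attack restoration step that yields a per-host danger index, activity timeline and correlation tracing, and a threat handling scheme, then assembles the forensic report. The record contents, the indicator set, the weights and the handling actions are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
# Constructed sample of collected service data, one record per collection module (claim 2); host names, paths, the hash and the address are placeholders.
RECORDS = [
    {"src": "log", "ts": "2019-12-12T08:58:00", "host": "ws01", "count": 40, "detail": "logon failure user=admin from 10.0.0.9"},
    {"src": "file", "ts": "2019-12-12T09:00:30", "host": "ws01", "detail": "C:/Users/Public/svc.exe sha256=PLACEHOLDER_BAD_HASH"},
    {"src": "startup", "ts": "2019-12-12T09:01:00", "host": "ws01", "detail": "Run\\svc -> C:/Users/Public/svc.exe"},
    {"src": "network", "ts": "2019-12-12T09:05:00", "host": "ws01", "detail": "svc.exe -> 203.0.113.7:443"},
]
THREAT_INTEL = {"PLACEHOLDER_BAD_HASH", "203.0.113.7"}  # constructed indicator set (threat information)
# Analysis engine (claim 4): one model per data source, each returning (threat type, weight) or None.
def model_log(r):     return ("abnormal log", 15) if "logon failure" in r["detail"] and r.get("count", 0) >= 10 else None
def model_file(r):    return ("trojan implantation", 35) if any(i in r["detail"] for i in THREAT_INTEL) else None
def model_startup(r): return ("trojan implantation", 20) if "/Users/Public/" in r["detail"] else None
def model_network(r): return ("abnormal traffic", 25) if any(i in r["detail"] for i in THREAT_INTEL) else None
MODELS = {"log": model_log, "file": model_file, "startup": model_startup, "network": model_network}
HANDLING = {"trojan implantation": "isolate host, quarantine file, remove startup entry",
            "abnormal traffic": "block the indicator at egress", "abnormal log": "reset account, enforce lockout"}

def analyze(records):
    """Threat discovery: run the analysis model that matches each record's source."""
    findings = []
    for r in records:
        hit = MODELS.get(r["src"], lambda _: None)(r)
        if hit:
            findings.append({**r, "threat": hit[0], "weight": hit[1]})
    return findings

def detect(findings):
    """Attack restoration per host: malicious code flag, abnormal behaviours, danger index (0-100)."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    return {h: {"malicious_code": any(f["src"] in ("file", "memory") for f in fs),
                "abnormal_behaviour": sorted({f["threat"] for f in fs}),
                "danger_index": min(100, sum(f["weight"] for f in fs))} for h, fs in by_host.items()}

def trace(findings):
    """Attack tracing: hacker activity timeline plus correlation of findings sharing an executable."""
    timeline = [(f["ts"], f["src"], f["threat"]) for f in sorted(findings, key=lambda f: f["ts"])]
    links = defaultdict(set)
    for f in findings:
        for artifact in re.findall(r"[\w.-]+\.exe", f["detail"]):
            links[artifact].add(f["src"])
    return {"timeline": timeline, "correlated": {a: sorted(s) for a, s in links.items() if len(s) > 1}}

def report(records):
    # Forensic analysis report: detection judgment, attack tracing and a threat handling scheme per host.
    detection = detect(findings := analyze(records))
    handling = {h: [HANDLING[t] for t in d["abnormal_behaviour"]] for h, d in detection.items()}
    return {"detection": detection, "tracing": trace(findings), "handling": handling}
```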
CN201911276014.5A 2019-12-12 2019-12-12 Terminal evidence obtaining and tracing system and method Pending CN110990830A (en)

Publications (1)

Publication Number Publication Date
CN110990830A true CN110990830A (en) 2020-04-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200410