CN111193749B - Attack tracing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN111193749B
Authority
CN
China
Prior art keywords
information
attack
target
knowledge graph
characteristic information
Prior art date
Legal status
Active
Application number
CN202010009230.XA
Other languages
Chinese (zh)
Other versions
CN111193749A (en)
Inventor
刘小萌
Current Assignee
Beijing Mininglamp Software System Co ltd
Original Assignee
Beijing Mininglamp Software System Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Mininglamp Software System Co ltd
Priority to CN202010009230.XA
Publication of CN111193749A
Application granted
Publication of CN111193749B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The application provides an attack tracing method, an attack tracing device, an electronic device and a storage medium. The method comprises the following steps: acquiring attack information to be traced, where the attack information to be traced is intercepted attack information; extracting features from the attack information to be traced to obtain corresponding feature information; acquiring, from a pre-established knowledge graph, at least one piece of target feature information associated with the feature information, where the knowledge graph stores feature information of a plurality of pieces of attack information and each piece of feature information is associated with at least one other piece of feature information; and determining the attack source of the attack information to be traced according to the associated at least one piece of target feature information. According to the embodiments of the application, the target feature information associated with the feature information of the attack information to be traced can be found efficiently and accurately from a knowledge graph that associates a plurality of pieces of attack information, so that faster attack tracing is achieved.

Description

Attack tracing method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of attack tracing, and in particular, to an attack tracing method, an attack tracing apparatus, an electronic device, and a storage medium.
Background
With the continuous expansion of internet coverage, networks have become an indispensable part of daily life. However, network-based computer attacks are also becoming more and more serious, and attackers mostly use forged IP addresses, so that it is difficult to determine the position of the attack source and a targeted protection strategy cannot be implemented. These factors make the technology for tracing an attack back to its source an important link in an active network defense system.
The information intercepted on the network is distributed across different base tables, the relations among the pieces of information are relatively disordered, and it is difficult to trace the position of an attack source backwards from the directly intercepted information alone.
Disclosure of Invention
An object of the embodiments of the present application is to provide an attack tracing method, an attack tracing device, an electronic device, and a storage medium, which are used to accurately trace the source of intercepted attack information.
In a first aspect, an embodiment provides an attack tracing method, including: acquiring to-be-traced attack information, wherein the to-be-traced attack information is intercepted attack information; extracting the characteristics of the attack information to be traced to obtain corresponding characteristic information; acquiring at least one target feature information associated with the feature information from a pre-established knowledge graph; the knowledge graph stores characteristic information of a plurality of attack information, and each characteristic information is associated with at least one piece of other characteristic information; and determining an attack source of the attack information to be traced according to the associated at least one target characteristic information.
According to the embodiment of the application, the target characteristic information associated with the characteristic information of the attack information to be traced can be efficiently and accurately found according to the knowledge graph with a plurality of associated attack information, and faster attack tracing is realized.
In an optional embodiment, the feature information includes a destination IP, where the destination IP is an IP address of an attacked object; the acquiring of at least one target feature information associated with the feature information from a pre-established knowledge graph includes: acquiring a target IP chain associated with the target IP from the knowledge graph, wherein the target IP chain is used for representing the transmission relation of attack information between at least one IP and the target IP; the determining an attack source of the attack information to be traced according to the associated at least one target characteristic information includes: and acquiring at least one source IP associated with the target IP from the target IP chain as an attack source of the attack information to be traced, wherein the source IP is an initial end IP of the target IP chain.
According to the method and the device, the target IP chain associated with the target IP of the attack information to be traced is found in the knowledge graph, so that the attack source of the attack information to be traced can be determined more accurately and rapidly, and efficient attack tracing is realized.
In an optional embodiment, before the obtaining of the at least one target feature information associated with the feature information from the pre-established knowledge-graph, the method further includes: acquiring a plurality of attack information and a rule number corresponding to each attack information, wherein the rule number is used for representing the attack type of the corresponding attack information; extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of characteristic information corresponding to the attack information; and associating a plurality of characteristic information according to the rule number corresponding to each attack information to obtain the knowledge graph. In the embodiment, in the obtained knowledge graph, a plurality of attack information are associated through corresponding characteristic information so as to carry out subsequent attack tracing.
In an optional embodiment, the extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of feature information corresponding to the attack information includes: acquiring a preset extraction position corresponding to each attack information according to the rule number corresponding to the attack information; the preset extraction position is used for representing the position of the characteristic information in the attack information; and extracting information of the attack information according to the preset extraction position to obtain a plurality of characteristic information corresponding to the attack information.
According to the embodiment of the application, the preset extraction position is determined through the rule number, the characteristic information of the attack information can be extracted quickly and accurately, and the attack tracing efficiency is improved.
In an optional implementation manner, the associating the plurality of feature information according to the rule number corresponding to each attack information to obtain the knowledge graph includes: after the following steps are sequentially executed for all attack information in the plurality of attack information, selecting the latest knowledge graph to be constructed as a knowledge graph; wherein the step performed for each of the attack information comprises: obtaining at least one piece of relation information corresponding to the attack information according to the rule number corresponding to the attack information, wherein the relation information is used for representing the association between the characteristic information corresponding to the attack information; acquiring a knowledge graph to be constructed; judging whether the knowledge graph to be constructed contains the characteristic information or not according to each characteristic information corresponding to the attack information; if the to-be-constructed knowledge graph contains the characteristic information, taking the characteristic information in the to-be-constructed knowledge graph as to-be-associated characteristic information; if the to-be-constructed knowledge graph does not contain the feature information, storing the feature information of the attack information as to-be-associated feature information into the to-be-constructed knowledge graph; and according to the relation information, correlating the plurality of feature information to be correlated to obtain a new knowledge graph to be constructed.
According to the embodiment of the application, the association between the corresponding feature information to be associated is established for each attack information, so that the knowledge graph corresponding to a plurality of attack information can be quickly and accurately obtained, the association between the attack information can be more visually displayed by the knowledge graph, and the subsequent attack tracing can be conveniently carried out.
In a second aspect, an embodiment provides an attack tracing apparatus, including: an acquisition module, configured to acquire attack information to be traced, where the attack information to be traced is intercepted attack information; a feature extraction module, configured to extract features from the attack information to be traced to obtain corresponding feature information; a search module, configured to acquire at least one piece of target feature information associated with the feature information from a pre-established knowledge graph, where the knowledge graph stores feature information of a plurality of pieces of attack information and each piece of feature information is associated with at least one other piece of feature information; and a source tracing module, configured to determine the attack source of the attack information to be traced according to the associated at least one piece of target feature information.
According to the embodiment of the application, the searching module is utilized to efficiently and accurately find the target characteristic information associated with the characteristic information of the attack information to be traced according to the knowledge graph with a plurality of associated attack information, so that the tracing module can realize faster attack tracing.
In an optional embodiment, the feature information includes a destination IP, where the destination IP is an IP address of an attacked object; the search module is specifically configured to: acquiring a target IP chain associated with the target IP from the knowledge graph, wherein the target IP chain is used for representing the transmission relation of attack information between at least one IP and the target IP; the tracing module is specifically configured to: and acquiring at least one source IP associated with the target IP from the target IP chain as an attack source of the attack information to be traced, wherein the source IP is an initial end IP of the target IP chain.
According to the embodiment of the application, the searching module is used for finding the target IP chain associated with the target IP of the attack information to be traced in the knowledge graph, and then the source tracing module can be used for more accurately and quickly determining the attack source of the attack information to be traced, so that efficient attack tracing is realized.
In an optional embodiment, the attack tracing apparatus further includes a map establishing module, configured to: acquiring a plurality of attack information and a rule number corresponding to each attack information, wherein the rule number is used for representing the attack type of the corresponding attack information; extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of characteristic information corresponding to the attack information; and associating a plurality of characteristic information according to the rule number corresponding to each attack information to obtain the knowledge graph. In the knowledge graph obtained in the embodiment, a plurality of attack information are associated through corresponding characteristic information, so that subsequent attack tracing is performed.
In a third aspect, an embodiment provides an electronic device, including a processor, a memory and a bus, where the processor and the memory communicate with each other through the bus; the memory stores program instructions executable by the processor, and the processor is capable of executing the method of any one of the preceding embodiments when the program instructions are invoked by the processor.
In a fourth aspect, embodiments provide a non-transitory computer readable storage medium storing computer instructions that cause the computer to perform the method of any of the preceding embodiments.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be regarded as limiting its scope, and that those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of an attack tracing method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a relationship between feature information of a knowledge graph provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an attack tracing apparatus according to an embodiment of the present application;
Fig. 4 is a block diagram of an electronic device applicable to the embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Fig. 1 is a schematic flowchart of an attack tracing method provided in an embodiment of the present application, where the method includes:
Step 110: acquiring attack information to be traced, where the attack information to be traced is intercepted attack information.
The information to be traced may be information carried in a data packet used to perform a network attack on a certain node, and the data packet may be intercepted by interception software. To protect the network, interception software can be deployed at the routing end of the network. The interception software matches each data packet forwarded by the router, and if the content of the packet successfully matches a pre-stored sample rule number, it intercepts the information carried in the packet as attack information. The sample rule numbers pre-stored in the interception software can be regular expressions that represent the attack types of sample attack information, obtained by type analysis of multiple pieces of sample attack information; different sample rule numbers represent the attack types of different sample attack information.
Furthermore, the attack types corresponding to the attack information to be traced and to the sample attack information are various, and may be backdoor attacks, trojan zombies, counterfeit websites and the like; the specific attack types can be adjusted according to actual attack tracing requirements.
Step 120: extracting features from the attack information to be traced to obtain corresponding feature information.
Each piece of attack information carries a plurality of pieces of feature information, which may include a combination of items such as an IP address, a rule number, a target domain name, a malicious link and the like. For the same type of feature information, the content corresponding to different attack information may be the same or different. For example, for feature information such as malicious code, the code content of the malicious code corresponding to different attack information may be the same or different.
It should be noted that attack information generally includes two IP addresses, a source IP address and a destination IP address: the source IP address of the attack information is the IP address that sends the attack information, and the destination IP address is the IP address that receives it. A root domain name corresponding to the attack information can be determined from its target domain name, and the root domain name can also be a kind of feature information.
Furthermore, the types of feature information included in attack information of different attack types may also differ. For example: for attack information whose attack type is a backdoor attack, the corresponding feature information comprises an IP address, a rule number, a target domain name and a malicious link; for attack information whose attack type is a trojan zombie, the corresponding feature information comprises an IP address and a rule number; for attack information whose attack type is a counterfeit website, the corresponding feature information comprises an IP address, a rule number, a target domain name, a malicious link and malicious code. The specific types of feature information can be adjusted according to actual attack tracing requirements.
Step 130: acquiring at least one target feature information associated with the feature information from a pre-established knowledge graph; the knowledge graph stores characteristic information of a plurality of attack information, and each characteristic information is associated with at least one piece of other characteristic information.
The knowledge graph stores feature information corresponding to a plurality of pieces of attack information. Among the pieces of feature information of each piece of attack information, each is associated with at least one other, and two associated pieces of feature information may belong to the same attack information or to different attack information. Taking the target domain name in one piece of attack information as an example, it may be associated with other feature information of the same attack information, such as the IP address of that attack information; it may also be associated with feature information of similar or identical content in different attack information, such as a target domain name with the same content in different attack information.
Meanwhile, in the knowledge graph, different attack information can be associated through feature information with the same content. For example, in the knowledge graph, the code contents of the malicious codes corresponding to the two attack information are the same, and the two attack information can be associated through the same characteristic information of the malicious codes. Therefore, at least one target characteristic information related to the characteristic information content can be found in the knowledge graph according to the characteristic information to be traced.
Step 140: determining the attack source of the attack information to be traced according to the associated at least one piece of target feature information.
Then, tracing analysis is performed on the at least one piece of associated target feature information to determine the attack source of the attack information to be traced. Thus, according to a knowledge graph that associates a plurality of pieces of attack information, the target feature information associated with the feature information of the attack information to be traced can be found efficiently and accurately, so that attack tracing is achieved more quickly.
Moreover, an attack source can carry out a network attack by sending data packets to other nodes, and an attacked node may in turn serve as a communication channel for the attack source and as a node for hiding its identity; it may also be controlled to send data packets to other nodes to carry out further network attacks. Therefore, the attack source of the attack information to be traced is the network node that initially sent the data packets used to carry out the network attack. At the same time, there may be one or a plurality of attack sources for the attack information to be traced, that is, a plurality of attack sources may be attacking the node corresponding to the attack information to be traced.
To obtain target feature information from the knowledge graph according to the feature information, the destination IP in the attack information may be selected as the feature information, or the target domain name may be selected instead; the type of feature information used for the attack information to be traced is not limited and can be chosen according to actual attack tracing requirements. The following description takes the destination IP as the example feature information.
As an implementation manner of the present application, the feature information includes a destination IP, where the destination IP is an IP address of an attacked object, and step 130 may specifically include: and acquiring a target IP chain associated with the target IP from the knowledge graph, wherein the target IP chain is used for representing the transmission relation of attack information between at least one IP and the target IP. Furthermore, step 140 may specifically include: and acquiring at least one source IP associated with the target IP from the target IP chain as an attack source of the attack information to be traced, wherein the source IP is an initial end IP of the target IP chain.
At least one IP chain is stored in the knowledge graph; each IP chain contains a plurality of IP addresses, and each IP address is associated with at least one other IP address. The IP chain is directional and represents the transmission direction and transmission relation of attack information between the IPs. For example, assuming three IP addresses IP20, IP30 and IP40 are arranged in the IP chain in order from front to back, the transmission direction of the attack information along the chain is from IP20 to IP30 and from IP30 to IP40, and the transmission relation may be that IP20 transmits the attack information to IP30 and IP30 transmits it to IP40. Therefore, according to the transmission relation of attack information between the IPs on an IP chain in the knowledge graph, attack tracing can be carried out more quickly and intuitively. Moreover, the attack situation of the corresponding network attack can be determined from the IP chain, that is, how the current network attack has developed, so that subsequent network attacks can be prevented.
Meanwhile, the source IP corresponding to the target IP chain is the start IP of the target IP chain, and the IP chain may be a chain without branches or a tree with multiple branches, that is, one or multiple start IP addresses of the IP chain may be provided. Therefore, the source IP corresponding to the destination IP may be one or multiple, that is, there may be one or multiple attack sources of the attack information to be traced.
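As an added illustration of the IP chain tracing described above (example code written for this page, not code from the patent or its assignee), the following Python builds the directed transmission relation from a constructed set of intercepted (source IP, destination IP) pairs and walks it backwards from the attacked IP. The start IPs of the chain, those with no predecessor, are returned as the attack sources; the second branch in the sample data shows the tree case with two sources, and the visited set keeps the walk from looping if the intercepted records happen to contain a cycle. The IP addresses and function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of intercepted transmissions (source IP, destination IP);
# these addresses are made up for the example and correspond to no real record.
SAMPLE_EDGES = [
    ("10.0.0.20", "10.0.0.30"),
    ("10.0.0.30", "10.0.0.40"),
    ("10.0.0.21", "10.0.0.30"),   # second branch into the same relay: the chain is a tree
    ("10.0.0.40", "10.0.0.50"),
]


def build_ip_chain(edges):
    """Directed IP chain stored as: destination IP -> set of IPs that sent attack information to it."""
    predecessors = defaultdict(set)
    for src, dst in edges:
        predecessors[dst].add(src)
    return predecessors


def trace_sources(predecessors, target_ip):
    """Walk the chain backwards from the attacked IP.

    Every reachable IP with no predecessor is a start IP of the chain, i.e. an attack source.
    The visited set guards against cycles; a cycle with no entry node yields no source.
    """
    sources, seen, stack = set(), set(), [target_ip]
    while stack:
        ip = stack.pop()
        if ip in seen:
            continue
        seen.add(ip)
        preds = predecessors.get(ip, set())
        if not preds:
            if ip != target_ip:          # the attacked node itself is never reported as a source
                sources.add(ip)
            continue
        stack.extend(preds)
    return sources


def attack_paths(predecessors, target_ip):
    """All source -> ... -> target paths, listed front to back like the patent's IP chain order."""
    paths = []

    def walk(ip, path):
        preds = predecessors.get(ip, set())
        if not preds:
            if ip != target_ip:
                paths.append(list(reversed(path)))
            return
        for pred in sorted(preds):
            if pred in path:             # cycle guard: do not revisit an IP already on this path
                continue
            walk(pred, path + [pred])

    walk(target_ip, [target_ip])
    return paths


if __name__ == "__main__":
    chain = build_ip_chain(SAMPLE_EDGES)
    print("sources of 10.0.0.50:", sorted(trace_sources(chain, "10.0.0.50")))
    for path in attack_paths(chain, "10.0.0.50"):
        print(" -> ".join(path))
```

Tracing from `10.0.0.50` yields two sources, `10.0.0.20` and `10.0.0.21`, because both feed the relay `10.0.0.30`; an attacked IP that appears in no intercepted record as a destination yields an empty set rather than a guess.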
As an embodiment of the present application, before step 130, the method further includes: acquiring a plurality of attack information and a rule number corresponding to each attack information, wherein the rule number is used for representing the attack type of the corresponding attack information; extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of characteristic information corresponding to the attack information; and associating a plurality of characteristic information according to the rule number corresponding to each attack information to obtain the knowledge graph.
The rule number is determined according to the successfully matched sample rule number in the process of intercepting the attack information. According to the rule number of the attack information, the attack type of the corresponding attack information can be determined, and then the characteristic extraction is carried out according to the attack type of the attack information, so that the characteristic information corresponding to the attack information can be obtained more accurately. One attack type may correspond to one rule number, or may correspond to a plurality of rule numbers, for example, a backdoor attack may include attack modes such as a web backdoor attack, an extended backdoor attack, and the like, each attack mode may correspond to one rule number, and a backdoor attack may correspond to a plurality of rule numbers.
Similarly, step 120 may specifically include: acquiring the rule number corresponding to the attack information to be traced, and extracting information from the attack information to be traced according to that rule number to obtain the corresponding feature information.
Meanwhile, for a plurality of characteristic information of one attack information, at least two of the plurality of characteristic information can be associated according to the attack type, so that one characteristic information at least corresponds to the other characteristic information. For a plurality of attack information, correlation can be carried out according to the content of the characteristic information so as to obtain the knowledge graph.
It is worth noting that after new attack information is intercepted, the knowledge graph can be updated by associating the pieces of feature information corresponding to the new attack information according to its rule number, which enlarges the data capacity of the knowledge graph and makes subsequent attack tracing more accurate.
As an implementation manner of the present application, the extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of feature information corresponding to the attack information includes: acquiring a preset extraction position corresponding to each attack information according to the rule number corresponding to the attack information; the preset extraction position is used for representing the position of the characteristic information in the attack information; and extracting information of the attack information according to the preset extraction position to obtain a plurality of characteristic information corresponding to the attack information.
According to the rule number corresponding to the attack information, the attack type corresponding to the attack information can be made clear, the format of the attack information can be determined according to the attack type, and the placement position of the characteristic information can be determined according to the format of the attack information, namely the placement position is the preset extraction position. Therefore, the attack information is directly extracted according to the preset extraction position, the characteristic information of each attack information can be quickly and accurately extracted, and the attack tracing efficiency is improved.
As an embodiment of the present application, associating the plurality of pieces of feature information according to the rule number corresponding to each piece of attack information to obtain the knowledge graph includes: executing the following steps in turn for each piece of attack information among the plurality of attack information, and then taking the latest knowledge graph to be constructed as the knowledge graph. The steps executed for each piece of attack information are:
obtaining, according to the rule number corresponding to the attack information, at least one piece of relationship information corresponding to it, the relationship information representing the association between the pieces of characteristic information of that attack information;
acquiring the knowledge graph to be constructed;
judging, for each piece of characteristic information of the attack information, whether the knowledge graph to be constructed already contains it;
if the knowledge graph to be constructed contains the characteristic information, taking the characteristic information already in the graph as characteristic information to be associated;
if the knowledge graph to be constructed does not contain the characteristic information, storing the characteristic information of the attack information into the knowledge graph to be constructed as characteristic information to be associated;
and associating the plurality of pieces of characteristic information to be associated according to the relationship information, to obtain a new knowledge graph to be constructed.
Fig. 2 is a schematic diagram of the relationships between feature information in a knowledge graph provided in an embodiment of the present application, and Table 1 is a schematic table of relationship information provided in an embodiment of the present application. As shown in Fig. 2, different types of attack information may have different relationship information. Relationship information may be directional, with a start point and an end point. Accordingly, each row of Table 1 represents one attack type, and the association between two pieces of feature information of that attack type is one piece of relationship information. For example, the first row represents the backdoor attack type: the relationship between the source IP address and the destination IP address is the backdoor attack, its start point is the source IP address and its end point is the destination IP address. The relationship information corresponding to the characteristic information of each piece of attack information can therefore be looked up quickly from the table.
TABLE 1 A schematic table of the corresponding relationship of characteristic information
[Table 1 is provided as an image in the original publication and is not reproduced here.]
Table 2 is a schematic table of the correspondence between types of feature information and types of feature information to be associated, provided in an embodiment of the present application. It is worth noting that the source IP address and the destination IP address in the attack information are both IP addresses; to avoid storing the same data repeatedly, both can be mapped to the single type "IP address" as the type of feature information to be associated, and the subsequent association in the knowledge graph to be constructed is performed on that type. Consequently, for different pieces of attack information, associations among a plurality of attack information can be established through the characteristic information and the characteristic information to be associated.
Table 2 A schematic table showing the correspondence between the types of feature information and the types of feature information to be associated
[Table 2 is provided as an image in the original publication and is not reproduced here.]
It should be noted that Tables 1 and 2 are both implementation manners for associating the feature information of attack information provided in the embodiment of the present application; the correspondence of the feature information of actual attack information is not limited to them and may be adjusted according to the actual attack tracing requirement. Likewise, the order in which the relationship information is obtained and the feature information to be associated is obtained is not limited, and may be adjusted according to the actual construction requirement.
The following explanation takes attack information whose attack type is a backdoor attack as an example. Assume that attack information X and attack information Y exist, that X is already stored in the knowledge graph to be constructed and that Y is not. X includes: source IP address 1, destination IP address 2, rule number 1, target domain name 1 and malicious link 1. Y includes: source IP address 2, destination IP address 3, rule number 3, target domain name 3 and malicious link 1.
Accordingly, at least one piece of relationship information corresponding to Y can be obtained from the rule number of Y, including: relationship information 1, representing the association between source IP address 2 and destination IP address 3; relationship information 2, representing the association between source IP address 2 and rule number 3; relationship information 3, representing the association between destination IP address 3 and rule number 3; relationship information 4, representing the association between destination IP address 3 and target domain name 3; and relationship information representing the association between destination IP address 3 and malicious link 1.
Meanwhile, the knowledge graph to be constructed is found to contain IP address 2, which matches source IP address 2 in Y, so IP address 2 already in the graph is used as feature information to be associated. Likewise, the graph is found to contain malicious link 1, which matches malicious link 1 in Y, so malicious link 1 already in the graph is used as feature information to be associated. Destination IP address 3, rule number 3 and target domain name 3 are found not to be contained in the graph, so IP address 3, rule number 3 and target domain name 3 are stored in the graph as feature information to be associated.
Then, according to the relationship information, each piece of feature information to be associated is associated with at least one other piece of feature information to be associated, yielding a new knowledge graph to be constructed, which is then extended with the next piece of attack information.
It should be noted that in the initial step, if the knowledge graph to be constructed is blank, that is, contains no feature information, the feature information of the first piece of attack information is used as the feature information to be associated, stored in the blank graph, and then the association among those pieces of feature information is carried out.
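The extraction-by-preset-position step (rule number to field layout) and the per-record graph construction procedure above, including the X / Y walk-through, as an added Python example. It is not code from the patent: the record format, rule numbers, extraction positions, relation labels and IP values are all constructed assumptions. It also adds a second record layout (a port-scan rule) to show why the rule number must select the extraction positions.

```python
# Added example (not the patent's own code): builds the knowledge graph the text
# describes. Everything here is constructed for illustration: the record format,
# the rule numbers, the extraction positions and the relation templates.

# Preset extraction positions: rule number -> {feature name: field index}.
# The rule number fixes the attack type, and the type fixes the record layout.
EXTRACTION_POSITIONS = {
    1: {"src_ip": 0, "dst_ip": 1, "rule": 2, "domain": 3, "link": 4},  # backdoor, layout A
    3: {"src_ip": 0, "dst_ip": 1, "rule": 2, "domain": 3, "link": 4},  # backdoor, layout A
    7: {"dst_ip": 0, "src_ip": 1, "rule": 2, "port": 3},               # port scan, layout B
}

# Relation templates in the spirit of Table 1: one list per attack type, each
# entry a directed relation (start feature, end feature, relation label).
BACKDOOR_RELATIONS = [
    ("src_ip", "dst_ip", "backdoor_attack"),
    ("src_ip", "rule", "triggered_rule"),
    ("dst_ip", "rule", "hit_by_rule"),
    ("dst_ip", "domain", "target_domain"),
    ("dst_ip", "link", "malicious_link"),
]
SCAN_RELATIONS = [
    ("src_ip", "dst_ip", "port_scan"),
    ("src_ip", "rule", "triggered_rule"),
    ("dst_ip", "port", "scanned_port"),
]
RELATIONS = {1: BACKDOOR_RELATIONS, 3: BACKDOOR_RELATIONS, 7: SCAN_RELATIONS}

# In the spirit of Table 2: source and destination IP fields share one node
# type, so an address seen in either role is stored once and links records.
NODE_TYPE = {"src_ip": "ip", "dst_ip": "ip", "rule": "rule",
             "domain": "domain", "link": "link", "port": "port"}


def extract_features(record, rule_no):
    """Read the feature fields of a '|'-delimited record at the positions
    preset for its rule number; reject records too short for that layout."""
    fields = record.split("|")
    positions = EXTRACTION_POSITIONS[rule_no]
    if len(fields) <= max(positions.values()):
        raise ValueError("record has fewer fields than rule %d expects" % rule_no)
    return {name: fields[idx] for name, idx in positions.items()}


class KnowledgeGraph:
    """Knowledge graph under construction: nodes are (type, value) pairs,
    edges are (start node, end node, label) triples."""

    def __init__(self):
        self.nodes = set()
        self.edges = set()

    def node_to_associate(self, feature, value):
        """If the graph already holds this node, reuse it; otherwise store it.
        Either way it becomes the 'feature information to be associated'."""
        node = (NODE_TYPE[feature], value)
        self.nodes.add(node)
        return node

    def add_attack(self, record, rule_no):
        """One pass of the per-record procedure: extract, look up or store each
        feature, then associate them as the relation template dictates."""
        feats = extract_features(record, rule_no)
        to_assoc = {f: self.node_to_associate(f, v) for f, v in feats.items()}
        for start, end, label in RELATIONS[rule_no]:
            self.edges.add((to_assoc[start], to_assoc[end], label))
        return self

    def successors(self, node, label=None):
        """Nodes reached from `node` in one hop, optionally filtered by label."""
        return {e for s, e, lab in self.edges
                if s == node and (label is None or lab == label)}

    def predecessors(self, node, label=None):
        """Nodes that reach `node` in one hop, optionally filtered by label."""
        return {s for s, e, lab in self.edges
                if e == node and (label is None or lab == label)}


def build_example_graph():
    """Replay the X / Y walk-through from the text with constructed values,
    plus one port-scan record that uses the other field layout."""
    x = "192.0.2.1|192.0.2.2|1|domain-1.example|http://link-1.example/p"
    y = "192.0.2.2|192.0.2.3|3|domain-3.example|http://link-1.example/p"
    z = "192.0.2.3|198.51.100.7|7|445"   # destination comes first in layout B
    return KnowledgeGraph().add_attack(x, 1).add_attack(y, 3).add_attack(z, 7)
```

After X and Y the graph holds eight nodes rather than ten, because IP address 2 and malicious link 1 are reused instead of stored again, and the shared IP node is what ties the two records together; the port-scan record shows that reading fields at the wrong layout's positions would silently swap source and destination, which is why the rule number has to be resolved before extraction.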
Fig. 3 is a schematic structural diagram of an attack tracing apparatus provided in an embodiment of the present application. Based on the same inventive concept, an embodiment of the present application further provides an attack tracing apparatus 300, which includes: an obtaining module 310, configured to obtain attack information to be traced, the attack information to be traced being intercepted attack information; a feature extraction module 320, configured to perform feature extraction on the attack information to be traced to obtain corresponding feature information; a searching module 330, configured to obtain from a pre-established knowledge graph at least one piece of target feature information associated with the feature information, where the knowledge graph stores the characteristic information of a plurality of attack information and each piece of characteristic information is associated with at least one other piece; and a source tracing module 340, configured to determine the attack source of the attack information to be traced according to the associated at least one piece of target feature information.
On the basis of the foregoing embodiment, the feature information includes a destination IP, the destination IP being the IP address of the attacked object, and the search module 330 is specifically configured to: acquire from the knowledge graph a target IP chain associated with the destination IP, the target IP chain representing the transmission relation of attack information between at least one IP and the destination IP. The tracing module 340 is specifically configured to: acquire from the target IP chain at least one source IP associated with the destination IP as the attack source of the attack information to be traced, the source IP being the IP at the initial end of the target IP chain.
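The target IP chain and initial-end source IP of the search and tracing modules, as an added Python example that is not the patent's own code. The attack-transfer edges are constructed for this example and stand in for the source IP to destination IP relations that a knowledge graph built beforehand would hold.

```python
# Added example (not the patent's own code): walks the "target IP chain" of a
# knowledge graph backwards from an attacked destination IP and reports the
# IPs at the initial end of the chain as attack sources.
from collections import deque

# Constructed attack-transfer edges: (source IP, destination IP, rule number).
ATTACK_EDGES = [
    ("192.0.2.1", "192.0.2.2", 1),
    ("192.0.2.2", "192.0.2.3", 3),
    ("198.51.100.7", "192.0.2.2", 1),
    ("192.0.2.3", "192.0.2.4", 3),
    ("192.0.2.4", "192.0.2.3", 3),   # back-edge: the walk must tolerate cycles
]


def reverse_index(edges):
    """destination IP -> list of (source IP, rule number) records that hit it."""
    index = {}
    for src, dst, rule in edges:
        index.setdefault(dst, []).append((src, rule))
    return index


def target_ip_chain(edges, dst_ip, max_hops=16):
    """Return (chain, sources). `chain` lists the attack-transfer edges that
    lead, directly or through intermediate hosts, to dst_ip; `sources` lists
    the IPs in that chain that no record attacks, i.e. the initial end of the
    chain. Breadth-first over the reverse index, cycle-safe and hop-limited."""
    rev = reverse_index(edges)
    chain, seen = [], {dst_ip}
    queue = deque([(dst_ip, 0)])
    while queue:
        ip, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for src, rule in rev.get(ip, []):
            chain.append((src, ip, rule))
            if src not in seen:
                seen.add(src)
                queue.append((src, depth + 1))
    sources = sorted(ip for ip in seen if ip != dst_ip and not rev.get(ip))
    return chain, sources
```

An IP is reported as an initial end only because the intercepted records hold no attack against it, so the answer is bounded by the coverage of the interception points; the visited set keeps the walk from looping on mutual attacks such as the constructed back-edge, and the hop limit bounds the work on a large graph (when it cuts the walk short, no initial end is found and the source list is empty).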
On the basis of the above embodiment, the attack tracing apparatus 300 further includes a map establishing module, configured to: acquiring a plurality of attack information and a rule number corresponding to each attack information, wherein the rule number is used for representing the attack type of the corresponding attack information; extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of characteristic information corresponding to the attack information; and associating a plurality of characteristic information according to the rule number corresponding to each attack information to obtain the knowledge graph.
On the basis of the above embodiment, the map establishing module is specifically configured to: acquiring a preset extraction position corresponding to each attack information according to the rule number corresponding to the attack information; the preset extraction position is used for representing the position of the characteristic information in the attack information; and extracting information of the attack information according to the preset extraction position to obtain a plurality of characteristic information corresponding to the attack information.
On the basis of the above embodiment, the map establishing module is specifically configured to: after the following steps are sequentially executed for all attack information in the plurality of attack information, selecting the latest knowledge graph to be constructed as a knowledge graph; wherein the step performed for each of the attack information comprises: obtaining at least one piece of relation information corresponding to the attack information according to the rule number corresponding to the attack information, wherein the relation information is used for representing the association between the characteristic information corresponding to the attack information; acquiring a knowledge graph to be constructed; judging whether the knowledge graph to be constructed contains the characteristic information or not according to each characteristic information corresponding to the attack information; if the to-be-constructed knowledge graph contains the characteristic information, taking the characteristic information in the to-be-constructed knowledge graph as target characteristic information; if the to-be-constructed knowledge graph does not contain the characteristic information, storing the characteristic information of the attack information as target characteristic information into the to-be-constructed knowledge graph; and according to the relation information, correlating the target characteristic information to obtain a new knowledge graph to be constructed.
Referring to Fig. 4, Fig. 4 is a block diagram of the structure of an electronic device 10 applicable to the embodiment of the present application. The electronic device 10 may include a memory 101, a memory controller 102, a processor 103, a peripheral interface 104, an input/output unit 105 and a display unit 107.
The memory 101, memory controller 102, processor 103, peripheral interface 104, input/output unit 105 and display unit 107 are electrically connected to one another, directly or indirectly, to transmit or exchange data; for example, they may be connected through one or more communication buses or signal lines. The memory 101 stores at least one piece of software or firmware, or a software function module embedded in the operating system (OS). The processor 103 executes the executable modules, software function modules or computer programs stored in the memory 101.
The memory 101 may be, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM) and the like. The memory 101 stores a program, which the processor 103 executes after receiving an execution instruction; the method disclosed in any of the foregoing embodiments of the present application may be applied to, or implemented by, the processor 103.
The processor 103 may be an integrated circuit chip with signal processing capability. It may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like, or a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and it can implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 103 may be any conventional processor.
The peripheral interface 104 couples various input/output devices to the processor 103 and to the memory 101. In some embodiments the peripheral interface 104, the processor 103 and the memory controller 102 may be implemented in a single chip; in other examples they may be implemented on separate chips.
The input/output unit 105 allows a user to enter data and thereby interact with the electronic device 10; it may be, but is not limited to, a mouse, a keyboard and the like.
The display unit 107 provides an interactive interface (for example, a user interface) between the electronic device 10 and a user, or displays image data for the user's reference. In this embodiment the display unit 107 may be a liquid crystal display or a touch display; a touch display may be a capacitive or resistive touch screen supporting single-point and multi-point touch, meaning that it can sense touch operations produced simultaneously at one or more positions on the screen and pass them to the processor 103 for calculation and processing.
It will be appreciated that the configuration shown in FIG. 4 is merely illustrative and that the electronic device 10 may include more or fewer components than shown in FIG. 4 or may have a different configuration than shown in FIG. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
To sum up, the embodiment of the present application provides an attack tracing method, an attack tracing apparatus, an electronic device, and a storage medium, where the method includes: acquiring to-be-traced attack information, wherein the to-be-traced attack information is intercepted attack information; extracting the characteristics of the attack information to be traced to obtain corresponding characteristic information; acquiring at least one target feature information associated with the feature information from a pre-established knowledge graph; the knowledge graph stores characteristic information of a plurality of attack information, and each characteristic information is associated with at least one piece of other characteristic information; and determining an attack source of the attack information to be traced according to the associated at least one target characteristic information. According to the embodiment of the application, the target characteristic information associated with the characteristic information of the attack information to be traced can be efficiently and accurately found according to the knowledge graph with a plurality of associated attack information, and faster attack tracing is realized.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions of it that substantially contribute over the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes any medium capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (8)

1. An attack tracing method is characterized by comprising the following steps:
acquiring to-be-traced attack information, wherein the to-be-traced attack information is intercepted attack information;
extracting the characteristics of the attack information to be traced to obtain corresponding characteristic information;
acquiring a plurality of attack information and a rule number corresponding to each attack information, wherein the rule number is used for representing the attack type of the corresponding attack information;
extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of characteristic information corresponding to the attack information;
associating a plurality of characteristic information according to the rule number corresponding to each attack information to obtain a knowledge graph;
acquiring at least one target feature information associated with the feature information from a pre-established knowledge graph; the knowledge graph stores characteristic information of a plurality of attack information, and each characteristic information is associated with at least one piece of other characteristic information;
and determining an attack source of the attack information to be traced according to the associated at least one target characteristic information.
2. The attack tracing method according to claim 1, wherein the characteristic information includes a destination IP, and the destination IP is an IP address of an attacked object; the acquiring of at least one target feature information associated with the feature information from a pre-established knowledge graph includes:
acquiring a target IP chain associated with the target IP from the knowledge graph, wherein the target IP chain is used for representing the transmission relation of attack information between at least one IP and the target IP;
the determining an attack source of the attack information to be traced according to the associated at least one target characteristic information includes:
and acquiring at least one source IP associated with the target IP from the target IP chain as an attack source of the attack information to be traced, wherein the source IP is an initial end IP of the target IP chain.
3. The attack tracing method according to claim 1, wherein the extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of feature information corresponding to the attack information comprises:
acquiring a preset extraction position corresponding to each attack information according to the rule number corresponding to the attack information; the preset extraction position is used for representing the position of the characteristic information in the attack information;
and extracting information of the attack information according to the preset extraction position to obtain a plurality of characteristic information corresponding to the attack information.
4. The attack tracing method according to claim 1, wherein the associating a plurality of feature information according to a rule number corresponding to each attack information to obtain the knowledge graph comprises:
after the following steps are sequentially executed for all attack information in the attack information, selecting the latest knowledge graph to be constructed as a knowledge graph;
wherein the step performed for each of the attack information comprises:
obtaining at least one piece of relation information corresponding to the attack information according to the rule number corresponding to the attack information, wherein the relation information is used for representing the association between the characteristic information corresponding to the attack information;
acquiring a knowledge graph to be constructed;
judging whether the knowledge graph to be constructed contains the characteristic information or not according to each characteristic information corresponding to the attack information;
if the to-be-constructed knowledge graph contains the characteristic information, taking the characteristic information in the to-be-constructed knowledge graph as to-be-associated characteristic information;
if the to-be-constructed knowledge graph does not contain the feature information, storing the feature information of the attack information as to-be-associated feature information into the to-be-constructed knowledge graph;
and according to the relation information, correlating the plurality of feature information to be correlated to obtain a new knowledge graph to be constructed.
5. An attack tracing apparatus, comprising:
an acquisition module, configured to acquire attack information to be traced, wherein the attack information to be traced is intercepted attack information;
the characteristic extraction module is used for extracting the characteristics of the attack information to be traced to obtain corresponding characteristic information;
the map establishing module is used for acquiring a plurality of attack information and a rule number corresponding to each attack information, wherein the rule number is used for representing the attack type of the corresponding attack information; extracting information of the attack information according to the rule number corresponding to each attack information to obtain a plurality of characteristic information corresponding to the attack information; associating a plurality of characteristic information according to the rule number corresponding to each attack information to obtain a knowledge graph;
the searching module is used for acquiring at least one target characteristic information associated with the characteristic information from a pre-established knowledge graph; the knowledge graph stores characteristic information of a plurality of attack information, and each characteristic information is associated with at least one piece of other characteristic information;
and the source tracing module is used for determining an attack source of the attack information to be traced according to the associated at least one target characteristic information.
6. The attack tracing apparatus according to claim 5, wherein the characteristic information includes a destination IP, and the destination IP is an IP address of an attacked object; the search module is specifically configured to:
acquiring a target IP chain associated with the target IP from the knowledge graph, wherein the target IP chain is used for representing the transmission relation of attack information between at least one IP and the target IP;
the tracing module is specifically configured to: and acquiring at least one source IP associated with the target IP from the target IP chain as an attack source of the attack information to be traced, wherein the source IP is an initial end IP of the target IP chain.
7. An electronic device, comprising: a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any one of claims 1-4.
8. A non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method of any one of claims 1-4.
Bibliographic data

Application number: CN202010009230.XA (Active)
Title: Attack tracing method and device, electronic equipment and storage medium
Priority date: 2020-01-03; filing date: 2020-01-03

Publications (2)

CN111193749A (en), published 2020-05-22
CN111193749B (en), published 2022-05-17

Family ID: 70709889
Country status: CN (1) CN111193749B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111565205B (en) * 2020-07-16 2020-10-23 腾讯科技(深圳)有限公司 Network attack identification method and device, computer equipment and storage medium
CN112134837A (en) * 2020-08-06 2020-12-25 瑞数信息技术(上海)有限公司 Method and system for detecting Web attack behavior
CN112364173B (en) * 2020-10-21 2022-03-18 中国电子科技网络信息安全有限公司 IP address mechanism tracing method based on knowledge graph
CN114650146A (en) * 2020-12-02 2022-06-21 中国电信股份有限公司 Attack tracing method and device and computer storage medium
CN112839061B (en) * 2021-03-04 2022-11-25 安天科技集团股份有限公司 Tracing method and device based on regional characteristics
CN114157480B (en) * 2021-12-01 2024-01-26 北京华云安信息技术有限公司 Method, device, equipment and storage medium for determining network attack scheme
CN114499959B (en) * 2021-12-24 2024-04-16 北京网神洞鉴科技有限公司 Server attack tracing method and device
CN114338211B (en) * 2021-12-31 2023-10-20 上海浦东发展银行股份有限公司 Network attack tracing method and device, electronic equipment and storage medium
CN114944956A (en) * 2022-05-27 2022-08-26 深信服科技股份有限公司 Attack link detection method and device, electronic equipment and storage medium
CN117235200A (en) * 2023-09-12 2023-12-15 杭州湘云信息技术有限公司 Data integration method and device based on AI technology, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108256063A (en) * 2018-01-15 2018-07-06 中国人民解放军国防科技大学 Knowledge base construction method for network security
CN108933793A (en) * 2018-07-24 2018-12-04 中国人民解放军战略支援部队信息工程大学 The attack drawing generating method and its device of knowledge based map
CN109474567A (en) * 2017-10-19 2019-03-15 公安部第三研究所 DDOS attack source tracing method, device, storage medium and electronic equipment
US10515212B1 (en) * 2016-06-22 2019-12-24 Amazon Technologies, Inc. Tracking sensitive data in a distributed computing environment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8504504B2 (en) * 2008-09-26 2013-08-06 Oracle America, Inc. System and method for distributed denial of service identification and prevention
US9922032B2 (en) * 2013-12-02 2018-03-20 Qbase, LLC Featured co-occurrence knowledge base from a corpus of documents
US10699008B2 (en) * 2017-05-17 2020-06-30 Threatmodeler Software Inc. Threat model chaining and attack simulation systems and related methods
CN107733913A (en) * 2017-11-04 2018-02-23 武汉虹旭信息技术有限责任公司 Based on 5G network attacks traceability system and its method
CN110519264B (en) * 2019-08-26 2022-09-30 奇安信科技集团股份有限公司 Method, device and equipment for tracing attack event

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10515212B1 (en) * 2016-06-22 2019-12-24 Amazon Technologies, Inc. Tracking sensitive data in a distributed computing environment
CN109474567A (en) * 2017-10-19 2019-03-15 公安部第三研究所 DDOS attack source tracing method, device, storage medium and electronic equipment
CN108256063A (en) * 2018-01-15 2018-07-06 中国人民解放军国防科技大学 Knowledge base construction method for network security
CN108933793A (en) * 2018-07-24 2018-12-04 中国人民解放军战略支援部队信息工程大学 Attack graph generation method and device based on a knowledge graph

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on traffic-based attack tracing analysis and protection methods; 谭彬 (Tan Bin); 《电信工程技术与标准化》 (Telecommunications Engineering Technology and Standardization); 2019-12-31; Vol. 32, No. 12; Section 2.5 on page 61 and Section 3.2 on page 63 *

Also Published As

Publication number Publication date
CN111193749A (en) 2020-05-22

Similar Documents

Publication Publication Date Title
CN111193749B (en) Attack tracing method and device, electronic equipment and storage medium
CN106936793B (en) Information interception processing method and terminal
JP6626211B2 (en) Method and apparatus for processing short link and short link server
US20140297727A1 (en) Method, system, server and client device for message synchronizing
CN107809383B (en) MVC-based path mapping method and device
KR102271545B1 (en) Systems and Methods for Domain Generation Algorithm (DGA) Malware Detection
CN111277635B (en) Method, equipment, device and computer medium for accessing external node to block chain
RU2631769C2 (en) Method and device for determining objective of information processing
CN111600850A (en) Method, equipment and storage medium for detecting virtual currency mining
US11088991B2 (en) Firewall device to automatically select a rule required for each individual web server
CN109815112B (en) Data debugging method and device based on functional test and terminal equipment
CN111224878B (en) Route forwarding method and device, electronic equipment and storage medium
CN112657182A (en) Game equipment switching method, device and system and terminal equipment
CN110020272B (en) Caching method and device and computer storage medium
CN106878311B (en) HTTP message rewriting method and device
JP2015026182A (en) Security service effect display system, security service effect display method, and security service effect display program
CN111047434A (en) Operation record generation method and device, computer equipment and storage medium
CN112887451B (en) Domain name resolution method and device and computer equipment
CN106779899A (en) Malicious order identification method and device
US11863583B2 (en) Generating action recommendations for courses of action used for incident response
CN113792232B (en) Page feature calculation method and device, electronic equipment, storage medium and program product
US10652365B2 (en) Robust computing device identification framework
CN111127094B (en) Account matching method and device, electronic equipment and storage medium
CN114185592A (en) Multi-version coexisting target item access method, device, equipment and storage medium
CN111753162A (en) Data crawling method, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant