CN111740855B - Risk identification method, device and equipment based on data migration and storage medium - Google Patents

Info

Publication number
CN111740855B
Authority
CN
China
Prior art keywords
attack
address
public network
attribute
threat
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010374129.4A
Other languages
Chinese (zh)
Other versions
CN111740855A (en)
Inventor
张凯
赵伟
陈兵
刘杰
冀俊宇
周建设
郭苇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Capital Normal University
Original Assignee
Capital Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Capital Normal University
Priority to CN202010374129.4A
Publication of CN111740855A
Application granted
Publication of CN111740855B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Evolutionary Computation (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application relates to a risk identification method, device, equipment and storage medium based on data migration. The risk identification method based on data migration comprises the following steps: acquiring an alarm event log reported by a user device; comparing the alarm event log with threat intelligence data, the threat intelligence data comprising a previously discovered first public network IP address; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, querying the attributes of the first public network IP address from the threat intelligence data; and comparing the attributes of the second public network IP address against the attributes of the first public network IP address, and if the matching value between the two sets of attributes reaches a preset first threshold, judging the second public network IP address to be a risk object. The method and device thereby identify risk objects within the network.

Description

Risk identification method, device and equipment based on data migration and storage medium
Technical Field
The embodiments of the present application relate to the field of computer technology, and in particular to a risk identification method, device, equipment and storage medium based on data migration.
Background
With the development of network technology, devices are increasingly likely to be attacked, and identifying the risk posed by a network behavior is an urgent problem to solve in securing device data.
Disclosure of Invention
To solve the above problem, the present application provides a risk identification method, device, equipment and storage medium based on data migration.
A first aspect of the present application discloses a risk identification method based on data migration, the method including the steps of:
acquiring an alarm event log reported by a user device;
comparing the alarm event log with threat intelligence data, the threat intelligence data comprising a previously discovered first public network IP address;
when the alarm event log comprises a second public network IP address consistent with the first public network IP address, querying the attributes of the first public network IP address from the threat intelligence data;
and comparing the attributes of the second public network IP address against the attributes of the first public network IP address, and if the matching value between the two sets of attributes reaches a preset first threshold, judging the second public network IP address to be a risk object.
In the present application, the alarm event log reported by the user device is acquired and compared with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, the attributes of the first public network IP address are queried from the threat intelligence data and the attributes of the second public network IP address are compared against them; if the matching value between the two sets of attributes reaches the preset first threshold, the second public network IP address is judged to be a risk object.
As an optional implementation, the attributes of the first public network IP address include the number of attack features, the total number of attacks from the IP, and the network type.
As an optional implementation, before acquiring the alarm event log reported by the user device, the method further includes:
acquiring attack means from the ES log;
indexing the attack means by the first public network IP address;
counting the frequency with which the attack means appears in the ES log to obtain a threat value for the attack means;
when the threat value of the attack means reaches a preset second threshold, comparing the attack means with attack group data;
when the attack means matches an attack group in the attack group data, acquiring all attack behaviors of that attack group;
and binding all attack behaviors of the attack group as attributes of the first public network IP address.
As an optional implementation, the attack means is at least one of SQL injection, XSS cross-site scripting, and malicious scanning.
As an optional implementation, before acquiring the attack means from the ES log, the method further includes:
detecting whether an attack on the target or an intranet penetration has occurred;
when an attack on the target or an intranet penetration is detected, collecting the attacker's IP address, attack mode and attack time;
performing feature processing on the attacker's IP address, attack mode and attack time to construct a feature vector model;
and classifying and clustering the feature vector model with a machine learning algorithm, so that the detected attack on the target or intranet penetration is classified as an attack behavior of an attack group.
As an optional implementation, after detecting that an attack on the target or an intranet penetration has occurred, and before collecting the attacker's IP address, attack mode and attack time, the method further includes:
judging whether the attack on the target or the intranet penetration constitutes a threat, and if so, collecting the attacker's IP address, attack mode and attack time.
As an optional implementation, judging whether the attack on the target or the intranet penetration constitutes a threat includes:
judging whether the target server is behaving abnormally, and if so, determining that the attack on the target or the intranet penetration constitutes a threat.
A second aspect of the present application discloses a risk identification device based on data migration, the device comprising:
a first acquisition module, configured to acquire an alarm event log reported by a user device;
a first comparison module, configured to compare the alarm event log with threat intelligence data, the threat intelligence data comprising a previously discovered first public network IP address;
a query module, configured to query the attributes of the first public network IP address from the threat intelligence data when the alarm event log comprises a second public network IP address consistent with the first public network IP address;
and a second comparison module, configured to compare the attributes of the second public network IP address against the attributes of the first public network IP address, and to judge the second public network IP address to be a risk object if the matching value between the two sets of attributes reaches a preset first threshold.
By executing the risk identification method based on data migration, the risk identification device of the second aspect acquires the alarm event log reported by the user device and compares it with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, it queries the attributes of the first public network IP address from the threat intelligence data and compares the attributes of the second public network IP address against them; if the matching value reaches the preset first threshold, the second public network IP address is judged to be a risk object.
A third aspect of the present application discloses a risk identification device based on data migration, the device comprising:
a memory storing executable program code;
a processor coupled to the memory;
wherein the processor calls the executable program code stored in the memory to execute the risk identification method based on data migration disclosed in the first aspect of the present application.
By executing the risk identification method based on data migration, the risk identification device of the third aspect acquires the alarm event log reported by the user device and compares it with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, it queries the attributes of the first public network IP address from the threat intelligence data and compares the attributes of the second public network IP address against them; if the matching value reaches the preset first threshold, the second public network IP address is judged to be a risk object.
A fourth aspect of the present application discloses a computer storage medium storing computer instructions which, when called, execute the risk identification method based on data migration disclosed in the first aspect of the present application.
By executing the risk identification method based on data migration, the computer storage medium of the fourth aspect acquires the alarm event log reported by the user device and compares it with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, it queries the attributes of the first public network IP address from the threat intelligence data and compares the attributes of the second public network IP address against them; if the matching value reaches the preset first threshold, the second public network IP address is judged to be a risk object.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a risk identification method based on data migration according to the first embodiment of the present application;
fig. 2 is a schematic structural diagram of a risk identification device based on data migration according to the second embodiment of the present application;
fig. 3 is a schematic structural diagram of a risk identification device based on data migration according to the third embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," and the like in the description and claims of the present application and in the above drawings are used to distinguish between different objects, not to describe a particular order. Furthermore, the terms "include" and "have," and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, apparatus, or product that comprises a list of steps or elements is not limited to those listed, but may include other steps or elements not listed or inherent to such process, method, apparatus, or product.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
Example one
Referring to fig. 1, fig. 1 is a schematic flowchart of a risk identification method based on data migration according to an embodiment of the present application. As shown in fig. 1, the risk identification method based on data migration in this embodiment includes the following steps:
101. acquiring an alarm event log reported by a user device;
102. comparing the alarm event log with threat intelligence data, the threat intelligence data comprising a previously discovered first public network IP address;
103. when the alarm event log comprises a second public network IP address consistent with the first public network IP address, querying the attributes of the first public network IP address from the threat intelligence data;
104. comparing the attributes of the second public network IP address against the attributes of the first public network IP address, and if the matching value between the two sets of attributes reaches a preset first threshold, judging the second public network IP address to be a risk object.
In this embodiment, the alarm event log reported by the user device is acquired and compared with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, the attributes of the first public network IP address are queried from the threat intelligence data and the attributes of the second public network IP address are compared against them; if the matching value between the two sets of attributes reaches the preset first threshold, the second public network IP address is judged to be a risk object.
As an optional implementation, the attributes of the first public network IP address include the number of attack features, the total number of attacks from the IP, and the network type.
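The following is an added worked example of steps 101 to 104 above (and of the same method as stated in the first aspect), not code from the patent. It correlates constructed alarm-log lines with a constructed threat intelligence table keyed by the "first public network IP address", derives the "second IP" attributes (number of attack features, total attacks, network type) from the log itself, and applies a matching value against the first threshold. The log format (`src=... sig=... net=...`), the field names, the scoring rule and the threshold value are all assumptions; the patent does not define them. One practitioner caveat is built in: the public-address filter is written by hand rather than with `ipaddress.is_global`, because the RFC 5737 documentation ranges used as sample data are flagged non-global by the standard library.

```python
"""Alarm-log to threat-intelligence correlation with attribute matching.

Added example; not code from CN111740855B.  Log format, attribute names,
scoring rule, threshold and all sample data are assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed threat intelligence: known "first public network IP addresses"
# with the three attributes the patent names.  Values are made up.
THREAT_INTEL = {
    "203.0.113.10": {"attack_features": 3, "total_attacks": 5, "network_type": "datacenter"},
    "198.51.100.7": {"attack_features": 1, "total_attacks": 4, "network_type": "residential"},
}

# Constructed alarm event log as a user device might report it.  The
# "src=<ip> sig=<signature> net=<network type>" layout is an assumption.
ALARM_LOG = """\
2020-05-06T01:12:03Z src=203.0.113.10 sig=sqli net=datacenter
2020-05-06T01:12:09Z src=203.0.113.10 sig=xss net=datacenter
2020-05-06T01:13:40Z src=203.0.113.10 sig=scan net=datacenter
2020-05-06T01:14:02Z src=203.0.113.10 sig=sqli net=datacenter
2020-05-06T02:00:00Z src=198.51.100.7 sig=scan net=mobile
2020-05-06T02:00:05Z src=10.0.0.5 sig=sqli net=datacenter
2020-05-06T02:01:00Z src=192.0.2.44 sig=xss net=residential
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) sig=(?P<sig>\S+) net=(?P<net>\S+)")

# Hand-written non-public ranges.  ipaddress.is_global is deliberately not
# used: it would also reject the RFC 5737 documentation ranges in the sample.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def is_public(ip):
    """True for syntactically valid addresses outside NON_PUBLIC."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_PUBLIC)


def observed_attributes(log_text):
    """Attributes of each public source IP seen in the log: distinct attack
    signatures (attack features), alarm count (total attacks), network type."""
    sigs, hits, nets = defaultdict(set), Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not is_public(m["src"]):
            continue
        sigs[m["src"]].add(m["sig"])
        hits[m["src"]] += 1
        nets[m["src"]] = m["net"]
    return {ip: {"attack_features": len(sigs[ip]),
                 "total_attacks": hits[ip],
                 "network_type": nets[ip]} for ip in hits}


def match_value(intel_attr, seen_attr):
    """Matching value in [0, 1]: mean of per-attribute agreement.  Numeric
    attributes use a min/max ratio, network type is an exact match.
    This scoring rule is an assumption, not the patent's."""
    scores = []
    for key in ("attack_features", "total_attacks"):
        a, b = intel_attr[key], seen_attr[key]
        scores.append(min(a, b) / max(a, b) if max(a, b) else 1.0)
    scores.append(1.0 if intel_attr["network_type"] == seen_attr["network_type"] else 0.0)
    return sum(scores) / len(scores)


def identify_risk_objects(log_text, intel, first_threshold=0.6):
    """Steps 101-104: {ip: (matching value, is risk object)} for every public
    IP in the log that is also present in the threat intelligence."""
    results = {}
    for ip, seen in observed_attributes(log_text).items():
        if ip not in intel:            # step 102/103: no intel entry, no verdict
            continue
        score = match_value(intel[ip], seen)   # step 104
        results[ip] = (round(score, 3), score >= first_threshold)
    return results


if __name__ == "__main__":
    for ip, (score, risky) in identify_risk_objects(ALARM_LOG, THREAT_INTEL).items():
        print(f"{ip}: match={score} risk_object={risky}")
```

With the sample data, 203.0.113.10 matches its intelligence entry on all three attributes and is judged a risk object, while 198.51.100.7 appears in the intelligence but its observed volume and network type disagree, so it stays below the threshold; 10.0.0.5 is dropped as non-public and 192.0.2.44 has no intelligence entry at all.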
As an optional implementation, before acquiring the alarm event log reported by the user device, the method further includes:
acquiring attack means from the ES log;
indexing the attack means by the first public network IP address;
counting the frequency with which the attack means appears in the ES log to obtain a threat value for the attack means;
when the threat value of the attack means reaches a preset second threshold, comparing the attack means with attack group data;
when the attack means matches an attack group in the attack group data, acquiring all attack behaviors of that attack group;
and binding all attack behaviors of the attack group as attributes of the first public network IP address.
As an optional implementation, the attack means is at least one of SQL injection, XSS cross-site scripting, and malicious scanning.
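The following is an added example of the optional pre-processing step just described (it also covers the identical wording in the first aspect), not code from the patent. It indexes attack means by source IP from constructed log records, turns frequency into a threat value, compares the means that clear the second threshold with a constructed attack group table, and binds the matched group's full behavior list to the IP. "ES" is taken here to mean Elasticsearch, and the records are shaped like search-hit `_source` documents; that reading, the field names, the threat-value formula, the group data and the threshold are all assumptions. A minimum event count is added as a practitioner caveat: a frequency share computed over a single event is always 1.0 and would otherwise bind a group on one observation.

```python
"""Deriving threat-intelligence attributes from attack-means frequency.

Added example; not code from CN111740855B.  Field names, threat-value
formula, attack group data, thresholds and sample records are assumptions.
"""
from collections import Counter, defaultdict

# Constructed log records shaped like Elasticsearch hit _source documents.
ES_LOG = [
    {"src_ip": "203.0.113.10", "attack": "sql_injection"},
    {"src_ip": "203.0.113.10", "attack": "sql_injection"},
    {"src_ip": "203.0.113.10", "attack": "xss"},
    {"src_ip": "203.0.113.10", "attack": "sql_injection"},
    {"src_ip": "203.0.113.10", "attack": "malicious_scan"},
    {"src_ip": "198.51.100.7", "attack": "malicious_scan"},
    {"src_ip": "192.0.2.44",   "attack": "xss"},
]

# Constructed attack group data: the means each group is known for, and the
# fuller list of behaviors attributed to it.
ATTACK_GROUPS = {
    "group-A": {"means": {"sql_injection", "xss"},
                "behaviors": ["sql_injection", "xss", "webshell_upload", "credential_dump"]},
    "group-B": {"means": {"malicious_scan"},
                "behaviors": ["malicious_scan", "brute_force"]},
}


def index_attack_means(records):
    """Index attack means by source IP: {ip: Counter(attack -> occurrences)}."""
    index = defaultdict(Counter)
    for rec in records:
        index[rec["src_ip"]][rec["attack"]] += 1
    return index


def threat_value(counts):
    """Threat value of each attack means = its share of that IP's events
    (3 of 5 events -> 0.6).  Assumed formula."""
    total = sum(counts.values())
    return {means: n / total for means, n in counts.items()}


def match_group(means_set, groups):
    """Group whose known means overlap the observed set the most; None if no
    overlap at all."""
    best, best_overlap = None, 0
    for name, g in groups.items():
        overlap = len(means_set & g["means"])
        if overlap > best_overlap:
            best, best_overlap = name, overlap
    return best


def build_ip_attributes(records, groups, second_threshold=0.5, min_events=2):
    """Per IP: threat values, the matched attack group (if any), and the
    behaviors bound as the IP's attributes.  Means only count toward a group
    match when their threat value reaches second_threshold and the IP has at
    least min_events records (a single event would otherwise score 1.0)."""
    attributes = {}
    for ip, counts in index_attack_means(records).items():
        tv = threat_value(counts)
        total = sum(counts.values())
        significant = {m for m, v in tv.items() if v >= second_threshold} if total >= min_events else set()
        group = match_group(significant, groups) if significant else None
        attributes[ip] = {
            "threat_values": {m: round(v, 2) for m, v in tv.items()},
            "attack_group": group,
            # Matched group: bind every behavior the group is known for.
            # No match: only what was actually observed from this IP.
            "behaviors": sorted(groups[group]["behaviors"]) if group else sorted(counts),
        }
    return attributes


if __name__ == "__main__":
    for ip, attr in build_ip_attributes(ES_LOG, ATTACK_GROUPS).items():
        print(ip, attr)
```

On the sample records only 203.0.113.10 has enough events for its dominant means (SQL injection, threat value 0.6) to clear the threshold; it is bound to group-A and inherits behaviors (webshell upload, credential dumping) that were never observed from that address, which is exactly the "migration" of intelligence attributes onto the IP. The two single-event addresses keep only their observed means.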
As an optional implementation, before acquiring the attack means from the ES log, the method further includes:
detecting whether an attack on the target or an intranet penetration has occurred;
when an attack on the target or an intranet penetration is detected, collecting the attacker's IP address, attack mode and attack time;
performing feature processing on the attacker's IP address, attack mode and attack time to construct a feature vector model;
and classifying and clustering the feature vector model with a machine learning algorithm, so that the detected attack on the target or intranet penetration is classified as an attack behavior of an attack group.
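The following is an added example of the feature processing and clustering step above (the same step is stated in the first aspect), not code from the patent. It encodes constructed events of the form (attacker IP, attack mode, attack time) as numeric feature vectors and clusters them with a plain k-means, so that events from the same address block, using the same attack mode in the same time window, fall into one candidate attack group. The patent names no encoding or algorithm; the octet scaling, the one-hot attack mode, the circular encoding of the hour of day, k-means with farthest-first seeding, and the sample events are all assumptions. The implementation is pure standard library so it runs offline.

```python
"""Feature vectors from (attacker IP, attack mode, attack time) and k-means
clustering into candidate attack groups.

Added example; not code from CN111740855B.  Feature encoding, algorithm
choice and sample events are assumptions.
"""
import math
from datetime import datetime

ATTACK_MODES = ["sql_injection", "xss", "malicious_scan"]

# Constructed events: two bursts from two /24s, different modes, different
# hours, which should separate into two clusters.
EVENTS = [
    ("203.0.113.10", "sql_injection",  "2020-05-06T01:12:03"),
    ("203.0.113.11", "sql_injection",  "2020-05-06T01:40:00"),
    ("203.0.113.12", "xss",            "2020-05-06T02:05:00"),
    ("198.51.100.7", "malicious_scan", "2020-05-06T14:00:00"),
    ("198.51.100.8", "malicious_scan", "2020-05-06T14:30:00"),
    ("198.51.100.9", "malicious_scan", "2020-05-06T15:10:00"),
]


def featurize(ip, mode, ts):
    """One event -> 8 components, each in [0, 1]: first three octets (so
    neighbouring addresses are close), one-hot attack mode, and the hour of
    day placed on a circle so 23:00 and 00:00 are adjacent."""
    octets = [int(o) / 255 for o in ip.split(".")[:3]]
    one_hot = [1.0 if mode == m else 0.0 for m in ATTACK_MODES]
    dt = datetime.fromisoformat(ts)
    angle = 2 * math.pi * (dt.hour + dt.minute / 60) / 24
    return octets + one_hot + [(math.cos(angle) + 1) / 2, (math.sin(angle) + 1) / 2]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors, k, rounds=20):
    """Plain k-means.  Seeding is deterministic (first vector, then the
    farthest from the chosen centroids) so results are reproducible.
    Returns one cluster label per input vector."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        centroids.append(max(vectors, key=lambda v: min(_dist(v, c) for c in centroids)))
    labels = [0] * len(vectors)
    for _ in range(rounds):
        new = [min(range(k), key=lambda i: _dist(v, centroids[i])) for v in vectors]
        if new == labels:
            break
        labels = new
        for i in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == i]
            if members:
                centroids[i] = [sum(col) / len(col) for col in zip(*members)]
    return labels


def cluster_events(events, k=2):
    """Cluster events and return {label: [attacker IPs]}; each cluster is a
    candidate attack group whose members share address block, mode and time."""
    labels = kmeans([featurize(*e) for e in events], k)
    groups = {}
    for (ip, _, _), label in zip(events, labels):
        groups.setdefault(label, []).append(ip)
    return groups


if __name__ == "__main__":
    for label, ips in cluster_events(EVENTS).items():
        print(f"candidate group {label}: {ips}")
```

The choice of k is the weak point of any k-means grouping and is fixed at 2 here because the sample was built that way; on real data a practitioner would pick it from a silhouette or elbow criterion, or switch to a density-based method that does not need k at all.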
As an optional implementation, after detecting that an attack on the target or an intranet penetration has occurred, and before collecting the attacker's IP address, attack mode and attack time, the method further includes:
judging whether the attack on the target or the intranet penetration constitutes a threat, and if so, collecting the attacker's IP address, attack mode and attack time.
As an optional implementation, judging whether the attack on the target or the intranet penetration constitutes a threat includes:
judging whether the target server is behaving abnormally, and if so, determining that the attack on the target or the intranet penetration constitutes a threat.
Example two
Referring to fig. 2, fig. 2 is a schematic structural diagram of a risk identification device based on data migration according to an embodiment of the present application. As shown in fig. 2, the risk identification device based on data migration in this embodiment includes a first acquisition module 201, a first comparison module 202, a query module 203, and a second comparison module 204, where:
the first acquisition module 201 is configured to acquire an alarm event log reported by a user device;
the first comparison module 202 is configured to compare the alarm event log with threat intelligence data, the threat intelligence data comprising a previously discovered first public network IP address;
the query module 203 is configured to query the attributes of the first public network IP address from the threat intelligence data when the alarm event log comprises a second public network IP address consistent with the first public network IP address;
and the second comparison module 204 is configured to compare the attributes of the second public network IP address against the attributes of the first public network IP address, and to judge the second public network IP address to be a risk object if the matching value between the two sets of attributes reaches a preset first threshold.
As an optional implementation, the attributes of the first public network IP address include the number of attack features, the total number of attacks from the IP, and the network type.
As an optional implementation, the risk identification device based on data migration of this embodiment further includes a second acquisition module, an indexing module, a statistics module, a third comparison module, a third acquisition module, and a binding module, where:
the second acquisition module is configured to acquire attack means from the ES log;
the indexing module is configured to index the attack means by the first public network IP address;
the statistics module is configured to count the frequency with which the attack means appears in the ES log to obtain a threat value for the attack means;
the third comparison module is configured to compare the attack means with attack group data when the threat value of the attack means reaches a preset second threshold;
the third acquisition module is configured to acquire all attack behaviors of an attack group when the attack means matches that attack group in the attack group data;
and the binding module is configured to bind all attack behaviors of the attack group as attributes of the first public network IP address.
As an optional implementation, the attack means is at least one of SQL injection, XSS cross-site scripting, and malicious scanning.
As an optional implementation, the risk identification device based on data migration of this embodiment further includes a detection module, a collection module, a feature processing module, and a classification module, where:
the detection module is configured to detect whether an attack on the target or an intranet penetration has occurred;
the collection module is configured to collect the attacker's IP address, attack mode and attack time when an attack on the target or an intranet penetration is detected;
the feature processing module is configured to perform feature processing on the attacker's IP address, attack mode and attack time to construct a feature vector model;
and the classification module is configured to classify and cluster the feature vector model with a machine learning algorithm, so that the detected attack on the target or intranet penetration is classified as an attack behavior of an attack group.
As an optional implementation, the risk identification device based on data migration of this embodiment further includes a judging module, where:
the judging module is configured to judge whether the attack on the target or the intranet penetration constitutes a threat, and if so, to trigger collection of the attacker's IP address, attack mode and attack time.
As an optional implementation, the judging module judges whether the attack on the target or the intranet penetration constitutes a threat as follows:
judging whether the target server is behaving abnormally, and if so, determining that the attack on the target or the intranet penetration constitutes a threat.
By executing the risk identification method based on data migration, the risk identification device of this embodiment acquires the alarm event log reported by the user device and compares it with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, it queries the attributes of the first public network IP address from the threat intelligence data and compares the attributes of the second public network IP address against them; if the matching value reaches the preset first threshold, the second public network IP address is judged to be a risk object.
Example three
This embodiment discloses a risk identification device based on data migration. The risk identification device based on data migration in this embodiment comprises:
a memory storing executable program code;
a processor coupled to the memory;
wherein the processor calls the executable program code stored in the memory to execute the risk identification method based on data migration.
By executing the risk identification method based on data migration, the risk identification device of this embodiment acquires the alarm event log reported by the user device and compares it with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, it queries the attributes of the first public network IP address from the threat intelligence data and compares the attributes of the second public network IP address against them; if the matching value reaches the preset first threshold, the second public network IP address is judged to be a risk object.
Example four
This embodiment discloses a computer storage medium storing computer instructions for executing the risk identification method based on data migration.
By executing the risk identification method based on data migration, the computer storage medium of this embodiment acquires the alarm event log reported by the user device and compares it with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, it queries the attributes of the first public network IP address from the threat intelligence data and compares the attributes of the second public network IP address against them; if the matching value reaches the preset first threshold, the second public network IP address is judged to be a risk object.
Example five
The fifth embodiment discloses a computer program product comprising a non-transitory computer-readable storage medium storing a computer program, the computer program being operable to cause a computer to perform the risk identification method based on data migration disclosed in the first aspect of the present application.
By executing the risk identification method based on data migration, the computer program product of this embodiment acquires the alarm event log reported by the user device and compares it with the threat intelligence data; when the alarm event log comprises a second public network IP address consistent with the first public network IP address, it queries the attributes of the first public network IP address from the threat intelligence data and compares the attributes of the second public network IP address against them; if the matching value reaches the preset first threshold, the second public network IP address is judged to be a risk object.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable memory. Based on this understanding, the technical solution of the present application in essence, the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned memory includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable memory, such as a flash memory disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic or optical disk, and the like.
The foregoing detailed description of the embodiments of the present application has been presented to illustrate the principles and implementations of the present application; the above description of the embodiments is only provided to help understand the method and the core concept of the present application. A person skilled in the art may, following the idea of the present application, vary the specific embodiments and the application scope. In summary, the content of the present specification should not be construed as a limitation of the present application.

Claims (9)

1. A risk identification method based on data migration is characterized by comprising the following steps:
acquiring an attack means in the ES log;
indexing the attack means with a first public network IP address;
counting according to the frequency of the attack means appearing in the ES log to obtain a threat value of the attack means;
when the threat value of the attack means reaches a preset second threshold value, comparing the attack means with attack group data;
when the attack means is matched with one attack object in the attack object data, acquiring all attack behaviors of the attack object;
binding all attack behaviors of the attack object to be attributes of the first public network IP address;
acquiring an alarm event log reported by a using device;
comparing the alarm event log with threat intelligence data, wherein the threat intelligence data comprises a discovered first public network IP address;
when the alarm event log comprises a second public network IP address consistent with the first public network IP address, inquiring the attribute of the first public network IP address from threat intelligence data;
and comparing the attribute of the second public network IP address according to the attribute of the first public network IP address, and if the matching value of the attribute of the first public network IP address and the attribute of the second public network IP address reaches a preset first threshold value, judging that the second public network IP address is a risk object.
2. The method of claim 1, wherein the attributes of the first public network IP address include the number of attack signatures, the aggregate number of attacks from the IP, and the network type.
3. The method of claim 1, wherein the attacking means is at least one of SQL injection behavior, XSS cross-site behavior, malicious scanning behavior.
4. The method of claim 1, wherein before said acquiring of the attack means in the ES log, the method further comprises:
detecting whether a target attack behavior occurs or an intranet penetration behavior occurs;
when a target attack or an intranet penetration behavior is detected, acquiring an IP address of an attacker, an attack mode and attack time;
performing feature processing on the IP address of the attacker, the attack mode and the attack time to construct a feature vector model;
and classifying and clustering the feature vector model according to a machine learning algorithm so as to classify the target attack occurrence or the intranet penetration behavior into an attack behavior of the attack group.
5. The method according to claim 4, wherein after a target attack or intranet penetration behavior is detected, and before the IP address of the attacker, the attack mode and the attack time are acquired, the method further comprises:
and judging whether the target attack occurs or the intranet penetration behavior forms a threat, and if so, executing acquisition of an IP address of an attacker, an attack mode and attack time.
6. The method of claim 5, wherein said determining whether said target attack occurrence or said intranet penetration behavior constitutes a threat comprises:
and judging whether the target server is abnormal or not, and if so, determining that the target attack occurs or the intranet penetration behavior forms a threat.
7. An apparatus for risk identification based on data migration, the apparatus comprising:
the first acquisition module is used for acquiring an alarm event log reported by user equipment;
the second acquisition module is used for acquiring the attack means in the ES log;
the index module is used for indexing the attack means and a first public network IP address;
the statistic module is used for carrying out statistics according to the frequency of the attack means appearing in the ES log so as to obtain a threat value of the attack means;
the third comparison module is used for comparing the attack means with the attack group data when the threat value of the attack means reaches a preset second threshold value;
the third acquisition module is used for acquiring all attack behaviors of the attack object when the attack means is matched with one attack object in the attack object data;
the binding module is used for binding all attack behaviors of the attack object into the attribute of the first public network IP address;
the first comparison module is used for comparing the alarm event log with threat information data, wherein the threat information data comprises the discovered first public network IP address;
the query module is used for querying the attribute of the first public network IP address from threat intelligence data when the alarm event log comprises a second public network IP address consistent with the first public network IP address;
and the second comparison module is used for comparing the attribute of the second public network IP address according to the attribute of the first public network IP address, and if the matching value of the attribute of the first public network IP address and the attribute of the second public network IP address reaches a preset first threshold value, judging that the second public network IP address is a risk object.
8. A risk identification device based on data migration, the device comprising:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program code stored in the memory to execute the risk identification method based on data migration according to any one of claims 1-7.
9. A computer storage medium storing computer instructions which, when invoked, perform a risk identification method based on data migration according to any one of claims 1 to 7.
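The following is an added worked example of the pipeline in claims 1 and 2, written for this page and not code from the patent or its applicant. It uses constructed sample data (an ES log, attack group data, a network-type lookup and an alarm event log); the threshold values, the shape of the records and the scoring rule in `matching_value` (one point per agreeing attribute: attack signatures, aggregate attack count, network type) are all assumptions, since the claims name the attributes and thresholds but not their concrete values.

```python
from collections import Counter, defaultdict

# Constructed sample ES log entries: (public network IP address, detected attack means).
# The addresses are from documentation ranges; the data is made up for this example.
ES_LOG = [
    ("203.0.113.10", "sql_injection"),
    ("203.0.113.10", "sql_injection"),
    ("203.0.113.10", "malicious_scan"),
    ("203.0.113.10", "sql_injection"),
    ("198.51.100.7", "xss"),
]

# Constructed attack group data: group -> all attack behaviours known for that group.
ATTACK_GROUPS = {
    "group_A": {"sql_injection", "malicious_scan", "webshell_upload"},
    "group_B": {"xss"},
}

# Constructed network type per IP (the claim-2 "network type" attribute); assumed lookup.
NETWORK_TYPE = {"203.0.113.10": "idc", "198.51.100.7": "broadband"}

SECOND_THRESHOLD = 3  # threat value an attack means must reach before group comparison (assumed)
FIRST_THRESHOLD = 2   # attribute matching value at which an IP is judged a risk object (assumed)
REPEAT_MIN = 2        # assumed rule: aggregate count "matches" when the alarm side shows repeats


def build_threat_intel(es_log, attack_groups, second_threshold):
    """Claim 1, steps 1-6: index each attack means by its public IP, use its
    frequency in the ES log as the threat value, compare means that reach the
    second threshold with attack group data, and bind all behaviours of the
    matched group to the IP as its attributes."""
    per_ip = defaultdict(Counter)
    for ip, means in es_log:
        per_ip[ip][means] += 1            # frequency == threat value of that means

    intel = {}
    for ip, counts in per_ip.items():
        attrs = {
            "attack_signatures": set(),
            "aggregate_attacks": sum(counts.values()),
            "network_type": NETWORK_TYPE.get(ip, "unknown"),
        }
        for means, threat_value in counts.items():
            if threat_value < second_threshold:
                continue
            for group, behaviours in attack_groups.items():
                if means in behaviours:
                    attrs["attack_signatures"] |= behaviours
                    attrs["group"] = group
        if attrs["attack_signatures"]:    # only IPs matched to a group become intel
            intel[ip] = attrs
    return intel


def alarm_attributes(alarm_log, ip):
    """Attributes of the alarm-side (second) IP, in the same shape as an intel entry."""
    events = [e for e in alarm_log if e["src_ip"] == ip]
    return {
        "attack_signatures": {e["signature"] for e in events},
        "aggregate_attacks": len(events),
        "network_type": events[0]["network_type"] if events else "unknown",
    }


def matching_value(intel_attrs, alarm_attrs):
    """Assumed scoring rule: one point per claim-2 attribute that agrees."""
    score = 0
    if alarm_attrs["attack_signatures"] & intel_attrs["attack_signatures"]:
        score += 1
    if alarm_attrs["aggregate_attacks"] >= REPEAT_MIN:
        score += 1
    if alarm_attrs["network_type"] == intel_attrs["network_type"]:
        score += 1
    return score


def identify_risk_objects(alarm_log, intel, first_threshold):
    """Claim 1, steps 7-10: compare the alarm log with the threat intelligence;
    for every second IP consistent with a first IP, compare attributes and
    flag the IP when the matching value reaches the first threshold."""
    risk_objects = {}
    for ip in sorted({e["src_ip"] for e in alarm_log}):
        if ip not in intel:               # no consistent first public network IP
            continue
        score = matching_value(intel[ip], alarm_attributes(alarm_log, ip))
        if score >= first_threshold:
            risk_objects[ip] = score
    return risk_objects


# Constructed alarm event log as reported by user equipment.
ALARM_LOG = [
    {"src_ip": "203.0.113.10", "signature": "sql_injection", "network_type": "idc"},
    {"src_ip": "203.0.113.10", "signature": "webshell_upload", "network_type": "idc"},
    {"src_ip": "198.51.100.7", "signature": "xss", "network_type": "broadband"},
    {"src_ip": "192.0.2.44", "signature": "xss", "network_type": "broadband"},
]

if __name__ == "__main__":
    intel = build_threat_intel(ES_LOG, ATTACK_GROUPS, SECOND_THRESHOLD)
    print(identify_risk_objects(ALARM_LOG, intel, FIRST_THRESHOLD))
```

With this data only 203.0.113.10 is flagged: its SQL injection count reaches the second threshold, it is matched to group_A, and all three attributes agree with the alarm log. The single XSS event from 198.51.100.7 never reaches the second threshold, so that IP never enters the threat intelligence and its alarm is not escalated, and 192.0.2.44 has no consistent first public network IP at all. That is the filtering behaviour the two thresholds in claim 1 are there to provide.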

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010374129.4A CN111740855B (en) 2020-05-06 2020-05-06 Risk identification method, device and equipment based on data migration and storage medium

Publications (2)

Publication Number Publication Date
CN111740855A CN111740855A (en) 2020-10-02
CN111740855B true CN111740855B (en) 2023-04-18

Family

ID=72646977

Country Status (1)

Country Link
CN (1) CN111740855B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009135396A1 (en) * 2008-05-09 2009-11-12 成都市华为赛门铁克科技有限公司 Network attack processing method, processing device and network analyzing and monitoring center
CN108173884A (en) * 2018-03-20 2018-06-15 国家计算机网络与信息安全管理中心 Based on network attack with the ddos attack population analysis method of behavior
CN110912861A (en) * 2018-09-18 2020-03-24 北京数安鑫云信息技术有限公司 AI detection method and device for deeply tracking group attack behavior

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468632A (en) * 2014-12-31 2015-03-25 北京奇虎科技有限公司 Loophole attack prevention method, device and system
CN106790292A (en) * 2017-03-13 2017-05-31 摩贝(上海)生物科技有限公司 The web application layer attacks detection and defence method of Behavior-based control characteristic matching and analysis
CN107819783A (en) * 2017-11-27 2018-03-20 深信服科技股份有限公司 A kind of network security detection method and system based on threat information
CN109873811A (en) * 2019-01-16 2019-06-11 光通天下网络科技股份有限公司 Network safety protection method and its network security protection system based on attack IP portrait
CN110266670A (en) * 2019-06-06 2019-09-20 深圳前海微众银行股份有限公司 A kind of processing method and processing device of terminal network external connection behavior
CN110213108A (en) * 2019-06-11 2019-09-06 四川久远国基科技有限公司 A kind of network security situation awareness method for early warning and system
CN110719291B (en) * 2019-10-16 2022-10-14 杭州安恒信息技术股份有限公司 Network threat identification method and identification system based on threat information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant