CN111935192A - Network attack event tracing processing method, device, equipment and storage medium

Publication number
CN111935192A
Authority
CN
China
Prior art keywords
attack
network
threat
tracing
network attack
Prior art date
Legal status
Granted
Application number
CN202011082874.8A
Other languages
Chinese (zh)
Other versions
CN111935192B (en)
Inventor
张婵娟
廖湘平
邓永
董文辉
杨耀荣
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202011082874.8A
Publication of CN111935192A
Application granted
Publication of CN111935192B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The present application relates to the field of network security technologies, and in particular to a method, apparatus, device and storage medium for tracing the source of a network attack event. The method comprises: acquiring network attack clues related to a network attack event to be traced; mining intelligence from the network attack clues on the basis of a constructed network threat association model to obtain threat intelligence related to the network attack event; taking the network attack clues and the threat intelligence as the attack behavior elements corresponding to the network attack event, and constructing a tracing analysis model containing the association relations among the attack behavior elements; and determining a tracing path according to the association relations between the target attack behavior elements in the tracing analysis model, and tracing the network attack event along the tracing path to obtain a tracing result. With this method the network attack event can be tracked and traced accurately, so that the security of the computer communication network is improved.

Description

Network attack event tracing processing method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for processing a network attack event.
Background
With the development of network technology, network security technology has emerged. It is used to maintain the security of computer communication networks, mainly the normal operation of the network's hardware and software and the security of the data exchanged over it. In practice, frequently occurring network attack behavior poses a hidden danger to system security, and tracing the source of a network attack event is a common and effective means of countering such behavior.
At present, the tracing methods for a network attack event are mainly: analyzing the IP addresses used by the attacker, analyzing the domain name information used by the attacker, analyzing the behavior logs left after the attacker has compromised a host, analyzing full network traffic, and performing homology analysis of malicious code.
However, each of these methods analyzes along a single dimension, so it cannot trace the source of a network attack event accurately and effectively.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a network attack event tracing processing method, apparatus, device and storage medium capable of improving the accuracy of tracing the network attack event.
A network attack event tracing processing method comprises the following steps:
acquiring network attack clues related to a network attack event to be traced;
mining intelligence from the network attack clues on the basis of the threat elements corresponding to the network attack clues in a constructed network threat association model and the association relations between the threat elements in that model, to obtain threat intelligence related to the network attack event;
taking the network attack clues and the threat intelligence as the attack behavior elements corresponding to the network attack event, and constructing a tracing analysis model containing the association relations between the attack behavior elements;
and determining a tracing path according to the association relations between the target attack behavior elements in the tracing analysis model, and tracing the network attack event along the tracing path to obtain a tracing result of the network attack event.
A network attack event tracing apparatus comprises:
a network attack clue acquisition module, configured to acquire network attack clues related to a network attack event to be traced;
an intelligence feature extraction and analysis module, configured to mine intelligence from the network attack clues on the basis of the threat elements corresponding to the network attack clues in a constructed network threat association model and the association relations between the threat elements in that model, to obtain threat intelligence related to the network attack event;
a tracing analysis model building module, configured to take the network attack clues and the threat intelligence as the attack behavior elements corresponding to the network attack event and to build a tracing analysis model containing the association relations between the attack behavior elements;
and a tracing module, configured to determine a tracing path according to the association relations between the target attack behavior elements in the tracing analysis model and to trace the network attack event along the tracing path to obtain a tracing result of the network attack event.
A computer device comprises a memory and a processor, the memory storing a computer program which, when executed by the processor, carries out the steps of the network attack event tracing processing method set out above: acquiring the network attack clues related to the network attack event to be traced; mining threat intelligence from the clues on the basis of the threat elements corresponding to them in the constructed network threat association model and the association relations between those threat elements; taking the clues and the threat intelligence as the attack behavior elements of the event and constructing the tracing analysis model containing the association relations between them; and determining the tracing path from the association relations between the target attack behavior elements and tracing the network attack event along it to obtain the tracing result.
A computer-readable storage medium stores a computer program which, when executed by a processor, carries out the same steps.
With the above method, apparatus, device and storage medium, after the network attack clues related to the network attack event to be traced are acquired, intelligence is mined from the clues on the basis of the threat elements corresponding to them in the constructed network threat association model and the association relations between those threat elements, so that threat intelligence related to the event is mined from multiple dimensions. The network attack clues and the threat intelligence are then taken as the attack behavior elements of the event, a tracing analysis model containing the association relations between those elements is constructed, a tracing path is determined from the association relations between the target attack behavior elements, and the network attack event is traced along that path to obtain the tracing result. Tracing from a network attack clue in this way mines tracing information of multiple dimensions related to the clue, and comprehensive analysis of the association relations between the clue and the mined multi-dimensional information yields an accurate trace of the network attack event.
Drawings
FIG. 1 is a diagram of an application environment of a method for tracing a source of a network attack event in an embodiment;
FIG. 2 is a flowchart illustrating a method for tracing a network attack event according to an embodiment;
FIG. 3 is a schematic diagram of a hierarchy of threat intelligence data in one embodiment;
FIG. 4 is a diagram of time-dimension threat intelligence data in one embodiment;
FIG. 5 is a diagram of spatial dimension threat intelligence data in one embodiment;
FIG. 6 is a diagram illustrating image dimension threat intelligence data in one embodiment;
FIG. 7 is a schematic diagram of a branch of a threat intelligence tree, according to an embodiment;
FIG. 8 is a diagram of a multi-dimensional threat intelligence tree, in accordance with an embodiment;
FIG. 9 is a diagram illustrating a threat intelligence tree corresponding to the traceability analysis model in one embodiment;
FIG. 10 is a flowchart illustrating the tracing step according to the tracing analysis model in one embodiment;
FIG. 11 is a diagram of a traceability analysis model in one embodiment;
FIG. 12 is a diagram illustrating the tracing results in one embodiment;
FIG. 13 is a schematic flowchart of a method for tracing a network attack event source in another embodiment;
FIG. 14 is a schematic flowchart of another method for tracing network attack events in an application scenario;
FIG. 15 is a block diagram illustrating an exemplary embodiment of a device for tracing network attack events;
FIG. 16 is a block diagram of a device for tracing network attack events according to another embodiment;
FIG. 17 is a diagram showing an internal structure of a computer device in one embodiment;
FIG. 18 is a diagram showing an internal structure of a computer device in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The network attack event tracing processing method provided by the application can be applied to the application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The network attack event tracing processing method provided by the embodiments of the present application can be executed independently by the terminal 102 or the server 104, or can be executed cooperatively by the terminal 102 and the server 104. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, a cloud function, cloud storage, network service, cloud communication, middleware service, domain name service, security service, CDN, big data and artificial intelligence platform. The terminal may be, but is not limited to, a smart phone, a tablet computer, a laptop computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
It should be noted that in some application scenarios, when the server is a cloud server, the present application may be deployed on a cloud computing platform to provide a security service to users; in that case the present application falls within cloud security technology. Cloud security is a generic term for the security software, hardware, users, organizations and secure cloud platforms built on the cloud computing business model. It integrates technologies and concepts such as parallel processing, grid computing and behavior-based detection of unknown viruses: abnormal software behavior in the network is monitored through a large number of meshed clients, the latest information on trojans and malicious programs on the internet is collected and sent to the server for automatic analysis and processing, and the resulting virus and trojan remedies are distributed to each client.
The main research directions of cloud security include:
1. Cloud computing security, which studies how to guarantee the security of the cloud and of the applications on it, including the security of the cloud computer system, secure storage and isolation of user data, user access authentication, security of information transmission, protection against network attacks, and compliance auditing.
2. Cloud-based security infrastructure, which studies how cloud computing can be used to build and integrate security infrastructure resources and optimize protection mechanisms, including constructing a very-large-scale security event and information collection and processing platform on cloud computing technology, collecting and correlating massive amounts of information, and improving the ability to handle security events and control risk across the whole network.
3. Cloud security services, which studies the security services, such as anti-virus services, that are provided to users on a cloud computing platform.
In other application scenarios the server may instead be a physical server that provides the network protection function to users.
In one embodiment, as shown in fig. 2, a method for tracing the source of a network attack event is provided. It is described as applied to a computer device in fig. 1 (such as the terminal 102 or the server 104), and includes the following steps:
s202, network attack clues relevant to the network attack events to be traced are obtained.
A network attack event is an event formed by a series of related network attack behaviors, which usually have a tactical relationship with one another. For example, a network attack event may include behaviors from different stages, such as External Remote Services in the Initial Access stage, Accessibility Features in the Privilege Escalation stage, and Input Capture in the Collection stage (the stage and behavior names here are the tactic and technique names of the MITRE ATT&CK framework). The behaviors of the different stages are related by context and together form a complete network attack event; that is, at least one network attack behavior occurs in any complete network attack event. A network attack behavior is malicious network behavior that may bring a security risk to the system and must be identified and prevented.
Network attack clues are information related to the network attack event that can be used to trace it. They comprise data related to the attack source of the event and threat intelligence extracted from that data, such as tactical intelligence. The data related to the attack source comprises the attack behavior data generated by the malicious attacker's behavior and the basic information of the attack source.
In one embodiment, a network device generates network communication related data while operating and stores it. According to the data generated within a certain period and one or more clues discovered by security personnel when the attack occurred, the network device transmits the network communication related data to the computer device for processing, and the computer device extracts from it the network attack clues related to the network attack event to be traced.
The network device may be at least one of a switch, a router or a host device; in this embodiment the host device is the attacked party in the network attack event. Network communication related data is the data the network device generates during data communication, and includes communication data and log data. The communication data may be communication between different devices or between different programs or processes on the same device, which is not limited in this embodiment; it may include the network traffic generated during communication as well as the process data or thread data generated when the host device runs. The network traffic data may be the packets forwarded by a switch. The process data includes the process name and the result obtained after the process executes; the thread data likewise includes the thread name and the result obtained after the thread executes. The log data records the operating state of the host device and includes hardware state logs and application system logs. Hardware state logs include the CPU or memory usage of the host device; application system logs include the log data generated by the operating system and application programs while running.
In one embodiment, the computer device extracts the network attack clues related to the network attack event to be traced from the network communication related data as follows, although other ways are not excluded: after receiving the network communication related data generated while the network device operates, the computer device performs attack detection on it according to preset attack indicators, determines the attacker related to the network attack event, and determines the network attack clues of the event to be traced from the data related to that attacker in the network communication related data. For example, when the data related to the attacker consists of the logs of each device along the attack chain and the security personnel's description of the network attack event, the network attack clues can be determined from that data.
The attack indicators are preset indicators for detecting whether a network attack event has occurred, and may in particular be Indicators of Compromise (IOCs) such as malicious file hashes, IP addresses and domain names. For example, the computer device performs IOC detection on the log data and, when one or more of a malicious file hash, IP address or domain name is found, raises an alarm, that is, determines that a network attack event has occurred. The threat factors used for attack detection (also called attack indicators) can also be adjusted dynamically according to actual service requirements. For example, the attack indicator may be a traffic indicator: when the network traffic within a preset time exceeds the threshold set by the indicator, or the traffic matches the characteristics of a known malicious attack, a network attack event is sensed. Or the attack indicator may be a set of malicious behavior keywords: the computer device performs behavior detection on the log data of device operation and, when such a keyword is detected, determines that a network attack event has occurred.
In one embodiment, the computer device performs attack detection and situational awareness on the network communication related data according to preset security attack features; after detecting the attack source related to the network attack event it extracts the data related to that attack source from the network communication related data and determines that data directly as the network attack clues of the network attack event to be traced.
In one embodiment, the computer device performs attack detection on the network communication related data according to the preset attack indicators, determines the attack source related to the network attack event, performs tactical intelligence analysis on the data related to the attack source using an established threat intelligence knowledge base and open-source threat intelligence to obtain tactical intelligence related to the network attack event to be traced, and determines that tactical intelligence as the network attack clues of the event. The threat intelligence knowledge base can be built up from daily accumulation.
For example, the data related to the attack source acquired by the computer device is the attack behavior data of the attack source; tactical intelligence analysis of that behavior data against the threat intelligence knowledge yields TTP intelligence, which is determined as the attack clue of the network attack event to be traced. TTP (Tactics, Techniques and Procedures) is an important index for describing advanced threat organizations and their attacks. Tactics are the high-level description of what a threat actor is trying to accomplish; Techniques are the detailed description of the behaviors or actions that realize a tactic; Procedures are the technical details or instructions for how the threat actor applies a technique to achieve its goal.
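The attack detection of step S202 as an added worked example in Python (illustrative code written for this page, not code from the patent): IOC matching of file hashes, IP addresses and domain names against log data, a traffic-threshold indicator, a malicious-behavior keyword indicator, and grouping of the resulting alerts by attacker so that the attacker's related data form the network attack clues. The log line format, its field names, the indicator values, the threshold and the sample log lines are all constructed for the example.

```python
"""Attack detection over log data with preset attack indicators, then grouping
the hits by attacker into network attack clues.

Added example: the log format, field names, indicator values and threshold are
constructed for illustration and are not taken from the patent."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed IOC set: placeholder hash / IP / domain values, not real intelligence.
IOC = {
    "hash": {"3a7bd3e2360a3d29eea436fcfb7e44c7"},
    "ip": {"198.51.100.23"},
    "domain": {"update.example-bad.test"},
}
# Malicious behaviour keywords: the dynamically adjustable "threat factors".
MALICIOUS_KEYWORDS = {"mimikatz", "sekurlsa", "vssadmin delete shadows"}
# Traffic indicator: bytes one source may send to one host in the observed window.
FLOW_THRESHOLD_BYTES = 50_000_000

# Constructed log format: "<ts> <host> <kind> <src_ip> <rest>", where src_ip is
# the remote address the event was attributed to and <rest> depends on kind.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>proc|dns|conn|file) (?P<src>\S+) (?P<rest>.*)$")

@dataclass
class Alert:
    indicator: str   # which attack indicator fired: hash / ip / domain / flow / keyword
    value: str       # the matched value
    src: str         # attacker-side address the event is attributed to
    host: str        # attacked host
    evidence: str    # the raw log line

def detect(lines, iocs=IOC, keywords=MALICIOUS_KEYWORDS, flow_threshold=FLOW_THRESHOLD_BYTES):
    """Run IOC, traffic-threshold and keyword detection over log lines; return alerts in order."""
    alerts = []
    flow = defaultdict(int)  # (src, host) -> cumulative bytes in the window
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # unparseable line: skip rather than fail the whole batch
            continue
        host, kind, src, rest = m["host"], m["kind"], m["src"], m["rest"]
        if kind == "file":   # rest: "<path> <hash>"
            h = rest.split()[-1].lower()
            if h in iocs["hash"]:
                alerts.append(Alert("hash", h, src, host, line))
        elif kind == "dns":  # rest: "<queried name> <type>"
            name = rest.split()[0].lower()
            if name in iocs["domain"]:
                alerts.append(Alert("domain", name, src, host, line))
        elif kind == "conn": # rest: "<dst_ip> <bytes>"
            dst, nbytes = rest.split()
            if dst in iocs["ip"] or src in iocs["ip"]:
                alerts.append(Alert("ip", dst if dst in iocs["ip"] else src, src, host, line))
            flow[(src, host)] += int(nbytes)
            if flow[(src, host)] > flow_threshold:
                alerts.append(Alert("flow", str(flow[(src, host)]), src, host, line))
        elif kind == "proc": # rest: command line
            low = rest.lower()
            for kw in sorted(keywords):
                if kw in low:
                    alerts.append(Alert("keyword", kw, src, host, line))
    return alerts

def attack_clues(alerts):
    """Group alerts by attacker: the attacker's related data form the network attack clues."""
    clues = defaultdict(lambda: {"indicators": set(), "hosts": set(), "evidence": []})
    for a in alerts:
        c = clues[a.src]
        c["indicators"].add((a.indicator, a.value))
        c["hosts"].add(a.host)
        c["evidence"].append(a.evidence)
    return dict(clues)

# Constructed sample logs (not real traffic): one intruder at 203.0.113.9 and one benign process.
SAMPLE_LOGS = [
    "2020-10-01T08:00:01Z host-a conn 203.0.113.9 198.51.100.23 1200",
    "2020-10-01T08:00:02Z host-a dns 203.0.113.9 update.example-bad.test A",
    "2020-10-01T08:00:03Z host-a file 203.0.113.9 C:\\tmp\\svc.exe 3A7BD3E2360A3D29EEA436FCFB7E44C7",
    "2020-10-01T08:00:04Z host-a proc 203.0.113.9 cmd.exe /c mimikatz.exe privilege::debug",
    "2020-10-01T08:00:05Z host-b conn 203.0.113.9 192.0.2.10 60000000",
    "2020-10-01T08:00:06Z host-b proc 10.0.0.5 notepad.exe readme.txt",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a.indicator, a.value, a.src, "->", a.host)
    for src, clue in attack_clues(detect(SAMPLE_LOGS)).items():
        print(src, sorted(clue["hosts"]), sorted(clue["indicators"]))
```

The clue that emerges for 203.0.113.9 spans two hosts and five indicator hits; it is this per-attacker bundle, rather than the individual alerts, that step S204 takes into the network threat association model. Hashes are lower-cased before lookup because the same file is logged with different case by different sources, and a benign process on a host with no alerts never produces a clue entry.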
S204, mining intelligence from the network attack clues on the basis of the threat elements corresponding to the clues in the constructed network threat association model and the association relations between the threat elements in that model, to obtain threat intelligence related to the network attack event.
The network threat association model is an association model constructed in advance from known threat intelligence and contains the association relations between the threat elements. The known threat intelligence from which it is built comes from the knowledge accumulated over historical network attack events, the prediction of malicious family variants by a situational awareness system, threat intelligence in open-source information, and the like. Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging threat or hazard to assets, which can be used to inform decisions regarding the subject's response to that threat or hazard.
Specifically, the known threat intelligence may be drawn from threat intelligence data published as open-source intelligence, such as a security vendor's intelligence publishing website or various security forums, security information websites and virus analysis forums. Threat intelligence data includes feature libraries, black/white lists, attack sources, degree of harm, intrusion intent, tools used by malicious groups, malware, attack modes, vulnerability information, attack events, attack organizations, TTP threat intelligence, and so on. According to the security community's understanding of threat intelligence data, its hierarchy is as shown in fig. 3: from bottom to top, the data becomes progressively harder to obtain, more stable, and richer in information content.
Threat elements are elements determined from the threat intelligence data that are related to network attack events, that is, the entities that describe a network attack, such as the attack features in a feature library, the virus samples in a black/white list, malicious domain names, the whois information of malicious domain names, malicious IP addresses and malicious URLs.
In one embodiment, after acquiring the attack clues related to the network attack event to be traced, the computer device obtains the pre-constructed network threat association model, determines the threat elements corresponding to the network attack clues in that model, and mines intelligence along the association relations between those threat elements and the other threat elements in the model to obtain the threat intelligence (also called tracing information) related to the event.
In one embodiment, after determining the threat elements corresponding to the network attack clues in the network threat association model, the computer device takes those threat elements as the starting points of threat intelligence mining and traverses the association paths between them and the other threat elements layer by layer, for example by depth-first or breadth-first traversal, to obtain the threat intelligence (that is, the tracing information) related to the network attack event to be traced. For example, heuristic association analysis (intelligence mining) is performed over massive security information; once more threat intelligence has been derived from the existing attack clues, such as IOCs, TTPs or victims, a tracing analysis model can be established and the root cause of the attack found (see S206 to S208). Tracing malicious network attacks on the basis of threat intelligence in this way finds the group that launched the attack, determines the attack intent, reconstructs the attack path diagram, and allows a targeted defense strategy to be formulated.
In one embodiment, after determining the threat elements corresponding to the network attack clues in the network threat association model, the computer device constructs a threat intelligence knowledge graph from those threat elements, specifically in the form of a threat intelligence tree, and determines the threat entities related to the network attack event from the knowledge graph. The root node of the threat intelligence tree corresponds to the threat element corresponding to the network attack clue.
S206, taking the network attack clues and the threat intelligence as each attack behavior element corresponding to the network attack event, and constructing a traceability analysis model containing the incidence relation between each attack behavior element.
The attack behavior elements are elements related to the network attack event to be traced, and particularly, the network attack clues and threat intelligence mined based on the network attack clues can be used as the attack behavior elements to draw the entity under the network attack immediately. The source tracing analysis model is used for finally tracing the network attack event, specifically comprises the incidence relation among all attack behavior elements of the network attack event to be traced, and can represent an attack path diagram, an attack purpose and an attack trend of the network attack event, and continuously trace the malicious group to which the attack source belongs.
In one embodiment, after excavating threat intelligence of a network attack event to be traced based on a constructed network threat association model (also referred to as a routing analysis model) and a network attack clue, a computer device takes the network attack clue and the threat intelligence as attack behavior elements of the network attack event, and establishes a tracing analysis model containing association relations among the attack behavior elements based on the association relations among the attack behavior elements in the constructed network threat association model.
S208, determining a tracing path according to the incidence relation between the target attack behavior elements in the tracing analysis model, and tracing the network attack event based on the tracing path to obtain a tracing result of the network attack event.
The target attack behavior element is an attack behavior element which meets a traceability availability condition in the traceability analysis model, and can also be called as an effective attack behavior element, and the traceability availability condition can be dynamically set according to actual service requirements.
In an actual application scenario, a tracing result analyzed from a network attack clue may contain noise, that is, data that contributes nothing to tracing but reduces tracing efficiency; correspondingly, a tracing analysis model constructed from network attack clues and threat intelligence may contain noise attack behavior elements. Therefore, when the tracing and tracking result of the network attack event is determined from the tracing analysis model, it is determined from the association relations between the effective attack behavior elements in the model and the tracing aspects that security personnel ultimately care about, and the target attack behavior elements are the non-noise attack behavior elements in the tracing analysis model.
In one embodiment, after obtaining the tracing analysis model, the computer device determines whether each attack behavior element in it meets the tracing availability condition, classifies the elements that meet it as effective attack behavior elements and those that do not as noise attack behavior elements, converges the attack entities and noise elements produced by the heuristic association search, and removes the noise data introduced by association analysis. The tracing result of the network attack event is then determined from the association relations between the effective attack behavior elements.
In an embodiment in which there are at least two network attack clues, for every attack behavior element in the tracing analysis model other than those corresponding to the clues themselves, the computer device determines whether the element has an association relation with the attack behavior elements of all network attack clues simultaneously. Elements that do are effective attack behavior elements; elements that do not are noise. A tracing path is then determined from the association relations between the target attack behavior elements, and the network attack event is traced along that path to obtain its tracing result.
In the above embodiment, after obtaining the network attack clues related to the network attack event to be traced, the computer device mines intelligence from the clues based on their corresponding threat elements in the constructed network threat association model and the association relations among the threat elements in that model, so that threat intelligence related to the event can be analyzed from multiple dimensions. The clues and the threat intelligence then serve as the attack behavior elements of the event, a tracing analysis model containing the association relations among them is constructed, a tracing path is determined from the association relations between the target attack behavior elements in that model, and the event is traced along the path to obtain its tracing result. In this way, multi-dimensional tracing information related to the clues can be mined from the clues, and the root cause of the network attack event can be uncovered by comprehensively analyzing the association relations between the clues and the mined information, achieving accurate tracing and tracking of the network attack event.
In one embodiment, before tracing a network attack event, threat intelligence data is obtained from the accumulated existing threat intelligence knowledge base and open source threat intelligence, the obtained data is comprehensively analyzed from the time dimension, the space dimension and the portrait dimension, the association relations among the threat elements in the data are determined, and a network threat association model is constructed from those relations. Taking the threat knowledge base and open source intelligence as a foundation, an association analysis model is built intelligently using algorithms such as big data and artificial intelligence; the boundaries of attack clues are widened from points to lines to planes, large numbers of new clues associated with known clues are mined and converged, the network attack link diagram is mined, and malicious attack sources and groups are tracked.
The time dimension, the space dimension and the portrait dimension are the main analysis dimensions for tracing analysis, and the tracing analysis dimensions can be flexibly constructed based on business requirements. In the embodiment of the application, threat elements that show attack behaviors associated in time, such as TTP intelligence and log data, are assigned to the time dimension (refer to fig. 4); IOC intelligence, malicious samples, attack weapons, certificates and the like are assigned to the space dimension (refer to fig. 5); and the basic information, victim information, virtual identity association information and historical security events of malicious groups are assigned to the portrait dimension (refer to fig. 6). Correspondingly, the threat elements in the network threat association model obtained by comprehensively analyzing the threat intelligence data from the time, space and portrait dimensions comprise time threat elements, space threat elements and portrait threat elements.
Specifically, the portrait dimension is mainly used for describing the attack group behind a network attack event, and the portrait of an attack organization mainly comprises basic information, victim information, the virtual identity of the attack organization and historical security events. The basic information of the attack organization comprises the group's name, alias, common language, brief introduction, identity and role, where the identity can be hacker, terrorist or black/grey-market group, and the role can be malware author, sponsor, propagator, vulnerability exploiter, vulnerability miner or architect. The victim information comprises the victim's language, geographical location, industry and attributes, where the victim attribute can be one or more of a server, office equipment, a development machine, a router and the like. The virtual identity information of the malicious group records whether related information exists on platforms such as Facebook, GitHub and Twitter, for example e-mail addresses found on the Internet, nicknames of personnel in the organization behind the attack, commonly used character strings and similar virtual identity information. Historical security events comprise the context of security events that have occurred, the attack intent, the homology of the attack path and the attack resources used, including exploited vulnerabilities, tools, trojans or backdoors. Here, vulnerabilities, tools and trojans have similar descriptive characteristics in the portrait, and their detailed characteristics are analyzed under the space-dimension weapons.
In an actual application scenario, for one or more network attack clues of analysis dimensions, when information mining is performed by using the network threat association model constructed in the above embodiment, threat information belonging to different analysis dimensions can be obtained based on the network attack clues.
Example 1: network attack clues belonging to log data in the time dimension. Log data typically records the attack behaviors of an attacker on a victim device; network attacks are generally linear and usually come with context information and an attack strategy model, so this dimension is mainly analyzed from TTP intelligence. Because the series of attack behaviors that attackers from the same attack group perform on victim devices, and the order of those behaviors, are similar, similar attack sources whose attack behaviors and attack times correlate with those recorded in the log data are mined from the log data and the constructed network threat association model, and the attack organizations related to those similar attack sources are then mined. For example, the log of a certain targeted network attack event records that the attack source loaded a malicious PE file using a white (benign) file, then ran a cmd command, then ran netstat -ano to view the network state, and finally loaded a configuration file; based on the similarity of the attack behavior characteristics recorded in the log data and the order of the attack behaviors, a certain Vietnamese attack organization with similar attack behaviors and attack time sequence is mined.
Similarly, based on activity patterns such as the attack source's device login times, server connection times, weapon build times and C2 (Command and Control) connection times, similar attack sources with similar work-and-rest patterns can be mined from the network threat association model, and the attack groups associated with them can then be mined; these work-and-rest patterns reflect the geographical area where the attack organization is located.
Because the ATT&CK model unifies the labelling and description of malicious network attack behaviors and is recognized by security personnel, the ATT&CK model is used for the TTP attack technique process. The tactics of the ATT&CK model set forth the specific network attack behavior characteristics, i.e. the tactical refinement that describes how the corresponding tactics are realized. A corresponding TTP rule list is established for the tactics, techniques and procedures commonly used by network attack families based on the ATT&CK model, the corresponding numbers are sorted by attack behavior, and an attack technique perception rule base of malicious families is built.
Example 2: IOC-type intelligence network attack clues belonging to the space dimension, such as an IP address, a domain name or a URL. Besides basic information such as the operator of the IP address, the ports opened on the IP, the ASN and the registration information of the domain name, these also comprise the registration information and similarity of domain names, whether a URL is malicious, the detailed information and similarity of URLs, and the association relations between IP addresses, domain names, URLs and MD5 hashes. Malicious network attackers are subject to the same habits of thought as anyone else: they have certain preferences when creating or choosing domain names, and the domain names or URLs of the same group or organization show a certain similarity. This infrastructure also shows a certain short-term invariance, so over a period of time the attacks of a malicious party share one or more identical or similar IOCs. Therefore, other similar IOC information is mined from the IOC-type network attack clues and the network threat association model, the attack source is traced and analyzed from the mined IOC information, and the attack group related to the similar attack source is thereby mined. The association relations among IP address, domain name, URL and MD5 may be the domain names found by reverse lookup of the IP, the MD5 of samples downloaded from the IP, the MD5 of samples connecting to the domain name, the URLs contained under the domain name, the domain names contained in the sample with that MD5, the URLs contained in the sample with that MD5, and the like.
Similarly, for clues belonging to malicious-sample-type security events in the space dimension, such as file names, sample PDB paths and sample upload paths, the malicious party behind the security event is traced from the network threat association model. Specifically, similar sample threat intelligence is mined from the network threat association model, similar attackers are mined from the mined malicious sample threat intelligence, and the attack organizations related to those attackers are then mined. When mining the malicious sample threat intelligence similar to the malicious attacker from the network threat association model, traditional static and dynamic characteristics can be used for the analysis: static characteristics comprise obfuscation, junk instructions, function naming, encryption and the like, and dynamic characteristics comprise vulnerability exploitation, virtual machine detection behaviors, sandbox detection behaviors and the like. A graph of the homology and parent-child relations between samples is also constructed.
Similarly, for attack weapon network attack clues belonging to the space dimension, such as vulnerabilities, tools, trojans and viruses, characteristics are constructed in order to build the network threat association model, and heuristic association route-exploring analysis (i.e. intelligence mining) is carried out from the network attack clues on the basis of the model, so that the root of the malicious group behind the network attack event and the network attack link diagram are mined, and the malicious attack source and malicious group are tracked and traced.
In the above embodiment, the computer device obtains threat intelligence data from open source intelligence, comprehensively analyzes it from the time, space and portrait dimensions, determines the association relations among the threat elements in the data, and constructs a network threat association model from those relations. When tracing a network attack event, more threat intelligence can thus be mined from multiple dimensions starting from fewer network attack clues and the model, the boundaries of the attack clues are widened from points to lines to planes, and accurate tracing of the network attack event is then achieved using the clues and the mined multi-dimensional threat intelligence.
In one embodiment, the computer device mines intelligence from the network attack clues based on their corresponding threat elements in the constructed network threat association model and the association relations between the threat elements in that model to obtain threat intelligence related to the network attack event, and the method comprises: constructing the root node for intelligence mining from the threat elements corresponding to the network attack clues in the network threat association model, constructing the descendant nodes for intelligence mining from the threat elements that have association relations with the threat element of the root node in the model, obtaining a threat intelligence tree, and determining the threat elements that serve as descendant nodes in the threat intelligence tree as the threat intelligence related to the network attack event.
Specifically, after the computer device constructs a root node mined by intelligence based on threat elements corresponding to network attack clues in a network threat association model, the computer device searches threat elements directly associated with the node in the network threat association model layer by layer from the root node based on the threat elements corresponding to the nodes in the current layer in the network threat association model, and constructs sub-nodes of the nodes in the current layer based on the searched threat elements.
Taking one branch of a constructed threat intelligence tree as an example, as shown in fig. 7: the network attack clue related to the network attack event to be traced, acquired by the computer device, is the domain name "xxx.com"; the threat element corresponding to this clue in the constructed network threat association model is determined to be the malicious domain name "xxx.com", which is taken as the root node for intelligence mining; the threat element malicious IP "xx.xx.xx.xx", which is directly associated with the malicious domain name "xxx.com", is searched out in the network threat association model, and a child node of the root node is constructed from it; then the node corresponding to the malicious IP "xx.xx.xx.xx" is searched in turn, the threat element virus family "MM" that is directly associated with the malicious IP is found, and a child node is constructed from the virus family "MM". The malicious IP "xx.xx.xx.xx" and the virus family "MM" are collectively called descendant nodes of the root node, and together they form one branch of the threat intelligence tree.
In the above embodiment, the computer device constructs the threat intelligence tree from the association relations between the network attack clue and the threat elements in the network threat association model, obtains the threat intelligence related to the network attack event from the tree, and thus achieves accurate tracing of the network attack event from the network attack clue and the mined threat intelligence.
In one embodiment, the threat elements in the network threat association model comprise time threat elements, space threat elements and portrait threat elements, belonging to the time, space and portrait dimensions respectively. After determining the threat elements corresponding to the network attack clues in the model, the computer device searches for associated threat elements layer by layer from the root node, according to the time, space and portrait dimensions, based on the threat elements corresponding to the nodes of the current layer, and constructs the child nodes of the current layer's nodes from the threat elements found, until the threat intelligence tree is constructed.
Taking the search for the child nodes of the root node as an example, as shown in fig. 8: the network attack clue related to the network attack event to be traced, obtained by the computer device, is the domain name "xxx.com"; the threat element corresponding to this clue in the constructed network threat association model is determined to be the malicious domain name "xxx.com", which is taken as the root node for intelligence mining; the threat elements directly associated with the malicious domain name "xxx.com" are then searched in the network threat association model according to the time, space and portrait dimensions. No time threat element directly associated with the malicious domain name "xxx.com" is found in the time dimension; in the space dimension, the directly associated space threat elements found comprise the IPs contained in the malicious domain name "xxx.com", the URLs contained under it, its sub-domain names, samples downloaded from it and samples that access it; and in the portrait dimension, the directly associated portrait threat element found is the virus family to which the malicious domain name "xxx.com" belongs. Child nodes of the root node are constructed from the space threat elements and the portrait threat element found.
In the above embodiment, the computer device constructs a threat intelligence tree that integrates a plurality of dimensionality threat elements based on the network attack clues and the incidence relations between the threat elements of different dimensionalities in the network threat incidence model, so as to obtain a plurality of dimensionality threat intelligence related to the network attack event based on the constructed threat intelligence tree, and further realize accurate tracing to the network attack event based on the network attack clues and the mined threat intelligence of a plurality of dimensionalities.
In one embodiment, after obtaining threat intelligence based on a threat intelligence tree and constructing a traceability analysis model, a computer device determines a mining level upper limit matched with the value degree of a network attack clue, performs convergence operation on attack behavior elements of the traceability analysis model according to the mining level upper limit to obtain the converged traceability analysis model, wherein the node level of the attack behavior elements in the converged traceability analysis model corresponding to the threat intelligence tree is not greater than the mining level upper limit, and determines a traceability tracking result of a network attack event according to the incidence relation between target attack behavior elements in the converged traceability analysis model.
The value degree of a network attack clue represents how much the clue contributes to tracing the network attack event. The higher the value degree of a clue, the less effective threat intelligence needs to be mined during tracing and tracking; the lower the value degree, the more effective threat intelligence needs to be mined. The amount of effective threat intelligence that needs to be mined is related to the node hierarchy of the constructed threat intelligence tree: the more levels the tree has, the more effective threat intelligence it contains. The mining level upper limit is used for the convergence operation on the tracing analysis model constructed from the threat intelligence tree; its value is matched to the value degree, and the higher the value degree, the larger the corresponding mining level upper limit. The convergence operation removes part of the attack behavior elements from the tracing analysis model, namely those whose node level in the threat intelligence tree is greater than the mining level upper limit.
Specifically, besides the root node corresponding to the network attack clue, the threat intelligence tree comprises several levels of descendant nodes corresponding to threat intelligence: the threat intelligence directly associated with the clue of the root node corresponds to the first-level child nodes, the threat intelligence directly associated with the first-level child nodes corresponds to the second-level child nodes, …, and so on. After obtaining the threat intelligence from the threat intelligence tree and constructing the tracing analysis model, the computer device obtains the value degree of the network attack clue corresponding to the root node, obtains the matching mining level upper limit N from the value degree, removes from the tracing analysis model the attack behavior elements whose node level in the threat intelligence tree is greater than N to obtain the converged tracing analysis model, and determines the tracing result of the network attack event from the association relations between the target attack behavior elements in the converged tracing analysis model.
In the embodiment, the computer device performs the convergence operation on the attack behavior elements of the traceability analysis model according to the mining hierarchy upper limit matched with the value of the network attack clue, so that the converged traceability analysis model with less data volume and capable of meeting the traceability requirement can be obtained, the calculation amount of traceability according to the converged traceability analysis model is reduced, the efficiency of tracing the network attack event is improved under the condition of ensuring accurate tracing of the network attack event, and the network attack event is favorably and rapidly controlled.
In one embodiment, the computer device determines whether the attack behavior elements meet the traceability availability condition based on the analysis dimension to which the attack behavior elements belong in the traceability analysis model, determines a traceability path according to the incidence relation between target attack behavior elements meeting the traceability availability condition in the traceability analysis model, and traces the network attack event based on the traceability path to obtain the tracing result of the network attack event.
Specifically, for each attack behavior element in the tracing analysis model, it is determined whether the associated attack behavior elements corresponding to the leaf nodes of the threat intelligence tree belong to the portrait dimension; if so, the element is determined to be a target attack behavior element, and if not, a noise attack behavior element. After the target attack behavior elements are determined, the tracing and tracking result of the network attack event is determined from the association relations between them.
For example, fig. 9 shows the structure of the threat intelligence tree corresponding to the attack behavior elements of a tracing analysis model in an embodiment. In it, the attack behavior elements malicious IP "xx.xx.xx.96" and malicious URL "XX" do not belong to the portrait dimension and correspond to leaf nodes of the threat intelligence tree, so they are determined to be noise attack behavior elements; the threat element virus family "MM" corresponding to the leaf node associated with the attack behavior element malicious IP "xx.xx.xx.xx" belongs to the portrait dimension, so the malicious IP "xx.xx.xx.xx" is determined to be a target attack behavior element; and the virus family "MM" itself belongs to the portrait dimension and corresponds to a leaf node of the threat intelligence tree, so the attack behavior element virus family "MM" is determined to be a target attack behavior element.
In the embodiment, the computer device determines the target attack behavior elements based on the analysis dimensions to which the attack behavior elements belong in the tracing analysis model, so as to determine the tracing path according to the incidence relation between the target attack behavior elements, and traces the network attack event based on the tracing path to obtain the tracing result of the network attack event, thereby realizing accurate tracing of the network attack event.
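The threat intelligence tree construction (fig. 7 and fig. 8), the convergence operation with a mining level upper limit, the leaf-node noise rule (fig. 9) and the earlier two-clue effectiveness rule, as an added Python example written for this page; it is illustrative code, not the patent's implementation. The association model data, the element names and the reading of "association with all clues" as direct association are assumptions.

```python
from collections import deque

# Constructed sample network threat association model (an assumption for this
# example, not the patent's data). Each threat element carries its analysis
# dimension and the elements it is associated with; placeholder names follow
# the page's "xxx.com", "xx.xx.xx.xx", "xx.xx.xx.96", "XX" and family "MM".
ASSOCIATION_MODEL = {
    "domain:xxx.com": {"dim": "space",    "links": ["ip:xx.xx.xx.xx", "ip:xx.xx.xx.96", "url:XX"]},
    "ip:xx.xx.xx.xx": {"dim": "space",    "links": ["domain:xxx.com", "family:MM", "domain:yyy.com"]},
    "ip:xx.xx.xx.96": {"dim": "space",    "links": ["domain:xxx.com"]},
    "url:XX":         {"dim": "space",    "links": ["domain:xxx.com"]},
    "family:MM":      {"dim": "portrait", "links": ["ip:xx.xx.xx.xx", "group:G1"]},
    "group:G1":       {"dim": "portrait", "links": ["family:MM"]},
    "domain:yyy.com": {"dim": "space",    "links": ["ip:xx.xx.xx.xx"]},
}
DIMENSIONS = ("time", "space", "portrait")  # search order within each layer


def build_threat_tree(model, clue):
    """Breadth-first construction of the threat intelligence tree.

    Returns {element: (node_level, parent)}; the root (level 0) is the threat
    element matching the clue, and each layer is expanded dimension by
    dimension, as the embodiment describes.
    """
    if clue not in model:
        raise KeyError(f"no threat element for clue {clue!r} in the association model")
    tree = {clue: (0, None)}
    queue = deque([clue])
    while queue:
        cur = queue.popleft()
        level = tree[cur][0]
        for dim in DIMENSIONS:
            for nxt in model[cur]["links"]:
                if model[nxt]["dim"] == dim and nxt not in tree:
                    tree[nxt] = (level + 1, cur)
                    queue.append(nxt)
    return tree


def converge(tree, mining_level_upper_limit):
    """Convergence operation: drop every element deeper than the upper limit N."""
    return {e: v for e, v in tree.items() if v[0] <= mining_level_upper_limit}


def classify_elements(tree, model):
    """Split tree elements into (targets, noise) with the leaf-node rule:
    an element is a target if a leaf of its subtree belongs to the portrait
    dimension, otherwise it is noise."""
    children = {}
    for elem, (_, parent) in tree.items():
        if parent is not None:
            children.setdefault(parent, []).append(elem)

    def has_portrait_leaf(elem):
        kids = children.get(elem, [])
        if not kids:
            return model[elem]["dim"] == "portrait"
        return any(has_portrait_leaf(k) for k in kids)

    targets = sorted(e for e in tree if has_portrait_leaf(e))
    noise = sorted(e for e in tree if not has_portrait_leaf(e))
    return targets, noise


def effective_for_clues(model, clues):
    """Multi-clue rule (read here as direct association, an assumption): an
    element is effective only if it is associated with every clue's element."""
    common = None
    for clue in clues:
        linked = set(model[clue]["links"]) - set(clues)
        common = linked if common is None else common & linked
    return sorted(common or [])


if __name__ == "__main__":
    full = build_threat_tree(ASSOCIATION_MODEL, "domain:xxx.com")
    pruned = converge(full, 2)  # mining level upper limit N = 2
    print("targets / noise after convergence:", classify_elements(pruned, ASSOCIATION_MODEL))
    print("effective for two clues:",
          effective_for_clues(ASSOCIATION_MODEL, ["domain:xxx.com", "domain:yyy.com"]))
```

With the upper limit set to 2 the level-3 element "group:G1" is pruned, "family:MM" becomes a leaf and, being a portrait element, keeps itself and its ancestor IP as targets, while the space-dimension leaves are classed as noise; the upper limit is left as a parameter because the page ties it to the clue's value degree without giving the mapping.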
In one embodiment, as shown in fig. 10, S208 specifically includes the following steps:
S1002, determining at least one candidate tracing path according to the association relations among the target attack behavior elements in the tracing analysis model.
Specifically, the target attack behavior elements correspond to target attack entities. The target attack behavior element corresponding to the network attack clue in the tracing analysis model is used as the tracing start point, the tracing destination elements corresponding to the maximum node level of the threat intelligence tree in the tracing analysis model are used as tracing end points, and at least one candidate tracing path from the tracing start point to a tracing end point is determined from the association relations between the tracing destination elements in the tracing analysis model.
S1004, calculating the tracing credibility corresponding to each candidate tracing path according to the analysis dimension of the target attack behavior elements on each candidate tracing path and their node level in the threat intelligence tree.
The target attack behavior element may also be referred to as a source tracing destination element.
Specifically, the target attack behavior elements on the tracing path respectively correspond to a dimension attribute value and a hierarchy attribute value, and for any tracing path, the tracing reliability of the tracing path is calculated based on the dimension attribute value and the hierarchy attribute value corresponding to each target attack behavior element on the tracing path.
In one embodiment, for any candidate tracing path, the computer device obtains a dimension attribute value and a hierarchy attribute value corresponding to a target attack behavior element corresponding to the candidate tracing path, and calculates tracing reliability corresponding to the candidate tracing path by using a tracing reliability calculation formula, where the tracing reliability calculation formula is as follows:
(tracing reliability calculation formula: the original gives it only as an image, which is not reproduced here)
where [symbol image] is the tracing reliability value corresponding to the candidate tracing path, [symbol image] is the dimension attribute value corresponding to the ith target attack behavior element in the tracing path, and [symbol image] (description not given on the page).
specifically, the first target attack behavior element on the candidate tracing path corresponds to a tracing start point of the candidate tracing path, the nth target attack behavior element on the candidate tracing path corresponds to a tracing end point of the candidate tracing path, and on the candidate tracing path, the sequence number of the target attack behavior element gradually increases along the direction from the tracing start point to the tracing end point.
Fig. 11 shows a schematic diagram of a tracing analysis model in an embodiment. O is the target attack behavior element corresponding to the network attack clue (i.e., the tracing start point); Q1 and Q2 are the two target attack behavior elements on tracing path 1; P1, P2 and P3 are the three target attack behavior elements on tracing path 2. The characters in parentheses name the analysis dimension to which each target attack behavior element belongs, the numbers 3, 2 and 5 marked on the tracing paths are the dimension attribute values of the corresponding target attack behavior elements, and the dotted lines mark the node level of each target attack behavior element; the hierarchy attribute value of a target attack behavior element is set equal to its node level. Applying the tracing credibility calculation formula, the tracing credibility of candidate tracing path 1 is 4 and that of candidate tracing path 2 is 10/3.
S1006, screening the tracing path from the candidate tracing paths according to the tracing credibility.
Specifically, after calculating the tracing credibility of each candidate tracing path, the computer device sorts the candidate tracing paths by tracing credibility in descending order and selects, from the candidate tracing paths, those whose rank is higher than a preset rank. For example, if there are 5 candidate tracing paths, the three paths with the highest tracing credibility are selected, or only the top-ranked path is selected.
S1008, determining the tracing result of the network attack event based on the target attack behavior elements corresponding to the tracing path.
In an embodiment, after the computer device has screened out the tracing path, if the tracing destination elements corresponding to the tracing path include an entity belonging to a preset dimension, the tracing result of the network attack event can be determined directly from the group to which that entity belongs. For example, if the target attack behavior elements include one belonging to the portrait dimension, the tracing result of the network attack event is determined directly from that portrait-dimension target attack behavior element.
The application provides an application scenario to which the above network attack event tracing processing method is applied. The network attack clue related to the network attack event to be traced, acquired by the computer device, is the domain name "xxx.com". Starting from the domain name "xxx.com", intelligence is mined through the association relation among the threat elements in the constructed network threat association model to obtain a tracing analysis model, and the target attack behavior elements on the tracing path determined from the tracing analysis model include the domain name "xxx.com", an IP address and a virus family, where the target attack behavior element "virus family" belongs to the portrait dimension, so the tracing result of the network attack event is determined based on that virus family. As shown in fig. 12, the tracing result shows the information of the attacking organization.
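As an added worked example (not code from the patent or its applicant), the procedure of S1002 to S1008 in Python: enumerate the candidate tracing paths from the start point, score each, keep the top-ranked path, and read the attack group directly off a portrait-dimension element, as in the xxx.com scenario above. The tracing credibility formula itself is an image not reproduced on this page, so the scoring function below is an assumed stand-in (sum of the dimension attribute values divided by the node level of the tracing end point) that reproduces the 4 and 10/3 quoted for Fig. 11; the element names, dimension assignments, IP addresses and group labels are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Element:
    """One target attack behavior element on a tracing path."""
    name: str
    dimension: str               # analysis dimension: "time", "space" or "portrait"
    level: int                   # node level in the threat intelligence tree (start point = 0)
    dim_value: int               # dimension attribute value
    group: Optional[str] = None  # attack group; only set on portrait-dimension elements


def path_credibility(path: List[Element]) -> Fraction:
    """Tracing credibility of one candidate path (S1004).

    ASSUMPTION: the page's formula is an image not reproduced here. This stand-in sums
    the dimension attribute values of the elements after the start point and divides by
    the node level of the tracing end point. With one level per hop, as in Fig. 11, that
    is the mean of the dimension values and reproduces the 4 and 10/3 quoted there.
    """
    hops = path[1:]  # path[0] is the start point O, i.e. the clue itself
    if not hops:
        return Fraction(0)
    return Fraction(sum(e.dim_value for e in hops), hops[-1].level)


def enumerate_candidate_paths(start: Element, edges: Dict[str, List[Element]]) -> List[List[Element]]:
    """S1002: every walk from the start point to a leaf is one candidate tracing path."""
    paths: List[List[Element]] = []

    def walk(node: Element, trail: List[Element]) -> None:
        children = edges.get(node.name, [])
        if not children:
            paths.append(trail)
            return
        for child in children:
            walk(child, trail + [child])

    walk(start, [start])
    return paths


def screen_paths(paths: List[List[Element]], top_k: int) -> List[List[Element]]:
    """S1006: rank candidate paths by credibility, descending, and keep the top_k."""
    return sorted(paths, key=path_credibility, reverse=True)[:top_k]


def tracing_result(path: List[Element]) -> Optional[str]:
    """S1008: a portrait-dimension element on the path gives the attack group directly.
    None means no such element, i.e. the classifier case the page describes next."""
    for element in path:
        if element.dimension == "portrait" and element.group:
            return element.group
    return None


# Constructed data shaped like Fig. 11 and the xxx.com scenario: the clue is a domain name,
# path 1 runs through an IP address to a virus family, path 2 runs through a time window
# and a second IP to another virus family. Dimension values are assigned so that the path
# totals (3+5 and 3+2+5) match the figure; which element carries which value is assumed.
O = Element("xxx.com", "space", 0, 0)
Q1 = Element("203.0.113.7", "space", 1, 3)      # RFC 5737 documentation address
Q2 = Element("virus family X", "portrait", 2, 5, group="GROUP-A (constructed)")
P1 = Element("2020-10 activity window", "time", 1, 3)
P2 = Element("198.51.100.9", "space", 2, 2)     # RFC 5737 documentation address
P3 = Element("virus family Y", "portrait", 3, 5, group="GROUP-B (constructed)")
EDGES: Dict[str, List[Element]] = {
    O.name: [Q1, P1],
    Q1.name: [Q2],
    P1.name: [P2],
    P2.name: [P3],
}


def run_demo():
    """Returns the credibility of each candidate path, the selected path and its result."""
    paths = enumerate_candidate_paths(O, EDGES)
    scores = [path_credibility(p) for p in paths]
    best = screen_paths(paths, top_k=1)[0]
    return scores, [e.name for e in best], tracing_result(best)


if __name__ == "__main__":
    scores, best_path, result = run_demo()
    print("credibility per candidate path:", [str(s) for s in scores])
    print("selected tracing path:", " -> ".join(best_path))
    print("tracing result:", result)
```

Scores are kept as exact fractions so that 10/3 is compared without floating-point error when ranking; swapping `path_credibility` for the patent's own formula is the only change needed to run the real scoring.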
In an embodiment, if the tracing destination elements corresponding to the tracing path do not include an element belonging to a preset dimension, for example if the target attack behavior elements on the tracing path do not include one belonging to the portrait dimension, an attack feature sequence can be constructed from the tracing destination elements on the tracing path, and the attack feature sequence is classified and predicted by a pre-trained tracing classifier to obtain the tracing result of the network attack event.
The application further provides an application scenario to which the network attack event tracing processing method is applied. Specifically, the method is applied in this application scenario as follows:
The network attack event is an event formed by a series of related attack behaviors, and these related attack behaviors often stand in a tactical precedence relationship. When an attacker launches a network attack event, specific techniques are adopted at the different tactical stages. Correspondingly, tactical intelligence analysis is performed through the ATT&CK model on the attack behavior data generated by the various network attack behaviors in the network attack event to obtain TTP information, and the TTP information is determined as the intelligence clue of the network attack event to be traced.
The obtained TTP information is taken as the network attack clue, and the network threat association model is the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) model, a model and knowledge base describing the network attack behaviors of each stage of the attack life cycle. Through the ATT&CK model, the description of network attack behaviors is standardized, and the various network attack behaviors corresponding to the attack behavior data are subdivided to express the attack behavior features.
Referring to Table 1, Table 1 gives example details of the corresponding tactic and technique features in the ATT&CK model. Row 1 lists the tactics of the TTP, and each column lists the specific techniques employed under that tactic.
TABLE 1
Figure 602948DEST_PATH_IMAGE006
It is understood that only a portion of the tactics, such as Initial Access, Privilege Escalation, Credential Access and Collection, are shown in Table 1, and only some of the techniques are listed under each tactic, for example Drive-by Compromise, Exploit Public-Facing Application and External Remote Services under Initial Access.
It can be understood that for each network attack behavior, that is, for each TTP-type network attack clue, the computer device can find the corresponding mapping in the ATT&CK model. That is, in each network attack event the initiator employs some technique under some tactic to launch the corresponding network attack. For example, the mapping of each network attack behavior occurring in one network attack event onto the ATT&CK table is shown in Table 2, where the italic and underlined techniques are the techniques selected by the attacker under each tactic when launching the network attack event, such as the technique "External Remote Services" (network attack clue 1) and the technique "Brute Force" (network attack clue 2) of Table 1. Based on the association in the ATT&CK model between "External Remote Services", "Brute Force" and other techniques, the technique "Accessibility Features" (italic and bold in the table), which is associated with both "External Remote Services" and "Brute Force", is mined from the ATT&CK model and determined as threat intelligence. The techniques "External Remote Services" and "Brute Force" (the network attack clues) and the technique "Accessibility Features" (the threat intelligence) are then used as the attack behavior elements corresponding to the network attack event, and a tracing analysis model containing the association relation among these attack behavior elements is constructed.
TABLE 2
Figure DEST_PATH_IMAGE007
According to the association relation among the technique "External Remote Services", the technique "Accessibility Features" and the technique "Brute Force", a tracing analysis model containing the association relation among the attack behavior elements is constructed; the attack feature sequence "External Remote Services, Accessibility Features, Brute Force" used for tracing is determined based on the tracing analysis model, and the attack feature sequence is classified and predicted by the pre-trained tracing classifier to obtain the tracing result of the network attack event.
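The ATT&CK scenario above as an added worked example in Python (not code from the patent or its applicant): two TTP clues are mapped onto a small tactic-by-technique excerpt shaped like Table 1, the technique associated with both clues is mined as threat intelligence, the three techniques are ordered into an attack feature sequence by tactic order, and the sequence is classified. The technique names are real ATT&CK names, but the excerpt, the technique-to-technique association list and the attack-group profiles are constructed, and the Jaccard-similarity classifier is a stand-in for the pre-trained tracing classifier the page refers to without describing.

```python
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the ATT&CK matrix in the shape of Table 1: one tactic per column,
# in kill-chain order, with a few real technique names under each. It is not the full matrix.
TACTIC_ORDER: List[str] = ["Initial Access", "Privilege Escalation", "Credential Access", "Collection"]
TECHNIQUES_BY_TACTIC: Dict[str, List[str]] = {
    "Initial Access": ["Drive-by Compromise", "Exploit Public-Facing Application", "External Remote Services"],
    "Privilege Escalation": ["Accessibility Features", "Bypass User Account Control", "Scheduled Task"],
    "Credential Access": ["Brute Force", "Credential Dumping", "Input Capture"],
    "Collection": ["Data from Local System", "Screen Capture", "Clipboard Data"],
}

# ASSUMPTION: the page mines "Accessibility Features" from its association with both clues but
# does not say how the association is represented. Here it is a constructed, undirected
# technique-to-technique association list; a deployment would derive it from intelligence data.
ASSOCIATIONS: List[Tuple[str, str]] = [
    ("External Remote Services", "Accessibility Features"),
    ("Accessibility Features", "Brute Force"),
    ("Drive-by Compromise", "Bypass User Account Control"),
    ("Bypass User Account Control", "Credential Dumping"),
]

# Constructed attack-group profiles standing in for the page's pre-trained tracing classifier.
GROUP_PROFILES: Dict[str, Set[str]] = {
    "GROUP-A (constructed)": {"External Remote Services", "Accessibility Features",
                              "Brute Force", "Data from Local System"},
    "GROUP-B (constructed)": {"Drive-by Compromise", "Bypass User Account Control",
                              "Credential Dumping", "Screen Capture"},
}


def tactic_of(technique: str) -> str:
    """Look up the tactic column a technique sits in (the Table 1 mapping)."""
    for tactic, techniques in TECHNIQUES_BY_TACTIC.items():
        if technique in techniques:
            return tactic
    raise KeyError(f"technique not in the ATT&CK excerpt: {technique}")


def mine_associated_techniques(clues: List[str]) -> List[str]:
    """Return the techniques associated with every clue technique (threat intelligence, as in Table 2)."""
    neighbours: Dict[str, Set[str]] = {}
    for a, b in ASSOCIATIONS:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    common = None
    for clue in clues:
        nb = neighbours.get(clue, set())
        common = nb if common is None else common & nb
    return sorted(common or set())


def build_attack_feature_sequence(techniques: List[str]) -> List[str]:
    """Order clues and mined techniques by tactic (kill-chain) order, then by column order."""
    def position(technique: str) -> Tuple[int, int]:
        tactic = tactic_of(technique)
        return TACTIC_ORDER.index(tactic), TECHNIQUES_BY_TACTIC[tactic].index(technique)
    return sorted(set(techniques), key=position)


def classify_sequence(sequence: List[str]) -> Tuple[str, float]:
    """Stand-in classifier: Jaccard similarity between the sequence's technique set and each profile."""
    observed = set(sequence)
    best_label, best_score = "unknown", 0.0
    for label, profile in GROUP_PROFILES.items():
        score = len(observed & profile) / len(observed | profile)
        if score > best_score:
            best_label, best_score = label, score
    return best_label, best_score


def trace(clues: List[str]) -> Tuple[List[str], str, float]:
    """Clues -> mined intelligence -> attack feature sequence -> classifier verdict."""
    sequence = build_attack_feature_sequence(clues + mine_associated_techniques(clues))
    label, score = classify_sequence(sequence)
    return sequence, label, score


if __name__ == "__main__":
    print(trace(["External Remote Services", "Brute Force"]))
```

For the two clues on the page the sequence comes out as "External Remote Services, Accessibility Features, Brute Force", matching the order the page states, because Initial Access precedes Privilege Escalation precedes Credential Access in the tactic order.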
In the above embodiment, the computer device determines at least one candidate tracing path according to an association relationship between target attack behavior elements in the tracing analysis model, calculates tracing reliability corresponding to each candidate tracing path according to an analysis dimension to which the target attack behavior element corresponding to each candidate tracing path belongs and a node level corresponding to the target attack behavior element in the threat information tree, screens out the tracing path from the candidate tracing paths according to the tracing reliability, and determines a tracing result of the network attack event based on the target attack behavior element corresponding to the tracing path, so that accurate tracing of the network attack event can be realized.
In an embodiment, after obtaining the tracing result of the network attack event, the computer device may further determine, according to the tracing result and the network attack clue, an attack intention of an attack source of the network attack event and a corresponding attack stage of the network attack event currently in a network attack chain, and generate a countermeasure report for the network attack event based on the attack intention and the corresponding attack stage of the network attack event currently in the network attack chain.
Specifically, after the tracing result is obtained, the computer device may determine the attack intention from the basic information of the attack organization to which the attack source belongs in the tracing result, determine the current attack stage based on the attack intention and the acquired network attack clue, and predict a network attack event that may occur in the future based on the attack intention and the current attack stage, thereby generating a corresponding countermeasure report based on the predicted network attack event.
In the above embodiment, the computer device determines the attack intention of the attack source of the network attack event and the attack stage corresponding to the network attack event in the network attack chain according to the tracing result and the network attack clue, and generates the countermeasure report for the network attack event based on the attack intention and the attack stage corresponding to the network attack event in the network attack chain, so that the security personnel can counteract the traced network attack event according to the countermeasure report.
In an embodiment, as shown in fig. 13, there is further provided a network attack event tracing processing method, which is described by taking as an example its application to a computer device in fig. 1 (such as the terminal 102 or the server 104 in fig. 1), and which includes the following steps:
S1302, obtaining threat intelligence data from open source intelligence.
The open source intelligence can be a threat intelligence knowledge base constructed based on security big data, or an open source intelligence system.
S1304, performing feature analysis on the threat intelligence data from the time dimension, the space dimension and the portrait dimension, and determining the association relation among the threat elements in the threat intelligence data.
S1306, constructing a network threat association model according to the association relation among the threat elements in the threat intelligence data.
S1308, obtaining the network communication related data generated when the network device works.
S1310, determining the network attack clue of the network attack event to be traced according to the network communication related data.
S1312, constructing the root node for intelligence mining based on the threat element corresponding to the network attack clue in the network threat association model.
S1314, starting from the root node, searching the network threat association model layer by layer, according to the time dimension, the space dimension and the portrait dimension, for the threat elements associated with the threat elements corresponding to the nodes in the current layer, and constructing the child nodes of the nodes in the current layer from the threat elements found, until the threat intelligence tree is constructed.
S1316, determining the threat elements serving as descendant nodes in the threat intelligence tree as the threat intelligence related to the network attack event.
S1318, using the network attack clue and the threat intelligence as the attack behavior elements corresponding to the network attack event, and constructing a tracing analysis model containing the association relation among the attack behavior elements.
S1320, determining the mining level upper limit matching the value degree of the network attack clue.
S1322, performing a convergence operation on the attack behavior elements of the tracing analysis model according to the mining level upper limit to obtain a converged tracing analysis model.
S1324, determining a tracing path according to the association relation between the target attack behavior elements in the converged tracing analysis model, and tracing the network attack event based on the tracing path to obtain the tracing result of the network attack event.
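Steps S1312 to S1322 as one added worked example in Python (not code from the patent or its applicant): a small network threat association model is searched layer by layer from the clue's root node, by time, space and portrait dimension, to build the threat intelligence tree; the descendants are read off as threat intelligence; and the tree is converged by dropping nodes deeper than the mining level upper limit. The model contents (the xxx.com clue from the page's scenario, RFC 5737 documentation IPs, a time window, a virus family and a group label) are constructed, and the mapping from a clue's value degree to the mining level upper limit is an assumption, since the page only says the two are matched.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DIMENSIONS = ("time", "space", "portrait")  # the three analysis dimensions named in S1304 and S1314


@dataclass(frozen=True)
class ThreatElement:
    name: str
    dimension: str  # "time", "space" or "portrait"


class AssociationModel:
    """Network threat association model (S1306): threat elements plus undirected associations."""

    def __init__(self) -> None:
        self.elements: Dict[str, ThreatElement] = {}
        self.edges: Dict[str, Set[str]] = {}

    def add(self, name: str, dimension: str) -> None:
        self.elements[name] = ThreatElement(name, dimension)
        self.edges.setdefault(name, set())

    def associate(self, a: str, b: str) -> None:
        self.edges[a].add(b)
        self.edges[b].add(a)

    def neighbours(self, name: str, dimension: str) -> List[str]:
        """Associated elements of `name` that belong to the given analysis dimension."""
        return sorted(n for n in self.edges[name] if self.elements[n].dimension == dimension)


@dataclass
class TreeNode:
    name: str
    dimension: str
    level: int
    parent: Optional[str]
    children: List[str] = field(default_factory=list)


def build_threat_intelligence_tree(model: AssociationModel, clue: str) -> Dict[str, TreeNode]:
    """S1312-S1314: root = the clue's threat element; then, layer by layer, search each node's
    associations by time, space and portrait dimension and attach the finds as child nodes."""
    root = TreeNode(clue, model.elements[clue].dimension, 0, None)
    tree: Dict[str, TreeNode] = {clue: root}
    layer = [clue]
    while layer:
        next_layer: List[str] = []
        for name in layer:
            for dimension in DIMENSIONS:
                for found in model.neighbours(name, dimension):
                    if found in tree:  # already mined at this level or shallower: keeps the tree acyclic
                        continue
                    tree[found] = TreeNode(found, dimension, tree[name].level + 1, name)
                    tree[name].children.append(found)
                    next_layer.append(found)
        layer = next_layer
    return tree


def threat_intelligence(tree: Dict[str, TreeNode]) -> List[str]:
    """S1316: every descendant node of the root is threat intelligence related to the event."""
    return [n.name for n in tree.values() if n.parent is not None]


def mining_level_upper_limit(clue_value_degree: int) -> int:
    """S1320. ASSUMPTION: the page only says the limit matches the clue's value degree;
    this constructed mapping lets a more valuable clue be mined deeper, capped at 3 levels."""
    return max(1, min(clue_value_degree, 3))


def converge(tree: Dict[str, TreeNode], upper_limit: int) -> Dict[str, TreeNode]:
    """S1322: keep only the nodes whose level does not exceed the mining level upper limit."""
    kept = {name: TreeNode(n.name, n.dimension, n.level, n.parent)
            for name, n in tree.items() if n.level <= upper_limit}
    for node in kept.values():
        node.children = [c for c in tree[node.name].children if c in kept]
    return kept


# Constructed model: the clue is the domain name xxx.com from the page's scenario; the IPs are
# RFC 5737 documentation addresses; the time window, virus family and group are placeholders.
MODEL = AssociationModel()
for _name, _dim in [("xxx.com", "space"), ("2020-09 activity window", "time"),
                    ("203.0.113.7", "space"), ("198.51.100.9", "space"),
                    ("virus family X", "portrait"), ("GROUP-A (constructed)", "portrait")]:
    MODEL.add(_name, _dim)
MODEL.associate("xxx.com", "2020-09 activity window")
MODEL.associate("xxx.com", "203.0.113.7")
MODEL.associate("203.0.113.7", "virus family X")
MODEL.associate("virus family X", "GROUP-A (constructed)")
MODEL.associate("203.0.113.7", "198.51.100.9")
MODEL.associate("198.51.100.9", "2020-09 activity window")  # closes a cycle the tree must not follow twice


if __name__ == "__main__":
    full = build_threat_intelligence_tree(MODEL, "xxx.com")
    limited = converge(full, mining_level_upper_limit(2))
    for name, node in full.items():
        print(f"level {node.level} {node.dimension:8s} {name}  kept={name in limited}")
```

The breadth-first search assigns each element the level at which it is first reached, so an element reachable by two routes (198.51.100.9 above) appears once, under the shallower parent; that is what makes the converged model smaller than the full association graph when the level cap is applied.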
In a specific application scenario, the method can be applied to intelligent tracing of threat intelligence in an enterprise; refer to fig. 14. After a network attack event occurs, the computer device can acquire network attack clues such as the infrastructure used by the attack source, the external resources set up, the attack behaviors and the attacker information. Based on these network attack clues and the constructed threat analysis model, the network attack clues are extended and analyzed from multiple dimensions to obtain clues of the time dimension, the space dimension and the portrait dimension. A tracing analysis model is constructed from the network attack clues and the clue information obtained for the different dimensions, the tracing analysis model is converged and denoised, and the network attack event is traced based on the converged and denoised tracing analysis model, after which the tracing result is output. After the tracing result is output, if the network attack clue is a newly occurring attack clue, it can be added to the constructed threat analysis model based on the tracing result, and the constructed threat analysis model is updated.
It should be understood that although the steps in the flowcharts of fig. 2, 10, 13 and 14 are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the execution of these steps is not strictly limited to the order shown, and they may be performed in other orders. Moreover, at least some of the steps in fig. 2, 10, 13 and 14 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and whose execution order is not necessarily sequential, as they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In an embodiment, as shown in fig. 15, there is provided a network attack event tracing processing apparatus, where the apparatus may adopt a software module or a hardware module, or a combination of the two modules to form a part of a computer device, and the apparatus specifically includes: a network attack cue obtaining module 1502, an intelligence feature extraction and analysis module 1504, a tracing analysis model construction module 1506 and a tracing module 1508, wherein:
a network attack clue obtaining module 1502, configured to obtain a network attack clue related to the network attack event to be traced;
the intelligence characteristic extraction and analysis module 1504 is used for mining the intelligence of the network attack clues based on the corresponding threat elements of the network attack clues in the constructed network threat association model and the association relationship between the threat elements in the network threat association model to obtain the threat intelligence related to the network attack events;
a traceability analysis model construction module 1506, configured to construct a traceability analysis model including an association relationship between attack behavior elements by using the network attack clues and threat intelligence as the attack behavior elements corresponding to the network attack event;
the tracing module 1508 is configured to determine a tracing path according to the association relation between the target attack behavior elements in the tracing analysis model, and to trace the network attack event based on the tracing path to obtain the tracing result of the network attack event.
In one embodiment, the network attack cue acquisition module 1502 is further configured to:
acquiring network communication related data generated when network equipment works;
carrying out attack detection on network communication related data based on a preset attack index, and determining an attack source related to a network attack event;
and determining a network attack clue of the network attack event to be traced according to data related to the attack source in the network communication related data.
In one embodiment, the network attack cue acquisition module 1502 is further configured to:
tactical information analysis is carried out on data related to an attack source in network communication related data through a threat information knowledge base and open source threat information to obtain tactical information related to a network attack event to be traced;
and determining the tactical intelligence information as a network attack clue of the network attack event to be traced.
In the above embodiment, after obtaining the network attack clue related to the network attack event to be traced, the computer device mines intelligence for the network attack clue based on the threat element corresponding to the network attack clue in the constructed network threat association model and the association relation among the threat elements in that model, so that threat intelligence related to the network attack event can be mined from multiple dimensions. It then uses the network attack clue and the threat intelligence as the attack behavior elements corresponding to the network attack event, constructs a tracing analysis model containing the association relation among the attack behavior elements, determines a tracing path according to the association relation between the target attack behavior elements in the tracing analysis model, and traces the network attack event based on the tracing path to obtain the tracing result of the network attack event. When a network attack event is traced from a network attack clue in this way, tracing intelligence of multiple dimensions related to the clue can be mined, and accurate tracing of the network attack event is achieved by comprehensively analyzing the association relation between the network attack clue and the mined multi-dimensional tracing intelligence.
In one embodiment, as shown in fig. 16, the apparatus further comprises: threat intelligence data acquisition module 1510, comprehensive analysis module 1512 and network threat association model building module 1514, wherein:
a threat intelligence data acquisition module 1510, configured to acquire threat intelligence data from open source intelligence;
the comprehensive analysis module 1512 is configured to perform comprehensive analysis on the acquired threat intelligence data from a time dimension, a space dimension and an image dimension, and determine an association relationship between threat elements in the threat intelligence data;
and a network threat association model building module 1514, configured to build a network threat association model according to the association relationship between the threat elements in the threat intelligence data.
In this embodiment, the computer device obtains threat intelligence data from open source intelligence, comprehensively analyzes the collected threat intelligence data from the time dimension, the space dimension and the portrait dimension, determines the association relation among the threat elements in the threat intelligence data, and constructs a network threat association model according to that association relation, so that when tracing a network attack event, more threat intelligence can be mined from multiple dimensions based on the network threat association model starting from fewer network attack clues, and accurate tracing of the network attack event is achieved using the network attack clues and the mined multi-dimensional threat intelligence.
In one embodiment, the intelligence feature extraction and analysis module 1504 is further configured to:
constructing root nodes for information mining based on corresponding threat elements of the network attack clues in the network threat association model;
constructing descendant nodes mined by the intelligence based on threat elements which have an association relation with the threat elements corresponding to the root nodes in the network threat association model, and obtaining a threat intelligence tree;
and determining the threat elements serving as descendant nodes in the threat intelligence tree as the threat intelligence relevant to the network attack event.
In the above embodiment, the computer device constructs the threat information tree based on the association relationship between the network attack clue and the threat elements in the network threat association model, so as to obtain the threat information related to the network attack event based on the threat information tree, and further realize accurate tracing of the network attack event based on the network attack clue and the mined threat information.
In one embodiment, the threat elements in the cyber-threat association model include temporal threat elements, spatial threat elements, and portrait threat elements; the intelligence feature extraction and analysis module 1504 is further configured to:
starting from a root node, searching the associated threat elements in the network threat association model layer by layer according to the time dimension, the space dimension and the image dimension based on the corresponding threat elements of the nodes in the current layer in the network threat association model, and constructing the sub-nodes of the nodes in the current layer based on the searched threat elements until the threat information tree is constructed.
In the above embodiment, the computer device constructs a threat intelligence tree that integrates a plurality of dimensionality threat elements based on the network attack clues and the incidence relations between the threat elements of different dimensionalities in the network threat incidence model, so as to obtain a plurality of dimensionality threat intelligence related to the network attack event based on the constructed threat intelligence tree, and further realize accurate tracing to the network attack event based on the network attack clues and the mined threat intelligence of a plurality of dimensionalities.
In one embodiment, as shown in fig. 16, the apparatus further comprises: a mining level upper limit determination module 1516 and a model convergence module 1518, wherein:
a mining level upper limit determining module 1516, configured to determine a mining level upper limit matching the value degree of the network attack clue;
the model convergence module 1518 is configured to perform convergence operation on the attack behavior elements of the traceability analysis model according to the mining hierarchy upper limit, so as to obtain a converged traceability analysis model; the corresponding node level of the attack behavior elements in the converged traceability analysis model in the threat intelligence tree is not more than the upper limit of the mining level;
the tracing module 1508 is further configured to:
and determining a tracing path according to the incidence relation between the target attack behavior elements in the converged tracing analysis model, and tracing the network attack event based on the tracing path to obtain a tracing result of the network attack event.
In the embodiment, the computer device performs the convergence operation on the attack behavior elements of the traceability analysis model according to the mining hierarchy upper limit matched with the value of the network attack clue, so that the converged traceability analysis model with less data volume and capable of meeting the traceability requirement can be obtained, the calculation amount of traceability according to the converged traceability analysis model is reduced, the efficiency of tracing the network attack event is improved under the condition of ensuring accurate tracing of the network attack event, and the network attack event is favorably and rapidly controlled.
In one embodiment, the tracing module 1508 is further configured to:
determining whether the attack behavior elements meet the traceability availability condition or not based on the analysis dimensionality to which the attack behavior elements belong in the traceability analysis model;
and determining a tracing path according to the incidence relation between the target attack behavior elements meeting the tracing availability condition in the tracing analysis model, and tracing the network attack event based on the tracing path to obtain a tracing result of the network attack event.
In the embodiment, the computer device determines the target attack behavior elements based on the analysis dimensions to which the attack behavior elements belong in the tracing analysis model, so that the tracing result of the network attack event is determined according to the incidence relation between the target attack behavior elements, and the accurate tracing of the network attack event is realized.
In one embodiment, the tracing module 1508 is further configured to:
determining at least one candidate tracing path according to the incidence relation between the target attack behavior elements in the tracing analysis model;
calculating the traceability credibility corresponding to each candidate traceability path according to the analysis dimension of the target attack behavior element corresponding to each candidate traceability path and the corresponding node level of the target attack behavior element in the threat intelligence tree;
screening a tracing path from the candidate tracing paths according to the tracing credibility;
and determining a tracing result of the network attack event based on the target attack behavior element corresponding to the tracing path.
In the above embodiment, the computer device determines at least one candidate tracing path according to an association relationship between target attack behavior elements in the tracing analysis model, calculates tracing reliability corresponding to each candidate tracing path according to an analysis dimension to which the target attack behavior element corresponding to each candidate tracing path belongs and a node level corresponding to the target attack behavior element in the threat information tree, screens out the tracing path from the candidate tracing paths according to the tracing reliability, and determines a tracing result of the network attack event based on the target attack behavior element corresponding to the tracing path, so that accurate tracing of the network attack event can be realized.
In one embodiment, as shown in fig. 16, the apparatus further comprises: an attack status determination module 1520 and a counter measure report generation module 1522, wherein:
the attack state determining module 1520 is configured to determine, according to the tracing result and the network attack clue, the attack intention of the attack source of the network attack event and the attack stage to which the network attack event currently corresponds in the network attack chain;
a countermeasure report generation module 1522, configured to generate a countermeasure report for the network attack event based on the attack intention and the corresponding attack stage of the network attack event currently in the network attack chain.
In the above embodiment, the computer device determines the attack intention of the attack source of the network attack event and the attack stage corresponding to the network attack event in the network attack chain according to the tracing result and the network attack clue, and generates the countermeasure report for the network attack event based on the attack intention and the attack stage corresponding to the network attack event in the network attack chain, so that the security personnel can counteract the traced network attack event according to the countermeasure report.
For specific limitations of the network attack event tracing processing apparatus, reference may be made to the above limitations on the network attack event tracing processing method, which is not described herein again. All or part of the modules in the network attack event tracing processing device can be realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 17. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used to store threat intelligence data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to realize a network attack event tracing processing method.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 18. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer program in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal; wireless communication can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The computer program is executed by the processor to realize a network attack event tracing processing method. The display screen of the computer device can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer device can be a touch layer overlaid on the display screen, a key, a track ball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse, among others.
It will be appreciated by those skilled in the art that the configurations shown in fig. 17 or 18 are block diagrams of only some of the configurations relevant to the present application and do not constitute a limitation on the computing devices to which the present application may be applied; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, in which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In one embodiment, a computer program product or computer program is provided that includes computer instructions stored in a computer-readable storage medium. The computer instructions are read by a processor of a computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the steps in the above-mentioned method embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and although their description is specific and detailed, they are not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (15)

1. A network attack event tracing processing method is characterized by comprising the following steps:
acquiring a network attack clue related to a network attack event to be traced;
based on the corresponding threat elements of the network attack clues in the constructed network threat association model and the association relation between the threat elements in the network threat association model, carrying out information mining on the network attack clues to obtain threat information related to the network attack events;
taking the network attack clues and the threat intelligence as attack behavior elements corresponding to the network attack events, and constructing a traceability analysis model containing the incidence relation between the attack behavior elements;
and determining a tracing path according to the association relation between the target attack behavior elements in the tracing analysis model, and tracing the network attack event based on the tracing path to obtain a tracing result of the network attack event.
2. The method according to claim 1, wherein the obtaining of the cyber attack clue related to the cyber attack event to be traced comprises:
acquiring network communication related data generated when network equipment works;
carrying out attack detection on the network communication related data based on a preset attack indicator, and determining an attack source related to the network attack event;
and determining a network attack clue of the network attack event to be traced according to the data related to the attack source in the network communication related data.
3. The method according to claim 2, wherein the determining a network attack clue of the network attack event to be traced according to the data related to the attack source in the network communication related data comprises:
carrying out tactical intelligence analysis on the data related to the attack source in the network communication related data through a threat intelligence knowledge base and open source threat intelligence to obtain tactical intelligence information related to the network attack event to be traced;
and determining the tactical intelligence information as a network attack clue of the network attack event to be traced.
4. The method of claim 1, further comprising:
obtaining threat intelligence data from open source intelligence;
comprehensively analyzing the obtained threat intelligence data from a time dimension, a space dimension and a portrait dimension, and determining an association relation between threat elements in the threat intelligence data;
and constructing a network threat association model according to the association relationship among the threat elements in the threat intelligence data.
5. The method according to claim 1, wherein the performing intelligence mining on the cyber attack clues based on threat elements corresponding to the cyber attack clues in the constructed cyber threat association model and an association relationship between the threat elements in the cyber threat association model to obtain threat intelligence related to the cyber attack event comprises:
constructing root nodes for information mining based on corresponding threat elements of the network attack clues in the network threat association model;
constructing descendant nodes for intelligence mining based on threat elements which have an association relation with the threat element corresponding to the root node in the network threat association model, and obtaining a threat intelligence tree;
and determining the threat elements serving as descendant nodes in the threat intelligence tree as the threat intelligence relevant to the network attack event.
6. The method of claim 5, wherein the threat elements in the cyber-threat correlation model include temporal threat elements, spatial threat elements, and portrait threat elements;
the constructing descendant nodes for intelligence mining based on the threat elements which have an association relation with the threat element corresponding to the root node in the network threat association model to obtain a threat intelligence tree comprises:
searching the associated threat elements in the network threat association model layer by layer according to the time dimension, the space dimension and the portrait dimension, starting from the root node and based on the threat elements corresponding to the nodes of the current layer in the network threat association model, until the threat intelligence tree is constructed.
7. The method of claim 6, further comprising:
determining a mining level upper limit matched with the value degree of the network attack clue;
carrying out a convergence operation on the attack behavior elements of the tracing analysis model according to the mining level upper limit to obtain a converged tracing analysis model, wherein the node level in the threat intelligence tree corresponding to each attack behavior element in the converged tracing analysis model is not more than the mining level upper limit;
the determining a tracing path according to the association relation between the target attack behavior elements in the tracing analysis model, tracing the network attack event based on the tracing path, and obtaining a tracing result of the network attack event comprises:
determining a tracing path according to the association relation between the target attack behavior elements in the converged tracing analysis model, and tracing the network attack event based on the tracing path to obtain a tracing result of the network attack event.
8. The method according to any one of claims 1 to 7, wherein the determining a tracing path according to an association relation between target attack behavior elements in the tracing analysis model, and tracing the network attack event based on the tracing path to obtain a tracing result of the network attack event comprises:
determining whether each attack behavior element meets a tracing availability condition based on the analysis dimension to which the attack behavior element belongs in the tracing analysis model;
and determining a tracing path according to the association relation between the target attack behavior elements meeting the tracing availability condition in the tracing analysis model, and tracing the network attack event based on the tracing path to obtain a tracing result of the network attack event.
9. The method according to any one of claims 1 to 7, wherein the determining a tracing path according to an association relation between target attack behavior elements in the tracing analysis model, and tracing the network attack event based on the tracing path to obtain a tracing result of the network attack event comprises:
determining at least one candidate tracing path according to the association relation between the target attack behavior elements in the tracing analysis model;
calculating the tracing credibility corresponding to each candidate tracing path according to the analysis dimension to which the target attack behavior element corresponding to each candidate tracing path belongs and the corresponding node level of the target attack behavior element in the threat intelligence tree;
screening a tracing path from the candidate tracing paths according to the tracing credibility;
and determining a tracing result of the network attack event based on the target attack behavior element corresponding to the tracing path.
10. The method according to any one of claims 1 to 7, further comprising:
determining an attack intention of an attack source of the network attack event and a corresponding attack stage of the network attack event in a network attack chain according to the tracing result and the network attack clue;
and generating a countermeasure report for the network attack event based on the attack intention and the corresponding attack stage of the network attack event in the network attack chain.
11. A network attack event tracing processing device, the device comprising:
the network attack clue acquisition module is used for acquiring network attack clues related to the network attack events to be traced;
the intelligence characteristic extraction and analysis module is used for mining the intelligence of the network attack clues based on corresponding threat elements of the network attack clues in the constructed network threat association model and the association relation between the threat elements in the network threat association model to obtain threat intelligence related to the network attack events;
a tracing analysis model building module, configured to use the network attack clues and the threat intelligence as attack behavior elements corresponding to the network attack event, and build a tracing analysis model including an association relation between the attack behavior elements;
and a tracing module, configured to determine a tracing path according to the association relation between the target attack behavior elements in the tracing analysis model, trace the network attack event based on the tracing path, and obtain a tracing result of the network attack event.
12. The apparatus of claim 11, wherein the network attack clue acquisition module is further configured to:
acquiring network communication related data generated when network equipment works;
carrying out attack detection on the network communication related data based on a preset attack index, and determining an attack source related to a network attack event;
and determining a network attack clue of the network attack event to be traced according to the data related to the attack source in the network communication related data.
13. The apparatus of claim 12, wherein the network attack clue acquisition module is further configured to:
carry out tactical intelligence analysis on the data related to the attack source in the network communication related data through a threat intelligence knowledge base and open source threat intelligence to obtain tactical intelligence information related to the network attack event to be traced;
and determining the tactical intelligence information as a network attack clue of the network attack event to be traced.
14. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the method of any one of claims 1 to 10 when executing the computer program.
15. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 10.
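The procedure of claims 1, 2 and 5 to 9 (detecting an attack source from communication records with a preset indicator, expanding the clue layer by layer through a threat association model into a threat intelligence tree bounded by a mining level upper limit, keeping only candidate paths whose terminal element meets a tracing availability condition, and ranking them by a credibility derived from dimension and node level), as an added worked example. This is not the patent's own code: the flow records, the association model, the 198.51.100.7 / c2.example / GROUP_X identifiers, the value-degree-to-level mapping, the dimension weights and the level decay are all constructed assumptions chosen for illustration.

```python
"""Constructed model of the tracing procedure in CN111935192A (added example,
not the patent's code). All data and weights below are assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed network communication records (claim 2). 198.51.100.7 is a
# documentation-range address used as a placeholder attack source.
FLOW_RECORDS = [
    {"src": "198.51.100.7", "dst": "10.0.0.11", "dport": 445},
    {"src": "198.51.100.7", "dst": "10.0.0.12", "dport": 445},
    {"src": "198.51.100.7", "dst": "10.0.0.13", "dport": 445},
    {"src": "10.0.0.5", "dst": "10.0.0.11", "dport": 445},
]

# Constructed threat association model (claim 4): element -> [(element, dimension)].
# Dimensions follow claim 6: time, space and portrait. Names are placeholders.
THREAT_ASSOCIATION_MODEL = {
    "ip:198.51.100.7": [("domain:c2.example", "space"), ("ts:2020-10-12", "time")],
    "domain:c2.example": [("hash:SAMPLE_A", "space"), ("org:GROUP_X", "portrait")],
    "hash:SAMPLE_A": [("tool:LOADER_T", "portrait")],
    "org:GROUP_X": [("tool:LOADER_T", "portrait"), ("ts:2020-10-12", "time")],
    "tool:LOADER_T": [],
    "ts:2020-10-12": [],
}

# Assumed mapping from clue value degree to the mining level upper limit (claim 7).
MINING_LEVEL_LIMIT = {"low": 1, "medium": 2, "high": 3}
# Assumed per-dimension weight and per-level decay for tracing credibility (claim 9).
DIMENSION_WEIGHT = {"portrait": 1.0, "space": 0.8, "time": 0.5}
LEVEL_DECAY = 0.7
# Assumed tracing availability condition (claim 8): a usable path must end on an
# element that identifies infrastructure or an actor, not on a bare timestamp.
AVAILABLE_DIMENSIONS = {"space", "portrait"}


@dataclass
class TreeNode:
    element: str
    dimension: Optional[str]      # None for the root clue
    level: int                    # depth in the threat intelligence tree
    parent: Optional["TreeNode"]


def detect_attack_source(records, min_targets: int = 3, port: int = 445) -> Optional[str]:
    """Preset attack indicator (claim 2, assumed): one source reaching at least
    min_targets distinct hosts on the same port. Returns the clue 'ip:<addr>'."""
    targets: Dict[str, set] = {}
    for r in records:
        if r["dport"] == port:
            targets.setdefault(r["src"], set()).add(r["dst"])
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            return f"ip:{src}"
    return None


def build_threat_intelligence_tree(clue: str, max_level: int) -> List[TreeNode]:
    """Claims 5 and 6: breadth-first expansion of the clue's threat element through
    the association model, layer by layer, stopping at max_level (claim 7)."""
    root = TreeNode(clue, None, 0, None)
    nodes, seen, queue = [root], {clue}, deque([root])
    while queue:
        node = queue.popleft()
        if node.level >= max_level:
            continue
        for element, dim in THREAT_ASSOCIATION_MODEL.get(node.element, []):
            if element in seen:          # keep it a tree: first reach wins
                continue
            seen.add(element)
            child = TreeNode(element, dim, node.level + 1, node)
            nodes.append(child)
            queue.append(child)
    return nodes


def candidate_tracing_paths(nodes: List[TreeNode]) -> List[List[TreeNode]]:
    """Claim 9: every root-to-leaf chain of associations is a candidate path."""
    has_child = {n.parent.element for n in nodes if n.parent is not None}
    paths = []
    for leaf in nodes:
        if leaf.element in has_child or leaf.parent is None:
            continue
        chain, cur = [], leaf
        while cur is not None:
            chain.append(cur)
            cur = cur.parent
        paths.append(list(reversed(chain)))
    return paths


def tracing_credibility(path: List[TreeNode]) -> float:
    """Claim 9: score from each element's analysis dimension and tree level
    (assumed form: mean of weight * decay**level over the non-root elements)."""
    scores = [DIMENSION_WEIGHT[n.dimension] * LEVEL_DECAY ** n.level
              for n in path if n.parent is not None]
    return sum(scores) / len(scores)


def trace(clue: str, value_degree: str) -> Tuple[Optional[str], float]:
    """Claims 1, 7, 8 and 9: mine, converge to the level limit, drop paths that
    fail the availability condition, rank the rest and report the best."""
    nodes = build_threat_intelligence_tree(clue, MINING_LEVEL_LIMIT[value_degree])
    best, best_cred = None, 0.0
    for path in candidate_tracing_paths(nodes):
        if path[-1].dimension not in AVAILABLE_DIMENSIONS:
            continue
        cred = tracing_credibility(path)
        if cred > best_cred:
            best, best_cred = path[-1].element, cred
    return best, round(best_cred, 3)


if __name__ == "__main__":
    clue = detect_attack_source(FLOW_RECORDS)
    print("clue:", clue)
    print("high-value clue:", trace(clue, "high"))
    print("low-value clue:", trace(clue, "low"))
```

With the constructed data, a high-value clue is mined three levels deep and the path ending on the actor element (org:GROUP_X, portrait dimension, level 2) outranks the longer path through the sample hash and tool; the path ending on the timestamp is discarded by the availability condition. Lowering the clue's value degree caps mining at one level and the tracing result falls back to the associated domain, which is the convergence behaviour claim 7 describes.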

Priority Applications (1)

Application Number: CN202011082874.8A (CN111935192B, en); Priority Date: 2020-10-12; Filing Date: 2020-10-12; Title: Network attack event tracing processing method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number: CN202011082874.8A (CN111935192B, en); Priority Date: 2020-10-12; Filing Date: 2020-10-12; Title: Network attack event tracing processing method, device, equipment and storage medium

Publications (2)

Publication Number: CN111935192A; Publication Date: 2020-11-13 (true CN111935192A, en)
Publication Number: CN111935192B; Publication Date: 2021-03-23 (CN111935192B, en)

Family

ID=73334344

Family Applications (1)

Application Number: CN202011082874.8A (CN111935192B, en); Status: Active; Priority Date: 2020-10-12; Filing Date: 2020-10-12; Title: Network attack event tracing processing method, device, equipment and storage medium

Country Status (1)

Country: CN (1); Link: CN111935192B (en)

Cited By (49)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491913A (en) * 2020-12-03 2021-03-12 重庆洞见信息技术有限公司 Hacker attack tracing analysis system
CN112738126A (en) * 2021-01-07 2021-04-30 中国电子科技集团公司第十五研究所 Attack tracing method based on threat intelligence and ATT & CK
CN112822220A (en) * 2021-03-04 2021-05-18 哈尔滨安天科技集团股份有限公司 Multi-sample combination attack-oriented tracing method and device
CN112839061A (en) * 2021-03-04 2021-05-25 哈尔滨安天科技集团股份有限公司 Tracing method and device based on regional characteristics
CN112839039A (en) * 2021-01-05 2021-05-25 四川大学 Interactive automatic restoration method for network threat event attack scene
CN112866271A (en) * 2021-02-01 2021-05-28 中国南方电网有限责任公司 Attack tracing-based sensitive file protection method, device and system
CN112866234A (en) * 2021-01-14 2021-05-28 中国南方电网有限责任公司 Network attack tracing method, device and system
CN113055396A (en) * 2021-03-26 2021-06-29 深信服科技股份有限公司 Cross-terminal traceability analysis method, device, system and storage medium
CN113067812A (en) * 2021-03-17 2021-07-02 哈尔滨安天科技集团股份有限公司 APT attack event tracing analysis method, device and computer readable medium
CN113225356A (en) * 2021-07-08 2021-08-06 广东云智安信科技有限公司 TTP-based network security threat hunting method and network equipment
CN113259316A (en) * 2021-04-02 2021-08-13 国家电网有限公司 Method and system for visualizing attack path in power system and electronic equipment
CN113301044A (en) * 2021-05-24 2021-08-24 中国电子科技集团公司第十五研究所 Tracking and tracing-oriented spread spectrum network beacon generation method
CN113312625A (en) * 2021-06-21 2021-08-27 深信服科技股份有限公司 Attack path graph construction method, device, equipment and medium
CN113642005A (en) * 2021-08-17 2021-11-12 安天科技集团股份有限公司 Defensiveness assessment method, device, equipment and medium for safety protection product
CN113688382A (en) * 2021-08-31 2021-11-23 林楠 Attack intention mining method based on information security and artificial intelligence analysis system
CN113688383A (en) * 2021-08-31 2021-11-23 林楠 Attack defense testing method based on artificial intelligence and artificial intelligence analysis system
CN113722576A (en) * 2021-05-07 2021-11-30 北京达佳互联信息技术有限公司 Network security information processing method, query method and related device
CN113742718A (en) * 2021-07-30 2021-12-03 国家工业信息安全发展研究中心 Industrial Internet equipment attack path restoration method, related equipment and system
CN113783896A (en) * 2021-11-10 2021-12-10 北京金睛云华科技有限公司 Network attack path tracking method and device
CN113965378A (en) * 2021-10-21 2022-01-21 北京中睿天下信息技术有限公司 Threat mail tracing analysis method, system, equipment and storage medium
CN113965394A (en) * 2021-10-27 2022-01-21 北京天融信网络安全技术有限公司 Network attack information acquisition method and device, computer equipment and medium
CN113965469A (en) * 2021-09-27 2022-01-21 西安交通大学 Construction method of network data analysis model
CN114006726A (en) * 2021-09-27 2022-02-01 中债金科信息技术有限公司 Abnormity analysis method and device based on association graph
CN114003903A (en) * 2021-12-28 2022-02-01 北京微步在线科技有限公司 Network attack tracing method and device
CN114021032A (en) * 2021-11-10 2022-02-08 深圳安巽科技有限公司 Network crime information mining method, system and storage medium
CN114124484A (en) * 2021-11-09 2022-03-01 招商银行股份有限公司 Network attack identification method, system, device, terminal equipment and storage medium
CN114154990A (en) * 2021-12-08 2022-03-08 河北晓博互联网科技有限公司 Big data anti-attack method based on online payment and storage medium
CN114154019A (en) * 2022-02-10 2022-03-08 奇安信科技集团股份有限公司 Line-broadening analysis method and device, electronic equipment and storage medium
CN114338211A (en) * 2021-12-31 2022-04-12 上海浦东发展银行股份有限公司 Network attack tracing method and device, electronic equipment and storage medium
CN114363036A (en) * 2021-12-30 2022-04-15 绿盟科技集团股份有限公司 Network attack path acquisition method and device and electronic equipment
CN114363058A (en) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Equipment detection method, device and related equipment
CN114666239A (en) * 2022-03-21 2022-06-24 北京永信至诚科技股份有限公司 Visual display method, device and equipment for network shooting range and readable storage medium
CN114697106A (en) * 2022-03-29 2022-07-01 杭州安恒信息技术股份有限公司 Threat automatic association traceability method, system, computer equipment and storage medium
CN114745183A (en) * 2022-04-14 2022-07-12 浙江网商银行股份有限公司 Alarm method and device
CN114978765A (en) * 2022-07-06 2022-08-30 济南邦杰电子科技有限公司 Big data processing method serving information attack defense and AI attack defense system
CN115001867A (en) * 2022-08-01 2022-09-02 北京微步在线科技有限公司 Network asset data threat hunting method and device, electronic equipment and storage medium
CN115022063A (en) * 2022-06-14 2022-09-06 安天科技集团股份有限公司 Network-air threat behavior body attack intention analysis method and system, electronic device and storage medium
CN115065545A (en) * 2022-07-06 2022-09-16 保定超越电子科技有限公司 Big data threat perception-based security protection construction method and AI (Artificial Intelligence) protection system
CN115134250A (en) * 2022-06-29 2022-09-30 北京计算机技术及应用研究所 Network attack source tracing evidence obtaining method
CN115348109A (en) * 2022-09-28 2022-11-15 北京珞安科技有限责任公司 Industrial production threat early warning method, system, electronic device and storage medium
CN115412372A (en) * 2022-11-01 2022-11-29 中孚安全技术有限公司 Network attack tracing method, system and equipment based on knowledge graph
CN115564970A (en) * 2022-09-20 2023-01-03 东华理工大学 Network attack tracing method, system and storage medium
CN115701027A (en) * 2021-07-29 2023-02-07 国网山东省电力公司信息通信公司 Network security tracing method and device based on multidimensional aggregation and storage medium
CN115834352A (en) * 2023-02-23 2023-03-21 远江盛邦(北京)网络安全科技股份有限公司 Association analysis method, device and system for network space assets
CN115865438A (en) * 2022-11-22 2023-03-28 北京天融信网络安全技术有限公司 Network attack defense method, device, equipment and medium
CN116112285A (en) * 2023-03-07 2023-05-12 沈阳云盛互联网服务有限公司 Network attack path prediction method and system based on artificial intelligence
CN116383409A (en) * 2023-04-17 2023-07-04 北京中科智易科技股份有限公司 Construction method and system of military knowledge graph
CN114422224B (en) * 2021-08-16 2023-08-29 中国人民解放军战略支援部队信息工程大学 Threat information intelligent analysis method and system for attack tracing
CN117077018A (en) * 2023-10-12 2023-11-17 微网优联科技(成都)有限公司 Data processing method, device and storage medium based on machine learning

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060130892A (en) * 2005-06-09 2006-12-20 한국과학기술원 Ddos detection and packet filtering scheme
CN110336808A (en) * 2019-06-28 2019-10-15 南瑞集团有限公司 A kind of attack source tracing method and system towards electric power industry control network
CN110445807A (en) * 2019-08-23 2019-11-12 瑞森网安(福建)信息科技有限公司 Network security situation sensing system and method
CN110719291A (en) * 2019-10-16 2020-01-21 杭州安恒信息技术股份有限公司 Network threat identification method and identification system based on threat information
CN111030986A (en) * 2019-10-30 2020-04-17 哈尔滨安天科技集团股份有限公司 Attack organization traceability analysis method and device and storage medium
CN111030977A (en) * 2019-04-26 2020-04-17 北京安天网络安全技术有限公司 Attack event tracking method and device and storage medium
CN111225002A (en) * 2020-03-18 2020-06-02 深圳市腾讯计算机系统有限公司 Network attack tracing method and device, electronic equipment and storage medium
CN111556083A (en) * 2020-05-29 2020-08-18 武汉大学 Network attack physical side and information side collaborative source tracing device of power grid information physical system
CN111565205A (en) * 2020-07-16 2020-08-21 腾讯科技(深圳)有限公司 Network attack identification method and device, computer equipment and storage medium
CN111669370A (en) * 2020-05-15 2020-09-15 深圳供电局有限公司 Network attack tracing method and system based on data analysis
CN111756759A (en) * 2020-06-28 2020-10-09 杭州安恒信息技术股份有限公司 Network attack tracing method, device and equipment


CN115834352A (en) * 2023-02-23 2023-03-21 远江盛邦(北京)网络安全科技股份有限公司 Association analysis method, device and system for network space assets
CN116112285B (en) * 2023-03-07 2023-11-14 北京国联视讯信息技术股份有限公司 Network attack path prediction method and system based on artificial intelligence
CN116112285A (en) * 2023-03-07 2023-05-12 沈阳云盛互联网服务有限公司 Network attack path prediction method and system based on artificial intelligence
CN116383409B (en) * 2023-04-17 2023-09-01 北京中科智易科技股份有限公司 Construction method and system of military knowledge graph
CN116383409A (en) * 2023-04-17 2023-07-04 北京中科智易科技股份有限公司 Construction method and system of military knowledge graph
CN117077018A (en) * 2023-10-12 2023-11-17 微网优联科技(成都)有限公司 Data processing method, device and storage medium based on machine learning
CN117077018B (en) * 2023-10-12 2023-12-19 微网优联科技(成都)有限公司 Data processing method, device and storage medium based on machine learning

Also Published As

Publication number Publication date
CN111935192B (en) 2021-03-23

Similar Documents

Publication Publication Date Title
CN111935192B (en) Network attack event tracing processing method, device, equipment and storage medium
US10560471B2 (en) Detecting web exploit kits by tree-based structural similarity search
US11245716B2 (en) Composing and applying security monitoring rules to a target environment
Marchal et al. PhishStorm: Detecting phishing with streaming analytics
CN109074454B (en) Automatic malware grouping based on artifacts
US20210360032A1 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
JP6285390B2 (en) Cyber attack analysis apparatus and cyber attack analysis method
KR20210074891A (en) Method and apparatus for predicting attack target based on attack graph
US11533325B2 (en) Automatic categorization of IDPS signatures from multiple different IDPS systems
US10951645B2 (en) System and method for prevention of threat
Geyik et al. Detection of phishing websites from URLs by using classification techniques on WEKA
Gomes et al. Cryingjackpot: Network flows and performance counters against cryptojacking
Dodia et al. Exposing the rat in the tunnel: Using traffic analysis for tor-based malware detection
Mitsuhashi et al. Identifying malicious dns tunnel tools from doh traffic using hierarchical machine learning classification
CN108768934A (en) Rogue program issues detection method, device and medium
US10897483B2 (en) Intrusion detection system for automated determination of IP addresses
Abuadbba et al. Towards web phishing detection limitations and mitigation
Jo et al. You're not who you claim to be: Website identity check for phishing detection
Cersosimo et al. Detecting malicious domains using the splunk machine learning toolkit
Lee et al. DGA-based malware detection using DNS traffic analysis
Alamleh et al. Machine Learning-Based Detection of Smartphone Malware: Challenges and Solutions
Bo et al. Tom: A threat operating model for early warning of cyber security threats
Trivedi et al. Threat Intelligence Analysis of Onion Websites Using Sublinks and Keywords
Wang et al. HANDOM: Heterogeneous attention network model for malicious domain detection
Mamun et al. Profiling Online Users: Emerging Approaches and Challenges

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant