CN112311728A - Host attack and sink judgment method and device, computing equipment and computer storage medium - Google Patents

Info

Publication number: CN112311728A
Application number: CN201910688033.2A
Authority: CN (China)
Legal status: Pending
Prior art keywords: attack, host, log, security event, event
Other languages: Chinese (zh)
Inventors: 胡声秋, 李友国, 吴玲丽
Current and original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Chongqing Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

Embodiments of the invention relate to the technical field of network security and disclose a host compromise judgment method and device, a computing device and a computer storage medium. The method comprises: acquiring an attack log containing the attack information of an intruder and a matching back-packet log containing the victim's TCP session return-packet information; generating valid security events from the attack log and the back-packet log and marking the attack phase of each valid security event; generating a view attack chain of the host from the valid security events and their attack phases; and judging whether the host is compromised by applying a preset compromise rule to the view attack chain of the host. In this way the compromise judgment method based on attack-chain reasoning can automatically judge whether a host is compromised, and the accuracy of judging whether an attack succeeded is improved.

Description

Host attack and sink judgment method and device, computing equipment and computer storage medium
Technical Field
Embodiments of the invention relate to the technical field of network security, in particular to a host compromise judgment method and device, a computing device and a computer storage medium.
Background
Situation-awareness products currently on the market generally provide only attack events, asset threats, risk scores and similar information; the information a user cares about most, whether an asset has been compromised, is neither provided nor displayed.
A device may generate a large volume of traffic logs while performing network activities. Existing host compromise judgment methods mostly rely on manual judgment: a baseline is established from the traffic logs, attacks are found in mass behaviour data through log correlation and big-data analysis, and whether an asset has been compromised is judged from that.
In implementing the embodiments of the present invention, the inventors found that existing host compromise judgment methods rely on strong professional knowledge for manual judgment and are highly subjective; that compromise judgment based on a traffic-log baseline has weak relevance, since an asset may be compromised while its traffic shows no anomaly; and that such judgment is therefore prone to inaccuracy.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention provide a host compromise judgment method and device, a computing device and a computer storage medium which overcome, or at least partially solve, the above problems.
According to one aspect of the embodiments of the present invention, a host compromise judgment method is provided, comprising: acquiring an attack log containing the attack information of an intruder and a matching back-packet log containing the victim's TCP session return-packet information; generating valid security events from the attack log and the back-packet log and marking the attack phase of each valid security event; generating a view attack chain of the host from the valid security events and their attack phases; and judging whether the host is compromised by applying a preset compromise rule to the view attack chain of the host.
In an optional manner, generating the valid security events from the attack log and the back-packet log and marking their attack phases comprises: generating security events from the attack log by applying a preset event rule and marking the attack phase of each security event; filtering mutually exclusive security events by applying a preset denoising rule; and matching the back-packet log against the attack log to screen out the valid security events and their attack phases.
In an optional manner, generating the security events from the attack log by applying the preset event rule and the preset denoising rule and marking the phase-number identifier of each security event comprises: extracting feature values from the attack logs by applying the preset event rule; aggregating the attack logs by feature value to generate the security events; and marking the attack phase of each security event.
In an optional manner, matching the back-packet log against the attack log to screen out the valid security events and their attack phases comprises: screening out the security events for which the attack log and the back-packet log match; marking whether each such security event succeeded according to a preset identifier; and screening the security events marked as successful as the valid security events.
In an optional manner, marking whether a security event succeeded according to a preset identifier comprises marking it according to the result identifier and/or the action identifier in the back-packet log.
In an optional manner, generating the view attack chain of the host from the valid security events and their attack phases comprises: aggregating the valid security events whose destination IP is the host IP into an original attack chain; if the original attack chain contains a valid security event whose attack phase is a first preset attack phase, acquiring the valid security events whose source IP is the host IP; and adding those valid security events to the original attack chain with their attack phase marked as a second preset attack phase, which generates the view attack chain of the host.
In an optional manner, judging whether the host is compromised by applying the preset compromise rule to the view attack chain of the host comprises: if the view attack chain of the host contains at least two valid security events with different attack phases, and the attack phase of one of them is any high-order attack phase, judging that the host is compromised.
According to another aspect of the embodiments of the present invention, a host compromise judgment apparatus is provided, comprising: a log acquisition unit, configured to acquire an attack log containing the attack information of an intruder and a matching back-packet log containing the victim's TCP session return-packet information; an event inference unit, configured to generate valid security events from the attack log and the back-packet log and mark the attack phase of each valid security event; an attack chain inference unit, configured to generate the view attack chain of the host from the valid security events and their attack phases; and a compromise judgment unit, configured to judge whether the host is compromised by applying a preset compromise rule to the view attack chain of the host.
According to another aspect of the embodiments of the present invention, a computing device is provided, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is configured to store at least one executable instruction, and the executable instruction causes the processor to execute the steps of the host compromise judgment method.
According to another aspect of the embodiments of the present invention, a computer storage medium is provided in which at least one executable instruction is stored, the executable instruction causing the processor to execute the steps of the host compromise judgment method.
Embodiments of the invention acquire an attack log containing the attack information of an intruder and a matching back-packet log containing the victim's TCP session return-packet information; generate valid security events from the attack log and the back-packet log and mark the attack phase of each valid security event; generate the view attack chain of the host from the valid security events and their attack phases; and judge whether the host is compromised by applying a preset compromise rule to the view attack chain of the host. The compromise judgment method based on attack-chain reasoning can thus automatically judge whether a host is compromised, and the accuracy of judging whether an attack succeeded is improved.
The foregoing is only an overview of the technical solutions of the embodiments of the present invention. So that the technical means of the embodiments may be understood more clearly and implemented according to the content of this description, and so that the foregoing and other objects, features and advantages of the embodiments may be more readily understood, the detailed description of the present invention is given below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flow chart of a host compromise judgment method according to an embodiment of the present invention;
fig. 2 is a schematic flow chart of another host compromise judgment method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of a further host compromise judgment method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a host compromise judgment apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computing device provided by an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a schematic flow chart of a host compromise judgment method according to an embodiment of the present invention. As shown in fig. 1, the host compromise judgment method includes:
Step S11: acquire an attack log containing the attack information of the intruder and a matching back-packet log containing the victim's TCP session return-packet information.
The attack log sent by the security device and the back-packet log matching it are received. Specifically, the two logs sent by the security device, the attack log and the back-packet log, are received through the TSA module; the attack log contains the attack information of the intruder, and the back-packet log is the Transmission Control Protocol (TCP) session return-packet information of the victim.
Step S12: generate valid security events from the attack log and the back-packet log, and mark the attack phase of each valid security event.
Specifically, a preset event rule is first applied to generate security events from the attack log, and the attack phase of each security event is marked. In the embodiment of the invention, the preset event rule is applied to extract feature values from the attack log; the attack logs are aggregated by feature value to generate the security events; and the attack phase of each security event is marked. The event rule is pre-configured and may be configured by the user as needed; it is not limited here.
Then a preset denoising rule is applied to filter mutually exclusive security events: among two or more security events that cannot occur at the same time, the noise events are filtered out according to the pre-configured denoising rule, so that mutually exclusive events are resolved.
Finally, the back-packet log is matched against the attack log to screen out the valid security events and their attack phases. Specifically, the security events for which the attack log and the back-packet log match are screened out; whether each security event succeeded is marked according to a preset identifier; and the security events marked as successful are screened as the valid security events. The corresponding attack log is matched from the back-packet log, and whether the security event succeeded is marked according to the result identifier (result) and/or the action identifier (action) in the back-packet log. In the embodiment of the present invention, whether an event succeeded may additionally be marked manually, and the manual mark is given the maximum weight and the highest priority. A security event marked as successful is a valid security event.
More specifically, in the embodiment of the present invention, as shown in fig. 2, step S12 includes:
Step S120: start.
Step S121: judge whether the log is an attack log. If yes, execute step S122; if not, jump to step S124.
The security log comprises the attack log and the back-packet log. If the log acquired in step S11 is an attack log, step S122 is executed; if it is a back-packet log, execution jumps to step S124.
Step S122: generate security events from the attack log by applying the preset event rule, and mark the attack phase of each security event.
When an attack log is acquired in step S11, feature values are extracted from the security log according to the preset event rule, the attack logs are aggregated by feature value to generate security events, and the attack phase of each security event is marked. An Advanced Persistent Threat (APT) comprises 7 phases, so the phase-number identifier corresponding to the attack phase of a security event may be any one of 1 to 7. Phase number 1 is Reconnaissance, which mainly makes full use of social engineering to learn about the target network; phase number 2 is Weaponization, mainly the production of a targeted attack tool such as a PDF or Office file carrying malicious code; phase number 3 is Delivery, which delivers the attack tool to the target system, commonly through e-mail attachments, websites carrying malicious code (drive-by downloads), USB drives and the like; phase number 4 is Exploitation, which triggers the attack tool to run in the target system by using a vulnerability in an application or the operating system of the target; phase number 5 is Installation, mainly of a remote-control program (Trojan), so that the attacker can remain in the target system for a long time; phase number 6 is Command and Control, which establishes a C2 channel with the attacker's controller server on the internet; and phase number 7 is Actions on Objectives, the attack actions actually carried out, such as stealing or tampering with information. Marking the attack phase of a security event means setting the phase-number identifier corresponding to that attack phase. For example, if the attack phase of a security event is attack phase 4, the phase-number identifier of the security event is set to 4.
Step S123: filter mutually exclusive security events by applying the preset denoising rule.
According to the preset denoising rule, two or more security events that cannot occur at the same time are filtered; that is, mutually exclusive security events are removed.
Step S124: screen out the security events for which the attack log and the back-packet log match.
If the log acquired in step S11 is a back-packet log, the security events whose attack log matches the back-packet log are screened out.
Step S125: mark whether the security event succeeded according to the preset identifier.
Specifically, whether the event succeeded is marked according to the result and action identifiers in the back-packet log.
Step S126: manually mark whether the security event succeeded.
In the embodiment of the present invention, some security events may additionally be marked manually as successful or not, and the manual mark of whether an event succeeded is assigned the maximum weight and the highest priority.
Step S127: screen the security events marked as successful as the valid security events.
Step S128: end.
In the embodiment of the invention, the feature of whether a security event actually succeeded is extracted by matching the back-packet log against the attack log, so whether the attack succeeded is judged and the accuracy of judging whether the host attack succeeded is improved.
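As an added illustration of steps S121 to S127 (example code, not part of the patent), the following Python runs the event reasoning pipeline over constructed attack-log and back-packet-log records. The event rules, the mutually exclusive signature pair, the success indicators, the log field names and the assumption that the back-packet log is written from the victim's side are all assumptions, since the patent leaves these user-configurable.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumed event rules (the patent leaves them user-configurable):
# signature -> (feature fields the logs are aggregated on, attack phase 1-7).
EVENT_RULES = {
    "PortScan":          (("src_ip", "dst_ip"), 1),
    "WebshellUpload":    (("src_ip", "dst_ip", "dst_port"), 4),
    "WindowsSmbExploit": (("src_ip", "dst_ip"), 4),
    "LinuxSambaExploit": (("src_ip", "dst_ip"), 4),
}
# Assumed denoising rule: signature pairs that cannot both hold for one
# source/destination pair; the one backed by fewer logs is treated as noise.
EXCLUSIVE_PAIRS = [("WindowsSmbExploit", "LinuxSambaExploit")]
# Assumed success indicators in the back-packet log's result/action fields.
SUCCESS_RESULTS = {"success"}
SUCCESS_ACTIONS = {"shell", "download"}


@dataclass
class SecurityEvent:
    signature: str
    src_ip: str
    dst_ip: str
    phase: int
    log_count: int = 0
    sessions: set = field(default_factory=set)  # attacker->victim TCP 4-tuples
    success: Optional[bool] = None              # None: no matching back packet yet


def generate_events(attack_logs):
    """S122: extract each rule's feature values and aggregate logs into events."""
    events = {}
    for log in attack_logs:
        rule = EVENT_RULES.get(log["signature"])
        if rule is None:
            continue  # no event rule configured for this signature
        fields, phase = rule
        key = (log["signature"],) + tuple(log[f] for f in fields)
        ev = events.setdefault(key, SecurityEvent(
            log["signature"], log["src_ip"], log["dst_ip"], phase))
        ev.log_count += 1
        ev.sessions.add((log["src_ip"], log["src_port"], log["dst_ip"], log["dst_port"]))
    return list(events.values())


def denoise(events):
    """S123: drop the weaker of two mutually exclusive events on the same pair."""
    by_pair = defaultdict(dict)
    for ev in events:
        by_pair[(ev.src_ip, ev.dst_ip)][ev.signature] = ev
    noise = []
    for sigs in by_pair.values():
        for a, b in EXCLUSIVE_PAIRS:
            if a in sigs and b in sigs:
                noise.append(min(sigs[a], sigs[b], key=lambda e: e.log_count))
    return [ev for ev in events if not any(ev is n for n in noise)]


def mark_success(events, back_packet_logs, manual_marks=None):
    """S124-S126: match back packets to events by TCP session and mark success
    from the result/action fields; a manual mark has the highest priority."""
    by_session = {s: ev for ev in events for s in ev.sessions}
    for bp in back_packet_logs:
        # The back-packet log is written from the victim side, so flip its
        # direction to the attacker->victim key used for the sessions.
        ev = by_session.get((bp["dst_ip"], bp["dst_port"], bp["src_ip"], bp["src_port"]))
        if ev is None:
            continue  # back packet with no matching attack log is ignored
        ok = bp.get("result") in SUCCESS_RESULTS or bp.get("action") in SUCCESS_ACTIONS
        ev.success = ok if ev.success is None else (ev.success or ok)
    for ev in events:
        verdict = (manual_marks or {}).get((ev.signature, ev.src_ip, ev.dst_ip))
        if verdict is not None:
            ev.success = verdict  # manual mark: maximum weight and priority
    return events


def valid_events(attack_logs, back_packet_logs, manual_marks=None):
    """S127: run the whole S12 pipeline and keep only events marked successful."""
    events = mark_success(denoise(generate_events(attack_logs)),
                          back_packet_logs, manual_marks)
    return [ev for ev in events if ev.success]


# Constructed sample logs (not from the patent): attacker 203.0.113.7 -> host 10.0.0.5.
def _log(sig, sport, dport):
    return {"signature": sig, "src_ip": "203.0.113.7", "src_port": sport,
            "dst_ip": "10.0.0.5", "dst_port": dport}

ATTACK_LOGS = [_log("PortScan", 40001, 22), _log("PortScan", 40002, 80),
               _log("WebshellUpload", 40010, 80), _log("WindowsSmbExploit", 40020, 445),
               _log("LinuxSambaExploit", 40021, 445), _log("LinuxSambaExploit", 40022, 445)]
BACK_PACKET_LOGS = [  # victim-side records: the source is the victim
    {"src_ip": "10.0.0.5", "src_port": 80, "dst_ip": "203.0.113.7", "dst_port": 40010,
     "result": "success", "action": "respond"},  # upload session answered normally
    {"src_ip": "10.0.0.5", "src_port": 22, "dst_ip": "203.0.113.7", "dst_port": 40001,
     "result": "fail", "action": "reset"},       # scan of port 22 answered with RST
]
```

With the sample data only the webshell upload survives as a valid event: the scan is marked failed by its back packet, the Windows SMB event is dropped as noise against the better-supported Linux Samba event, and the Samba event stays unknown until a manual mark is supplied.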
Step S13: generate the view attack chain of the host from the valid security events and their attack phases.
In step S13, the valid security events whose destination Internet Protocol (IP) address is the host IP are aggregated into an original attack chain; if the original attack chain contains a valid security event whose attack phase is the first preset attack phase, the valid security events whose source IP is the host IP are acquired; those valid security events are added to the original attack chain with their attack phase marked as the second preset attack phase, which generates the view attack chain of the host. The first preset attack phase is the attack phase corresponding to any of the phase-number identifiers 1 to 6, and the second preset attack phase is the attack phase corresponding to phase-number identifier 7.
More specifically, as shown in fig. 3, step S13 includes:
Step S130: start.
Step S131: look up all security events whose destination IP is the host IP.
When it is to be judged whether the host is compromised, all security events whose destination IP is the host IP are looked up.
Step S132: aggregate them to form the original attack chain.
All security events whose destination IP is the host IP are aggregated to form the original attack chain of the host.
Step S133: judge whether there is a security event whose attack phase is the first preset attack phase. If yes, execute step S134; if not, jump to step S137 and end.
If the original attack chain of the host is judged to contain a security event whose attack phase is the first preset attack phase, the host has been attacked, but the attack was not necessarily successful, so further judgment follows; if the original attack chain contains no such security event, the host has not been attacked, and the process ends directly.
Step S134: look up all security events whose source IP is the host IP.
If security events whose source IP is the host IP are found, the host has acted as a source IP to carry out attacks.
Step S135: mark the attack phase of these valid security events as the second preset attack phase.
The attack phases of all security events whose source IP is the host IP are marked as the second preset attack phase.
Step S136: supplement the original attack chain to form the view attack chain.
All the security events found whose source IP is the host IP are added to the original attack chain of the host to form the view attack chain of the host.
Step S137: end.
In the embodiment of the invention, the original attack chain is modified by supplementing it with the events of the host's own malicious activity to form the view attack chain; the inferred attack chain is thereby further refined, and the accuracy of judging whether the compromise succeeded is improved.
Step S14: judge whether the host is compromised by applying the preset compromise rule to the view attack chain of the host.
In the embodiment of the invention, the preset compromise rule may be configured according to the user's needs, which permits continuous optimisation to improve the accuracy of judgment. The default compromise rule is: if the view attack chain of the host contains at least two valid security events with different attack phases, and the attack phase of one of them is any high-order attack phase, judge that the host is compromised. Two valid security events with different attack phases in the view attack chain of the host indicate that the host has been attacked, but not whether the attack succeeded; if one of the attack phases is a high-order attack phase, the host has been attacked successfully. The high-order attack phases are the attack phases with phase numbers 5, 6 and 7.
In the embodiment of the invention, a compromise judgment method using attack-chain reasoning is adopted, which realises the function of automatically judging whether a host is compromised, removes the dependence on a security engineer for that judgment, meets the user's need to know whether an asset is compromised, and helps to give timely warning that a host is compromised when operations and maintenance resources are insufficient to monitor it.
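The following Python is an added illustration of steps S131 to S137 and of the default compromise rule of step S14, not code from the patent; the ValidEvent fields and the sample events are constructed. It also shows why the supplement in S134 to S136 matters: the same host is judged not compromised from its original attack chain but compromised from its view attack chain once its own outbound activity is re-marked as phase 7.

```python
from dataclasses import dataclass, replace

FIRST_PRESET_PHASES = {1, 2, 3, 4, 5, 6}  # phase numbers 1-6: the host is a target
SECOND_PRESET_PHASE = 7                  # phase number 7: actions on objectives
HIGH_ORDER_PHASES = {5, 6, 7}            # installation, C2, actions on objectives


@dataclass(frozen=True)
class ValidEvent:
    """A security event already marked successful by the event reasoning step."""
    name: str
    src_ip: str
    dst_ip: str
    phase: int


def original_attack_chain(events, host_ip):
    """S131-S132: all valid events whose destination IP is the host IP."""
    return [e for e in events if e.dst_ip == host_ip]


def view_attack_chain(events, host_ip):
    """S133-S136: if the original chain shows the host being attacked (an event
    in a first preset phase), add the events the host itself sourced, re-marked
    as the second preset phase, to form the view attack chain."""
    chain = original_attack_chain(events, host_ip)
    if not any(e.phase in FIRST_PRESET_PHASES for e in chain):
        return chain  # no attack against the host: nothing to supplement (S137)
    outbound = [replace(e, phase=SECOND_PRESET_PHASE)
                for e in events if e.src_ip == host_ip]
    return chain + outbound


def default_compromise_rule(chain):
    """S14 default rule: at least two valid events with different phases, and one
    of those phases is a high-order phase."""
    phases = {e.phase for e in chain}
    return len(phases) >= 2 and bool(phases & HIGH_ORDER_PHASES)


def is_compromised(events, host_ip, rule=default_compromise_rule):
    """Run S13 and S14 for one host; `rule` is the user-configurable part."""
    return rule(view_attack_chain(events, host_ip))


# Constructed sample of valid events (not from the patent).
EVENTS = [
    ValidEvent("PortScan",       "203.0.113.7", "10.0.0.5", 1),
    ValidEvent("WebshellUpload", "203.0.113.7", "10.0.0.5", 4),
    # 10.0.0.5 later beacons out; seen from its own side this becomes phase 7
    ValidEvent("C2Beacon",       "10.0.0.5",    "198.51.100.9", 6),
    ValidEvent("PortScan",       "203.0.113.7", "10.0.0.6", 1),
    ValidEvent("TrojanInstall",  "203.0.113.7", "10.0.0.8", 5),
    ValidEvent("PortScan",       "203.0.113.7", "10.0.0.8", 1),
]

if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.8", "198.51.100.9"):
        phases = [e.phase for e in view_attack_chain(EVENTS, host)]
        print(host, phases, is_compromised(EVENTS, host))
```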
Fig. 4 is a schematic structural diagram of a host compromise judgment apparatus according to an embodiment of the present invention. As shown in fig. 4, the host compromise judgment apparatus includes a log acquisition unit 401, an event inference unit 402, an attack chain inference unit 403 and a compromise judgment unit 404, wherein:
the log acquisition unit 401 is configured to acquire an attack log containing the attack information of an intruder and a matching back-packet log containing the victim's TCP session return-packet information; the event inference unit 402 is configured to generate valid security events from the attack log and the back-packet log and mark the attack phase of each valid security event; the attack chain inference unit 403 is configured to generate the view attack chain of the host from the valid security events and their attack phases; and the compromise judgment unit 404 is configured to judge whether the host is compromised by applying a preset compromise rule to the view attack chain of the host.
In an alternative approach, the event inference unit 402 is configured to: generate security events from the attack log by applying a preset event rule and mark the attack phase of each security event; filter mutually exclusive security events by applying a preset denoising rule; and match the back-packet log against the attack log to screen out the valid security events and their attack phases.
In an alternative approach, the event inference unit 402 is configured to: extract feature values from the attack logs by applying the preset event rule; aggregate the attack logs by feature value to generate the security events; and mark the attack phase of each security event.
In an alternative approach, the event inference unit 402 is further configured to: screen out the security events for which the attack log and the back-packet log match; mark whether each security event succeeded according to a preset identifier; and screen the security events marked as successful as the valid security events.
In an alternative approach, the event inference unit 402 is further configured to mark whether a security event succeeded according to the result identifier and/or the action identifier in the back-packet log.
In an alternative approach, the attack chain inference unit 403 is configured to: aggregate the valid security events whose destination IP is the host IP into an original attack chain; if the original attack chain contains a valid security event whose attack phase is the first preset attack phase, acquire the valid security events whose source IP is the host IP; and add those valid security events to the original attack chain with their attack phase marked as the second preset attack phase, generating the view attack chain of the host.
In an alternative approach, the compromise judgment unit 404 is further configured to: if the view attack chain of the host contains at least two valid security events with different attack phases, and the attack phase of one of them is any high-order attack phase, judge that the host is compromised.
The embodiment of the invention provides a non-volatile computer storage medium in which at least one executable instruction is stored; the executable instruction can carry out the host compromise determination method of any of the method embodiments.
The executable instructions may be specifically configured to cause the processor to:
acquiring an attack log containing attack information of an intruder and a packet return log which is matched with the attack log and contains TCP session packet return information of a victim;
generating an effective security event according to the attack log and the back packet log, and marking an attack stage of the effective security event;
generating a view attack chain of the host according to the effective security event and the attack stage of the effective security event;
and determining whether the host is compromised by applying a preset compromise rule to the view attack chain of the host.
In an alternative, the executable instructions cause the processor to:
generating a security event by applying a preset event rule according to the attack log, and marking the attack stage of the security event;
filtering the mutually exclusive security events by applying a preset denoising rule;
and matching the back packet log with the attack log to screen out the effective security event and the attack stage of the effective security event.
In an alternative, the executable instructions cause the processor to:
extracting characteristic values in the attack logs by applying the preset event rules;
aggregating the attack logs according to the characteristic values to generate the security events;
marking an attack phase of the security event.
In an alternative, the executable instructions cause the processor to:
screening out the security events matched with the attack logs and the back packet logs;
marking whether the security event succeeded according to a preset identifier;
and screening the security events marked as successful as the effective security events.
In an alternative, the executable instructions cause the processor to:
and marking whether the security event succeeded according to the result identifier and/or the behavior identifier in the back packet log.
In an alternative, the executable instructions cause the processor to:
aggregating the effective security events with the target IP as the host IP into an original attack chain;
if the effective security event of which the attack stage is the first preset attack stage exists in the original attack chain, acquiring the effective security event of which the source IP is the host IP;
supplementing the effective security event with the source IP as the host IP to the original attack chain, marking the attack stage of the effective security event as a second preset attack stage, and generating the view attack chain of the host.
In an alternative, the executable instructions cause the processor to:
and if the view attack chain of the host contains at least two effective security events with different attack stages, and the attack stage of one of them is any of the high-order attack stages, determining that the host has been compromised.
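The whole procedure of this embodiment, from the two logs to the compromise verdict, is illustrated by the following added worked example. It is illustrative code written for this page, not the applicant's implementation: the '|'-separated log layout, the signature-to-stage event rules, the mutually exclusive signature pair used as the denoising rule, the result and behavior identifiers that count as success, the stage names (including which stages play the role of the first preset, second preset and high-order stages) and the sample log lines are all constructed assumptions.

```python
"""Added worked example (not the patent's code): attack-chain based host compromise
determination. Log layouts, rules, stage names and sample logs are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

STAGES = ["recon", "delivery", "exploit", "c2", "lateral"]  # ascending; assumed names
HIGH_ORDER_STAGES = {"c2", "lateral"}                       # assumed high-order stages
FIRST_PRESET_STAGE, SECOND_PRESET_STAGE = "c2", "lateral"   # inbound trigger stage / stage for host-sourced events
# Preset event rules (signature -> stage), denoising rule (signatures that cannot both be
# true for one src/dst pair) and back packet identifiers that mark success; all assumed.
EVENT_RULES = {"PORT_SCAN": "recon", "STRUTS_RCE": "exploit", "IIS_RCE": "exploit",
               "REVERSE_SHELL": "c2", "SMB_BRUTE": "exploit"}
MUTUALLY_EXCLUSIVE = {frozenset({"STRUTS_RCE", "IIS_RCE"})}
SUCCESS_RESULTS, SUCCESS_BEHAVIORS = {"200", "STATUS_SUCCESS"}, {"cmd_output", "shell_banner"}

ATTACK_LOG = """\
# ts|src|dst|session|signature  (constructed intruder-side attack log)
2019-07-29T10:00:01|203.0.113.5|10.0.0.8|s1|PORT_SCAN
2019-07-29T10:05:10|203.0.113.5|10.0.0.8|s2|STRUTS_RCE
2019-07-29T10:05:11|203.0.113.5|10.0.0.8|s2|STRUTS_RCE
2019-07-29T10:05:12|203.0.113.5|10.0.0.8|s3|IIS_RCE
2019-07-29T10:06:00|203.0.113.5|10.0.0.8|s4|REVERSE_SHELL
2019-07-29T10:20:00|10.0.0.8|10.0.0.9|s5|SMB_BRUTE
2019-07-29T10:21:00|198.51.100.7|10.0.0.9|s6|STRUTS_RCE
""".splitlines()
BACK_PACKET_LOG = """\
# ts|src|dst|session|result|behavior  (constructed victim-side TCP response log)
2019-07-29T10:00:01|10.0.0.8|203.0.113.5|s1|RST|none
2019-07-29T10:05:10|10.0.0.8|203.0.113.5|s2|200|cmd_output
2019-07-29T10:05:12|10.0.0.8|203.0.113.5|s3|200|cmd_output
2019-07-29T10:06:01|10.0.0.8|203.0.113.5|s4|-|shell_banner
2019-07-29T10:20:01|10.0.0.9|10.0.0.8|s5|STATUS_SUCCESS|none
""".splitlines()

@dataclass
class SecurityEvent:
    src: str
    dst: str
    signature: str
    stage: str
    sessions: set = field(default_factory=set)
    log_count: int = 0

def parse_log(lines, fields):
    # '|'-separated records into dicts; comment and malformed lines are skipped
    rows = [ln.strip().split("|") for ln in lines if ln.strip() and not ln.startswith("#")]
    return [dict(zip(fields, r)) for r in rows if len(r) == len(fields)]

def generate_events(attack_records):
    """Extract feature values (src, dst, signature), aggregate matching log lines
    into one security event and mark its attack stage from the event rules."""
    events = {}
    for r in attack_records:
        if r["sig"] not in EVENT_RULES:
            continue  # no preset event rule for this signature
        key = (r["src"], r["dst"], r["sig"])
        ev = events.setdefault(key, SecurityEvent(*key, EVENT_RULES[r["sig"]]))
        ev.sessions.add(r["sid"])
        ev.log_count += 1
    return list(events.values())

def denoise(events):
    """Of two mutually exclusive events on one src/dst pair keep the one backed by
    more log lines (ties broken by signature name; assumed tie-break)."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev.src, ev.dst)].append(ev)
    dropped = {id(a) for group in by_pair.values() for a in group for b in group
               if frozenset({a.signature, b.signature}) in MUTUALLY_EXCLUSIVE
               and (a.log_count, a.signature) < (b.log_count, b.signature)}
    return [ev for ev in events if id(ev) not in dropped]

def screen_effective(events, back_packets):
    """Keep events whose session has a victim back packet (reversed IP pair) whose
    result and/or behavior identifier marks the attack as successful."""
    def succeeded(ev):
        return any((p["src"], p["dst"]) == (ev.dst, ev.src) and p["sid"] in ev.sessions
                   and (p["result"] in SUCCESS_RESULTS or p["behavior"] in SUCCESS_BEHAVIORS)
                   for p in back_packets)
    return [ev for ev in events if succeeded(ev)]

def build_view_chain(host_ip, effective):
    """Original chain = effective events targeting the host; if one is at FIRST_PRESET_STAGE,
    add the events the host itself sourced, relabelled as SECOND_PRESET_STAGE."""
    chain = [ev for ev in effective if ev.dst == host_ip]
    if any(ev.stage == FIRST_PRESET_STAGE for ev in chain):
        chain += [SecurityEvent(ev.src, ev.dst, ev.signature, SECOND_PRESET_STAGE,
                                set(ev.sessions), ev.log_count)
                  for ev in effective if ev.src == host_ip]
    return sorted(chain, key=lambda ev: STAGES.index(ev.stage))

def is_compromised(chain):
    # preset compromise rule: at least two distinct stages, one of them high-order
    stages = {ev.stage for ev in chain}
    return len(stages) >= 2 and bool(stages & HIGH_ORDER_STAGES)

def analyze(attack_lines, back_packet_lines, host_ip):
    # whole pipeline for one host; returns ([(signature, stage), ...], compromised)
    attack = parse_log(attack_lines, ["ts", "src", "dst", "sid", "sig"])
    packets = parse_log(back_packet_lines, ["ts", "src", "dst", "sid", "result", "behavior"])
    chain = build_view_chain(host_ip, screen_effective(denoise(generate_events(attack)), packets))
    return [(ev.signature, ev.stage) for ev in chain], is_compromised(chain)
```

Calling `analyze(ATTACK_LOG, BACK_PACKET_LOG, "10.0.0.8")` yields a chain of three stages (exploit, c2, lateral) and the verdict that the host is compromised: the port scan is discarded because the victim answered with RST, the IIS exploit event is removed by the denoising rule in favour of the better-supported Struts event, and the SMB event that 10.0.0.8 itself sourced enters its chain only because an inbound c2-stage event succeeded. For 10.0.0.9 the same data gives a single-stage chain and no compromise verdict, which is what the two-different-stages condition of the preset rule is there to enforce; the event from 198.51.100.7 has no matching back packet and never becomes effective.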
The embodiment of the invention obtains an attack log containing the attack information of an intruder and a back packet log, matched with the attack log, containing the TCP session response information of the victim; generates effective security events from the attack log and the back packet log and marks the attack stage of each effective security event; generates the view attack chain of the host from the effective security events and their attack stages; and determines whether the host is compromised by applying a preset compromise rule to the view attack chain of the host. Whether the host is compromised can thus be determined automatically by a compromise determination method based on attack chain reasoning, which improves the accuracy of judging whether an attack succeeded in compromising the host.
An embodiment of the present invention provides a computer program product comprising a computer program stored on a computer storage medium, the computer program including program instructions which, when executed by a computer, cause the computer to carry out the host compromise determination method of any of the above method embodiments.
The executable instructions may be specifically configured to cause the processor to:
acquiring an attack log containing attack information of an intruder and a packet return log which is matched with the attack log and contains TCP session packet return information of a victim;
generating an effective security event according to the attack log and the back packet log, and marking an attack stage of the effective security event;
generating a view attack chain of the host according to the effective security event and the attack stage of the effective security event;
and determining whether the host is compromised by applying a preset compromise rule to the view attack chain of the host.
In an alternative, the executable instructions cause the processor to:
generating a security event by applying a preset event rule according to the attack log, and marking the attack stage of the security event;
filtering the mutually exclusive security events by applying a preset denoising rule;
and matching the back packet log with the attack log to screen out the effective security event and the attack stage of the effective security event.
In an alternative, the executable instructions cause the processor to:
extracting characteristic values in the attack logs by applying the preset event rules;
aggregating the attack logs according to the characteristic values to generate the security events;
marking an attack phase of the security event.
In an alternative, the executable instructions cause the processor to:
screening out the security events matched with the attack logs and the back packet logs;
marking whether the security event succeeded according to a preset identifier;
and screening the security events marked as successful as the effective security events.
In an alternative, the executable instructions cause the processor to:
and marking whether the security event succeeded according to the result identifier and/or the behavior identifier in the back packet log.
In an alternative, the executable instructions cause the processor to:
aggregating the effective security events with the target IP as the host IP into an original attack chain;
if the effective security event of which the attack stage is the first preset attack stage exists in the original attack chain, acquiring the effective security event of which the source IP is the host IP;
supplementing the effective security event with the source IP as the host IP to the original attack chain, marking the attack stage of the effective security event as a second preset attack stage, and generating the view attack chain of the host.
In an alternative, the executable instructions cause the processor to:
and if the view attack chain of the host contains at least two effective security events with different attack stages, and the attack stage of one of them is any of the high-order attack stages, determining that the host has been compromised.
The embodiment of the invention obtains an attack log containing the attack information of an intruder and a back packet log, matched with the attack log, containing the TCP session response information of the victim; generates effective security events from the attack log and the back packet log and marks the attack stage of each effective security event; generates the view attack chain of the host from the effective security events and their attack stages; and determines whether the host is compromised by applying a preset compromise rule to the view attack chain of the host. Whether the host is compromised can thus be determined automatically by a compromise determination method based on attack chain reasoning, which improves the accuracy of judging whether an attack succeeded in compromising the host.
Fig. 5 is a schematic structural diagram of an embodiment of the apparatus according to the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the apparatus.
As shown in fig. 5, the apparatus may include: a processor (processor)502, a Communications Interface 504, a memory 506, and a communication bus 508.
The processor 502, the communication interface 504 and the memory 506 communicate with one another via the communication bus 508. The communication interface 504 is used for communicating with network elements of other devices, such as clients or other servers. The processor 502 is configured to execute the program 510, and may in particular execute the relevant steps of the host compromise determination method embodiment described above.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit CPU, or an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to implement an embodiment of the present invention. The device includes one or more processors, which may be the same type of processor, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
And a memory 506 for storing a program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
acquiring an attack log containing attack information of an intruder and a packet return log which is matched with the attack log and contains TCP session packet return information of a victim;
generating an effective security event according to the attack log and the back packet log, and marking an attack stage of the effective security event;
generating a view attack chain of the host according to the effective security event and the attack stage of the effective security event;
and determining whether the host is compromised by applying a preset compromise rule to the view attack chain of the host.
In an alternative, the program 510 causes the processor to:
generating a security event by applying a preset event rule according to the attack log, and marking a phase number identifier corresponding to the security event;
filtering the mutually exclusive security events by applying a preset denoising rule;
and matching the back packet log with the attack log to screen out the effective security event and the attack stage of the effective security event.
In an alternative, the program 510 causes the processor to:
extracting characteristic values in the attack logs by applying the preset event rules;
aggregating the attack logs according to the characteristic values to generate the security events;
marking an attack phase of the security event.
In an alternative, the program 510 causes the processor to:
screening out the security events matched with the attack logs and the back packet logs;
marking whether the security event succeeded according to a preset identifier;
and screening the security events marked as successful as the effective security events.
In an alternative, the program 510 causes the processor to:
and marking whether the security event succeeded according to the result identifier and/or the behavior identifier in the back packet log.
In an alternative, the program 510 causes the processor to:
aggregating the effective security events with the target IP as the host IP into an original attack chain;
if the effective security event of which the attack stage is the first preset attack stage exists in the original attack chain, acquiring the effective security event of which the source IP is the host IP;
supplementing the effective security event with the source IP as the host IP to the original attack chain, marking the attack stage of the effective security event as a second preset attack stage, and generating the view attack chain of the host.
In an alternative, the program 510 causes the processor to:
and if the view attack chain of the host contains at least two effective security events with different attack stages, and the attack stage of one of them is any of the high-order attack stages, determining that the host has been compromised.
The embodiment of the invention obtains an attack log containing the attack information of an intruder and a back packet log, matched with the attack log, containing the TCP session response information of the victim; generates effective security events from the attack log and the back packet log and marks the attack stage of each effective security event; generates the view attack chain of the host from the effective security events and their attack stages; and determines whether the host is compromised by applying a preset compromise rule to the view attack chain of the host. Whether the host is compromised can thus be determined automatically by a compromise determination method based on attack chain reasoning, which improves the accuracy of judging whether an attack succeeded in compromising the host.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A host compromise determination method, characterized by comprising the following steps:
acquiring an attack log containing attack information of an intruder and a packet return log which is matched with the attack log and contains TCP session packet return information of a victim;
generating an effective security event according to the attack log and the back packet log, and marking an attack stage of the effective security event;
generating a view attack chain of the host according to the effective security event and the attack stage of the effective security event;
and determining whether the host is compromised by applying a preset compromise rule to the view attack chain of the host.
2. The method of claim 1, wherein generating the effective security event according to the attack log and the back packet log and marking the attack stage of the effective security event comprises:
generating a security event by applying a preset event rule according to the attack log, and marking the attack stage of the security event;
filtering the mutually exclusive security events by applying a preset denoising rule;
and matching the back packet log with the attack log to screen out the effective security event and the attack stage of the effective security event.
3. The method of claim 2, wherein the generating of the security event and the marking of the attack phase of the security event by applying preset event rules and denoising rules according to the attack log comprises:
extracting characteristic values in the attack logs by applying the preset event rules;
aggregating the attack logs according to the characteristic values to generate the security events;
marking an attack phase of the security event.
4. The method of claim 3, wherein matching the back packet log with the attack log to screen out the effective security event and the attack stage of the effective security event comprises:
screening out the security events matched with the attack logs and the back packet logs;
marking whether the security event succeeded according to a preset identifier;
and screening the security events marked as successful as the effective security events.
5. The method of claim 4, wherein marking whether the security event succeeded according to a preset identifier comprises:
and marking whether the security event succeeded according to the result identifier and/or the behavior identifier in the back packet log.
6. The method of claim 1, wherein generating a view attack chain for a host according to the valid security event and the attack phase of the valid security event comprises:
aggregating the effective security events whose target IP is the host IP into an original attack chain;
if the effective security event of which the attack stage is the first preset attack stage exists in the original attack chain, acquiring the effective security event of which the source IP is the host IP;
supplementing the effective security event with the source IP as the host IP to the original attack chain, marking the attack stage of the effective security event as a second preset attack stage, and generating the view attack chain of the host.
7. The method according to claim 6, wherein determining whether the host is compromised by applying a preset compromise rule to the view attack chain of the host comprises:
and if the view attack chain of the host contains at least two effective security events with different attack stages, and the attack stage of one of them is any of the high-order attack stages, determining that the host has been compromised.
8. A host compromise determination device, the device comprising:
the log obtaining unit is used for obtaining an attack log containing attack information of an intruder and a packet returning log which is matched with the attack log and contains TCP session packet returning information of a victim;
the event reasoning unit is used for generating an effective security event according to the attack log and the packet returning log and marking the attack stage of the effective security event;
the attack chain reasoning unit is used for generating a view attack chain of the host according to the effective security event and the attack stage of the effective security event;
and a compromise determination unit, configured to determine whether the host is compromised by applying a preset compromise rule to the view attack chain of the host.
9. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the steps of the host compromise determination method according to any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the steps of the host compromise determination method according to any one of claims 1-7.
CN201910688033.2A 2019-07-29 2019-07-29 Host attack and sink judgment method and device, computing equipment and computer storage medium Pending CN112311728A (en)

Publications (1)

Publication Number Publication Date
CN112311728A true CN112311728A (en) 2021-02-02

Family

ID=74329426

Country Status (1)

Country Link
CN (1) CN112311728A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259361A (en) * 2021-05-20 2021-08-13 常州皓焱信息科技有限公司 Internet security data processing method and system
CN114448679A (en) * 2022-01-04 2022-05-06 深圳萨摩耶数字科技有限公司 Attack chain construction method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101270027B1 (en) * 2011-12-26 2013-05-31 한국기초과학지원연구원 Method for ip back-tracing of ddos using traffic screen
CN105721443A (en) * 2016-01-25 2016-06-29 飞天诚信科技股份有限公司 Link session key negotiation method and device
CN109617885A (en) * 2018-12-20 2019-04-12 北京神州绿盟信息安全科技股份有限公司 Capture host automatic judging method, device, electronic equipment and storage medium
CN109698819A (en) * 2018-11-19 2019-04-30 中国科学院信息工程研究所 Threat disposition management method and system in a kind of network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吕宗平: "基于攻击链和网络流量检测的威胁情报分析研究", 《计算机应用研究》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210202