CN113098852B - Log processing method and device - Google Patents


Info

Publication number
CN113098852B
Authority
CN
China
Prior art keywords
address
source
attack
network device
log
Prior art date
Legal status
Active
Application number
CN202110321168.2A
Other languages
Chinese (zh)
Other versions
CN113098852A
Inventor
周维
吴浪
李学良
陈景妹
胡启明
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Priority date
Filing date
Publication date
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202110321168.2A
Publication of CN113098852A
Application granted
Publication of CN113098852B
Status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The application provides a log processing method and device, which are used to distinguish, among intranet attack events, different attack events that contain the same IP address, and to determine the attack source. The method comprises the following steps: acquiring a first threat log and a second threat log, where the first threat log and the second threat log contain the same source IP address and the same destination IP address, and both the source IP address and the destination IP address are intranet IP addresses; when the first threat log is determined to be from a first network device, determining that the first threat log was generated by a first attack event, the first attack event being generated by a terminal device connected to the first network device; and when the second threat log is determined to be from a second network device, determining that the second threat log was generated by a second attack event, the second attack event being generated by a terminal device connected to the second network device.

Description

Log processing method and device
Technical Field
The present application relates to the field of network security, and in particular, to a log processing method and apparatus.
Background
With the development of network technology, network security technology has emerged; it is mainly used to maintain the security of computer communication networks, covering both the normal operation of the network's hardware and software and the security of the data exchanged over it. In practice, frequent network attacks leave systems with hidden security risks. To secure a system, it is therefore important to identify a network attack and determine its source.
In an existing big-data threat analysis system, multiple threat logs generated by network devices are obtained, and attack events are grouped by analysing the five-tuple (source IP address, source port, destination IP address, destination port, transport-layer protocol) in those logs: logs carrying the same IP addresses are treated as the same event. However, because IP addresses in different intranets may be identical (private address ranges such as 10.0.0.0/8 are reused by many separate networks), several different attack events may be merged into a single attack event, so that an early warning cannot be issued in time.
Disclosure of Invention
The application provides a log processing method and a log processing device, which are used to distinguish, according to network device identifiers, different attack events that contain the same IP address among intranet attack events.
In a first aspect, an embodiment of the present application provides a log processing method, including: acquiring a first threat log and a second threat log;
the first threat log and the second threat log comprise the same source IP address, the first threat log and the second threat log comprise the same destination IP address, and the source IP address and the destination IP address both belong to the IP address of an intranet;
determining that the first threat log was produced by a first attack event when the first threat log is determined to be from a first network device; the first attack event is generated by a terminal device connected with the first network device;
determining that the second threat log was generated by a second attack event when the second threat log is determined to be from a second network device; the second attack event is generated by a terminal device connected to the second network device.
With this scheme, when a first threat log and a second threat log are obtained whose source IP address and destination IP address are the same, the two threat logs are distinguished according to the network devices they come from. This solves the problem that different attack events cannot be told apart because IP addresses from different intranets may coincide in intranet attack events.
In one possible implementation, determining that the first threat log is from a first network device includes:
determining that the first threat log is from the first network device based on an identifier of the first network device included in the first threat log; or,
determining that the second threat log is from a second network device includes:
determining that the second threat log is from the second network device based on an identifier of the second network device included in the second threat log.
With this scheme, different threat logs are distinguished according to the network device identifiers they contain, so that they can be distinguished more accurately and mis-attribution is avoided.
In one possible implementation, the method further includes:
determining a first resource group associated with the identifier of the first network device, the first resource group comprising IP addresses of one or more first terminal devices connected to the first network device, and determining the first terminal device whose IP address matches the source IP address in the first resource group as the attack source of the first attack event; or,
determining a second resource group associated with the identifier of the second network device, the second resource group comprising IP addresses of one or more second terminal devices connected to the second network device, and determining the second terminal device whose IP address matches the source IP address in the second resource group as the attack source of the second attack event.
With this scheme, after a threat log is received, the resource group associated with it is first determined from the network device identifier contained in the threat log; the resource group comprises the IP addresses of one or more terminal devices connected to that network device. The source IP address in the threat log is then matched against the IP addresses of the terminal devices in the resource group, and the terminal device with the same IP address is the attack source. The attack source can thus be determined more accurately and quickly.
In one possible implementation, the method further includes:
receiving configuration information, wherein the configuration information comprises a first association relationship between the first network device and the one or more first terminal devices and a second association relationship between the second network device and the one or more second terminal devices;
generating a network topology graph according to the first association relationship and the second association relationship;
where the information describing the network topology graph includes a correspondence between the identifier of the first network device and the first resource group, and a correspondence between the identifier of the second network device and the second resource group.
With this scheme, the network topology graph is generated from the association relationships between network devices and terminal devices contained in the configuration information, so the relationships among network devices, resource groups and terminal devices can be displayed more intuitively.
In one possible implementation, the method further includes:
determining that the source IP address and the destination IP address both belong to the IP address of the intranet according to the intranet IP grey list;
wherein the intranet IP gray list comprises the source IP address and the destination IP address.
With this scheme, whether the source IP address and the destination IP address are intranet IP addresses is judged against the intranet IP grey list, which makes that judgement more accurate.
In a possible implementation manner, before determining that the source IP address and the destination IP address both belong to an IP address of an intranet according to an intranet IP gray list, the method further includes:
determining that an intranet identification mode is started; the intranet identification mode is used for indicating that the attack event is determined by adopting an intranet IP address identification mode.
With this scheme, before judging whether the source IP address and the destination IP address are intranet IP addresses, it is first determined whether the intranet identification mode is enabled, and the attack event is determined by intranet IP address identification only when the mode is enabled, so computing resources can be saved.
In one possible implementation, the method further includes:
if it is determined that the intranet IP grey list does not contain the source IP address or the destination IP address, determining the attack events to which the first threat log and the second threat log belong according to the source IP address.
With this scheme, if the source IP address and the destination IP address are not both intranet IP addresses, the attack event is determined according to the source IP address, which avoids determining the attack event incorrectly and allows intranet attacks to be distinguished from non-intranet attacks.
In a possible implementation, the configuration information further includes information on the person to whom each of the one or more first terminal devices belongs and its geographical location, and information on the person to whom each of the one or more second terminal devices belongs and its geographical location;
after the attack source of the first attack event is determined, the person and the geographical location of the attack source of the first attack event are determined according to the configuration information;
after the attack source of the second attack event is determined, the person and the geographical location of the attack source of the second attack event are determined according to the configuration information.
With this scheme, the person and the geographical location of the attack source are determined from the person and geographical location recorded for the terminal device in the configuration information, so the attack source can be located precisely and the attack event handled more quickly.
In a second aspect, based on the same inventive concept as the first aspect, an embodiment of the present application provides a log processing apparatus, which may include means for implementing any one of the possible implementations of the first aspect; for its beneficial effects, refer to the first aspect, which are not repeated here. The log processing apparatus includes:
an obtaining unit, configured to obtain a first threat log and a second threat log;
the first threat log and the second threat log comprise the same source IP address, the first threat log and the second threat log comprise the same destination IP address, and the source IP address and the destination IP address both belong to the IP address of an intranet;
a processing unit to determine that the first threat log was generated by a first attack event when it is determined that the first threat log is from a first network device; the first attack event is generated by a terminal device connected with the first network device;
the processing unit further to determine that the second threat log was generated by a second attack event when it is determined that the second threat log is from a second network device; the second attack event is generated by a terminal device connected to the second network device.
In a possible implementation manner, the processing unit is specifically configured to:
determining that the first threat log is from a first network device based on an identifier of the first network device included in the first threat log; or,
determining that the second threat log is from a second network device based on an identification of the second network device included in the second threat log.
In one possible implementation, the processing unit is further configured to:
determining a first resource group associated with the identifier of the first network device, the first resource group comprising IP addresses of one or more first terminal devices connected to the first network device, and determining the first terminal device whose IP address matches the source IP address in the first resource group as the attack source of the first attack event; or,
determining a second resource group associated with the identifier of the second network device, the second resource group comprising IP addresses of one or more second terminal devices connected to the second network device, and determining the second terminal device whose IP address matches the source IP address in the second resource group as the attack source of the second attack event.
In a possible implementation manner, the obtaining unit is further configured to receive configuration information, where the configuration information includes a first association relationship between the first network device and the one or more first terminal devices, and a second association relationship between the second network device and the one or more second terminal devices;
the processing unit is further configured to generate a network topology map according to the first association relation and the second association relation;
the information for describing the network topology map includes a correspondence between the identifier of the first network device and the first resource group, and a correspondence between the identifier of the second network device and the second resource group.
In a possible implementation manner, the processing unit is further configured to:
determining that the source IP address and the destination IP address both belong to the IP address of the intranet according to an intranet IP gray list;
wherein the intranet IP gray list comprises the source IP address and the destination IP address.
In a possible implementation manner, before determining that the source IP address and the destination IP address both belong to an IP address of an intranet according to an intranet IP gray list, the processing unit is further configured to:
determining that an intranet identification mode is started; the intranet identification mode is used for indicating that the attack event is determined by adopting an intranet IP address identification mode.
In a possible implementation manner, the processing unit is further configured to:
determine that the intranet IP grey list does not contain the source IP address or the destination IP address, and determine the attack events to which the first threat log and the second threat log belong according to the source IP address.
In a possible implementation, the configuration information further includes information on the person to whom each of the one or more first terminal devices belongs and/or its geographical location, and information on the person to whom each of the one or more second terminal devices belongs and/or its geographical location;
after determining the attack source of the first attack event, the processing unit determines the person and/or the geographical location of the attack source of the first attack event according to the configuration information, and reports the person and/or the geographical location of the attack source of the first attack event to the network manager;
after determining the attack source of the second attack event, the processing unit determines the person and/or the geographical location of the attack source of the second attack event according to the configuration information, and reports the person and/or the geographical location of the attack source of the second attack event to the network manager.
In a third aspect, an electronic device is provided that includes a processor and a memory. The memory is used for storing computer-executable instructions, and the processor executes the computer-executable instructions in the memory to perform the operational steps of the method of the first aspect or any one of the possible implementations of the first aspect by using hardware resources in the controller.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein instructions, which when executed on a computer, cause the computer to perform the method of the above-described aspects.
In addition, the beneficial effects of the second aspect to the fourth aspect can be referred to as the beneficial effects of the first aspect, and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application.
Fig. 1 is a schematic diagram of a communication network architecture according to an embodiment of the present application;
fig. 2 is a flowchart of a log processing method according to an embodiment of the present application;
fig. 3 is a configuration flow of an intranet grey list according to an embodiment of the present application;
fig. 4 is a flowchart of a method for configuring a device group according to an embodiment of the present application;
fig. 5 is a network topology diagram provided in an embodiment of the present application;
fig. 6A is a schematic diagram of association between a device and a device group provided in an embodiment of the present application;
fig. 6B is a schematic diagram illustrating association between a device group and a network device according to an embodiment of the present application;
fig. 6C is another network topology diagram provided by an embodiment of the present application;
fig. 7 is a device having a log processing function according to an embodiment of the present application;
fig. 8 is an electronic device with a log processing function according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
An existing network threat analysis system determines an attack event by analysing the five-tuple in network device logs. For intranet attack events, however, the same IP address may exist in different intranets, so the threat analysis system may merge several different attack events into one and an early warning cannot be given in time. Based on this, the present application distinguishes attack events with the same IP address according to the network device identifier. The hosts associated with each network device are configured in advance, and the specific host that is the attack source is determined from the attack source IP of the attack event.
To facilitate understanding of the embodiments of the present application, the following description will specifically use the communication network architecture diagram shown in fig. 1 as an example.
The communication network architecture diagram shown in fig. 1 includes a first network device 110, a second network device 120, and a threat analysis system 130. The threat analysis system 130 may be composed of one or more engines, including a parsing engine 131, a rule engine 132, and an intranet recognition engine 133. The threat analysis system 130 also includes an intranet grey list 134 and a resource group 135 stored locally in the system. The architecture further includes one or more first terminal devices 111 connected to the first network device (n of them in fig. 1, where n is a positive integer) and one or more second terminal devices 121 connected to the second network device (m of them in fig. 1, where m is a positive integer). It should be noted that fig. 1 is only an example and does not limit the number of network devices or terminal devices.
The first network device 110 and the second network device 120 are network devices of a Wireless Local Area Network (WLAN), such as routers. The signal coverage is usually a radius of a few kilometres, and a WLAN network device can serve from a few to several thousand computers. In the architecture shown in fig. 1, n first terminal devices 111 are connected to the first network device 110 and m second terminal devices 121 are connected to the second network device 120.
The threat analysis system 130 of the present application is configured to obtain the logs of the first network device 110 and the second network device 120, to analyse the five-tuple (source IP address, source port, destination IP address, destination port, transport-layer protocol) and the network device identifier contained in the logs, and to determine the attack event. Optionally, the parsing engine 131 included in the threat analysis system 130 may convert the format of the messages in the logs, for example into a standard key-value pair format; key-value pairs, also called name-value pairs or attribute-value pairs, are a basic data representation. Optionally, the rule engine 132 included in the threat analysis system 130 may further perform rule matching on the parsed log messages, pick out the threat logs from among all the logs, and generate multiple temporary attack events from the threat logs so picked out; note that one temporary attack event is generated per threat log. Optionally, the intranet recognition engine 133 in the threat analysis system may group and merge the temporary attack events and determine the attack source to obtain the attack events. Specifically: first, the intranet temporary attack events among the temporary attack events are picked out according to the intranet grey list 134 stored locally in the system; then the intranet temporary attack events are grouped and merged according to their source IP address, destination IP address and network device identifier; finally, the source IP address is matched against the resource group 135 stored locally in the system to determine the attack source.
The resource group 135 stored locally in the system includes the above-mentioned n first terminal devices 111 and m second terminal devices 121. It should be noted that the attack events generated by the threat analysis system in this way all carry an intranet tag, which indicates that the attack event is an intranet attack event, that is, that both the source IP address and the destination IP address of the attack event are intranet IP addresses.
The following describes in detail a log processing method flow provided by the embodiment of the present application with reference to a communication network architecture shown in fig. 1.
Fig. 2 is a schematic flow chart of a possible log processing method. The method specifically comprises the following steps:
the threat analysis system retrieves a log of network devices 201.
In a possible manner, when an attack event occurs, the network device that has the attack event may automatically report the log to the threat analysis system. In another possible mode, the threat analysis system may monitor each network device in real time, and extract a log of the corresponding network device when an attack event is monitored.
202, the threat analysis system analyzes the acquired log and matches the rule to generate a temporary attack event.
The threat analysis system parses the acquired log and performs rule matching on it: the parsing engine included in the threat analysis system may parse the acquired log, and the rule engine included in the threat analysis system may perform rule matching on the parsed log. The following description takes as its example the parsing engine performing log parsing and the rule engine performing rule matching.
In one possible implementation, the data in the log messages acquired by the threat analysis system may be in several formats; to facilitate subsequent rule matching, the parsing engine may convert the data in the log messages into a uniform format, for example a standard key-value pair format. The acquired log messages may also contain character strings, which the parsing engine may convert into integers.
After parsing is complete, the rule engine further sorts the parsed logs and extracts the threat logs from all of them. Specifically, the rule engine may filter the parsed logs on some of the fields they contain to determine the threat logs, for example on one or more of the protocol, source IP address, destination IP address, source port, destination port, log type, device identifier, rule ID, log name, and so on. After extracting the threat logs, the rule engine may further generate a temporary attack event from each threat log. Specifically, a preset template for temporary attack events may be configured in the rule engine, and the threat log is fitted to the template to obtain the temporary attack event. It should be noted that each threat log corresponds to one temporary attack event.
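As an added illustration of step 202 (not code from the patent or from NSFOCUS), the following Python sketch plays the role of the parsing engine and the rule engine: it converts constructed key=value log lines into dictionaries, turns numeric strings into integers, keeps only the logs that match a threat rule, and emits one temporary attack event per threat log from a fixed template. The log line format, the field names (devid, type, rule_id, sip, dip, ...) and the rule-ID set are assumptions made for the example.

```python
import re

# Constructed sample messages in a "key=value" format as a hypothetical network
# device might emit them (not taken from the patent). Field names are assumed.
SAMPLE_LOGS = [
    'devid=gw-A type=ids rule_id=1001 proto=tcp sip=10.67.0.8 sport=51234 '
    'dip=10.67.255.2 dport=80 name="webshell upload"',
    'devid=gw-A type=traffic rule_id=0 proto=udp sip=10.67.0.9 sport=5353 '
    'dip=224.0.0.251 dport=5353 name="mdns"',
    'devid=gw-B type=ids rule_id=2002 proto=tcp sip=10.67.0.8 sport=40001 '
    'dip=10.67.255.2 dport=445 name="trojan backdoor beacon"',
]

# A value is either a double-quoted string (may contain spaces) or a run of
# non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields that arrive as strings but are integers for rule matching.
INT_FIELDS = {"rule_id", "sport", "dport"}


def parse_log(line):
    """Parsing engine: one raw message -> key-value dict with typed integers."""
    record = {}
    for key, value in KV_RE.findall(line):
        value = value.strip('"')
        record[key] = int(value) if key in INT_FIELDS else value
    return record


# Rule engine: a log is a threat log when its log type is an IDS alert and its
# rule ID belongs to the configured threat rules (assumed values).
THREAT_RULE_IDS = {1001, 2002}


def is_threat_log(record):
    return record.get("type") == "ids" and record.get("rule_id") in THREAT_RULE_IDS


def to_temporary_event(record):
    """Fit a threat log to the temporary-attack-event template: the five-tuple
    plus the network device identifier, which step 204B later keys on."""
    return {
        "device_id": record["devid"],
        "src_ip": record["sip"],
        "src_port": record["sport"],
        "dst_ip": record["dip"],
        "dst_port": record["dport"],
        "protocol": record["proto"],
        "rule_id": record["rule_id"],
        "name": record["name"],
    }


def temporary_events(lines):
    """Step 202 end to end: parse, rule-match, one temporary event per threat log."""
    return [to_temporary_event(r) for r in map(parse_log, lines) if is_threat_log(r)]


if __name__ == "__main__":
    for event in temporary_events(SAMPLE_LOGS):
        print(event)
```

Keeping the device identifier in the template is the point of the whole scheme: if the rule engine drops it here, the intranet recognition engine has nothing left to tell two identical five-tuples apart.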
203, the threat analysis system determines whether the intranet grey list includes the source IP address and the destination IP address in the temporary attack event.
The threat analysis system retrieves the pre-configured intranet grey list from local storage and judges whether the grey list includes the source IP address and the destination IP address of the temporary attack event.
If not, executing steps 204A-206A;
if so, steps 204B-206B are performed.
The intranet grey list may be pre-configured and stored locally in the threat analysis system. It includes the IP addresses of all intranets. In one possible implementation, when the intranet grey list is configured, the minimum and maximum intranet IP addresses are computed, and the IP addresses in the grey list are the minimum intranet IP address, the maximum intranet IP address, and all IP addresses between them. For example, if the IP segment of an intranet is 10.67.0.0/16, the smallest IP address in that intranet is 10.67.0.0 and the largest is 10.67.255.255. For the specific configuration process of the intranet grey list, refer also to the flowchart shown in fig. 3.
When the judgement is actually performed, it is only necessary to check whether the source IP address and the destination IP address of the temporary attack event both lie between 10.67.0.0 and 10.67.255.255 (inclusive). If so, both the source IP address and the destination IP address are determined to be intranet IP addresses.
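The grey-list configuration and the step-203 check, written out as an added Python example (not the patent's or NSFOCUS's code). It computes the inclusive minimum and maximum of each configured segment as integers, which is what makes the "between" comparison cheap, and it generalises the page's single-segment example to a list of disjoint intranet segments, since "the IP addresses of all intranets" need not be one contiguous range. The segment list and the intranet-mode flag are assumptions for the example.

```python
import ipaddress


def build_grey_list(segments):
    """Fig. 3 style configuration: for each intranet segment in CIDR notation,
    store the inclusive (minimum, maximum) address pair as integers.
    For "10.67.0.0/16" that is (10.67.0.0, 10.67.255.255)."""
    ranges = []
    for segment in segments:
        # strict=False tolerates an operator entering a host address such as
        # 10.67.1.1/16; the segment bounds are derived from the prefix anyway.
        net = ipaddress.ip_network(segment, strict=False)
        ranges.append((int(net.network_address), int(net.broadcast_address)))
    return ranges


def in_grey_list(grey, ip):
    """Inclusive range check: both ends of every segment count as intranet."""
    n = int(ipaddress.ip_address(ip))
    return any(low <= n <= high for low, high in grey)


def is_intranet_event(grey, src_ip, dst_ip):
    """Step 203: only when BOTH addresses are in the grey list is the temporary
    attack event an intranet event. A single intranet address (for example an
    internal host talking to an external one) is not enough."""
    return in_grey_list(grey, src_ip) and in_grey_list(grey, dst_ip)


def select_branch(grey, event, intranet_mode=True):
    """Return "B" for steps 204B-206B (intranet handling) or "A" for steps
    204A-206A. The intranet identification mode is checked first, as the
    disclosure describes; when it is off, the grey list is never consulted."""
    if intranet_mode and is_intranet_event(grey, event["src_ip"], event["dst_ip"]):
        return "B"
    return "A"


# Constructed configuration: two separate sites that happen to use the same
# 10.67.0.0/16 block plus one further segment (assumed values).
GREY = build_grey_list(["10.67.0.0/16", "192.168.10.0/24"])

if __name__ == "__main__":
    for src, dst in [("10.67.0.0", "10.67.255.255"),
                     ("10.67.2.2", "203.0.113.9"),
                     ("192.168.10.7", "10.67.255.2")]:
        print(src, dst, select_branch(GREY, {"src_ip": src, "dst_ip": dst}))
```

The integer pair is the right representation to persist: the page's approach of enumerating "all IP addresses between" the bounds would materialise 65,536 entries for a /16 and over sixteen million for 10.0.0.0/8, while the comparison against the two bounds gives the same answer in constant time.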
204A, the threat analysis system groups the temporary attack events according to their source IP address and destination IP address.
In one possible manner, the threat analysis system groups the temporary attack events by source IP address and destination IP address. Specifically, temporary attack events containing the same source IP address and destination IP address are put in one group, that is, they are regarded as the same temporary attack event.
As an example, before grouping there are three temporary attack events:
temporary attack event 1 contains source IP address 10.67.0.0 and destination IP address 10.67.255.0;
temporary attack event 2 contains source IP address 10.67.0.0 and destination IP address 10.67.255.0;
temporary attack event 3 contains source IP address 10.67.2.2 and destination IP address 10.67.255.2.
Since the source IP address and destination IP address of temporary attack events 1 and 2 are the same, they are regarded as the same temporary attack event and placed in one group. That is, after grouping the three temporary attack events the threat analysis system obtains two groups: the first group contains temporary attack events 1 and 2, and the second group contains temporary attack event 3.
205A, the threat analysis system determines the source of the attack based on the source IP address.
After the temporary attack event grouping is completed, each group of temporary attack events has the same source IP address, and the attack source is determined according to the source IP address. For example, if the source IP address of a certain group of temporary attack events is 10.67.0.0, a terminal device with an IP address of 10.67.0.0 is found, that is, the attack source of the attack event.
206A, the threat analysis system generates an attack event.
After the threat analysis system determines the attack source, an attack event is generated. An attack event may include, but is not limited to, the attack source, the attack destination, the source IP address and destination IP address of the attack event, the consequences of the attack event, the solution for the attack event, and the like. The consequences of an attack event can be generated by the threat analysis system; optionally, the threat analysis system can distinguish different types of attack events and generate corresponding consequences according to the type. For example, if the threat analysis system determines that the attack event is a webshell attack, the generated consequences may be: user information leakage may be caused and machine privileges may be maliciously acquired. The solution for the attack event may also be generated by the threat analysis system; in an alternative manner, the threat analysis system may distinguish different attack events and provide a solution according to the type of attack event. For example, when the threat analysis system determines that the attack event is a trojan backdoor communication event, the generated solution may be: scan for and remove virus trojans on the attacked host. As another alternative, the threat analysis system may also directly generate common solutions without distinguishing attack events, such as: block access from the attacking IP address, clean viruses, and the like.
In some embodiments, if the threat analysis system determines that the intranet grey list includes the source IP address and the destination IP address in the temporary attack event, the threat analysis system executes the following steps:
204B, the threat analysis system groups the temporary attack events according to the source IP address, the destination IP address and the network device identification in the temporary attack events.
In one possible approach, the threat analysis system groups the temporary attack events by their source and destination IP addresses and network device identification. The network device identifier may be a unique hash value obtained by applying a hash algorithm to the Media Access Control (MAC) address of the network device, and this unique hash value is used as the identifier of the network device. At the time of grouping, temporary attack events having the same source IP address, destination IP address and network device identification may be grouped together. For example, before grouping there are four temporary attack events, which are:
temporary attack event one contains the source IP address: 10.67.0.0, destination IP address: 10.67.255.0, network device identification: 908;
temporary attack event two contains the source IP address: 10.67.0.0, destination IP address: 10.67.255.0, network device identification: 908;
temporary attack event three contains the source IP address: 10.67.0.0, destination IP address: 10.67.255.0, network device identification: 907;
temporary attack event four contains the source IP address: 10.67.2.2, destination IP address: 10.67.255.2, network device identification: 908.
Since the source IP address, the destination IP address and the network device identification of the first temporary attack event and the second temporary attack event are the same, the first temporary attack event and the second temporary attack event can be regarded as the same temporary attack event and can be placed in one group. That is, the threat analysis system obtains three groups of temporary attack events after grouping the four temporary attack events, wherein the first group comprises the first temporary attack event and the second temporary attack event, the second group comprises the third temporary attack event, and the third group comprises the fourth temporary attack event.
205B, the threat analysis system determines the attack source based on the source IP address and the network device identification.
After the grouping of the temporary attack events is completed, each group of temporary attack events has the same source IP address and the same network equipment identifier, and the attack source of the temporary attack events is determined according to the source IP address and the network equipment identifier.
Specifically, the threat analysis system may pre-configure resource groups and store the resource groups locally in the system. The terminal devices may be grouped according to the network devices they are connected to, with all terminal devices connected to the same network device placed in one resource group. The specific process of configuring a resource group can also be seen in the flow diagram shown in fig. 4. After the threat analysis system configures the resource groups, a network topology map as shown in fig. 5 is further generated according to configuration information, where the configuration information includes the association relationships between network devices and the plurality of terminal devices connected to them. Specifically, fig. 5 shows, taking two intranets as an example, the association relationship between a resource group and a network device, and the association relationship between each terminal device in the resource group and the network device. The network communication lines include four kinds of cable (twisted pair, unshielded twisted pair, coaxial cable and optical fiber), and also wireless transmission such as short wave and satellite communication. For example, when the network device is a router and the terminal device is a mobile phone, the communication medium between the terminal device and the network device is short wave.
The resource group also contains the IP addresses of all terminal devices in the group. The configuration information further includes a person, a device name, longitude and latitude, a geographic location, or a department to which each terminal device belongs. When the threat analysis system determines the attack source according to the source IP address, the resource group associated with the network equipment can be called from the system local according to the network equipment identification, and then the attack source is determined by matching the terminal equipment in the resource group according to the source IP address. After the attack source is determined, the position of the attack source and the personnel belonging to the attack source can be further rapidly determined according to the information of the personnel belonging to the terminal equipment, the geographic position, the department belonging to the terminal equipment and the like contained in the configuration information.
As an example, a network device is taken as a router, and a terminal device is taken as a computer host. All hosts in a department a of a company share a router, which is identified as 908, and the hosts and the router are connected by optical fibers. When configuring the resource group of the a department, all hosts of the a department and the IP addresses of the hosts may be counted first, and all hosts may be associated with the a department, as shown in fig. 6A. Further, the identification of department a may be associated with the identification 908 of the router, as shown in fig. 6B. Finally, the association relationship between the network device and all hosts is obtained, as shown in fig. 6C. After configuration is complete, the network topology shown in FIG. 6C is stored locally to the threat analysis system. When an attack source is determined, a source IP address is directly matched with the IP addresses of all hosts in the resource group marked as the department A, and the host with the same source IP address is the attack source.
206B, the threat analysis system generates attack events with intranet tags.
The detailed process of generating attack events is as shown in step 206A. Unlike step 206A, the generated attack event needs to be labeled with an intranet flag, since the source IP address and the destination IP address are both intranet IP addresses. As an example, the intranet flag may specifically use the unique hash value of the network device as the flag.
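As an added example that is not part of the patent, the following Python code walks steps 203 to 206B end to end: it builds the gray list as minimum/maximum bounds per intranet segment, groups temporary attack events by (source, destination) or by (source, destination, network device identifier) depending on whether both addresses are intranet, resolves the attack source through the resource group keyed by device identifier, and sets the intranet flag to the device's hash. The hash function (SHA-256 over the MAC), the sample MAC addresses, the resource-group contents and the one external event are constructed assumptions; the page only says "a hash algorithm".

```python
import hashlib
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed intranet gray list: the page's example segment 10.67.0.0/16.
INTRANET_SEGMENTS = ["10.67.0.0/16"]


def build_gray_list(segments):
    """Return (min, max) integer bounds per intranet segment (fig. 3 style)."""
    bounds = []
    for seg in segments:
        net = ipaddress.ip_network(seg, strict=False)
        bounds.append((int(net.network_address), int(net.broadcast_address)))
    return bounds


def in_gray_list(ip, bounds):
    """Step 203: an address is intranet if it lies between any (min, max) pair."""
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in bounds)


def device_id(mac):
    """Network device identifier: hash of the device MAC (SHA-256 is an assumption)."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:12]


# Constructed MACs for two routers; the page's "908" / "907" play the same role.
ROUTER_A = device_id("00:11:22:33:44:55")
ROUTER_B = device_id("66:77:88:99:aa:bb")

# Constructed resource groups (fig. 6C): device identifier -> hosts behind it.
# Note the same IP 10.67.0.0 exists behind both routers (overlapping intranets).
RESOURCE_GROUPS = {
    ROUTER_A: [{"ip": "10.67.0.0", "owner": "dept A host 1"},
               {"ip": "10.67.2.2", "owner": "dept A host 2"}],
    ROUTER_B: [{"ip": "10.67.0.0", "owner": "dept B host 7"}],
}


@dataclass(frozen=True)
class TempEvent:
    src: str
    dst: str
    device: str  # network device identifier carried in the log


# Constructed temporary attack events mirroring the page's four, plus one from
# an external address so the 204A path is exercised as well.
SAMPLE_EVENTS = [
    TempEvent("10.67.0.0", "10.67.255.0", ROUTER_A),
    TempEvent("10.67.0.0", "10.67.255.0", ROUTER_A),
    TempEvent("10.67.0.0", "10.67.255.0", ROUTER_B),
    TempEvent("10.67.2.2", "10.67.255.2", ROUTER_A),
    TempEvent("203.0.113.5", "10.67.1.1", ROUTER_A),
]


def group_events(events, bounds):
    """Steps 204A/204B: key on (src, dst) or (src, dst, device) when both are intranet."""
    groups = defaultdict(list)
    for ev in events:
        both_intranet = in_gray_list(ev.src, bounds) and in_gray_list(ev.dst, bounds)
        key = (ev.src, ev.dst, ev.device) if both_intranet else (ev.src, ev.dst)
        groups[key].append(ev)
    return groups


def resolve_source(key, resource_groups):
    """Step 205B: match src IP inside the device's resource group; 205A: src IP only."""
    if len(key) == 3:
        src, _, dev = key
        for host in resource_groups.get(dev, []):
            if host["ip"] == src:
                return host
        return None  # src not registered behind that device
    return {"ip": key[0], "owner": None}


def generate_attack_events(events, bounds, resource_groups):
    """Steps 206A/206B: one attack event per group; intranet flag = device hash."""
    out = []
    for key, members in group_events(events, bounds).items():
        intranet = len(key) == 3
        out.append({
            "src": key[0],
            "dst": key[1],
            "attack_source": resolve_source(key, resource_groups),
            "intranet_flag": key[2] if intranet else None,
            "log_count": len(members),
        })
    return out


if __name__ == "__main__":
    for ev in generate_attack_events(SAMPLE_EVENTS, build_gray_list(INTRANET_SEGMENTS), RESOURCE_GROUPS):
        print(ev)
```

Without the device identifier in the key, the two 10.67.0.0 hosts behind different routers would collapse into one event and the wrong host would be reported as the attack source.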
In some embodiments, after the threat analysis system generates the attack event, the attack event may be sent to the user in the form of an email or a table, so as to remind the user to check the attack source and repair the attack destination. For example, if the attack destination is a host of a company, that host may have been compromised without the user's knowledge by downloading malicious files. For another example, when the attack source is a host of a company, it may be that the host has been compromised, causing it to attack other hosts inside the company without the user's control.
In one possible implementation, the intranet recognition engine in the threat analysis system may also be provided with a switch. The threat analysis system determines whether the switch is in the on state in response to user operation or according to instructions input by a user. If the threat analysis system determines that the switch of the intranet recognition engine is in the on state, the method shown in fig. 2 is adopted to determine the attack event. If the threat analysis system determines that the switch of the intranet recognition engine is in the off state, the attack event of the threat log is determined according to the five-tuple in the network device log, using the method of the prior art.
Based on the same concept as the log processing method described above, as shown in fig. 7, there is provided an apparatus 700 having a log processing function. The apparatus 700 is capable of performing the steps performed by the threat analysis system in the above-described method, and will not be described in detail here to avoid repetition. The apparatus 700 comprises: an acquisition unit 701 and a processing unit 702.
An obtaining unit 701, configured to obtain a first threat log and a second threat log;
the first threat log and the second threat log comprise the same source IP address, the first threat log and the second threat log comprise the same destination IP address, and the source IP address and the destination IP address both belong to the IP address of an intranet;
a processing unit 702 configured to determine that the first threat log was generated by a first attack event when it is determined that the first threat log is from a first network device; the first attack event is generated by a terminal device connected with the first network device;
the processing unit 702 is further configured to determine that the second threat log was generated by a second attack event when the second threat log is determined to be from a second network device; the second attack event is generated by a terminal device connected to the second network device.
In a possible implementation manner, the processing unit 702 is specifically configured to:
determining that the first threat log is from a first network device based on an identification of the first network device included in the first threat log; or,
determining that the second threat log is from a second network device based on an identification of the second network device included in the second threat log.
In one possible implementation manner, the processing unit 702 is further configured to:
determining a first resource group associated with the identity of the first network device, the first resource group comprising IP addresses of one or more first terminal devices connected to the first network device; determining a first terminal device matched with the source IP address in the first resource group as an attack source of the first attack event; or,
determining a second resource group associated with the identity of the second network device, the second resource group comprising IP addresses of one or more second terminal devices connected to the second network device; and determining the second terminal equipment matched with the source IP address in the second resource group as an attack source of the second attack event.
In a possible implementation manner, the obtaining unit 701 is further configured to receive configuration information, where the configuration information includes a first association relationship between the first network device and the one or more first terminal devices, and a second association relationship between the second network device and the one or more second terminal devices;
the processing unit 702 is further configured to generate a network topology map according to the first association relationship and the second association relationship;
the information for describing the network topology map includes a correspondence between the identifier of the first network device and the first resource group, and a correspondence between the identifier of the second network device and the second resource group.
In a possible implementation manner, the processing unit 702 is further configured to:
determining that the source IP address and the destination IP address both belong to the IP address of the intranet according to the intranet IP grey list;
wherein the intranet IP gray list comprises the source IP address and the destination IP address.
In a possible implementation manner, before determining that the source IP address and the destination IP address both belong to an IP address of an intranet according to an intranet IP gray list, the processing unit 702 is further configured to:
determining that an intranet identification mode is started; the intranet identification mode is used for indicating that the attack event is determined by adopting an intranet IP address identification mode.
In a possible implementation manner, the processing unit 702 is further configured to:
determining that the intranet IP gray list does not contain the source IP address or the destination IP address, and determining the attack event to which the first threat log and the second threat log belong according to the source IP address.
In a possible implementation manner, the configuration information further includes information and/or geographical location information of a person to which the one or more first terminal devices belong, and information and/or geographical location information of a person to which the one or more second terminal devices belong;
after determining the attack source of the first attack event, the processing unit 702 determines the person and/or the geographical location of the attack source of the first attack event according to the configuration information, and reports the person and/or the geographical location of the attack source of the first attack event to a network manager;
after determining the attack source of the second attack event, the processing unit 702 determines the person and/or the geographical location of the attack source of the second attack event according to the configuration information, and reports the person and/or the geographical location of the attack source of the first attack event to the network manager.
Fig. 8 shows a schematic structural diagram of an electronic device corresponding to the threat analysis system according to the embodiment of the present application. The electronic device in this embodiment of the application may further include a communication interface 803, where the communication interface 803 is, for example, a network port, and the electronic device may transmit data through the communication interface 803, for example, receive a log of a network device.
In the present embodiment, the memory 802 stores instructions executable by the at least one processor 801, and the at least one processor 801 may be configured to perform the steps performed by the threat analysis system described above by executing the instructions stored by the memory 802.
The processor 801 is the control center of the electronic device, and may connect the various parts of the whole electronic device through various interfaces and lines, by running or executing instructions stored in the memory 802 and calling up data stored in the memory 802. Alternatively, the processor 801 may include one or more processing units, and the processor 801 may integrate an application processor, which mainly handles the operating system, application programs, and the like, and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may also not be integrated into the processor 801. In some embodiments, the processor 801 and the memory 802 may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 801 may be a general-purpose processor, such as a Central Processing Unit (CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like, that may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps executed by the threat analysis system disclosed in the embodiments of the present application may be directly executed by a hardware processor, or may be executed by a combination of hardware and software modules in the processor.
The memory 802, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 802 may include at least one type of storage medium, for example a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory 802 may also be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 802 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function to store program instructions and/or data.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (8)

1. A method of log processing, the method comprising:
acquiring a first threat log and a second threat log;
the first threat log and the second threat log comprise the same source IP address, the first threat log and the second threat log comprise the same destination IP address, and the source IP address and the destination IP address both belong to the IP address of an intranet;
determining that the first threat log was generated by a first attack event when the first threat log is determined to be from a first network device based on an identification of the first network device that the first threat log includes;
determining a first resource group associated with the identity of the first network device, the first resource group comprising IP addresses of one or more first terminal devices connected to the first network device; determining a first terminal device matched with the source IP address in the first resource group as an attack source of the first attack event;
determining that the second threat log was generated by a second attack event when the second threat log is determined to be from a second network device based on an identification of the second network device included in the second threat log;
determining a second resource group associated with the identity of the second network device, the second resource group comprising IP addresses of one or more second terminal devices connected to the second network device; and determining a second terminal device matched with the source IP address in the second resource group as an attack source of the second attack event.
2. The method of claim 1, further comprising:
receiving configuration information, wherein the configuration information comprises a first association relationship between the first network device and the one or more first terminal devices and a second association relationship between the second network device and the one or more second terminal devices;
generating a network topology map according to the first association relationship and the second association relationship;
the information for describing the network topology map includes a correspondence between the identifier of the first network device and the first resource group, and a correspondence between the identifier of the second network device and the second resource group.
3. The method of claim 1 or 2, further comprising:
determining that the source IP address and the destination IP address both belong to the IP address of the intranet according to an intranet IP gray list;
wherein the intranet IP gray list comprises the source IP address and the destination IP address.
4. The method of claim 3, wherein before determining that the source IP address and the destination IP address both belong to an IP address of an intranet according to an intranet IP gray list, the method further comprises:
determining that an intranet identification mode is started; the intranet identification mode is used for indicating that the attack event is determined by adopting an intranet IP address identification mode.
5. The method of claim 3, further comprising:
if the intranet IP gray list is determined not to contain the source IP address or the destination IP address, determining the attack events of the first threat log and the second threat log according to the source IP address.
6. The method of claim 2, wherein the configuration information further comprises information and/or geographical location information of a person to which the one or more first terminal devices belong, and information and/or geographical location information of a person to which the one or more second terminal devices belong;
after the attack source of the first attack event is determined, determining personnel and/or geographical positions of the attack source of the first attack event according to the configuration information, and reporting the personnel and/or geographical positions of the attack source of the first attack event to a network manager;
after the attack source of the second attack event is determined, determining the personnel and/or the geographical position of the attack source of the second attack event according to the configuration information, and reporting the personnel and/or the geographical position of the attack source of the first attack event to a network manager.
7. A log processing apparatus, characterized in that the apparatus comprises:
an acquisition unit, configured to acquire a first threat log and a second threat log;
the first threat log and the second threat log comprise the same source IP address, the first threat log and the second threat log comprise the same destination IP address, and the source IP address and the destination IP address both belong to the IP address of an intranet;
a processing unit, configured to determine that the first threat log is generated by a first attack event when the first threat log is determined to be from a first network device according to an identifier of the first network device included in the first threat log;
the processing unit is further configured to determine a first resource group associated with the identifier of the first network device, where the first resource group includes IP addresses of one or more first terminal devices connected to the first network device; determining a first terminal device matched with the source IP address in the first resource group as an attack source of the first attack event;
the processing unit is further configured to determine that the second threat log is generated by a second attack event when the second threat log is determined to be from a second network device according to an identification of the second network device included in the second threat log;
the processing unit is further configured to determine a second resource group associated with the identifier of the second network device, where the second resource group includes IP addresses of one or more second terminal devices connected to the second network device; and determining a second terminal device matched with the source IP address in the second resource group as an attack source of the second attack event.
8. An electronic device, characterized in that the electronic device comprises a processor and a memory,
the memory for storing a computer program or instructions;
the processor for executing a computer program or instructions in a memory, such that the method of any of claims 1-6 is performed.
Application CN202110321168.2A, priority date 2021-03-25, filing date 2021-03-25: Log processing method and device (Active, CN113098852B)

Publications (2)

Publication Number Publication Date
CN113098852A CN113098852A (en) 2021-07-09
CN113098852B true CN113098852B (en) 2022-11-22

Family

ID=76669969

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110321168.2A Active CN113098852B (en) 2021-03-25 2021-03-25 Log processing method and device

Country Status (1)

Country Link
CN (1) CN113098852B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697106A (en) * 2022-03-29 2022-07-01 杭州安恒信息技术股份有限公司 Threat automatic association traceability method, system, computer equipment and storage medium
CN114780810B (en) * 2022-04-22 2024-02-27 中国电信股份有限公司 Data processing method and device, storage medium and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
CN109862003A (en) * 2019-01-24 2019-06-07 深信服科技股份有限公司 Local generation method, device, system and the storage medium for threatening information bank

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4129207B2 (en) * 2003-07-18 2008-08-06 株式会社日立製作所 Intrusion analyzer
WO2014119669A1 (en) * 2013-01-30 2014-08-07 日本電信電話株式会社 Log analysis device, information processing method and program
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
CN111654489B (en) * 2020-05-27 2022-07-29 杭州迪普科技股份有限公司 Network security situation sensing method, device, equipment and storage medium
CN111565205B (en) * 2020-07-16 2020-10-23 腾讯科技(深圳)有限公司 Network attack identification method and device, computer equipment and storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 Threat intelligence analysis system oriented to attack source tracing
CN109862003A (en) * 2019-01-24 2019-06-07 深信服科技股份有限公司 Method, device, system and storage medium for locally generating a threat intelligence repository

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A security event analysis and prediction model integrating network security information; Peng Xuena et al.; Journal of Northeastern University (Natural Science); 2005-03-15; full text *

Also Published As

Publication number Publication date
CN113098852A (en) 2021-07-09

Similar Documents

Publication Publication Date Title
US9438623B1 (en) Computer exploit detection using heap spray pattern matching
CN111353151B (en) Vulnerability detection method and device for network application
US10257222B2 (en) Cloud checking and killing method, device and system for combating anti-antivirus test
CN104717107B (en) Method, apparatus and system for network device detection
CN113098852B (en) Log processing method and device
WO2018216000A1 (en) A system and method for on-premise cyber training
CN112039900B (en) Network security risk detection method, system, computer device and storage medium
CN112073437A (en) Multidimensional security threat event analysis method, device, equipment and storage medium
CN111464513A (en) Data detection method, device, server and storage medium
CN112448963A (en) Method, device, equipment and storage medium for analyzing automatic attack industrial assets
CN106302515B (en) Method and apparatus for website security protection
CN110224975B (en) APT information determination method and device, storage medium and electronic device
CN113127875A (en) Vulnerability processing method and related equipment
CN115150209B (en) Data processing method, industrial control system, electronic device, and storage medium
CN112769739A (en) Database operation violation processing method, device and equipment
CN113438225B (en) Vehicle-mounted terminal vulnerability detection method, system, equipment and storage medium
CN113014587B (en) API detection method and device, electronic equipment and storage medium
CN113225356B (en) TTP-based network security threat hunting method and network equipment
CN114567678A (en) Resource calling method and device of cloud security service and electronic equipment
US11677582B2 (en) Detecting anomalies on a controller area network bus
CN112350864B (en) Protection method, device, equipment and computer readable storage medium for domain control terminal
CN115225531A (en) Database firewall testing method and device, electronic equipment and medium
CN115242434A (en) Application program interface API identification method and device
CN107124390B (en) Security defense and implementation method, device and system of computing equipment
CN115174274B (en) Data processing method, industrial control system, electronic device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant