CN113422697B - Tracking method, device, electronic equipment and readable storage medium - Google Patents

Tracking method, device, electronic equipment and readable storage medium Download PDF

Info

Publication number
CN113422697B
Authority
CN
China
Prior art keywords
abnormal
address
information
equipment
address information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110687681.3A
Other languages
Chinese (zh)
Other versions
CN113422697A (en)
Inventor
周斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110687681.3A
Publication of CN113422697A
Application granted
Publication of CN113422697B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0677 Localisation of faults
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Debugging And Monitoring (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application discloses a tracking method, a tracking device, an electronic device and a computer-readable storage medium. The method comprises the following steps: acquiring the abnormal address information and the abnormal occurrence time corresponding to an abnormal event; acquiring device state information, which comprises device address information, an address active period and a device identifier; performing address matching between the abnormal address information and the device address information, and time matching between the abnormal occurrence time and the address active period; and determining the device identifier whose record passes both the address matching and the time matching as the abnormal device identifier. By acquiring the device state information and screening it with the information corresponding to the abnormal event, an accurate abnormal device identifier is obtained, so that tracing remains accurate even when address information changes in a DHCP scenario, and tracing accuracy and reliability are improved.

Description

Tracking method, device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a tracking method, a tracking apparatus, an electronic device, and a computer-readable storage medium.
Background
The Dynamic Host Configuration Protocol (DHCP) is a network protocol used on local area networks that allows a server to dynamically allocate IP addresses and configuration information to clients, so that a device in the network dynamically obtains information such as its IP (Internet Protocol) address, gateway address and DNS (Domain Name System) server address; this improves address utilisation. When handling an abnormal event, the related art usually traces it by the abnormal address information in use when the event occurred, and then treats the holder of that address as the source for an extended period afterwards. However, in a network using DHCP the address information changes constantly, so the accuracy and reliability of such tracing are low and abnormal events cannot be handled quickly and efficiently.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a tracking method, a tracking apparatus, an electronic device and a computer-readable storage medium, which obtain an accurate abnormal device identifier by acquiring device state information and screening it with the information corresponding to the abnormal event, so that the abnormal device can be traced accurately even when its address information changes in a DHCP scenario.
In order to solve the above technical problem, the present application provides a tracking method, which specifically includes:
acquiring abnormal address information and abnormal occurrence time corresponding to the abnormal event;
acquiring equipment state information; the device state information comprises device address information, an address activity period and a device identification;
performing address matching on the abnormal address information and the equipment address information, and performing time matching on the abnormal occurrence time and the address active time period;
and determining the equipment identifier passing both address matching and time matching as an abnormal equipment identifier.
Optionally, the method further comprises:
classifying the abnormal events based on the abnormal equipment identification to obtain an abnormal event group;
and outputting the abnormal device identification and the corresponding abnormal event group.
Optionally, the outputting the abnormal device identifier and the corresponding abnormal event group includes:
determining a target priority abnormal equipment identifier from multiple types of abnormal equipment identifiers by using the type priority corresponding to the equipment identifier;
and outputting the target priority abnormal device identification and the corresponding abnormal event group.
Optionally, the method further comprises:
receiving a view switching instruction; the view switching instruction specifies a target type;
and selecting the device identifier of the target type as the target device identifier according to the view switching instruction, and outputting the target device identifier and/or the abnormal event group.
Optionally, the target type is a user name type, and outputting the target device identifier and/or the abnormal event group comprises:
outputting the target user name specified by the view switching instruction and/or the abnormal event group corresponding to the target user name.
Optionally, the method further comprises:
screening the device log based on the abnormal device identifier and/or the abnormal event to obtain abnormal information;
and generating tracking and tracing information by using the abnormal information.
Optionally, the method further comprises:
if a handling query instruction is received, outputting the abnormal events carrying a target flag; the target flag is at least one of an unhandled flag, a newly added flag and a periodically newly added flag;
and if a handling instruction is received, handling the corresponding abnormal event based on the handling instruction.
The present application further provides a tracking device, including:
the first acquisition module is used for acquiring abnormal address information and abnormal occurrence time corresponding to the abnormal event;
the second acquisition module is used for acquiring the equipment state information; the device state information comprises device address information, an address activity period and a device identification;
the matching module is used for carrying out address matching on the abnormal address information and the equipment address information and carrying out time matching on the abnormal occurrence time and the address active time period;
and the determining module is used for determining the equipment identifier passing both address matching and time matching as the abnormal equipment identifier.
The present application further provides an electronic device comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the tracking method.
The present application also provides a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the tracking method described above.
The tracking method provided by the application acquires the abnormal address information and the abnormal occurrence time corresponding to an abnormal event; acquires device state information comprising device address information, an address active period and a device identifier; performs address matching between the abnormal address information and the device address information, and time matching between the abnormal occurrence time and the address active period; and determines the device identifier that passes both the address matching and the time matching as the abnormal device identifier.
Therefore, when tracing the abnormal device (an abnormal host is taken as the example) corresponding to an abnormal event, the method acquires not only the abnormal address information and the abnormal occurrence time of the event but also the device state information. The device state information describes the address usage of each host: the device address information is the address the host used, the address active period is the time span during which it used that address, and the device identifier names the host. Because the device state information records which address each host used during every past period, filtering it by the abnormal address information and the abnormal occurrence time yields the device identifier whose device address information matches the abnormal address information and whose address active period contains the abnormal occurrence time. The host with that identifier is the one that held the abnormal address when the event occurred, so the event can be attributed to it and the abnormal host is traced accurately.
By acquiring the device state information and screening it with the information corresponding to the abnormal event, an accurate abnormal device identifier is obtained even when address information changes in a DHCP scenario; tracing accuracy and reliability are improved, abnormal events can be handled quickly and efficiently, and the poor tracing accuracy and reliability of the related art are overcome.
In addition, the application also provides a tracking device, an electronic device and a computer readable storage medium, which also have the beneficial effects.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a tracking method according to an embodiment of the present application;
FIG. 2 is a flowchart of a tracking method according to an embodiment of the present disclosure;
fig. 3 is a structural diagram of a tracking device according to an embodiment of the present disclosure;
fig. 4 is a hardware composition framework diagram applicable to a tracking method according to an embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
An abnormal device is a device related to an abnormal event, for example a device on which an abnormal event occurred or which took part in one; its specific type is not limited. For example, the abnormal host may be a physical host, a virtual host or a cloud device (such as a virtual machine or a container), and the following description takes an abnormal host as the example when describing how an abnormal device is traced. In the related art, when tracing an abnormal host, the host is usually identified by the address associated with the abnormal event. However, in a DHCP scenario the addresses of the hosts in the network (IP addresses, gateway addresses and so on) may change frequently in order to raise address utilisation. Because tracing is usually not performed in real time but lags the event, the IP address associated with the abnormal event may already have been reassigned to another host that did not cause the event, and the trace then points at the wrong host.
In order to solve the above technical problem, the present application provides a tracking method. Specifically, please refer to fig. 1, in which fig. 1 is a flowchart illustrating a tracking method according to an embodiment of the present disclosure. The method comprises the following steps:
s101: and acquiring exception address information and exception occurrence time corresponding to the exception event.
The abnormal address information indicates the specific address from which the abnormal event originated; the address type is not limited and may be, for example, an IP address or a gateway address. The abnormal occurrence time records when the abnormal event occurred. Since address information may change at any time in a DHCP scenario, the abnormal occurrence time is acquired together with the address so that the host that used the abnormal address at that moment can later be traced on a time basis. The data format of the abnormal occurrence time is not limited in this embodiment and may be, for example, year-month-day-hour-minute-second; it should be understood that the smallest unit of the abnormal occurrence time must be finer than the smallest granularity at which addresses are reassigned in the DHCP scenario. In practice the clock of the device that records the event must also be synchronised with the clock of the source of the device state information, since the time matching in step S103 otherwise compares timestamps taken from different clocks.
This embodiment does not limit how the abnormal address information and the abnormal occurrence time are obtained. In one possible implementation, both are obtained directly from another electronic device, for example a security device (a network security device or an endpoint security device). Specifically, after detecting an abnormal event the security device records the event, extracts the corresponding abnormal address information, and records the current time as the abnormal occurrence time. The security device may immediately send the abnormal address information and the abnormal occurrence time to the electronic device that performs the steps of this embodiment, or may return them in response to an information acquisition instruction when such an instruction is received. Some or all of the steps in this embodiment may be performed by a unified management platform, which may consist of one or more electronic devices.
In another possible implementation, the abnormal address information and the abnormal occurrence time are obtained by the unified management platform itself; in this case the unified management platform also detects the abnormal event and obtains the corresponding information upon detection. Neither the specific type of abnormal event nor the specific detection method and process is limited.
S102: device status information is obtained.
In this embodiment, the device state information indicates the network state of a host and specifically comprises device address information, an address active period and a device identifier. The device address information indicates which addresses a host used, the address active period indicates the period during which the host used those addresses, and the device identifier identifies the host; its form is not limited. For example, the host name or the MAC (Media Access Control) address may be used; and since in practice a host is normally used by a fixed user, so that host and user correspond, a user name may also serve as the device identifier. There may be one or more items of device state information: since there are several hosts, the device state information may record these three items for all hosts, or for a single host. Because a given address can be used by only one host at a given time, once the address active period and the device address information are fixed there is at most one corresponding device identifier. This embodiment does not limit how the device state information is obtained. In one embodiment, because devices such as gateways record this information during operation, the device state information is obtained from the operating records of such devices; in another, the address usage of each host in the network is monitored and recorded to obtain the device state information.
The timing of the step of acquiring the device state information is not limited in this embodiment and may differ with the acquisition method; for example, the step may be executed periodically, or when an execution instruction is detected. The execution instruction may be entered externally or generated automatically when a preset condition is met, for example when it is detected that the device state information is needed, or when the abnormal address information and the abnormal occurrence time have been acquired, at which point the device state information can be considered to be needed. Further, the order of step S101 and step S102 is not limited: they may be executed in series or in parallel.
S103: and carrying out address matching on the abnormal address information and the equipment address information, and carrying out time matching on the abnormal occurrence time and the address active period.
After the abnormal address information, the abnormal occurrence time and the device state information are obtained, address matching is performed between the abnormal address information and the device address information, and time matching between the abnormal occurrence time and the address active period. The specific matching methods are not limited. In one implementation, address matching is content matching, and it passes when the abnormal address information is identical to the device address information; time matching is range matching, and it passes when the abnormal occurrence time falls within the address active period.
S104: and determining the device identifier passing the address matching and the time matching as the abnormal device identifier.
Because the device address information, the device identifier and the address active period correspond one to one, when the device address information for some device identifier matches the abnormal address information and the corresponding address active period matches the abnormal occurrence time, that device identifier is the abnormal device identifier of the abnormal host. The host with that identifier used the address recorded in the device address information throughout the address active period, so only that host could have used the abnormal address information to cause the abnormal event at the abnormal occurrence time; it is therefore the abnormal host, and its device identifier is the abnormal device identifier.
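The matching of steps S101 to S104, written out as an added example that is not part of the patent or of any Sangfor product. The device-state records, the two-host lease history for one address and the timestamps are constructed for illustration; treating the active period as a half-open interval and refusing to answer when two records overlap are this example's choices, not something the text prescribes.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


def ts(s: str) -> datetime:
    """Parse a year-month-day-hour-minute-second timestamp (the resolution the text calls for)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


@dataclass(frozen=True)
class DeviceState:
    """One device-state record: which address a device held, and over which period."""
    device_id: str          # device identifier: host name, MAC address or user name
    address: str            # device address information (an IP address here)
    active_from: datetime   # start of the address active period (inclusive)
    active_to: datetime     # end of the address active period (exclusive)


# Constructed sample: the DHCP server hands 10.0.0.50 to host-A, then, once host-A's lease
# lapses, to host-B. 10.0.0.51 is held by host-C for the whole window.
SAMPLE_STATES = [
    DeviceState("host-A", "10.0.0.50", ts("2021-06-21 08:00:00"), ts("2021-06-21 10:00:00")),
    DeviceState("host-B", "10.0.0.50", ts("2021-06-21 10:00:00"), ts("2021-06-21 12:00:00")),
    DeviceState("host-C", "10.0.0.51", ts("2021-06-21 08:00:00"), ts("2021-06-21 12:00:00")),
]


def find_abnormal_device(abnormal_address: str, occurred_at: datetime,
                         states: list[DeviceState]) -> Optional[str]:
    """S103/S104: return the device identifier whose record passes both matches.

    Address matching is exact content comparison. Time matching is containment of the
    abnormal occurrence time in the half-open period [active_from, active_to), so a lease
    that ends at T and the next lease that starts at T cannot both match an event at T.
    """
    matched = {s.device_id for s in states
               if s.address == abnormal_address
               and s.active_from <= occurred_at < s.active_to}
    if not matched:
        return None          # no record covers that address at that instant
    if len(matched) > 1:
        # One address belongs to one host at a time; two matches mean the records are
        # inconsistent (overlapping leases, unsynchronised clocks). Do not guess.
        raise ValueError(f"ambiguous state for {abnormal_address} at {occurred_at}: {sorted(matched)}")
    return matched.pop()


def naive_trace(abnormal_address: str, traced_at: datetime,
                states: list[DeviceState]) -> Optional[str]:
    """The related-art approach: ask who holds the address now, at tracing time."""
    return find_abnormal_device(abnormal_address, traced_at, states)


if __name__ == "__main__":
    event_addr, event_time = "10.0.0.50", ts("2021-06-21 09:30:00")
    traced_at = ts("2021-06-21 11:00:00")   # the analyst reaches the alert 90 minutes later
    print("by occurrence time:", find_abnormal_device(event_addr, event_time, SAMPLE_STATES))  # host-A
    print("by tracing time   :", naive_trace(event_addr, traced_at, SAMPLE_STATES))           # host-B
```

Run as a script, the two lines differ: the event at 09:30 is attributed to host-A, while asking who holds 10.0.0.50 at tracing time returns host-B, which is exactly the misattribution the Background describes.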
By applying the tracking method provided by this embodiment, when the abnormal host corresponding to an abnormal event is traced, the abnormal address information and the abnormal occurrence time of the event are acquired together with the device state information. The device state information describes the address usage of each host: the device address information is the address the host used, the address active period is the span during which it used that address, and the device identifier names the host. Because the device state information records which address each host used during every past period, filtering it by the abnormal address information and the abnormal occurrence time yields the device identifier whose address matches and whose active period contains the occurrence time; the host with that identifier held the abnormal address when the event occurred, so the event is attributed to it and the abnormal host is traced accurately.
In this way an accurate abnormal device identifier is obtained even when address information changes in a DHCP scenario; tracing accuracy and reliability are improved, abnormal events can be handled quickly and efficiently, and the poor tracing accuracy and reliability of the related art are overcome.
Based on the above embodiments, the present embodiment will specifically describe several steps in the above embodiments. In an embodiment, the unified management platform that performs all or part of the steps in this embodiment may autonomously obtain the device status information to obtain reliable device status information. Specifically, the process of acquiring the device status information may include the following steps:
step 11: and scanning the equipment identifier of the host equipment to obtain the equipment identifier.
In this embodiment, the device identifier of each host is obtained by scanning, and the specific scanning process is not limited: the unified management platform may scan each host itself, or a probe or an endpoint detection and response (EDR) platform may be deployed and directed to scan the hosts. The scanning technique is likewise not limited and may depend on the type of device identifier. For example, when the device identifier is a host name, it may be collected through SMB (Server Message Block) protocol auditing, DHCP protocol auditing, Nmap (Network Mapper) active scanning and the like; when it is a MAC address, through Nmap active scanning, ARP (Address Resolution Protocol) auditing, SNMP (Simple Network Management Protocol) auditing and the like.
Step 12: and carrying out address information activity detection on the host equipment to obtain equipment address information and an address activity period.
Address activity detection determines the addresses used by a host and the time during which each address was in use, yielding the device address information and the address active period. The specific method is not limited; for example, the host's logs of communication with the outside may be obtained, the addresses in use determined by analysing those logs to give the device address information, and the first and last use time of each address recorded to form the address active period. In one implementation the address activity detection is performed together with the device identifier scanning; the detection process itself follows the related art and is not repeated here. As with device identifier scanning, address activity detection may be performed by the unified management platform itself or by a probe or endpoint detection and response platform under its control, either in real time or on a preset cycle. Because the hosts are scanned directly, the device state information obtained in this way, and hence the abnormal device identifier, is highly reliable.
In another possible implementation, since the host generally needs to use various gateway devices in the process of communicating with the outside world, the device status information may be obtained from the gateway device in order to obtain the device status information quickly and conveniently. The process of acquiring the device status information may specifically include the following steps:
step 21: and sending a work information acquisition request to the gateway equipment.
It should be noted that the device type and the deployment manner of the gateway device are not limited, and for example, the gateway device may be a gateway device for performing internet behavior management, or may be a gateway device for providing VPN service, or may be a wireless controller gateway device for performing wireless network connection. The gateway device has corresponding operating information in which the address used when the host device communicates with the outside world can be recorded. Therefore, when acquiring the device state information, a work information acquisition request may be sent to the gateway device. It can be understood that the data items recorded by different gateway devices may be different, for example, the specific types of the device identifiers may be different, some gateway devices use a user name as a device identifier, some gateway devices use a MAC address as a device identifier, and some gateway devices use a host name as a device identifier.
Step 22: and acquiring the working information sent by the gateway equipment, and acquiring equipment state information by using the working information.
After acquiring the work information acquisition request, the gateway device responds to the request by using the work information. Therefore, after the working information sent by the gateway device is obtained, the device state information can be obtained by using the working information. The device state information is obtained through the working information obtained from the gateway device, scanning of each host device is not needed, consumption of computing resources is saved, time for obtaining the working information is short, the process is convenient, and the device state information can be obtained quickly and conveniently.
In a possible implementation manner, the gateway device analyzes the host status according to its own working condition, and the obtained working information directly includes the host network address, the network address active period, and the device identifier. In another possible implementation, because the computing power of the gateway device is limited, the work information only records the specific work content of the gateway device, in this case, the work information needs to be analyzed and refined after being acquired, so as to obtain the corresponding device status information. Specifically, the process of generating the device status information by using the working information may include the following steps:
Step 31: extract the login time and logout time corresponding to each device identifier from the working information.
Step 32: generate an address active period from the login time and the logout time, and extract the device address information corresponding to the address active period from the working information to obtain the device state information.
In this embodiment, the device identifier includes a user name, the user name is directly recorded in the working information, and the login time and logout time corresponding to each user are recorded at the same time. It can be understood that the address used by a user does not change during a single login, so the address active period can be generated from the login time and the logout time, and the device address information corresponding to the address active period can be extracted from the working information. Since the address active period is generated from the login time and the logout time, and these correspond to the device identifier, the obtained device address information also corresponds to the device identifier. Once the device address information is obtained, the device state information is complete.
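Steps 31 and 32 carried out in code, as an added example that is not part of the patent or of any Sangfor product: each user's login is paired with the next logout of the same user to form the address active period, and the address recorded at login becomes the device address information. The line format of the working information below is constructed for the example; a login without a later logout is kept as an open-ended period rather than dropped.

```python
"""Derive device state information (device identifier, device address
information, address active period) from a gateway's raw work information.
Added example; the log format is constructed, not a real gateway's."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed work information: one line per login or logout, keyed by
# user name, which is the device identifier in this embodiment.
WORK_INFO = """\
2021-06-21 08:55:10 login user=alice ip=10.0.0.5
2021-06-21 09:02:41 login user=bob ip=10.0.0.9
2021-06-21 12:30:00 logout user=alice ip=10.0.0.5
2021-06-21 13:05:00 login user=alice ip=10.0.0.7
2021-06-21 17:45:12 logout user=bob ip=10.0.0.9
"""


@dataclass
class DeviceState:
    identifier: str          # device identifier (user name)
    address: str             # device address information
    start: datetime          # login time: start of the address active period
    end: Optional[datetime]  # logout time; None while the session is still open


def parse_work_info(text: str) -> list:
    """Pair every login with the next logout of the same user.

    A login not yet followed by a logout yields an open-ended active period
    (end=None) instead of being dropped, because an address still in use
    must remain matchable. A second login of the same user without an
    intervening logout closes the earlier period at the new login time.
    """
    open_sessions = {}   # user name -> DeviceState of the current session
    states = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, action, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        user, ip = fields["user"], fields["ip"]
        if action == "login":
            previous = open_sessions.pop(user, None)
            if previous is not None:
                previous.end = ts
                states.append(previous)
            open_sessions[user] = DeviceState(user, ip, ts, None)
        elif action == "logout":
            session = open_sessions.pop(user, None)
            if session is not None:
                session.end = ts
                states.append(session)
    # sessions still open at the end of the log keep an open-ended period
    states.extend(open_sessions.values())
    states.sort(key=lambda s: s.start)
    return states
```

The constructed log yields three periods: alice on 10.0.0.5 from 08:55 to 12:30, bob on 10.0.0.9 from 09:02 to 17:45, and alice on 10.0.0.7 from 13:05 with no end yet. Keeping that last period open is what lets a later abnormal event on 10.0.0.7 still be matched to alice.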
Based on the foregoing embodiments, in a specific implementation manner, when there are many abnormal events, in order to enable a user to conveniently determine a corresponding relationship between the abnormal event and the abnormal host, and further process the abnormal event and the abnormal host, the abnormal event may be categorized. Specifically, the method can further comprise the following steps:
Step 41: classify the abnormal events based on the abnormal device identifier to obtain abnormal event groups.
Since a single abnormal host may cause multiple abnormal events, in particular by using multiple abnormal network addresses, the abnormal events may be classified based on the abnormal device identifier so that the user can check the abnormal events caused by one abnormal host and quickly determine the abnormal situation. On the basis of the above embodiment, the abnormal device identifier corresponding to each abnormal event has already been determined, so the abnormal device identifier may be used as the classification reference to obtain abnormal event groups. There may be one or more abnormal event groups, and each abnormal event group includes at least one abnormal event. This embodiment does not limit the specific representation of an abnormal event: it may be, for example, an event number or abnormal event type information, so an abnormal event group may include one or more abnormal event numbers and/or abnormal event type information. It should be noted that the abnormal events participating in the classification may be all abnormal events or only part of them, for example the abnormal events whose time since occurrence is less than a preset threshold (such as the abnormal events newly added each day), or the abnormal events that have not yet been handled.
Step 42: output the abnormal device identifier and the corresponding abnormal event group.
After the abnormal event groups are obtained, outputting the abnormal device identifier together with its abnormal event group lets the user check the abnormal events caused by that abnormal host and quickly determine the abnormal situation. The specific output manner is not limited; for example, a table or a file may be generated and output, or the result may be output visually.
In a specific embodiment, the device identifier has a plurality of types, for example, including a host name, a user name and a MAC address, in which case, in order to enable the user to view the abnormal event group from a customary view, the process of outputting the abnormal device identifier and the corresponding abnormal event group may include the following steps:
Step 51: determine the target priority abnormal device identifier from the multiple types of abnormal device identifiers using the type priority corresponding to the device identifier.
Step 52: output the target priority abnormal device identifier and/or the corresponding abnormal event group.
In this embodiment, the type priority may be preset; it specifies the priority order of the identifier types, and so determines which type of data is selected for output when a host has identifiers of multiple types. When the device identifier has multiple types of data, the target priority abnormal device identifier can be determined from the multiple types of abnormal device identifiers according to the type priority and output in the subsequent process. It should be noted that there may be one or more target priority abnormal device identifiers, and their specific content may be set according to actual requirements, which is not limited in this embodiment.
Further, since there are a plurality of types of device identifications, the user can select a desired type of device identification as needed to view the abnormal event group from this point of view. Therefore, the following steps can be further included:
Step 61: receive a view switching instruction.
In this embodiment, the view switching instruction is used to specify a target type, where the target type is one of data types existing in the device identifier.
Step 62: select the device identifier of the target type as the target device identifier according to the view switching instruction, and output the target device identifier and/or the abnormal event group.
By determining the target device identifier and outputting it together with the abnormal event group, the user is allowed to view the abnormal events from the perspective of the target type. Besides the abnormal event group, other information such as the abnormal address information and the abnormal occurrence time may be output, and an exception handling entry or a handling suggestion may be included.
In a specific embodiment, the target type is a user name type, in which case, the process of outputting the target device identification and/or the abnormal event group may include the following steps:
Step 71: output the target user name specified by the view switching instruction and/or the abnormal event group corresponding to the target user name.
In this embodiment, the user name is used as the screening criterion, so the preceding division into abnormal event groups should include a step of classifying the abnormal events by user name to obtain abnormal event groups divided on that basis. A user name can be designated in the view switching instruction as the target user name, and the abnormal event group corresponding to the target user name is output, so that the abnormal events corresponding to that user name are displayed and the behavior associated with the user name can be evaluated.
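Steps 41 to 71 carried out in code, as an added example that is not the patent's or the platform's own code: the matched events are grouped by abnormal device identifier, the identifier shown by default is chosen by a configurable type priority, and a view switching instruction re-groups by another identifier type. The matched events, identifier types and priority order below are constructed. The grouping goes a little beyond the single-type case in the text: a view may be keyed on several identifier types at once, which gives the host name + MAC address view of the fig. 2 embodiment.

```python
"""Group abnormal events by device identifier, apply a type priority, and
switch views. Added example with constructed data."""

# Constructed result of the address/time matching step: for each abnormal
# event, the abnormal device identifiers found for it, by identifier type.
MATCHED = {
    "EV-1": {"user_name": "alice", "host_name": "LAPTOP-A", "mac": "aa:bb:cc:dd:ee:01"},
    "EV-2": {"user_name": "alice", "host_name": "LAPTOP-A", "mac": "aa:bb:cc:dd:ee:01"},
    "EV-3": {"host_name": "SRV-DB", "mac": "aa:bb:cc:dd:ee:02"},   # probe data only, no user name
    "EV-4": {"user_name": "bob"},                                   # gateway data only
}

# Preset type priority: the first type present on an event is shown by default.
TYPE_PRIORITY = ("user_name", "host_name", "mac")


def group_by_identifier(matched: dict, id_types) -> dict:
    """Step 41: group events whose identifiers cover every type in id_types.

    id_types is a single type ('mac') or a tuple of types
    (('host_name', 'mac')). The group key is the identifier value, or the
    tuple of values for a composite view. Events lacking one of the
    requested types are left out of that view rather than mis-filed.
    """
    if isinstance(id_types, str):
        id_types = (id_types,)
    groups = {}
    for event_id, ids in matched.items():
        if all(t in ids for t in id_types):
            key = ids[id_types[0]] if len(id_types) == 1 else tuple(ids[t] for t in id_types)
            groups.setdefault(key, []).append(event_id)
    return groups


def priority_identifier(ids: dict, priority=TYPE_PRIORITY):
    """Step 51: choose the target priority identifier for one event."""
    for id_type in priority:
        if id_type in ids:
            return id_type, ids[id_type]
    return None


def default_view(matched: dict, priority=TYPE_PRIORITY) -> dict:
    """Step 52: group by the highest-priority identifier each event has, so
    an event with no user name still appears under its host name."""
    groups = {}
    for event_id, ids in matched.items():
        key = priority_identifier(ids, priority)
        if key is not None:
            groups.setdefault(key, []).append(event_id)
    return groups


def switch_view(matched: dict, target) -> dict:
    """Steps 61/62: re-group by the type(s) named in the view switching
    instruction; an unknown type is rejected instead of giving an empty view."""
    wanted = (target,) if isinstance(target, str) else tuple(target)
    unknown = [t for t in wanted if t not in TYPE_PRIORITY]
    if unknown:
        raise ValueError(f"unknown identifier type(s): {unknown}")
    return group_by_identifier(matched, wanted)
```

With the constructed data, the default view files EV-1 and EV-2 under alice, EV-4 under bob, and EV-3 under the host name SRV-DB because no user name is known for it; switching to the MAC view regroups the same events under two MAC addresses.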
Based on the above embodiment, in order to further improve the capability and effectiveness of tracing, the method may further include the following steps:
Step 81: screen the device log based on the abnormal device identifier and/or the abnormal event to obtain abnormal information.
Step 82: generate tracking and tracing information from the abnormal information.
The device log refers to a log related to the device designated by the abnormal device identifier or to a device involved in the abnormal event. It should be noted that this embodiment does not limit the specific type of the device log; for example, it may be a work log, an exception log or a flow log, or several different types of logs may be included. The device log is screened using the abnormal device identifier and/or the abnormal event, and the information obtained from it is referred to as abnormal information in this embodiment. Since the abnormal information is related to an abnormal device or an abnormal event, it is generally valuable for tracing the abnormality, so tracking and tracing information can be generated from it. The tracing information is information used for tracing the source of the abnormality, and may be, for example, abnormal operation information or abnormal traffic information; it may further include other types of information, which is not limited herein.
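Steps 81 and 82 carried out in code, as an added example that is not the patent's or the platform's own code: several kinds of device log entries are screened by the abnormal device identifier and/or by the abnormal event (same address, within a time window around the occurrence time), and the surviving entries are sorted into the two kinds of tracing information the text names, operation information and traffic information. The log records, the abnormal event and the 30-minute window are all constructed.

```python
"""Screen device logs by abnormal device identifier and/or abnormal event,
then build tracking and tracing information. Added example; all data
constructed."""
from datetime import datetime, timedelta


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed device logs of three types. A work log entry names a user
# (device identifier); flow and exception log entries name an IP address.
DEVICE_LOGS = [
    {"type": "work", "time": t("2021-06-21T08:55:10"), "user": "alice", "ip": "10.0.0.5", "msg": "login"},
    {"type": "flow", "time": t("2021-06-21T10:14:02"), "ip": "10.0.0.5", "dst": "203.0.113.7", "bytes": 48211},
    {"type": "flow", "time": t("2021-06-21T10:16:30"), "ip": "10.0.0.5", "dst": "203.0.113.7", "bytes": 920113},
    {"type": "exception", "time": t("2021-06-21T10:15:00"), "ip": "10.0.0.5", "msg": "suspicious outbound connection"},
    {"type": "flow", "time": t("2021-06-21T15:40:00"), "ip": "10.0.0.5", "dst": "198.51.100.9", "bytes": 300},
    {"type": "work", "time": t("2021-06-21T12:30:00"), "user": "alice", "ip": "10.0.0.5", "msg": "logout"},
    {"type": "work", "time": t("2021-06-21T09:02:41"), "user": "bob", "ip": "10.0.0.9", "msg": "login"},
]

# The abnormal event whose context is wanted (constructed).
ABNORMAL_EVENT = {"event_id": "EV-1", "ip": "10.0.0.5", "time": t("2021-06-21T10:15:00")}


def screen_logs(logs, identifier=None, event=None, window=timedelta(minutes=30)):
    """Step 81: keep entries tied to the abnormal device identifier, or to the
    abnormal event's address within +/- window of its occurrence time.
    Either criterion may be omitted, but at least one is required."""
    if identifier is None and event is None:
        raise ValueError("need an abnormal device identifier and/or an abnormal event")
    hits = []
    for entry in logs:
        by_id = identifier is not None and entry.get("user") == identifier
        by_event = (
            event is not None
            and entry.get("ip") == event["ip"]
            and abs(entry["time"] - event["time"]) <= window
        )
        if by_id or by_event:
            hits.append(entry)
    return sorted(hits, key=lambda e: e["time"])


def build_trace_info(abnormal_info) -> dict:
    """Step 82: sort the abnormal information into operation information
    (work and exception entries) and traffic information (flow entries)."""
    return {
        "operations": [
            f"{e['time'].isoformat()} {e.get('user', e['ip'])} {e['msg']}"
            for e in abnormal_info if e["type"] in ("work", "exception")
        ],
        "traffic": [
            f"{e['time'].isoformat()} {e['ip']} -> {e['dst']} {e['bytes']}B"
            for e in abnormal_info if e["type"] == "flow"
        ],
    }
```

Screening by both alice and EV-1 keeps alice's login and logout (by identifier) plus the two flows and the exception entry around 10:15 (by event), while the 15:40 flow on the same address falls outside the window and is left out; that window is what keeps later, unrelated traffic on a reused address out of the trace.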
Based on the above embodiment, further, the specified exception event may be output as needed, so as to query or process the exception event. Specifically, the method may further include:
Step 91: if a processing query instruction is received, output the abnormal events carrying the target identifier.
Here, the target identifier is an identifier specified in the processing query instruction and serves as the screening reference for screening the abnormal events. Specifically, the target identifier may be at least one of an unhandled identifier, a newly added identifier and a periodically newly added identifier. The unhandled identifier indicates that the abnormal event has not been processed; the newly added identifier indicates an abnormal event that newly appeared between the last query and the current query, that is, one that has not been queried before; the periodically newly added identifier indicates an abnormal event added in the current period, and the size of the period is not limited. For example, when the period is one day, the periodically newly added identifier indicates an abnormal event that occurred today; when the period is one week, it indicates an abnormal event that occurred this week.
Step 92: if a handling instruction is received, handle the corresponding abnormal event based on the handling instruction.
By receiving a handling instruction and processing the corresponding abnormal event based on it, the user is allowed to handle any number of abnormal events accordingly. The specific manner of handling is not limited; it may be, for example, ignoring the event, or other handling operations.
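Steps 91 and 92 carried out in code, as an added example that is not the patent's or the platform's own code: a small event store answers a processing query instruction for each of the three target identifiers (unhandled, newly added since the last query, newly added within the current period) and applies handling instructions. The event ids, timestamps, the fixed "now" and the default one-day period are constructed.

```python
"""Query abnormal events by target identifier and apply handling
instructions. Added example; events and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AbnormalEvent:
    event_id: str
    occurred_at: datetime
    handled: bool = False
    disposition: Optional[str] = None   # e.g. 'ignore'; None until handled


class EventStore:
    TARGETS = ("unhandled", "new", "period_new")

    def __init__(self, events):
        self.events = {e.event_id: e for e in events}
        self.last_query_at = None         # None: nothing has been queried yet

    def add(self, event: AbnormalEvent) -> None:
        self.events[event.event_id] = event

    def query(self, target: str, now: datetime, period: timedelta = timedelta(days=1)) -> list:
        """Step 91: sorted ids of the events carrying the target identifier.

        'new' means newly appeared since the previous query of any kind (every
        event on the very first query); 'period_new' means occurred within
        the last `period` ending at `now` (one day by default, i.e. today).
        """
        if target not in self.TARGETS:
            raise ValueError(f"unknown target identifier: {target}")
        if target == "unhandled":
            hits = [e for e in self.events.values() if not e.handled]
        elif target == "new":
            since = self.last_query_at
            hits = [e for e in self.events.values() if since is None or e.occurred_at > since]
        else:
            hits = [e for e in self.events.values() if now - period < e.occurred_at <= now]
        self.last_query_at = now
        return sorted(e.event_id for e in hits)

    def handle(self, event_id: str, action: str) -> AbnormalEvent:
        """Step 92: apply the handling instruction to one event."""
        event = self.events[event_id]        # KeyError for an unknown event id
        event.handled = True
        event.disposition = action
        return event


# Constructed events relative to a fixed 'now' so the example is deterministic.
NOW = datetime(2021, 6, 21, 18, 0, 0)
SAMPLE_EVENTS = [
    AbnormalEvent("EV-1", NOW - timedelta(days=2)),
    AbnormalEvent("EV-2", NOW - timedelta(hours=20)),
    AbnormalEvent("EV-3", NOW - timedelta(hours=1)),
]
```

Querying "new" first returns all three events and records the query time; the daily "period_new" then returns EV-2 and EV-3 only; after EV-1 is handled with "ignore", "unhandled" returns EV-2 and EV-3; and an event added later shows up in the next "new" query because it lies after the recorded query time.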
Based on the above embodiments, please refer to fig. 2, and fig. 2 is a flowchart illustrating a specific tracking method according to an embodiment of the present application. The security event is the above exception event. In this embodiment, the unified management platform acquires the device status information in multiple ways, so as to perform comprehensive and multi-angle tracking.
Wherein, the Access Controller (AC) may provide the device status information related to the AC user name for the unified management platform, and includes: IP address, AC user name, user login time, and user exit time. The AC user name is an equipment identifier, the user login time and the user logout time are used for generating an address active period, and the IP address is equipment address information.
VPN (Virtual Private Network) is a technology for establishing a private network on a public network and performing encrypted communication. The VPN gateway realizes remote access by encrypting the data packet and converting the data packet's destination address. SSL VPN is a newer VPN technology that uses the SSL (Secure Sockets Layer) protocol to implement remote access; it can provide services including server authentication and client authentication, so as to implement data integrity and data confidentiality on the SSL link. The SSL VPN gateway may provide the unified management platform with device state information related to the SSL VPN user name, including: IP address, SSL VPN user name, user login time and user logout time. The SSL VPN user name is the device identifier, the user login time and user logout time are used for generating the address active period, and the IP address is the device address information.
The wireless controller WAC (Wireless Access Point Controller) provides device state information related to the wireless user name, which includes: IP address, MAC address, host name, wireless user name, user login time and user logout time. The MAC address, the host name and the wireless user name are device identifiers, the user login time and user logout time are used for generating the address active period, and the IP address is the device address information.
Probes (for example a latent threat analysis (STA) probe or Endpoint Detection and Response (EDR)) provide device state information such as the IP address, host name and MAC address of the host device. The host name may be acquired by SMB protocol auditing, DHCP protocol auditing, NMAP active scanning and the like; the MAC address may be acquired by NMAP active scanning, ARP protocol auditing, SNMP protocol auditing and the like. The address active period may be determined from the active time of the IP address.
The security device may provide the security event as well as log data, which includes the abnormal network address and the occurrence/detection time corresponding to the abnormal event, i.e., the abnormal occurrence time.
After the data are obtained, the unified management platform performs correlation analysis. Specifically, the occurrence time of the security event is compared with the login time and logout time of each user name, and the IP address of the security event is compared with the IP address in the device state information. If the IP address and occurrence time of the security event fall within the IP address and login-logout time of a certain user name, the security event is associated with that user name and related information. Similarly, security events may be associated through the IP address with the host name, MAC address and so on of the host device.
After the data association is completed, multiple viewing angles for viewing the security events can be provided. It should be noted that the priority of each type of device identifier can be configured, and when data are output the device identifier of the target priority can be selected, so that the security events are viewed from the viewing angle of that device identifier. In the embodiment of fig. 2, two views may be provided simultaneously: a user name view and a host name + MAC address view. In the user name view, security events corresponding to the same user name (for example an AC user name, an SSL VPN user name or a WAC user name) are gathered under that user name, so that no matter how the IP of an abnormal host changes, the abnormal host can be located and its risk handled even after the abnormal event has occurred. In the host name + MAC address view, security events corresponding to the same host name and MAC address are gathered under that host name and MAC address; as long as the host name or MAC address is unchanged, no matter how the IP of the abnormal host changes and how long ago the abnormal event occurred, the abnormal host can still be located and its risk handled.
In addition, to facilitate the handling of security events, the unified management platform can also provide a to-be-handled event module and a newly added event module. It can acquire an exception handling instruction and perform exception handling according to it. It can also acquire a range setting instruction and determine the tracking range of abnormal events according to it; for example, the tracking range may be one day, in which case the newly added event module is a daily newly added event module. Through the range setting instruction, only the newly added abnormal events may be traced, or all abnormal events may be traced but only those within the range are output and displayed, which improves the flexibility of tracing and/or output and display.
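The correlation analysis just described, as an added example that is not the patent's or the platform's own code: a security event is attributed to a device identifier only when its IP address equals the device address information and its occurrence time falls inside that address's active period. All state records and events below are constructed, and the sources (AC, WAC, SSLVPN) are only labels on the records. The data deliberately reuse one IP address for two users on the same day, which is the case where matching on the address alone would attribute the event to the wrong host.

```python
"""Attribute security events to device identifiers by address match AND
time match against device state information from several sources.
Added example; all records constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class StateRecord:
    source: str               # reporting source label: AC, SSLVPN, WAC, probe
    id_type: str              # 'user_name', 'host_name' or 'mac'
    identifier: str           # device identifier
    address: str              # device address information (IP)
    start: datetime           # login time: start of the address active period
    end: Optional[datetime]   # logout time; None means still active


@dataclass(frozen=True)
class SecurityEvent:
    event_id: str
    address: str              # abnormal address information
    occurred_at: datetime     # abnormal occurrence time


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed device state information. 10.0.0.5 is alice's in the morning
# and bob's after 13:00, so the address alone cannot identify the host.
STATE = [
    StateRecord("AC", "user_name", "alice", "10.0.0.5", t("2021-06-21T08:55:00"), t("2021-06-21T12:30:00")),
    StateRecord("WAC", "host_name", "LAPTOP-A", "10.0.0.5", t("2021-06-21T08:50:00"), t("2021-06-21T12:35:00")),
    StateRecord("WAC", "mac", "aa:bb:cc:dd:ee:01", "10.0.0.5", t("2021-06-21T08:50:00"), t("2021-06-21T12:35:00")),
    StateRecord("AC", "user_name", "bob", "10.0.0.5", t("2021-06-21T13:00:00"), None),
    StateRecord("SSLVPN", "user_name", "carol", "10.8.0.2", t("2021-06-21T10:00:00"), t("2021-06-21T11:00:00")),
]

# Constructed security events as reported by the security device.
EVENTS = [
    SecurityEvent("EV-1", "10.0.0.5", t("2021-06-21T10:15:00")),  # inside alice's session
    SecurityEvent("EV-2", "10.0.0.5", t("2021-06-21T15:00:00")),  # same IP, but now bob's session
    SecurityEvent("EV-3", "10.8.0.2", t("2021-06-21T12:00:00")),  # after carol logged out: no match
]


def address_matches(event: SecurityEvent, rec: StateRecord) -> bool:
    return event.address == rec.address


def time_matches(event: SecurityEvent, rec: StateRecord) -> bool:
    # inclusive on both ends; an open-ended period only has a lower bound
    if event.occurred_at < rec.start:
        return False
    return rec.end is None or event.occurred_at <= rec.end


def correlate(events, state) -> dict:
    """Return {event_id: {id_type: {identifier, ...}}} built from every record
    that passes both the address match and the time match. An event whose
    inner dict is empty could not be attributed to any known host and
    should be surfaced as such rather than silently dropped."""
    result = {}
    for ev in events:
        hits = {}
        for rec in state:
            if address_matches(ev, rec) and time_matches(ev, rec):
                hits.setdefault(rec.id_type, set()).add(rec.identifier)
        result[ev.event_id] = hits
    return result
```

EV-1 resolves to alice, LAPTOP-A and its MAC address because all three records cover 10.0.0.5 at 10:15; EV-2 on the same address at 15:00 resolves to bob only, since the WAC records had already ended; EV-3 gets no identifier because carol's SSL VPN session was over by noon, which is the result a defender wants to see rather than a guess.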
The following describes a tracking device provided in an embodiment of the present application, and the following described tracking device and the above described tracking method can be referred to correspondingly.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a tracking device according to an embodiment of the present application, including:
a first obtaining module 110, configured to obtain exception address information and exception occurrence time corresponding to an exception event;
a second obtaining module 120, configured to obtain device status information; the device state information comprises device address information, an address active period and a device identifier;
a matching module 130, configured to perform address matching on the abnormal address information and the device address information, and perform time matching on the abnormal occurrence time and the address active period;
and a determining module 140, configured to determine the device identifier that passes both the address matching and the time matching as the abnormal device identifier.
Optionally, the device further comprises:
the classification module is used for classifying the plurality of abnormal events based on the abnormal equipment identification to obtain an abnormal event group;
and the output module is used for outputting the abnormal equipment identification and the corresponding abnormal event group.
Optionally, the output module comprises:
the target priority abnormal device identification determining unit is used for determining the target priority abnormal device identification from the multiple types of abnormal device identifications by using the type priority corresponding to the device identification;
and the output unit is used for outputting the target priority abnormal equipment identification and/or the corresponding abnormal event group.
Optionally, the method further comprises:
the instruction receiving unit is used for receiving a view switching instruction; the view switching instruction is used for specifying a target type;
and the view switching unit is used for selecting the device identifier of the target type as the target device identifier according to the view switching instruction and outputting the target device identifier and/or the abnormal event group.
Optionally, the target type is a user name type; the view switching unit comprises:
a user name view output subunit, used for outputting the target user name specified by the view switching instruction and/or the abnormal event group corresponding to the target user name.
Optionally, the method further comprises:
the log screening module is used for screening the device log based on the abnormal device identifier and/or the abnormal event to obtain abnormal information;
and the tracing information generating module is used for generating tracing information by utilizing the abnormal information.
Optionally, the method further comprises:
the query module is used for outputting the abnormal event with the target identification if a processing query instruction is received; the target identification is at least one of an untreated identification, a newly added identification and a periodically newly added identification;
and the handling module is used for handling the corresponding abnormal event based on the handling instruction if the handling instruction is received.
In the following, the electronic device provided by the embodiment of the present application is introduced, and the electronic device described below and the tracking method described above may be referred to correspondingly.
Referring to fig. 4, fig. 4 is a schematic diagram of a hardware composition framework applicable to a tracking method according to an embodiment of the present disclosure. Wherein the electronic device 100 may include a processor 101 and a memory 102, and may further include one or more of a multimedia component 103, an information input/information output (I/O) interface 104, and a communication component 105.
The processor 101 is configured to control the overall operation of the electronic device 100 to complete all or part of the steps in the tracking method; the memory 102 is used to store various types of data to support operation at the electronic device 100, and such data may include, for example, instructions for any application or method operating on the electronic device 100, as well as application-related data. The memory 102 may be implemented by any type or combination of volatile and non-volatile memory devices, such as one or more of static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disk. In the present embodiment, the memory 102 stores therein at least programs and/or data for realizing the following functions:
acquiring abnormal address information and abnormal occurrence time corresponding to the abnormal event;
acquiring equipment state information; the device state information comprises device address information, an address activity period and a device identification;
performing address matching on the abnormal address information and the equipment address information, and performing time matching on the abnormal occurrence time and the address active time period;
and determining the equipment identifier passing both address matching and time matching as an abnormal equipment identifier.
The multimedia component 103 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving an external audio signal. The received audio signal may further be stored in the memory 102 or transmitted through the communication component 105. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 104 provides an interface between the processor 101 and other interface modules, such as a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 105 is used for wired or wireless communication between the electronic device 100 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so that the corresponding communication component 105 may include a Wi-Fi part, a Bluetooth part and an NFC part.
The electronic device 100 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components for executing the tracking method according to the above embodiments.
Of course, the structure of the electronic device 100 shown in fig. 4 does not constitute a limitation of the electronic device in the embodiment of the present application, and in practical applications, the electronic device 100 may include more or less components than those shown in fig. 4, or some components may be combined.
The following describes a computer-readable storage medium provided in an embodiment of the present application, and the computer-readable storage medium described below and the tracking method described above may be referred to in a corresponding manner.
The present application further provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the tracking method described above.
The computer-readable storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprise", "include", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that includes a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The principle and the implementation of the present application are explained herein by applying specific examples, and the above description of the embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, the specific implementation manner and the application scope may be changed, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A method of tracking, comprising:
acquiring abnormal address information and abnormal occurrence time corresponding to the abnormal event;
acquiring equipment state information; the device state information comprises device address information, an address activity period and a device identification;
performing address matching on the abnormal address information and the equipment address information, and performing time matching on the abnormal occurrence time and the address active time period;
and determining the equipment identifier passing both address matching and time matching as an abnormal equipment identifier.
2. The tracking method according to claim 1, further comprising:
classifying a plurality of abnormal events based on the abnormal equipment identification to obtain an abnormal event group;
and outputting the abnormal device identification and the corresponding abnormal event group.
3. The tracking method according to claim 2, wherein said outputting said abnormal device identification and said corresponding abnormal event group comprises:
determining a target priority abnormal equipment identifier from multiple types of abnormal equipment identifiers by using the type priority corresponding to the equipment identifier;
and outputting the target priority abnormal device identification and/or the corresponding abnormal event group.
4. The tracking method according to claim 2, further comprising:
receiving a visual angle switching instruction; the view switching instruction is used for specifying a target type;
and selecting the equipment identifier of the target type as a target equipment identifier according to the visual angle switching instruction, and outputting the target equipment identifier and/or the abnormal event group.
5. The tracking method according to claim 4, characterized in that the target type is a username type; the outputting the target device identification and/or the abnormal event group includes:
and outputting the target user name specified by the visual angle switching instruction and/or the abnormal event group corresponding to the target user name.
6. The tracking method according to claim 1, further comprising:
screening the device log based on the abnormal device identifier and/or the abnormal event to obtain abnormal information;
and generating tracking and tracing information by using the abnormal information.
7. The tracking method according to claim 1, further comprising:
if a processing query instruction is received, outputting the abnormal event with the target identification; the target identification is at least one of an untreated identification, a newly added identification and a periodically newly added identification;
and if a handling instruction is received, handling the corresponding abnormal event based on the handling instruction.
8. A tracking device, comprising:
the first acquisition module is used for acquiring abnormal address information and abnormal occurrence time corresponding to the abnormal event;
the second acquisition module is used for acquiring the equipment state information; the device state information comprises device address information, an address activity period and a device identification;
the matching module is used for carrying out address matching on the abnormal address information and the equipment address information and carrying out time matching on the abnormal occurrence time and the address active time period;
and the determining module is used for determining the equipment identifier passing both address matching and time matching as the abnormal equipment identifier.
9. An electronic device comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor for executing the computer program to implement the tracking method according to any one of claims 1 to 7.
10. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the tracking method according to any one of claims 1 to 7.
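The matching logic of claims 1 and 8 (address match plus time match against the address activity period), the log screening of claim 6 and the status-based query of claim 7, as an added worked example in Python. This is illustrative code written for this page, not the patentee's implementation; the record types, the half-open treatment of the activity period, the sample device-state table and the meaning given to "newly added" (not in a previously seen set) and "periodically newly added" (new and within the current period) are assumptions made here, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class AnomalyEvent:
    event_id: str
    address: str            # abnormal address information (address reported in the alert)
    occurred_at: datetime   # abnormal occurrence time
    handled: bool = False   # whether an operator has already handled the event


@dataclass(frozen=True)
class DeviceState:
    device_id: str                 # device identifier (hostname, MAC, asset id)
    address: str                   # device address information
    active_from: datetime          # start of the address activity period
    active_to: Optional[datetime]  # end of the period; None means still active


def match_abnormal_devices(events: Iterable[AnomalyEvent],
                           states: Iterable[DeviceState]) -> Dict[str, Set[str]]:
    """Map each event id to the device identifiers passing both address and time matching.

    The activity period is treated as half-open [active_from, active_to) so that an
    address handed from one device to another at the same instant matches only the
    device that holds it from that instant on (an assumption of this example).
    """
    matches: Dict[str, Set[str]] = {}
    for ev in events:
        hits: Set[str] = set()
        for st in states:
            if st.address != ev.address:          # address matching
                continue
            end = st.active_to or datetime.max
            if st.active_from <= ev.occurred_at < end:  # time matching
                hits.add(st.device_id)
        matches[ev.event_id] = hits
    return matches


def abnormal_device_ids(events, states) -> Set[str]:
    """The determining module of claim 8: the union of all matched device identifiers."""
    return set().union(*match_abnormal_devices(events, states).values())


def build_trace(abnormal_ids: Set[str], device_log: List[dict]) -> List[dict]:
    """Claim 6: screen the device log by abnormal device identifier to get tracing info."""
    return [entry for entry in device_log if entry["device_id"] in abnormal_ids]


def query_events(events: Iterable[AnomalyEvent], target: str,
                 known_ids: Set[str], period_start: datetime) -> List[str]:
    """Claim 7 query: 'unhandled', 'new' or 'periodic_new' (definitions assumed here)."""
    if target == "unhandled":
        chosen = [e for e in events if not e.handled]
    elif target == "new":
        chosen = [e for e in events if e.event_id not in known_ids]
    elif target == "periodic_new":
        chosen = [e for e in events
                  if e.event_id not in known_ids and e.occurred_at >= period_start]
    else:
        raise ValueError(f"unknown target identifier: {target}")
    return sorted(e.event_id for e in chosen)


# Constructed sample data: 10.0.0.5 is held by host-A 08:00-10:00, then by host-B.
T = datetime(2021, 6, 21, 8, 0)
PERIOD_START = T + timedelta(hours=2)
STATES = [
    DeviceState("host-A", "10.0.0.5", T, T + timedelta(hours=2)),
    DeviceState("host-B", "10.0.0.5", T + timedelta(hours=2), None),
    DeviceState("host-C", "10.0.0.9", T, None),
]
EVENTS = [
    AnomalyEvent("ev-1", "10.0.0.5", T + timedelta(minutes=90)),      # 09:30 -> host-A
    AnomalyEvent("ev-2", "10.0.0.5", T + timedelta(hours=3)),         # 11:00 -> host-B
    AnomalyEvent("ev-3", "10.0.0.5", T + timedelta(hours=2)),         # 10:00 -> host-B only
    AnomalyEvent("ev-4", "10.0.0.7", T + timedelta(hours=1), True),   # no device holds it
]
DEVICE_LOG = [  # constructed device log entries
    {"device_id": "host-A", "ts": T + timedelta(minutes=89), "msg": "outbound connection"},
    {"device_id": "host-B", "ts": T + timedelta(hours=3), "msg": "process started"},
    {"device_id": "host-C", "ts": T + timedelta(hours=1), "msg": "login ok"},
]

if __name__ == "__main__":
    for event_id, devices in match_abnormal_devices(EVENTS, STATES).items():
        print(event_id, sorted(devices))
    print(build_trace(abnormal_device_ids(EVENTS, STATES), DEVICE_LOG))
```

Without the time match, both host-A and host-B would be blamed for every event on 10.0.0.5; the example shows why the claim requires the occurrence time to fall inside the address activity period before a device identifier is reported as abnormal, and why an event on an address no device ever held yields an empty result rather than a guess.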
CN202110687681.3A 2021-06-21 2021-06-21 Tracking method, device, electronic equipment and readable storage medium Active CN113422697B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110687681.3A CN113422697B (en) 2021-06-21 2021-06-21 Tracking method, device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN113422697A CN113422697A (en) 2021-09-21
CN113422697B true CN113422697B (en) 2023-03-24

Family

ID=77789654

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110687681.3A Active CN113422697B (en) 2021-06-21 2021-06-21 Tracking method, device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN113422697B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113849331B (en) * 2021-09-22 2023-09-29 NetEase (Hangzhou) Network Co., Ltd. Anomaly tracking method, system, device, equipment and medium of hybrid technology stack
CN115022155A (en) * 2022-05-24 2022-09-06 Sangfor Technologies Co., Ltd. Information processing method, device and storage medium
CN115102778B (en) * 2022-07-11 2024-05-24 Sangfor Technologies Co., Ltd. State determination method, device, equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003036109A (en) * 2001-07-24 2003-02-07 Mitsubishi Electric Corp Abnormality diagnostic device
CN109240886A (en) * 2018-09-03 2019-01-18 Ping An Technology (Shenzhen) Co., Ltd. Abnormality handling method, device, computer equipment and storage medium
CN109992600A (en) * 2019-03-28 2019-07-09 Foshan Baisite Electrical Technology Co., Ltd. Device fault response method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5518594B2 (en) * 2010-06-30 2014-06-11 Mitsubishi Electric Corporation Internal network management system, internal network management method and program
CN107465651B (en) * 2016-06-06 2020-10-02 Tencent Technology (Shenzhen) Co., Ltd. Network attack detection method and device
CN107465648B (en) * 2016-06-06 2020-09-04 Tencent Technology (Shenzhen) Co., Ltd. Abnormal device identification method and device
CN112583825B (en) * 2020-12-07 2022-09-27 Sichuan Hongwei Technology Co., Ltd. Method and device for detecting abnormality of an industrial system

Also Published As

Publication number Publication date
CN113422697A (en) 2021-09-21

Similar Documents

Publication Publication Date Title
CN113422697B (en) Tracking method, device, electronic equipment and readable storage medium
CN109543463B (en) Data security access method, device, computer equipment and storage medium
US11121947B2 (en) Monitoring and analysis of interactions between network endpoints
US20160057101A1 (en) Asset detection system
CN109951359B (en) Asynchronous scanning method and device for distributed network assets
US20180146008A1 (en) Implementing Decoys in Network Endpoints
KR20140025316A (en) Method and system for fingerprinting operating systems running on nodes in a communication network
CN111178760A (en) Risk monitoring method and device, terminal equipment and computer readable storage medium
CN107168844B (en) Performance monitoring method and device
CN110971579A (en) Network attack display method and device
US20150096019A1 (en) Software network behavior analysis and identification system
US20140189868A1 (en) Method for detecting intrusions on a set of virtual resources
US9866466B2 (en) Simulating real user issues in support environments
CN108733545B (en) Pressure testing method and device
CN112839054A (en) Network attack detection method, device, equipment and medium
CN112165451A (en) APT attack analysis method, system and server
Lupia et al. ICS Honeypot Interactions: A Latitudinal Study
US20160328200A1 (en) Testing screens of a multi-screen device
CN110457202B (en) TPC-E testing method for quickly establishing ODBC connection and driver equipment
CN109600398B (en) Account use behavior detection method and device
CN111585830A (en) User behavior analysis method, device, equipment and storage medium
CN111385293B (en) Network risk detection method and device
CN112040027B (en) Data processing method and device, electronic equipment and storage medium
CN113709210A (en) Device discovery method, device, system, electronic device and storage medium
US20210218763A1 (en) Correlation-based network security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant