CN113992454A - Attack tracing method and device - Google Patents

Attack tracing method and device

Info

Publication number: CN113992454A
Authority: CN (China)
Prior art keywords: data, network, attack, file, target
Legal status: Pending
Application number: CN202111636686.XA
Other languages: Chinese (zh)
Inventors: 高志远, 陈杰, 黄雅芳, 童兆丰, 薛锋
Current Assignee: Beijing ThreatBook Technology Co Ltd
Original Assignee: Beijing ThreatBook Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The embodiment of the application provides an attack tracing method and device in the technical field of network security. The attack tracing method first obtains process data, network data and file data of a target terminal; then performs association processing on the network data and the process data to obtain first associated data, and on the file data and the process data to obtain second associated data; generates associated process chain data of the target terminal from the first associated data and the second associated data, and stores the associated process chain data in a process chain database; and, when network attack warning information for the target terminal is received, performs attack tracing according to the process chain database and the warning information to obtain attack tracing information. In this way a network attack can be traced simply and quickly, at low cost, with little use of network resources and with good applicability, which helps improve tracing efficiency.

Description

Attack tracing method and device
Technical Field
The application relates to the technical field of network security, in particular to an attack tracing method and device.
Background
At present, with the rapid development of networks, networks have become an indispensable part of daily life, malicious behaviour on networks has increased, and network-based attacks emerge endlessly, so network security receives more and more attention. Existing network attack tracing methods generally mark packets at every router in the network by a packet marking method and trace an attack according to those marks. In practice, however, packet marking is costly because of its hardware complexity, and it lengthens the packet data as the network grows more complex, which increases the network load. The existing method is therefore expensive, occupies considerable network resources and has poor applicability, which reduces tracing efficiency.
Disclosure of Invention
The embodiment of the application aims to provide an attack tracing method and device, which can simply and quickly trace the source of network attacks, are low in cost, save network resources, are good in applicability and are beneficial to improving the tracing efficiency.
A first aspect of the embodiments of the present application provides an attack tracing method, including:
acquiring process data, network data and file data of a target terminal;
performing association processing on the network data and the process data to obtain first associated data; performing association processing on the file data and the process data to obtain second associated data;
generating associated process chain data of a target terminal according to the first associated data and the second associated data, and storing the associated process chain data into a process chain database;
and when network attack warning information aiming at the target terminal is received, carrying out attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information.
In the implementation process, the process data, network data and file data of a target terminal are obtained first; the network data and the process data are then associated to obtain first associated data, and the file data and the process data are associated to obtain second associated data; associated process chain data of the target terminal is generated from the first associated data and the second associated data and stored in a process chain database; and when network attack warning information for the target terminal is received, attack tracing is performed according to the process chain database and the warning information to obtain attack tracing information. The network attack can thus be traced simply and quickly, at low cost, with little use of network resources and with good applicability, which helps improve tracing efficiency.
Further, the associating the network data with the process data to obtain first associated data includes:
acquiring a target process identifier, a target network address, process action time and process action data in the process data;
judging whether the network data is matched with the target process identification;
if the network data is matched with the target process identification, performing process identification-based association processing on the network data and the process data according to the target process identification to obtain first associated data;
if the network data is not matched with the target process identification, judging whether the network data is matched with the target network address;
and if the network data is matched with the target network address, performing network address-based association processing on the network data and the process data according to the target network address to obtain first associated data.
Further, the method further comprises:
when the network data is judged not to be matched with the target network address, judging whether the network data is matched with the process action time or not;
if so, acquiring weblog data in the network data, and performing time-based association processing on the network data and the process data when the weblog data is matched with the process action data to obtain first associated data.
Further, associating the file data with the process data to obtain second associated data, including:
acquiring a target file path in the process data;
judging whether the file data is matched with the target process identification;
if the file data is matched with the target process identifier, performing process identifier-based association processing on the file data and the process data according to the target process identifier to obtain second associated data;
if the file data is not matched with the target process identification, judging whether the file data is matched with the target file path;
and if the file data is matched with the target file path, performing file path-based association processing on the file data and the process data according to the target file path to obtain second associated data.
Further, the method further comprises:
when the file data is judged not to be matched with the target file path, judging whether the file data is matched with the process action time or not;
if so, acquiring file log data in the file data, and performing time-based association processing on the file data and the process data when the file log data is matched with the process action data to obtain second associated data.
Further, after storing the associated process chain data in a process chain database, the method further comprises:
when the target terminal is detected to be abnormal, acquiring basic information of the abnormal condition;
determining abnormal associated process chain data matched with the basic information according to the process chain database;
carrying out anomaly analysis on the abnormal associated process chain data to determine complete process data of the target terminal with the anomaly;
and outputting exception prompt information comprising the complete process data.
Further, performing attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information, including:
acquiring network attack information according to the network attack warning information;
determining attack process chain data matched with the network attack information according to the process chain database;
performing source tracing analysis on the attack process chain data to determine complete attack process data of an attacker attacking the target terminal;
and outputting attack tracing information comprising the complete attack process data.
A second aspect of the embodiments of the present application provides an attack tracing apparatus, where the attack tracing apparatus includes:
an acquisition unit, configured to acquire process data, network data and file data of a target terminal;
the first association unit is used for associating the network data with the process data to obtain first association data;
the second association unit is used for associating the file data with the process data to obtain second association data;
a process chain generating unit, configured to generate associated process chain data of the target terminal according to the first associated data and the second associated data;
the storage unit is used for storing the associated process chain data into a process chain database;
and the attack tracing unit is used for carrying out attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information when the network attack warning information aiming at the target terminal is received.
In the implementation process, the acquisition unit acquires the process data, network data and file data of the target terminal; the first association unit associates the network data with the process data to obtain first association data; the second association unit associates the file data with the process data to obtain second association data; the process chain generating unit generates associated process chain data of the target terminal from the first associated data and the second associated data, and the storage unit stores the associated process chain data in a process chain database; when the attack tracing unit receives network attack warning information for the target terminal, it performs attack tracing according to the process chain database and the warning information to obtain attack tracing information. The device can thus trace the source of a network attack simply and quickly, at low cost, with little use of network resources and with good applicability, which helps improve tracing efficiency.
A third aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the attack tracing method according to any one of the first aspect of the embodiments of the present application.
A fourth aspect of the present embodiment provides a computer-readable storage medium, which stores computer program instructions, where the computer program instructions, when read and executed by a processor, perform the attack tracing method according to any one of the first aspect of the present embodiment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of an attack tracing method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an attack tracing apparatus according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a process for associating process data with network data and file data according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a schematic flowchart of an attack tracing method according to an embodiment of the present application. The attack tracing method comprises the following steps:
s101, acquiring process data, network data and file data of the target terminal.
In the embodiment of the application, the acquisition device can be arranged in the target terminal, and then the data of the target terminal is acquired through the acquisition device. Specifically, the collection device may be an Agent device.
In the embodiment of the application, the process data, the network data and the file data may be data in a preset time period, and the process data, the network data and the file data generated by the target terminal in the preset time period may be acquired every other preset time period.
In this embodiment, the process data includes one or more of process log data, a process identifier (e.g., a process ID, etc.), a process name, a process action, a process command line, a work directory, a process creation time, a process end time, a process belonging terminal, a process belonging session, a user identifier (e.g., a user ID, etc.) of a process belonging user, a user name of a process belonging user, a user right of a process belonging user, a process file corresponding to a process, a file path of the process file, a creation time of the process file, a modification time of the process file, a last access time of the process file, a parent process identifier (e.g., a parent process ID, etc.) of a process, and the like, and this embodiment is not limited in this application.
In this embodiment, the network data includes one or more of weblog data, a related process identifier (e.g., a process ID), a network address, network data generation time, DNS (Domain Name System) packets, HTTP (Hypertext Transfer Protocol) packets, TCP (Transmission Control Protocol) packets, UDP (User Datagram Protocol) packets and ICMP (Internet Control Message Protocol) packets, which is not limited in this embodiment.
In this embodiment, the file data includes one or more of file log data, a related process identifier (e.g., a process ID, etc.), a file path, an md5 file, a sha256 file, a file attribute, a file size, a file type, a file creation time, a file modification time, a file last access time, and the like, which is not limited in this embodiment of the present application.
Here MD5 (MD5 Message-Digest Algorithm) is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used to verify the integrity of a transmitted message.
SHA256 (SHA-256) is a cryptographic hash algorithm that is also used by a number of digital currencies.
In the embodiment of the present application, the execution subject of the method may be a computing device such as a computer and a server, and is not limited in this embodiment.
In this embodiment, an execution subject of the method may also be an intelligent device such as a smart phone and a tablet computer, which is not limited in this embodiment.
S102, acquiring a target process identification, a target network address, process action time and process action data in the process data.
S103, judging whether the network data is matched with the target process identification, and if so, executing a step S104; if not, step S105 is performed.
In the embodiment of the application, whether the network data is matched with the target process identifier is judged, that is, whether the process identifier in the network data is consistent with the target process identifier in the process data is judged, if so, the network data is matched with the target process identifier, and if not, the network data is not matched with the target process identifier.
S104, according to the target process identification, performing process identification-based association processing on the network data and the process data to obtain first associated data, and executing the step S110.
In the embodiment of the application, when the network data is judged to be matched with the target process identification, the network data can be enriched into the process data to form the first associated data.
In the embodiment of the application, the network data and the process data are associated based on the process identification to obtain first associated data, and the confidence coefficient of the first associated data is the first confidence coefficient.
S105, judging whether the network data is matched with the target network address, and if so, executing a step S106; if not, step S107 is performed.
In the embodiment of the application, if the network data does not match the target process identifier, that is, the process identifier in the network data is empty or differs from the target process identifier in the process data, it can be judged whether the network address in the network data is consistent with the target network address in the process data. If so, the network data is determined to match the target network address; if not, it is determined not to match.
S106, according to the target network address, performing association processing based on the network address on the network data and the process data to obtain first associated data, and executing the step S110.
In the embodiment of the application, if the network data is matched with the target network address, the network data is enriched into the process data to form the first associated data.
In the embodiment of the application, the confidence of the first associated data obtained by performing association processing based on the network address on the network data and the process data is the second confidence.
S107, judging whether the network data is matched with the process action time, and if so, executing the step S108; if not, step S109 is performed.
S108, obtaining the weblog data in the network data, performing time-based association processing on the network data and the process data to obtain first associated data when the weblog data is matched with the process action data, and executing the step S109.
In the embodiment of the application, the network data not matching either the target process identifier or the target network address means that the target network address is null or differs from the network address in the network data.
In the embodiment of the application, when such network data exists, its relevance is confirmed through rule matching, so that it can be confirmed whether the weblog data matches the process action data. For example, if the process data includes a ping process, the network data includes ICMP packets, and the ICMP packets were generated while the ping process was running, the weblog data is considered to match the process action data.
As an optional implementation, determining whether the network data matches the process action time includes:
acquiring the data receiving time and/or the data sending time in the network data;
judging whether the data receiving time and/or the data sending time is consistent with the process action time;
determining that the weblog data matches the process action time when the data receiving time is consistent with the process action time, or when the data sending time is consistent with the process action time, or when both the data receiving time and the data sending time are consistent with the process action time;
and determining that the weblog data does not match the process action time when neither the data receiving time nor the data sending time is consistent with the process action time.
In the embodiment of the application, when the weblog data is matched with the process action time, whether the weblog data is matched with the process action data or not is continuously judged, and if yes, the weblog data is enriched into the process data to form first associated data.
In the embodiment of the application, the confidence of the first associated data obtained by performing time-based association processing on the network data and the process data is a third confidence.
S109, determining the process data as the first associated data, and executing the step S110.
In the embodiment of the present application, when the network data does not match the process action time, the network data is discarded without being associated, and at this time, steps S110 to S117 are executed to perform association processing between the file data and the process data.
In this embodiment of the application, when the first associated data is process data, it indicates that the network data is not associated with the process data, and at this time, the first associated data has no confidence.
In the embodiment of the present application, by implementing the steps S102 to S109, the first associated data can be obtained by associating the network data with the process data.
And S110, acquiring a target file path in the process data.
S111, judging whether the file data is matched with the target process identification, and if so, executing a step S112; if not, step S113 is performed.
In the embodiment of the application, judging whether the file data matches the target process identifier means judging whether the process identifier in the file data is consistent with the target process identifier in the process data; if so, the file data matches the target process identifier, and if not, it does not.
S112, according to the target process identification, the file data and the process data are subjected to process identification-based association processing to obtain second association data, and the step S118 is executed.
In the embodiment of the application, whether the process identification in the file data is consistent with the target process identification in the process data is judged, if yes, the file data is matched with the process data, the file data is enriched to the process data, and second associated data is formed.
In the embodiment of the application, the confidence coefficient of the second associated data obtained by performing association processing on the file data and the process data based on the process identification is the first confidence coefficient.
S113, judging whether the file data is matched with the target file path, and if so, executing a step S114; if not, step S115 is performed.
S114, according to the target file path, performing association processing based on the file path on the file data and the process data to obtain second associated data, and executing the step S118.
In the embodiment of the application, if the file data does not match the target process identifier, that is, the process identifier in the file data is empty or differs from the target process identifier, it is judged whether the file path in the file data is consistent with the target file path in the process data. If so, the file data matches the target file path, and the file data is enriched into the process data to form the second associated data.
In the embodiment of the application, the confidence level of the second associated data is the second confidence level, wherein the second associated data is obtained by performing association processing on the file data and the process data based on the file path.
S115, judging whether the file data is matched with the process action time, and if so, executing the step S116; if not, step S117 is performed.
In the embodiment of the application, the file data not matching the target file path means that the target file path is empty or differs from the file path in the file data.
As an optional implementation manner, the determining whether the file data matches the process action time includes:
acquiring time data and file log data in file data, wherein the time data comprises one or more of file creation time, file modification time and file last access time;
judging whether the time data is consistent with the process action time;
if so, the file data is matched with the process action time;
if not, the file data does not match the process action time.
S116, acquiring file log data in the file data, performing time-based association processing on the file data and the process data when the file log data is matched with the process action data to obtain second associated data, and executing the step S118.
In the embodiment of the present application, for example, if the process data includes process action data for creating a file and process action data for reading and writing a file, when it is determined that file data exists at a corresponding time point according to the file log data, it may be determined that the file log data matches the process action data.
In the embodiment of the present application, when the file log data does not match the process action data, step S117 is performed.
In the embodiment of the application, the file data and the process data are subjected to time-based association processing to obtain second association data, and the confidence coefficient of the second association data is a third confidence coefficient.
S117, determining the process data as the second associated data, and executing the step S118.
In the embodiment of the application, when the file data is not matched with the process action time, the file data is discarded without being associated, and at this time, the second associated data only has process data.
In this embodiment of the application, when the second associated data is process data, it indicates that the file data is not associated with the process data, and at this time, the second associated data has no confidence.
In the embodiment of the present application, by performing the steps S110 to S117, the file data and the process data can be associated with each other to obtain second associated data.
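The tiered matching of steps S102 to S109 (network data) and S110 to S117 (file data) can be written as one routine per data type that tries the process identifier first, then the address or path, then the time window plus an action rule, and records the resulting confidence. The following is an added example and not the patent's own code; the event and record field names (pid, addr, proto, path, op, the timestamp keys) and the rule functions are assumptions standing in for the process description protocol the page mentions but does not specify.

```python
"""Added example (not the patent's own code): tiered association of network events
(steps S103-S109) and file events (steps S111-S117) with a process record, each
association carrying a first, second or third confidence level, or none.
The event and record shapes here are assumptions, not the patent's process protocol."""
from dataclasses import dataclass, field
from typing import Optional

# Confidence ordering from the page: first > second > third; None means not associated.
RANK = {"first": 3, "second": 2, "third": 1, None: 0}


@dataclass
class ProcessRecord:
    pid: int                      # target process identifier
    name: str
    path: str                     # target file path (path of the process file)
    remote_addr: Optional[str]    # target network address recorded on the process side, if any
    start: float                  # process action time window [start, end]
    end: float
    actions: frozenset            # process action data, e.g. {"icmp"} or {"file_create"}
    network: list = field(default_factory=list)   # network data enriched into the record
    files: list = field(default_factory=list)     # file data enriched into the record
    net_conf: Optional[str] = None                # confidence of the first associated data
    file_conf: Optional[str] = None               # confidence of the second associated data


def in_window(times, rec):
    """S107/S115: any available timestamp falls inside the process action time window."""
    return any(rec.start <= t <= rec.end for t in times if t is not None)


def net_action_matches(rec, ev):
    """S108 rule matching, e.g. a ping process with ICMP packets generated while it ran."""
    return ev.get("proto", "").lower() in rec.actions


def file_action_matches(rec, ev):
    """S116 rule matching, e.g. a file-create action with a file log entry at that time."""
    return ev.get("op") in rec.actions


def _raise_confidence(rec, attr, conf):
    """Keep the strongest confidence seen for the record so far."""
    if RANK[conf] > RANK[getattr(rec, attr)]:
        setattr(rec, attr, conf)


def associate_network(rec, ev):
    """One network event against one process record; returns its confidence or None."""
    if ev.get("pid") is not None and ev["pid"] == rec.pid:
        conf = "first"                                          # S104: process identifier
    elif rec.remote_addr is not None and ev.get("addr") == rec.remote_addr:
        conf = "second"                                         # S106: network address
    elif in_window((ev.get("recv_time"), ev.get("send_time")), rec) and net_action_matches(rec, ev):
        conf = "third"                                          # S108: time plus action rule
    else:
        return None                                             # S109: discarded
    rec.network.append(ev)                                      # enrich the process data
    _raise_confidence(rec, "net_conf", conf)
    return conf


def associate_file(rec, ev):
    """One file event against one process record; returns its confidence or None."""
    if ev.get("pid") is not None and ev["pid"] == rec.pid:
        conf = "first"                                          # S112: process identifier
    elif rec.path and ev.get("path") == rec.path:
        conf = "second"                                         # S114: file path
    elif in_window((ev.get("ctime"), ev.get("mtime"), ev.get("atime")), rec) and file_action_matches(rec, ev):
        conf = "third"                                          # S116: time plus action rule
    else:
        return None                                             # S117: discarded
    rec.files.append(ev)                                        # enrich the process data
    _raise_confidence(rec, "file_conf", conf)
    return conf


def run_example():
    """Constructed sample telemetry: a ping process and a process that writes files."""
    ping = ProcessRecord(4242, "ping", "/usr/bin/ping", "203.0.113.7", 100.0, 110.0, frozenset({"icmp"}))
    net_events = [
        {"pid": 4242, "proto": "DNS", "addr": "203.0.113.53", "recv_time": 101.0},   # same pid
        {"pid": None, "proto": "TCP", "addr": "203.0.113.7", "send_time": 102.0},    # same address
        {"pid": None, "proto": "ICMP", "addr": "203.0.113.9", "send_time": 103.0},   # in window + rule
        {"pid": None, "proto": "HTTP", "addr": "198.51.100.1", "send_time": 500.0},  # unrelated
    ]
    updater = ProcessRecord(5151, "updater", "/tmp/updater", None, 200.0, 210.0,
                            frozenset({"file_create", "file_write"}))
    file_events = [
        {"pid": 5151, "path": "/tmp/update.bin", "op": "file_create", "ctime": 201.0},  # same pid
        {"pid": None, "path": "/tmp/updater", "op": "file_write", "mtime": 202.0},      # same path
        {"pid": None, "path": "/tmp/x.log", "op": "file_write", "mtime": 205.0},        # in window + rule
        {"pid": None, "path": "/tmp/other", "op": "file_create", "ctime": 999.0},       # unrelated
    ]
    return {
        "net": [associate_network(ping, e) for e in net_events],
        "file": [associate_file(updater, e) for e in file_events],
        "ping_conf": ping.net_conf, "updater_conf": updater.file_conf,
        "ping_enriched": len(ping.network), "updater_enriched": len(updater.files),
    }


if __name__ == "__main__":
    print(run_example())
```

The fourth event in each list is the S109/S117 case: it is dropped and the record keeps only the process data from that event's point of view, while the record's stored confidence stays at the strongest level any accepted event reached.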
In the embodiment of the application, the network data and the file data are associated with the process data, that is, the network data and the file data are integrated into the process data to enrich the process data, and the data integration is to define a protocol for process description and fill the corresponding data into the protocol.
In the embodiment of the present invention, the steps S102 to S109 may occur before the steps S110 to S117, or may occur after the steps S110 to S117, or may be processed in parallel with the steps S110 to S117, and only one processing sequence is given in the embodiment, and the specific execution sequence is not limited in the embodiment of the present invention.
In the embodiment of the present invention, when steps S102 to S109 and steps S110 to S117 are performed in parallel, the network data is associated with the process data to obtain the first associated data at the same time as the file data is associated with the process data to obtain the second associated data; that is, the first associated data and the second associated data can be obtained simultaneously.
And S118, generating associated process chain data of the target terminal according to the first associated data and the second associated data, and storing the associated process chain data into a process chain database.
As an optional implementation manner, generating associated process chain data of the target terminal according to the first associated data and the second associated data includes:
merging and integrating the first associated data and the second associated data according to the process data to obtain integrated data;
and generating the associated process chain data of the target terminal according to the integrated data.
In the embodiment of the application, because the first associated data and the second associated data both include process data, the first associated data and the second associated data may be integrated according to the process data to obtain integrated data.
In the embodiment of the application, the confidence levels are, from highest to lowest, the first confidence level, the second confidence level and the third confidence level.
In the embodiment of the present application, taking the execution sequence given in this embodiment as an example, the network data and the file data are each associated with the process data under different matching conditions. The confidence of the first associated data, obtained by associating the network data with the process data through steps S102 to S109, is one of the first confidence, the second confidence, the third confidence and no confidence; likewise, the confidence of the second associated data, obtained by associating the file data with the process data through steps S110 to S117, is one of the first confidence, the second confidence, the third confidence and no confidence. This is not limited in this embodiment of the present application.
Fig. 3 is a schematic flowchart of the process for associating process data with network data and file data provided in an embodiment of the present application. As shown in fig. 3, steps S102 to S109 and steps S110 to S117 are performed in parallel. First associated data and second associated data with different confidence levels are obtained under different association conditions, so the integrated data obtained by integrating them contains first associated data and second associated data of differing confidence. For example, the integrated data may include first associated data of the first confidence level together with second associated data of the second confidence level.
As shown in fig. 3, when both the first associated data and the second associated data have the first confidence level, the integrated data obtained by integrating them is first-confidence integrated data; when both have the second confidence level, the integrated data is second-confidence integrated data; and when both have the third confidence level, the integrated data is third-confidence integrated data.
In the embodiment of the application, after the process data, the network data and the file data of the target terminal are collected, they are integrated into complete associated process chain data. Storing the associated process chain data into the process chain database means sending the associated process chain data to the OneEDR server, which stores it in the process chain database.
In the embodiment of the application, the acquisition device on the target terminal continuously executes the steps S101-S118, continuously acquires and associates process data, network data and file data in a preset time period, and then sends complete associated process chain data to the OneEDR server to form a process chain database. The process chain database contains process data, network data and file data related to the associated process chain data.
In the embodiment of the application, taking a reverse shell (a "bounce shell") as an example, the target terminal locally sends a network connection request to other target terminals and then continuously executes shell commands. With this method, the shell commands generated after the network connection and the process data that produced the network connection can be associated, so that the process chain is complete.
As an optional implementation, after storing the associated process chain data in the process chain database, the method further includes:
when the target terminal is detected to be abnormal, acquiring basic information of the abnormal condition;
determining abnormal associated process chain data matched with the basic information according to the process chain database;
carrying out anomaly analysis on the abnormal associated process chain data to determine complete process data of the target terminal with the anomaly;
and outputting exception prompt information comprising complete process data.
And S119, when receiving the network attack warning information aiming at the target terminal, carrying out attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information.
In the embodiment of the application, when network attack warning information for a target terminal is received, the network attack warning information is matched against the various kinds of information in the process chain database. If any one kind of information matches, the whole associated process chain data is taken as the attack tracing information and fed back to the security operations and maintenance personnel.
As an optional implementation manner, performing attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information, including:
acquiring network attack information according to the network attack warning information;
determining attack process chain data matched with the network attack information according to the process chain database;
carrying out source tracing analysis on the attack process chain data to determine complete attack process data of an attacker attacking a target terminal;
and outputting attack tracing information comprising complete attack process data.
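The association cascade of steps S102 to S117, the confidence integration of S118 and the alert-driven lookup of S119 described above, as an added example that is not the patent's own code. The record layout, field names, sample values and the two-second time window are constructed assumptions; the rule used when the two sides have different confidences (keep both, take the weaker overall) is likewise an assumption the description leaves open.

```python
"""Added example, not the patent's own code: cascading association of network
and file records with process records (S102 to S117), confidence integration
(S118) and alert-driven tracing (S119). All records and values are constructed."""
from dataclasses import dataclass
from typing import Optional

# Confidence levels as the description orders them: first > second > third > none.
FIRST, SECOND, THIRD, NONE = "first", "second", "third", "none"
RANK = {FIRST: 3, SECOND: 2, THIRD: 1, NONE: 0}
TIME_WINDOW = 2  # seconds; assumed tolerance for "matches the process action time"

@dataclass
class ProcessRecord:
    pid: int          # target process identifier
    addr: str         # target network address
    path: str         # target file path
    action_time: int  # process action time (epoch seconds)
    action_data: str  # process action data, e.g. the command line

@dataclass
class Event:
    """One network event (addr set) or file event (path set) from the collector."""
    time: int
    log: str                    # weblog data or file log data
    pid: Optional[int] = None
    addr: Optional[str] = None
    path: Optional[str] = None

def _associate(proc, ev, key):
    """Shared cascade: process id, then the key field, then time plus log content."""
    if ev.pid is not None and ev.pid == proc.pid:
        return FIRST
    if getattr(ev, key) is not None and getattr(ev, key) == getattr(proc, key):
        return SECOND
    if abs(ev.time - proc.action_time) <= TIME_WINDOW and proc.action_data in ev.log:
        return THIRD
    return NONE

def associate_network(proc, ev):
    """S102-S109: network data against process data (first associated data)."""
    return _associate(proc, ev, "addr")

def associate_file(proc, ev):
    """S110-S117: file data against process data (second associated data)."""
    return _associate(proc, ev, "path")

def best_match(proc, events, associate):
    """Keep the event with the highest confidence; None when nothing associates."""
    best, best_conf = None, NONE
    for ev in events:
        conf = associate(proc, ev)
        if RANK[conf] > RANK[best_conf]:
            best, best_conf = ev, conf
    return best, best_conf

def build_chain(proc, net_events, file_events):
    """S118: integrate both associations into one process-chain entry. A shared
    level is the overall level; if they differ, keep both, take the weaker (assumed)."""
    net, net_conf = best_match(proc, net_events, associate_network)
    fev, file_conf = best_match(proc, file_events, associate_file)
    return {"process": proc, "network": net, "network_confidence": net_conf,
            "file": fev, "file_confidence": file_conf,
            "confidence": min(net_conf, file_conf, key=RANK.__getitem__)}

def chain_fields(chain):
    """Every value an alert item can be matched against: pid, address, path, logs."""
    p = chain["process"]
    values = {str(p.pid), p.addr, p.path, p.action_data}
    for ev in (chain["network"], chain["file"]):
        if ev is not None:
            values.update(v for v in (ev.addr, ev.path, ev.log) if v)
    return values

def trace_attack(alert_info, database):
    """S119: one alert item matching any field returns the whole chain entry."""
    return [c for c in database if alert_info in chain_fields(c)]

# Constructed sample: a shell process that opened an outbound connection and
# read a script, plus an unrelated file event that must not associate.
PROCS = [ProcessRecord(4242, "198.51.100.7:4444", "/tmp/run.sh", 1000, "sh -i")]
NET_EVENTS = [Event(1001, "connect 198.51.100.7:4444", addr="198.51.100.7:4444")]
FILE_EVENTS = [Event(1001, "open /tmp/run.sh by sh -i"),
               Event(5000, "append", pid=9, path="/var/log/syslog")]

def build_database():
    """Run S118 over the collected process records to form the process chain database."""
    return [build_chain(p, NET_EVENTS, FILE_EVENTS) for p in PROCS]

if __name__ == "__main__":
    for hit in trace_attack("198.51.100.7:4444", build_database()):
        print(hit["confidence"], hit["process"].action_data)
```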
In the above embodiment, for network attack tracing, the target terminal associates the process data, the file data and the network data in advance to form complete associated process chain data. When the target terminal is attacked, the relevant associated data can be retrieved according to the network attack information in the network alarm information to obtain the attack process chain data, which reduces the difficulty of tracing, provides more effective data, makes the tracing more accurate and yields effective threat intelligence. At the same time, the method can significantly improve program performance and reduce processor and memory utilization.
In this embodiment, because the attack tracing information includes the complete attack process data, the attacker's attack process on the target terminal can be fully understood, so that the network attack can be fully analyzed and better countered or blocked, and network security can be maintained.
Therefore, the attack tracing method described in this embodiment can simply and quickly trace the source of the network attack, is low in cost, saves network resources, has good applicability, and is beneficial to improving the tracing efficiency.
Example 2
Please refer to fig. 2, fig. 2 is a schematic structural diagram of an attack tracing apparatus according to an embodiment of the present application. As shown in fig. 2, the attack tracing apparatus includes:
an obtaining unit 210, configured to obtain process data, network data, and file data of a target terminal;
a first associating unit 220, configured to perform association processing on the network data and the process data to obtain first associated data;
a second associating unit 230, configured to perform association processing on the file data and the process data to obtain second associated data;
a process chain generating unit 240, configured to generate associated process chain data of the target terminal according to the first associated data and the second associated data;
a storage unit 250, configured to store the associated process chain data in a process chain database;
and the attack tracing unit 260 is configured to, when receiving the network attack warning information for the target terminal, perform attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information.
As an optional implementation, the first associating unit 220 includes:
a first obtaining subunit 221, configured to obtain a target process identifier, a target network address, a process action time, and process action data in the process data;
a first determining subunit 222, configured to determine whether the network data matches the target process identifier;
a first association subunit 223, configured to, when it is determined that the network data matches the target process identifier, perform association processing based on the process identifier on the network data and the process data according to the target process identifier to obtain first association data;
the first determining subunit 222 is further configured to determine whether the network data matches the target network address when it is determined that the network data does not match the target process identifier;
the first association subunit 223 is configured to, when it is determined that the network data matches the target network address, perform association processing based on the network address on the network data and the process data according to the target network address to obtain first association data.
As an optional implementation manner, the first determining subunit 222 is further configured to determine whether the network data matches the process action time when it is determined that the network data does not match the target network address;
the first obtaining subunit 221 is further configured to obtain weblog data in the network data when it is determined that the network data matches the process action time;
the first associating subunit 223 is further configured to, when the weblog data matches the process action data, perform time-based association processing on the weblog data and the process data to obtain first associated data.
As an optional implementation, the second associating unit 230 includes:
a second obtaining subunit 231, configured to obtain a target file path in the process data;
a second determining subunit 232, configured to determine whether the file data matches the target process identifier;
a second association subunit 233, configured to, if the file data matches the target process identifier, perform association processing based on the process identifier on the file data and the process data according to the target process identifier to obtain second association data;
the second determining subunit 232 is further configured to determine whether the file data matches the target file path when it is determined that the file data does not match the target process identifier;
the second association subunit 233 is further configured to, when it is determined that the file data matches the target file path, perform association processing based on the file path on the file data and the process data according to the target file path to obtain second association data.
As an optional implementation manner, the second determining subunit 232 is further configured to determine whether the file data matches the process action time when it is determined that the file data does not match the target file path;
the second obtaining subunit 231 is configured to, when it is determined that the file data matches the process action time, obtain file log data in the file data, and, when the file log data matches the process action data, perform time-based association processing on the file data and the process data to obtain second association data.
As an optional implementation manner, the obtaining unit 210 is further configured to, after storing the associated process chain data in the process chain database, obtain basic information of an occurrence of an abnormality when it is detected that the target terminal has the abnormality;
the attack tracing device further comprises:
a determining unit 270, configured to determine, according to the process chain database, abnormal associated process chain data that matches the basic information;
an anomaly analysis unit 280, configured to perform anomaly analysis on the abnormal associated process chain data to determine the complete process data of the target terminal in which the abnormality occurred;
and an output unit 290, configured to output exception prompt information including the complete process data.
As an optional implementation, the attack tracing unit 260 includes:
a determining subunit 261, configured to, when receiving network attack warning information for a target terminal, obtain network attack information according to the network attack warning information; determining attack process chain data matched with the network attack information according to the process chain database;
a tracing subunit 262, configured to perform tracing analysis on the attack process chain data, and determine complete attack process data of an attacker attacking the target terminal;
and the output subunit 263 is configured to output attack tracing information including complete attack process data.
In the embodiment of the present application, for the explanation of the attack tracing apparatus, reference may be made to the description in embodiment 1, and details are not repeated in this embodiment.
Therefore, the attack tracing device described in the embodiment can simply and quickly trace the source of the network attack, is low in cost, saves network resources, is good in applicability, and is favorable for improving the tracing efficiency.
The embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the attack tracing method in embodiment 1 of the present application.
An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, where the computer program instructions are read and executed by a processor to execute the attack tracing method in embodiment 1 of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An attack tracing method is characterized by comprising the following steps:
acquiring process data, network data and file data of a target terminal;
performing association processing on the network data and the process data to obtain first associated data; performing association processing on the file data and the process data to obtain second associated data;
generating associated process chain data of a target terminal according to the first associated data and the second associated data, and storing the associated process chain data into a process chain database;
and when network attack warning information aiming at the target terminal is received, carrying out attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information.
2. The attack tracing method according to claim 1, wherein associating the network data with the process data to obtain first associated data comprises:
acquiring a target process identifier, a target network address, process action time and process action data in the process data;
judging whether the network data is matched with the target process identification;
if the network data is matched with the target process identification, performing process identification-based association processing on the network data and the process data according to the target process identification to obtain first associated data;
if the network data is not matched with the target process identification, judging whether the network data is matched with the target network address;
and if the network data is matched with the target network address, performing network address-based association processing on the network data and the process data according to the target network address to obtain first associated data.
3. The attack tracing method of claim 2, wherein the method further comprises:
when the network data is judged not to be matched with the target network address, judging whether the network data is matched with the process action time or not;
if so, acquiring weblog data in the network data, and performing time-based association processing on the network data and the process data when the weblog data is matched with the process action data to obtain first associated data.
4. The attack tracing method according to claim 2, wherein associating the file data with the process data to obtain second associated data comprises:
acquiring a target file path in the process data;
judging whether the file data is matched with the target process identification;
if the file data is matched with the target process identifier, performing process identifier-based association processing on the file data and the process data according to the target process identifier to obtain second associated data;
if the file data is not matched with the target process identification, judging whether the file data is matched with the target file path;
and if the file data is matched with the target file path, performing file path-based association processing on the file data and the process data according to the target file path to obtain second associated data.
5. The attack tracing method of claim 4, wherein the method further comprises:
when the file data is judged not to be matched with the target file path, judging whether the file data is matched with the process action time or not;
if so, acquiring file log data in the file data, and performing time-based association processing on the file data and the process data when the file log data is matched with the process action data to obtain second associated data.
6. The attack tracing method of claim 1, wherein after storing the associated process chain data in a process chain database, the method further comprises:
when the target terminal is detected to be abnormal, acquiring basic information of the abnormal condition;
determining abnormal associated process chain data matched with the basic information according to the process chain database;
carrying out anomaly analysis on the abnormal associated process chain data to determine complete process data of the target terminal with the anomaly;
and outputting exception prompt information comprising the complete process data.
7. The attack tracing method according to claim 1, wherein performing attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information comprises:
acquiring network attack information according to the network attack warning information;
determining attack process chain data matched with the network attack information according to the process chain database;
performing source tracing analysis on the attack process chain data to determine complete attack process data of an attacker attacking the target terminal;
and outputting attack tracing information comprising the complete attack process data.
8. An attack tracing apparatus, comprising:
an acquisition unit, configured to acquire process data, network data and file data of a target terminal;
the first association unit is used for associating the network data with the process data to obtain first association data;
the second association unit is used for associating the file data with the process data to obtain second association data;
a process chain generating unit, configured to generate associated process chain data of the target terminal according to the first associated data and the second associated data;
the storage unit is used for storing the associated process chain data into a process chain database;
and the attack tracing unit is used for carrying out attack tracing according to the process chain database and the network attack warning information to obtain attack tracing information when the network attack warning information aiming at the target terminal is received.
9. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the attack tracing method according to any one of claims 1 to 7.
10. A readable storage medium, wherein computer program instructions are stored in the readable storage medium, and when the computer program instructions are read and executed by a processor, the attack tracing method according to any one of claims 1 to 7 is executed.
CN202111636686.XA 2021-12-30 2021-12-30 Attack tracing method and device Pending CN113992454A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111636686.XA CN113992454A (en) 2021-12-30 2021-12-30 Attack tracing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111636686.XA CN113992454A (en) 2021-12-30 2021-12-30 Attack tracing method and device

Publications (1)

Publication Number Publication Date
CN113992454A true CN113992454A (en) 2022-01-28

Family

ID=79734902

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111636686.XA Pending CN113992454A (en) 2021-12-30 2021-12-30 Attack tracing method and device

Country Status (1)

Country Link
CN (1) CN113992454A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020099959A1 (en) * 2000-11-13 2002-07-25 Redlich Ron M. Data security system and method responsive to electronic attacks
CN108259449A (en) * 2017-03-27 2018-07-06 新华三技术有限公司 A kind of method and system for defending APT attacks
CN109787964A (en) * 2018-12-29 2019-05-21 北京零平数据处理有限公司 Process behavior is traced to the source device and method
CN111628964A (en) * 2020-04-03 2020-09-04 北京奇艺世纪科技有限公司 Network attack tracing method and device



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220128