CN114003903B - Network attack tracing method and device - Google Patents

Network attack tracing method and device

Info

Publication number: CN114003903B
Authority: CN (China)
Prior art keywords: attacker, target, tracing, information, file
Legal status: Active
Application number: CN202111615214.6A
Other languages: Chinese (zh)
Other versions: CN114003903A (en)
Inventors: 孙立博, 卢胜, 樊兴华, 薛锋
Current assignee: Beijing ThreatBook Technology Co Ltd
Original assignee: Beijing ThreatBook Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The embodiments of the application provide a network attack tracing method and device in the technical field of network security. The network attack tracing method comprises the following steps: first, acquiring an access log of a target network service and detecting a first malicious file in the target network service; then extracting attacker information of a target attacker according to the access log and the first malicious file; then determining, according to the access log and the attacker information, other files accessed by the target attacker and using them as files to be detected; further, constructing an attacker portrait of the target attacker according to the files to be detected, the access log, the first malicious file and the attacker information; and finally, tracing and tracking the network attack according to the attacker portrait to obtain a tracing result. The network attack can thus be traced in a real service scene that completely fits the actual service, which improves tracing accuracy and helps guarantee network security.

Description

Network attack tracing method and device
Technical Field
The application relates to the technical field of network security, in particular to a network attack tracing method and device.
Background
At present, computer network technology is developing rapidly, more and more enterprises provide network services, and the security protection of the network server that hosts those services is becoming more and more important. The existing network attack tracing method generally acquires an access log from a pre-deployed honeypot server, extracts attacker information from the access log, screens and matches the attacker information, and records the effective attacker information for later reference. In practice, however, a honeypot server can only simulate a normal service and differs from the actual service scene, which results in low tracing accuracy.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for tracing a network attack, which can trace a network attack in a real service scene that completely fits the actual service, thereby helping to improve tracing accuracy and ensure network security.
A first aspect of the embodiments of the present application provides a network attack tracing method, including:
acquiring an access log of a target network service, and detecting a first malicious file in the target network service;
according to the access log and the first malicious file, extracting attacker information of a target attacker;
determining other files accessed by the target attacker according to the access log and the attacker information, and using the other files as files to be detected;
constructing an attacker portrait of the target attacker according to the file to be detected, the access log, the first malicious file and the attacker information;
and tracing the network attack according to the attacker portrait to obtain a tracing result.
In the implementation process, an access log of the target network service is obtained first, and a first malicious file in the target network service is detected; then attacker information of a target attacker is extracted according to the access log and the first malicious file; then other files accessed by the target attacker are determined according to the access log and the attacker information and used as files to be detected; further, an attacker portrait of the target attacker is constructed according to the files to be detected, the access log, the first malicious file and the attacker information; finally, the network attack is traced according to the attacker portrait to obtain a tracing result. The network attack can thus be traced in a real service scene that completely fits the actual service, so that tracing accuracy is improved and network security is guaranteed.
Further, the detecting the first malicious file in the target network service includes:
acquiring a script file under the target network service directory;
and carrying out malicious file detection on the script file to determine a first malicious file.
Further, the extracting attacker information of the target attacker according to the access log and the first malicious file includes:
extracting a first access record of the first malicious file according to the access log;
and extracting the attacker information of the target attacker according to the first access record.
Further, the determining, according to the access log and the attacker information, other files that the target attacker accesses as files to be detected includes:
determining a second access record of the target attacker for accessing other files according to the access log and the attacker information;
and determining the file to be detected according to the second access record.
Further, the constructing an attacker portrait of the target attacker according to the file to be detected, the access log, the first malicious file and the attacker information includes:
carrying out integrity check on the file to be detected to obtain a check result;
determining an untampered file and a tampered file from the files to be detected according to the verification result;
carrying out intrusion point detection on the files which are not tampered to obtain intrusion point detection results, and carrying out malicious file detection on the tampered files again to obtain second malicious files;
carrying out multi-dimensional information statistics according to the access log, the first malicious file, the second malicious file, the intrusion point detection result and the attacker information to obtain a multi-dimensional information statistical result;
and constructing the attacker portrait of the target attacker according to the multi-dimensional information statistical result.
Further, the performing multidimensional information statistics according to the access log, the first malicious file, the second malicious file, the intrusion point detection result, and the attacker information to obtain a multidimensional information statistics result includes:
generating basic information of the target attacker according to the second malicious file, the access log and the attacker information;
counting data of the invader point according to the invader point detection result to obtain an invader point counting result;
evaluating the attack technical level of the target attacker according to the statistic result of the intrusion point;
acquiring all access records of the target attacker from the access log, and performing statistical analysis on all access records of the target attacker to obtain a time statistical result;
and summarizing the basic information, the intrusion point statistical result, the attack technical level and the time statistical result to obtain a multi-dimensional information statistical result.
Further, the tracing the network attack according to the attacker portrait to obtain a tracing result includes:
matching the attacker portrait with a preset portrait database to obtain portrait matching information and a portrait similarity;
judging whether the portrait similarity is greater than a preset similarity threshold;
if so, tracking the source of the target attacker according to the portrait matching information to obtain a source tracking result;
and if not, adding the attacker portrait to the portrait database so as to update the portrait database.
A second aspect of the embodiments of the present application provides a network attack tracing system, where the network attack tracing system includes:
an acquisition unit, used for acquiring an access log of a target network service in a target terminal;
a detection unit, used for detecting a first malicious file in the target network service;
an extracting unit, used for extracting attacker information of a target attacker according to the access log and the first malicious file;
a determining unit, used for determining other files accessed by the target attacker as files to be detected according to the access log and the attacker information;
a portrait construction unit, used for constructing an attacker portrait of the target attacker according to the files to be detected, the access log, the first malicious file and the attacker information;
and a tracing unit, used for tracing the network attack according to the attacker portrait to obtain a tracing result.
In the implementation process, the acquisition unit acquires an access log of the target network service, and the detection unit detects a first malicious file in the target network service; then the extracting unit extracts attacker information of a target attacker according to the access log and the first malicious file; then the determining unit determines other files accessed by the target attacker as files to be detected according to the access log and the attacker information; further, the portrait construction unit constructs an attacker portrait of the target attacker according to the files to be detected, the access log, the first malicious file and the attacker information; finally, the tracing unit traces the network attack according to the attacker portrait to obtain a tracing result. The system can thus trace the network attack in a real service scene that completely fits the actual service, so that tracing accuracy is improved and network security is guaranteed.
A third aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to enable the electronic device to execute the network attack tracing method according to any one of the first aspect of the embodiments of the present application.
A fourth aspect of the present embodiment provides a computer-readable storage medium, which stores computer program instructions, where the computer program instructions, when read and executed by a processor, perform the network attack tracing method according to any one of the first aspect of the present embodiment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a network attack tracing method according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a network attack tracing system according to an embodiment of the present disclosure;
fig. 3 is an information interaction schematic diagram of a network attack tracing system according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating a network attack tracing method according to an embodiment of the present disclosure. The network attack tracing method comprises the following steps:
s101, obtaining an access log of the target network service, and detecting a first malicious file in the target network service.
In the embodiment of the present application, the target network service may specifically be a WEB service, and the like, which is not limited in this embodiment of the present application.
In the embodiment of the application, the method can be applied to a network attack tracing system. As shown in fig. 3, the tracing system includes three parts, namely malicious file detection, log analysis and tracing, where the first malicious file in the target network service is detected by the malicious file detection part.
In this embodiment, the tracing system may be run on a computing device such as a computer and a server, and is not limited in this embodiment.
In this embodiment, the tracing system may also be operated on an intelligent device such as a smart phone or a tablet computer, which is not limited in this embodiment.
In the embodiment of the application, malicious file detection is mainly used to detect all files under the target network service, lock onto intrusion traces and discover attack behavior.
In the embodiment of the present application, the malicious file detection may specifically be a webshell detection module, which is not limited in this embodiment of the present application. When malicious files are detected through the webshell detection module, the method comprises two detection modes: static detection mode and dynamic detection mode.
In the embodiment of the application, the method locks real attacks through the webshell detection engine, collects log information of a real environment, performs correlation analysis, finds attack intrusion points, and can be used for subsequent vulnerability repair.
In the embodiment of the application, when the static detection mode is adopted, the script is examined in two parts: data transmission and execution of the transmitted data. For the execution part, keywords such as exec, passthru, shell_exec, system, eval, etc. are collected and matched against the script file to find suspicious functions; when a suspicious function is matched, it is then determined whether the data transmission part is user controllable, such as $_POST, $_GET, $_REQUEST, $_FILES, $_COOKIE, $_SERVER, etc.
In the embodiment of the application, when the dynamic detection mode is adopted, the file is run in a sandbox environment and its behavior is monitored; if the detected file is a script file that executes commands, a subprocess executing the command can be spawned, the parameters required by the webshell passed in, and fuzz testing performed.
As an optional implementation, detecting a first malicious file in a target network service includes:
acquiring a script file under a target network service directory;
and carrying out malicious file detection on the script file to determine a first malicious file.
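The static detection mode described above, written out as an added Python example that is not part of the patent: it collects the dangerous keywords named in the text, matches them against a PHP script, and for each hit checks whether the argument is user controllable, either directly through one of the listed superglobals or through a variable that was assigned from one (following assignments to a fixed point is this example's own addition). The sample scripts are constructed.

```python
import re
from dataclasses import dataclass

# Keywords from the text: execution functions and user-controllable superglobals.
SUSPICIOUS_FUNCS = ("exec", "passthru", "shell_exec", "system", "eval")
SUPERGLOBAL_RE = re.compile(r"\$_(?:POST|GET|REQUEST|FILES|COOKIE|SERVER)\b")

# A call to one of the suspicious functions, capturing its argument expression.
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_FUNCS) + r")\s*\((.*?)\)\s*;", re.S)
# A plain PHP assignment "$var = <expr>;" (a single "=", not "==").
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*(?<![=!<>])=(?!=)\s*([^;]+);")


@dataclass
class Finding:
    func: str
    argument: str
    user_controlled: bool


def _uses(expr: str, var: str) -> bool:
    """True if the variable `var` (e.g. "$c") appears as a whole token in `expr`."""
    return re.search(re.escape(var) + r"\b", expr) is not None


def tainted_variables(source: str) -> set:
    """Variables assigned from a superglobal, directly or via another tainted variable."""
    tainted = set()
    changed = True
    while changed:  # iterate to a fixed point for chains like $a = $_GET[..]; $b = $a;
        changed = False
        for var, expr in ASSIGN_RE.findall(source):
            if var in tainted:
                continue
            if SUPERGLOBAL_RE.search(expr) or any(_uses(expr, t) for t in tainted):
                tainted.add(var)
                changed = True
    return tainted


def scan_script(source: str) -> list:
    """Static detection: every suspicious call, flagged when its argument is user controllable."""
    tainted = tainted_variables(source)
    findings = []
    for func, arg in CALL_RE.findall(source):
        controllable = SUPERGLOBAL_RE.search(arg) is not None or any(_uses(arg, t) for t in tainted)
        findings.append(Finding(func, arg.strip(), controllable))
    return findings


def is_webshell(source: str) -> bool:
    """A script is reported as a webshell when a suspicious call receives user-controlled data."""
    return any(f.user_controlled for f in scan_script(source))


# Constructed sample scripts (not from the patent).
WEBSHELL = "<?php eval($_POST['cmd']); ?>"
INDIRECT = "<?php $c = $_GET['c']; $run = $c; system($run); ?>"
BENIGN = "<?php system('ls -l /var/www'); echo 'done'; ?>"

if __name__ == "__main__":
    for name, src in (("WEBSHELL", WEBSHELL), ("INDIRECT", INDIRECT), ("BENIGN", BENIGN)):
        print(name, is_webshell(src), scan_script(src))
```

The benign script still produces a finding for `system`, but with `user_controlled=False`, which is the distinction the text draws between merely matching a suspicious function and confirming that its data transmission part is user controllable.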
S102, extracting a first access record of the first malicious file according to the access log, and extracting attacker information of a target attacker according to the first access record.
In this embodiment of the present application, the attacker information includes, but is not limited to, the attack source IP address, the agent given in the request header, the request time, the transmitted request information, and the like, and this embodiment of the present application is not limited thereto.
In the embodiment of the present application, by implementing step S102, attacker information of a target attacker can be extracted according to the access log and the first malicious file.
S103, determining a second access record of the target attacker for accessing other files according to the access log and the attacker information.
In the embodiment of the application, the method reduces the number of file integrity checks through the associated access information, and improves the efficiency of security detection.
As shown in fig. 3, attacker information is obtained by analyzing the log according to the first access record of the malicious file, and then second access records with the same source are searched for in the whole log according to the attacker information. The request files that these records point to include the attack intrusion point or a backdoor left by the attacker, and specifically the following code logic may be implemented for each request file referenced by the second access records:
# file_hash: the known-good hash of request_file recorded for the integrity check
if hash(request_file) == file_hash:
    # integrity check passed: the file is untampered, so test whether it is an intrusion point
    if is_vuln_file(request_file):
        invade.append(request_file)
else:
    # hash mismatch: the file has been tampered with, so run malicious file detection on it again
    webshell_detection(request_file)
This processing logic improves detection accuracy, avoids integrity verification of all files and improves efficiency.
After step S103, the following steps are also included:
S104, determining the files to be detected according to the second access record.
In the embodiment of the application, by implementing steps S103 to S104, other files accessed by the target attacker can be determined according to the access log and the attacker information and used as files to be detected.
S105, carrying out an integrity check on the files to be detected to obtain a check result.
S106, determining the untampered files and the tampered files from the files to be detected according to the check result.
S107, carrying out intrusion point detection on the untampered files to obtain intrusion point detection results, and carrying out malicious file detection on the tampered files again to obtain second malicious files.
In the embodiment of the application, whether a file has been tampered with is judged by verifying its integrity; if the file is untampered, it is then judged whether the file is an intrusion point.
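Steps S102 to S107 end to end, as an added Python example that is not the patent's own code: it parses combined-format access log lines, takes the first access records of the detected malicious file to extract the attacker's source IPs, agents and first request time, selects the second access records from the same source to obtain the files to be detected, and then triages each of those files by comparing its SHA-256 hash with a deploy-time baseline, treating an untampered file as an intrusion point when a vulnerability scan flagged it and re-running a simplified webshell check on tampered files. The log lines, file contents, baseline hashes and scan results are all constructed, and the one-regex webshell check and the scanner lookup are this example's simplifications.

```python
import hashlib
import re
from datetime import datetime

# Apache/Nginx combined log format; only the fields the tracing needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            records.append(rec)
    return records


def extract_attacker_info(records, malicious_file):
    """S102: first access records of the malicious file -> source IPs, agents, first request time."""
    first = [r for r in records if r["path"] == malicious_file]
    if not first:
        return None
    return {"ips": {r["ip"] for r in first},
            "agents": {r["ua"] for r in first},
            "first_seen": min(r["time"] for r in first)}


def files_to_detect(records, attacker, malicious_file):
    """S103-S104: second access records from the same source -> the other files the attacker touched."""
    second = [r for r in records if r["ip"] in attacker["ips"] and r["path"] != malicious_file]
    return sorted({r["path"] for r in second})


def sha256(data):
    return hashlib.sha256(data.encode()).hexdigest()


# Simplified second malicious-file check: a suspicious call fed directly from a superglobal.
WEBSHELL_RE = re.compile(
    r"\b(?:eval|system|exec|passthru|shell_exec)\s*\([^;]*\$_(?:POST|GET|REQUEST|COOKIE|FILES|SERVER)")


def triage(paths, baseline_hashes, current_files, vuln_scan):
    """S105-S107: integrity check, then intrusion-point test (untampered) or webshell re-detection (tampered)."""
    result = {"intrusion_points": [], "second_malicious": [], "tampered_unknown": [], "clean": []}
    for path in paths:
        content = current_files.get(path, "")
        if sha256(content) == baseline_hashes.get(path):          # untampered
            bucket = "intrusion_points" if vuln_scan.get(path, False) else "clean"
        elif WEBSHELL_RE.search(content):                          # tampered and carrying a webshell
            bucket = "second_malicious"
        else:                                                      # tampered, needs manual review
            bucket = "tampered_unknown"
        result[bucket].append(path)
    return result


def run_tracing(log_lines, malicious_file, baseline_hashes, current_files, vuln_scan):
    records = parse_log(log_lines)
    attacker = extract_attacker_info(records, malicious_file)
    if attacker is None:
        return None
    paths = files_to_detect(records, attacker, malicious_file)
    return {"attacker": attacker, "files_to_detect": paths,
            "triage": triage(paths, baseline_hashes, current_files, vuln_scan)}


# Constructed data: deploy-time contents (baseline), current contents, scanner output and log lines.
DEPLOYED = {
    "/index.php": "<?php echo 'hello'; ?>",
    "/upload.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], 'upload/' . $_FILES['f']['name']); ?>",
    "/admin/config.php": "<?php $cfg = 1; ?>",
}
BASELINE_HASHES = {p: sha256(c) for p, c in DEPLOYED.items()}
CURRENT_FILES = {**DEPLOYED, "/admin/config.php": "<?php $cfg = 1; eval($_POST['x']); ?>"}
VULN_SCAN = {"/upload.php": True}      # assumed result of an intrusion-point (vulnerability) scan
MALICIOUS_FILE = "/upload/shell.php"   # the first malicious file found by webshell detection
LOG_LINES = [
    '203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2022:10:02:10 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "python-requests/2.25"',
    '198.51.100.7 - - [10/Jan/2022:10:02:15 +0000] "POST /upload/shell.php HTTP/1.1" 200 1024 "-" "python-requests/2.25"',
    '198.51.100.7 - - [10/Jan/2022:10:05:40 +0000] "GET /admin/config.php HTTP/1.1" 200 300 "-" "python-requests/2.25"',
    '203.0.113.5 - - [10/Jan/2022:10:06:00 +0000] "GET /admin/config.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(run_tracing(LOG_LINES, MALICIOUS_FILE, BASELINE_HASHES, CURRENT_FILES, VULN_SCAN))
```

Only the two files the attacker's source touched are hashed; `/index.php`, requested by another client, never enters the integrity check, which is the reduction in file integrity checks the text attributes to using the associated access information.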
S108, generating basic information of the target attacker according to the second malicious file, the access log and the attacker information.
In the embodiment of the present application, when performing multidimensional information statistics, the basic information of the target attacker is collected first, including but not limited to the attack source IP address, operating system type, open port information, the services bound to those ports, geographic location, the ASN to which the IP belongs, the reverse DNS lookup of the IP, and the like, which is not limited in the embodiment of the present application.
S109, counting the data of the attacker's intrusion points according to the intrusion point detection results to obtain an intrusion point statistical result.
S110, evaluating the attack technical level of the target attacker according to the intrusion point statistical result.
In the embodiment of the application, by counting the data of the attacker's intrusion points, it can be judged whether the attack was scripted or manual and whether a vulnerability verification process preceded exploitation, so that the technical level of the target attacker can be measured.
S111, acquiring all access records of the target attacker from the access log, and performing statistical analysis on all the access records of the target attacker to obtain a time statistical result.
In the embodiment of the present application, all the access records of the target attacker are subjected to temporal statistical analysis to obtain a time statistical result; specifically, the time statistical result includes attack duration, attack frequency, number of effective attacks, and the like, which is not limited in the embodiment of the present application.
S112, summarizing the basic information, the intrusion point statistical result, the attack technical level and the time statistical result to obtain a multi-dimensional information statistical result.
In the embodiment of the application, by implementing steps S108 to S112, multidimensional information statistics can be performed according to the access log, the first malicious file, the second malicious file, the intrusion point detection results and the attacker information, so as to obtain a multidimensional information statistical result.
After step S112, the following steps are also included:
S113, constructing the attacker portrait of the target attacker according to the multi-dimensional information statistical result.
In the embodiment of the application, the target attacker is finally mapped and recorded by combining the multi-dimensional information statistical results, the attacker portrait is established, and similarity matching is carried out between the attacker portrait and past data in the portrait database.
In the embodiment of the application, the method maps the attacker's portrait from multi-dimensional information sources, achieving the effect of source tracing and countering.
In the embodiment of the application, by implementing steps S105 to S113, an attacker portrait of the target attacker can be constructed according to the files to be detected, the access log, the first malicious file and the attacker information.
S114, matching the attacker portrait with a preset portrait database to obtain portrait matching information and a portrait similarity.
S115, judging whether the portrait similarity is greater than a preset similarity threshold; if so, executing step S116; if not, executing step S117.
S116, tracking the source of the target attacker according to the portrait matching information to obtain a source tracking result, and ending the process.
S117, adding the attacker portrait to the portrait database to update the portrait database.
In the embodiment of the present application, by implementing steps S114 to S117, the network attack can be traced according to the attacker portrait, so as to obtain a tracing result.
According to the method, whether a malicious file exists in the target network service can be effectively detected; then the first access record of the malicious file is obtained from the access log of the target network service and the attacker information is extracted; all other files accessed by the attacker are then screened out from the access log using the attacker information, and these other files contain the intrusion point and the backdoor files of the target attacker. All the access logs are based on real traffic and completely fit the real service.
In the embodiment of the application, the method is based on access log analysis: the original log is processed, the attacker portrait is drawn through multi-dimensional mapping, similarity comparison is carried out with previous data in the database, the attack process is supplemented, and a closed detection loop is completed. Therefore, tracing in a real environment can be guaranteed, attack intrusion points can be found, the logic of the whole attack flow is completed, and the attacker's portrait can be mapped at the same time.
Therefore, the network attack tracing method described in this embodiment can trace the network attack in a real service scene that completely fits the actual service, thereby helping to improve tracing accuracy and ensure network security.
Example 2
Referring to fig. 2, fig. 2 is a schematic structural diagram of a network attack tracing system according to an embodiment of the present application. As shown in fig. 2, the network attack tracing system includes:
an obtaining unit 210, configured to obtain an access log of a target network service in a target terminal;
a detecting unit 220, configured to detect a first malicious file in the target network service;
an extracting unit 230, configured to extract attacker information of a target attacker according to the access log and the first malicious file;
a determining unit 240, configured to determine other files accessed by the target attacker according to the access log and the attacker information, and use the other files as files to be detected;
a portrait construction unit 250, configured to construct an attacker portrait of the target attacker according to the files to be detected, the access log, the first malicious file and the attacker information;
and a tracing unit 260, configured to trace the network attack according to the attacker portrait to obtain a tracing result.
As an alternative embodiment, the detection unit 220 includes:
an acquiring subunit 221, configured to acquire a script file under the target network service directory;
the first detecting subunit 222 is configured to perform malicious file detection on the script file, and determine a first malicious file.
As an optional implementation manner, the extracting unit 230 is specifically configured to extract a first access record of the first malicious file according to the access log; and extracting the attacker information of the target attacker according to the first access record.
As an optional implementation manner, the determining unit 240 is specifically configured to determine, according to the access log and the attacker information, a second access record of the target attacker for accessing other files; and determining the file to be detected according to the second access record.
As an alternative embodiment, the portrait construction unit 250 includes:
a verifying subunit 251, configured to perform integrity verification on the files to be detected to obtain a verification result;
a determining subunit 252, configured to determine, according to the verification result, the untampered files and the tampered files from the files to be detected;
a second detecting subunit 253, configured to perform intrusion point detection on the untampered files to obtain intrusion point detection results, and to perform malicious file detection on the tampered files again to obtain second malicious files;
a statistics subunit 254, configured to perform multidimensional information statistics according to the access log, the first malicious file, the second malicious file, the intrusion point detection results and the attacker information, to obtain a multidimensional information statistical result;
and a constructing subunit 255, configured to construct an attacker portrait of the target attacker according to the multi-dimensional information statistical result.
As an alternative embodiment, the statistics subunit 254 includes:
the generating module is used for generating basic information of a target attacker according to the second malicious file, the access log and the attacker information;
the statistic module is used for carrying out statistics on data of the invader point according to the invader point detection result to obtain an invader point statistic result;
the evaluation module is used for evaluating the attack technical level of the target attacker according to the statistic result of the intrusion point;
the acquisition module is used for acquiring all access records of the target attacker from the access log and carrying out statistical analysis on all the access records of the target attacker to obtain a time statistical result;
and the summarizing module is used for summarizing the basic information, the intrusion point statistical result, the attack technical level and the time statistical result to obtain a multi-dimensional information statistical result.
As an optional implementation, the tracing unit 260 includes:
a matching subunit 261, configured to match the attacker portrait against a preset portrait database, to obtain portrait matching information and a portrait similarity;
a judging subunit 262, configured to judge whether the portrait similarity is greater than a preset similarity threshold;
a tracing subunit 263, configured to, when the portrait similarity is judged to be greater than the preset similarity threshold, trace the source of the target attacker according to the portrait matching information, to obtain a tracing result;
and an updating subunit 264, configured to, when the portrait similarity is judged not to be greater than the preset similarity threshold, add the attacker portrait to the portrait database so as to update it.
In this embodiment of the present application, for the explanation of the network attack tracing system reference may be made to the description in Embodiment 1, and the details are not repeated here.
Therefore, the network attack tracing system described in this embodiment can trace a network attack in a real service scenario and fits that scenario, which helps to improve tracing accuracy and protect network security.
An embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory is used to store a computer program and the processor runs the computer program so that the electronic device executes the network attack tracing method of Embodiment 1 of the present application.
An embodiment of the present application provides a computer-readable storage medium that stores computer program instructions; when the computer program instructions are read and executed by a processor, the network attack tracing method of Embodiment 1 of the present application is executed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
If the functions are implemented in the form of software functional modules and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, or the part of it that substantially contributes to the prior art, may be embodied as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (9)

1. A network attack tracing method, characterized by comprising the following steps:
acquiring an access log of a target network service, and detecting a first malicious file in the target network service;
extracting attacker information of a target attacker according to the access log and the first malicious file;
determining, according to the access log and the attacker information, other files accessed by the target attacker, and using the other files as files to be detected;
constructing an attacker portrait of the target attacker according to the files to be detected, the access log, the first malicious file and the attacker information;
performing network attack tracing according to the attacker portrait to obtain a tracing result;
wherein constructing the attacker portrait of the target attacker according to the files to be detected, the access log, the first malicious file and the attacker information comprises:
performing an integrity check on the files to be detected to obtain a check result;
determining untampered files and tampered files from the files to be detected according to the check result;
performing intrusion point detection on the untampered files to obtain an intrusion point detection result, and performing malicious file detection again on the tampered files to obtain a second malicious file;
performing multi-dimensional information statistics according to the access log, the first malicious file, the second malicious file, the intrusion point detection result and the attacker information to obtain a multi-dimensional information statistics result;
constructing the attacker portrait of the target attacker according to the multi-dimensional information statistics result;
wherein the multi-dimensional information statistics result comprises basic information of the target attacker, an intrusion point statistics result, the attack technical level of the target attacker and a time statistics result.
2. The network attack tracing method according to claim 1, wherein detecting the first malicious file in the target network service comprises:
acquiring script files under the directory of the target network service;
and performing malicious file detection on the script files to determine the first malicious file.
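The directory scan of claim 2, as an added example that is not part of the patent's disclosure. It walks a web service directory, reads every file with a script extension, and flags a script as a candidate first malicious file when it both reads request input and contains a code-execution, obfuscation or variable-function-call marker. The indicator patterns, the extension list and the constructed sample web root (written to a temporary directory) are assumptions for illustration, not the patent's detection rules.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical webshell indicators for PHP sources; not the patent's detection rules.
INDICATORS = {
    "user_input": re.compile(r"\$_(POST|GET|REQUEST|COOKIE|SERVER)\s*\["),
    "code_execution": re.compile(
        r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\("),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\("),
    "variable_function": re.compile(r"\$\w+\s*\(\s*\$_"),  # $f($_GET[...]) style dispatch
}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}


def classify_script(source):
    """Return (is_malicious, indicators). Malicious = reads request input AND can execute it."""
    hits = {name for name, pat in INDICATORS.items() if pat.search(source)}
    malicious = "user_input" in hits and bool(hits & {"code_execution", "obfuscation", "variable_function"})
    return malicious, sorted(hits)


def scan_directory(root):
    """Walk the service directory; map each script judged malicious to its indicators."""
    root = Path(root)
    flagged = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        malicious, hits = classify_script(path.read_text(encoding="utf-8", errors="replace"))
        if malicious:
            flagged[path.relative_to(root).as_posix()] = hits
    return flagged


# Constructed web root: two webshells among ordinary application files (assumed content).
SAMPLE_FILES = {
    "index.php": "<?php echo 'hello'; ?>",
    "lib/db.php": "<?php function q($pdo, $sql) { return $pdo->query($sql); } ?>",
    "admin/login.php": "<?php $u = $_POST['user']; if (check_login($u)) { header('Location: /'); } ?>",
    "uploads/shell.php": "<?php @eval($_POST['cmd']); ?>",
    "cache/tpl.php": "<?php $f = base64_decode('c3lzdGVt'); $f($_GET['c']); ?>",
    "assets/app.js": "eval(location.hash);",  # client-side file, not a server script extension
}


def make_sample_webroot():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, hits in scan_directory(make_sample_webroot()).items():
        print(rel, hits)
```

Flagging on the combination of an input source and an execution or obfuscation sink, rather than on either alone, is what keeps admin/login.php (which reads $_POST but only validates it) and lib/db.php out of the result; a scanner that fired on every eval( or $_POST would bury the first malicious file in false positives. A real deployment would also hash-match known webshell families and check file timestamps against the deployment baseline, which the patent's integrity check in claim 1 covers separately.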
3. The network attack tracing method according to claim 1, wherein extracting the attacker information of the target attacker according to the access log and the first malicious file comprises:
extracting a first access record of the first malicious file from the access log;
and extracting the attacker information of the target attacker from the first access record.
4. The network attack tracing method according to claim 1, wherein determining the other files accessed by the target attacker as the files to be detected according to the access log and the attacker information comprises:
determining, according to the access log and the attacker information, a second access record of the target attacker accessing other files;
and determining the files to be detected according to the second access record.
5. The network attack tracing method according to claim 1, wherein performing multi-dimensional information statistics according to the access log, the first malicious file, the second malicious file, the intrusion point detection result and the attacker information to obtain the multi-dimensional information statistics result comprises:
generating the basic information of the target attacker according to the second malicious file, the access log and the attacker information;
performing statistics on the intrusion point data according to the intrusion point detection result to obtain the intrusion point statistics result;
evaluating the attack technical level of the target attacker according to the intrusion point statistics result;
acquiring all access records of the target attacker from the access log, and performing statistical analysis on all the access records of the target attacker to obtain the time statistics result;
and summarizing the basic information, the intrusion point statistics result, the attack technical level and the time statistics result to obtain the multi-dimensional information statistics result.
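The portrait-construction steps of claims 1, 3, 4 and 5, which are the same steps described above for the second detection subunit 253 and the statistics subunit 254, carried through as an added example that is not part of the patent's disclosure. A constructed Apache combined-format access log and a constructed pre-incident SHA-256 manifest stand in for the target network service, and the first malicious file is taken as already detected. The log format, the two request-level intrusion indicators, the toy re-scan of tampered files and the technical-level scale are assumptions for illustration.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-format access log; not from the patent.
ACCESS_LOG = """\
203.0.113.7 - - [28/Dec/2021:02:14:19 +0800] "GET /login.php?user=admin'%20or%201=1-- HTTP/1.1" 200 731 "-" "python-requests/2.26"
203.0.113.7 - - [28/Dec/2021:02:15:02 +0800] "POST /upload.php HTTP/1.1" 200 88 "-" "python-requests/2.26"
203.0.113.7 - - [28/Dec/2021:02:15:40 +0800] "POST /uploads/shell.php HTTP/1.1" 200 1204 "-" "python-requests/2.26"
203.0.113.7 - - [28/Dec/2021:03:01:12 +0800] "GET /config.php HTTP/1.1" 200 64 "-" "python-requests/2.26"
198.51.100.9 - - [28/Dec/2021:09:30:11 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
FIRST_MALICIOUS = "/uploads/shell.php"  # output of the first malicious-file detection

# Constructed file contents: pre-incident baseline, and current state with config.php modified.
BASELINE_CONTENT = {"/login.php": b"<?php // login", "/upload.php": b"<?php // upload",
                    "/config.php": b"<?php // config", "/index.php": b"<?php // index"}
CURRENT_CONTENT = dict(BASELINE_CONTENT, **{"/config.php": b"<?php eval($_POST['x']);"})
BASELINE_MANIFEST = {f: hashlib.sha256(c).hexdigest() for f, c in BASELINE_CONTENT.items()}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Hypothetical request-level intrusion indicators, matched against "METHOD path".
INTRUSION_PATTERNS = {
    "sqli": re.compile(r"'(%20|\s)*or(%20|\s)+1=1", re.I),
    "file_upload": re.compile(r"^POST /upload\.php", re.I),
}


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped, not guessed."""
    out = []
    for line in text.splitlines():
        if m := LOG_RE.match(line):
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["file"] = rec["path"].split("?", 1)[0]
            out.append(rec)
    return out


def attacker_info(records, malicious_file):
    """First access record of the malicious file -> attacker IP, UA and first-seen time."""
    first = min((r for r in records if r["file"] == malicious_file), key=lambda r: r["ts"])
    return {"ip": first["ip"], "user_agent": first["ua"], "first_seen": first["ts"]}


def files_to_detect(records, info, malicious_file):
    """Other files the attacker touched (the second access records)."""
    return sorted({r["file"] for r in records
                   if r["ip"] == info["ip"] and r["file"] != malicious_file})


def integrity_check(files, content, manifest):
    """Split files into (untampered, tampered) by comparing SHA-256 with the baseline."""
    untampered, tampered = [], []
    for f in files:
        digest = hashlib.sha256(content.get(f, b"")).hexdigest()
        (untampered if manifest.get(f) == digest else tampered).append(f)
    return untampered, tampered


def rescan_tampered(tampered, content):  # second malicious-file detection, toy marker check
    return [f for f in tampered if b"eval(" in content[f]]


def intrusion_points(records, info, untampered):
    """Attacker requests against untampered files that match an intrusion indicator."""
    hits = []
    for r in records:
        if r["ip"] != info["ip"] or r["file"] not in untampered:
            continue
        request = f'{r["method"]} {r["path"]}'
        for technique, pat in INTRUSION_PATTERNS.items():
            if pat.search(request):
                hits.append({"file": r["file"], "technique": technique, "ts": r["ts"]})
    return hits


def technical_level(point_stats):
    """Hypothetical scale: number of distinct techniques -> none / low / medium / high."""
    n = len(point_stats["by_technique"])
    return ["none", "low", "medium"][n] if n < 3 else "high"


def multidimensional_stats(records, info, first_file, second_files, points):
    """Basic info, intrusion-point statistics, technical level and time statistics."""
    point_stats = {"by_technique": dict(Counter(h["technique"] for h in points)),
                   "by_file": dict(Counter(h["file"] for h in points))}
    own = sorted((r for r in records if r["ip"] == info["ip"]), key=lambda r: r["ts"])
    time_stats = {"requests": len(own), "first": own[0]["ts"].isoformat(),
                  "last": own[-1]["ts"].isoformat(),
                  "by_hour": dict(Counter(r["ts"].hour for r in own))}
    basic = {"ip": info["ip"], "user_agent": info["user_agent"],
             "malicious_files": [first_file] + second_files}
    return {"basic": basic, "intrusion_points": point_stats,
            "attack_technical_level": technical_level(point_stats), "time": time_stats}


def build_portrait(log_text, first_file, content, manifest):
    """Run the whole portrait-construction pipeline over one access log."""
    records = parse_log(log_text)
    info = attacker_info(records, first_file)
    untampered, tampered = integrity_check(files_to_detect(records, info, first_file), content, manifest)
    second = rescan_tampered(tampered, content)
    points = intrusion_points(records, info, untampered)
    return multidimensional_stats(records, info, first_file, second, points)
```

`build_portrait(ACCESS_LOG, FIRST_MALICIOUS, CURRENT_CONTENT, BASELINE_MANIFEST)` returns the four dimensions claim 1 names. With the constructed log it attributes the incident to 203.0.113.7, classifies config.php as tampered and re-detects it as the second malicious file, counts one SQL injection and one upload intrusion point on the untampered files, and rates the attacker "medium". Two practical caveats: the integrity check only covers files the attacker's own access records point to, so the baseline manifest must predate the incident and must be stored where the attacker could not rewrite it; and attribution by source IP alone collapses when the attacker rotates addresses, which is why the user agent and timing dimensions are carried into the portrait.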
6. The network attack tracing method according to claim 1, wherein performing network attack tracing according to the attacker portrait to obtain the tracing result comprises:
matching the attacker portrait against a preset portrait database to obtain portrait matching information and a portrait similarity;
judging whether the portrait similarity is greater than a preset similarity threshold;
if so, tracing the source of the target attacker according to the portrait matching information to obtain the tracing result;
and if not, adding the attacker portrait to the portrait database so as to update the portrait database.
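The matching step of claim 6, which is the same step described above for the tracing unit 260, as an added example that is not part of the patent's disclosure. Portraits are reduced to a few comparable features, similarity is a weighted combination of set-overlap and exact-match terms, and the tracing branch is taken only when the best database match exceeds the threshold; otherwise the new portrait is appended to the database. The feature schema, the weights, the threshold value and the two constructed database entries are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Portrait:
    """Attacker portrait reduced to the features the matcher compares (assumed schema)."""
    name: str
    techniques: frozenset
    active_hours: frozenset
    user_agent: str
    level: str
    known_ips: frozenset = frozenset()


# Hypothetical feature weights; they sum to 1 so the similarity lies in [0, 1].
WEIGHTS = {"techniques": 0.4, "active_hours": 0.2, "user_agent": 0.2, "level": 0.1, "known_ips": 0.1}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def similarity(p, q):
    """Weighted similarity between two portraits, rounded to 4 places."""
    s = WEIGHTS["techniques"] * jaccard(p.techniques, q.techniques)
    s += WEIGHTS["active_hours"] * jaccard(p.active_hours, q.active_hours)
    s += WEIGHTS["user_agent"] * float(p.user_agent.split("/")[0] == q.user_agent.split("/")[0])
    s += WEIGHTS["level"] * float(p.level == q.level)
    s += WEIGHTS["known_ips"] * jaccard(p.known_ips, q.known_ips)
    return round(s, 4)


def match_portrait(portrait, database):
    """Closest database entry and its similarity (the portrait matching information)."""
    if not database:
        return None, 0.0
    best = max(database, key=lambda q: similarity(portrait, q))
    return best, similarity(portrait, best)


def trace(portrait, database, threshold=0.7):
    """Trace when similarity exceeds the threshold; otherwise add the portrait to the database."""
    best, score = match_portrait(portrait, database)
    if best is not None and score > threshold:
        return {"action": "traced", "matched": best.name, "similarity": score,
                "attacker_ips": sorted(best.known_ips | portrait.known_ips)}
    database.append(portrait)
    return {"action": "added", "similarity": score, "database_size": len(database)}


def make_database():
    """Constructed portrait database with two previously profiled attackers."""
    return [
        Portrait("cluster-A", frozenset({"sqli", "file_upload", "webshell"}), frozenset({1, 2, 3}),
                 "python-requests/2.25", "medium", frozenset({"203.0.113.5"})),
        Portrait("cluster-B", frozenset({"bruteforce"}), frozenset({14, 15}),
                 "Mozilla/5.0", "low", frozenset({"192.0.2.44"})),
    ]


# Portrait of the attacker profiled from the current incident (constructed).
NEW_PORTRAIT = Portrait("incident-2021-12-28", frozenset({"sqli", "file_upload"}), frozenset({1, 2, 3}),
                        "python-requests/2.26", "medium", frozenset({"203.0.113.7"}))
# A portrait unlike anything already in the database (constructed).
UNKNOWN_PORTRAIT = Portrait("incident-unknown", frozenset({"xss"}), frozenset({20}),
                            "curl/7.79", "low", frozenset({"198.51.100.9"}))
```

With the constructed data, `trace(NEW_PORTRAIT, make_database())` matches cluster-A at 0.7667 and returns the union of the cluster's known IPs with the new one as the tracing result, while `UNKNOWN_PORTRAIT` scores at most 0.1 and is appended instead. The comparison is a strict greater-than, as the claim states, so a score exactly equal to the threshold falls through to the update branch; that boundary is worth testing explicitly when weights are tuned. The threshold itself should be calibrated on pairs of portraits known to belong to the same or different attackers rather than guessed, since a value set too low silently merges unrelated attackers into one profile and a value set too high fills the database with duplicates of the same actor.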
7. A network attack tracing system, characterized by comprising:
an acquisition unit, configured to acquire an access log of a target network service on a target terminal;
a detection unit, configured to detect a first malicious file in the target network service;
an extraction unit, configured to extract attacker information of a target attacker according to the access log and the first malicious file;
a determining unit, configured to determine, according to the access log and the attacker information, other files accessed by the target attacker as files to be detected;
a portrait construction unit, configured to construct an attacker portrait of the target attacker according to the files to be detected, the access log, the first malicious file and the attacker information;
and a tracing unit, configured to perform network attack tracing according to the attacker portrait to obtain a tracing result;
wherein the portrait construction unit includes:
a checking subunit, configured to perform an integrity check on the files to be detected to obtain a check result;
a determining subunit, configured to determine untampered files and tampered files from the files to be detected according to the check result;
a second detection subunit, configured to perform intrusion point detection on the untampered files to obtain an intrusion point detection result, and to perform malicious file detection again on the tampered files to obtain a second malicious file;
a statistics subunit, configured to perform multi-dimensional information statistics according to the access log, the first malicious file, the second malicious file, the intrusion point detection result and the attacker information to obtain a multi-dimensional information statistics result;
and a construction subunit, configured to construct the attacker portrait of the target attacker according to the multi-dimensional information statistics result;
wherein the multi-dimensional information statistics result comprises basic information of the target attacker, an intrusion point statistics result, the attack technical level of the target attacker and a time statistics result.
8. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program so that the electronic device executes the network attack tracing method according to any one of claims 1 to 6.
9. A readable storage medium, wherein computer program instructions are stored in the readable storage medium, and when the computer program instructions are read and executed by a processor, the network attack tracing method according to any one of claims 1 to 6 is performed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111615214.6A CN114003903B (en) 2021-12-28 2021-12-28 Network attack tracing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111615214.6A CN114003903B (en) 2021-12-28 2021-12-28 Network attack tracing method and device

Publications (2)

Publication Number Publication Date
CN114003903A CN114003903A (en) 2022-02-01
CN114003903B true CN114003903B (en) 2022-03-08

Family

ID=79932090

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111615214.6A Active CN114003903B (en) 2021-12-28 2021-12-28 Network attack tracing method and device

Country Status (1)

Country Link
CN (1) CN114003903B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113904796B (en) * 2021-08-27 2023-11-17 国家计算机网络与信息安全管理中心 Equipment back door detection method for network flow safety detection
CN114598507B (en) * 2022-02-22 2023-06-30 烽台科技(北京)有限公司 Attacker figure generation method and device, terminal equipment and storage medium
CN114780956B (en) * 2022-06-21 2022-10-14 一物一码数据(广州)实业有限公司 Big data analysis-based tracing system
CN115834260A (en) * 2023-02-21 2023-03-21 芯知科技(江苏)有限公司 Network security defense system, method and device

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006254424A (en) * 2005-02-14 2006-09-21 Mitsuhiro Kawasaki "information processing related object for making three-dimensional five senses by which plane image information jumps out before one's eyes" that possesses space information related object
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN106657025A (en) * 2016-11-29 2017-05-10 神州网云(北京)信息技术有限公司 Network attack behavior detection method and device
CN106909847A (en) * 2017-02-17 2017-06-30 国家计算机网络与信息安全管理中心 A malicious code detection method, apparatus and system
CN109660557A (en) * 2019-01-16 2019-04-19 光通天下网络科技股份有限公司 Attack IP portrait generation method, attack IP portrait generating means and electronic equipment
CN110889113A (en) * 2019-10-30 2020-03-17 泰康保险集团股份有限公司 Log analysis method, server, electronic device and storage medium
CN110941823A (en) * 2018-09-21 2020-03-31 武汉安天信息技术有限责任公司 Threat information acquisition method and device
CN111083117A (en) * 2019-11-22 2020-04-28 上海交通大学 Botnet tracking and tracing system based on honeypots
CN111881460A (en) * 2020-08-06 2020-11-03 深信服科技股份有限公司 Vulnerability exploitation detection method, system, equipment and computer storage medium
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN112491892A (en) * 2020-11-27 2021-03-12 杭州安恒信息安全技术有限公司 Network attack inducing method, device, equipment and medium
CN112765366A (en) * 2021-01-24 2021-05-07 中国电子科技集团公司第十五研究所 APT (android Package) organization portrait construction method based on knowledge map
CN112822147A (en) * 2019-11-18 2021-05-18 上海云盾信息技术有限公司 Method, system and equipment for analyzing attack chain
CN112887285A (en) * 2021-01-15 2021-06-01 中国科学院地理科学与资源研究所 Cross-space layer mapping network behavior intelligent portrait analysis method
CN113282928A (en) * 2021-06-11 2021-08-20 杭州安恒信息技术股份有限公司 Malicious file processing method, device and system, electronic device and storage medium
CN113486351A (en) * 2020-06-15 2021-10-08 中国民用航空局空中交通管理局 Civil aviation air traffic control network safety detection early warning platform
CN113626814A (en) * 2021-08-10 2021-11-09 国网福建省电力有限公司 Window system emergency response method based on malicious attack behaviors

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
APTSHIELD: A Stable, Efficient and Real-time APT Detection System for Linux Hosts; Tiantian Zhu; Cryptography and Security; 2021-12-17; full text *
Remote KYC: Attacks and Counter-Measures; Marc Pic; 2019 European Intelligence and Security Informatics Conference (EISIC); 2019-11-27; full text *
Attacker portrait construction based on big data and a graph community clustering algorithm (基于大数据和图社群聚类算法的攻击者画像构建); Huang Zhihong (黄志宏); Application Research of Computers (计算机应用研究); 2021-01-31; vol. 38, no. 1, pp. 232-236 *
User behaviour detection and portrait construction system based on network logs (基于网络日志的用户行为检测和画像构建系统); Ni Jianwei (倪建伟); Computer Era (计算机时代); 2021-03-04; full text *
Research on key technologies of attacker portraits in network security (网络安全中攻击者画像的关键技术研究); Wang Zuli (王祖俪); Information Technology and Informatization (信息技术与信息化); 2018-08-25, no. 8; full text *
Network security study series: attack tracing approaches and cases (网络安全学习篇之攻击溯源思路及案例); HQ的小屋; https://blog.csdn.net/qq_44762164/article/details/118675540; 2021-07-12; full text *
Threat intelligence portrait analysis for attack recognition (面向攻击识别的威胁情报画像分析); Yang Pei'an et al. (杨沛安等); Computer Engineering (计算机工程); 2019-04-12, no. 1; full text *

Also Published As

Publication number Publication date
CN114003903A (en) 2022-02-01

Similar Documents

Publication Publication Date Title
CN114003903B (en) Network attack tracing method and device
CN107888571B (en) Multi-dimensional webshell intrusion detection method and system based on HTTP log
CN109922052B (en) Malicious URL detection method combining multiple features
CN110233849B (en) Method and system for analyzing network security situation
CN110602029B (en) Method and system for identifying network attack
CN108471429B (en) Network attack warning method and system
CN107579956B (en) User behavior detection method and device
EP3566166B1 (en) Management of security vulnerabilities
CN114915479B (en) Web attack stage analysis method and system based on Web log
CN109347808B (en) Safety analysis method based on user group behavior activity
US9871826B1 (en) Sensor based rules for responding to malicious activity
CN110392013A A malware recognition method, system and electronic device based on network traffic classification
CN114021040B Method and system for alarming and protecting malicious event based on service access
CN111756724A Detection method, device and equipment for phishing website and computer readable storage medium
CN107733699B Internet asset security management method, system, device and readable storage medium
CN108337269A A WebShell detection method
CN108989294A A method and system for accurately identifying malicious users of website access
CN114531283B (en) Method, system, storage medium and terminal for measuring robustness of intrusion detection model
CN111885011B (en) Method and system for analyzing and mining safety of service data network
CN113595975A (en) Detection method and device for Webshell of Java memory
Xu et al. A fast detection method of network crime based on user portrait
Wang et al. Minedetector: Javascript browser-side cryptomining detection using static methods
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium
Bo et al. Tom: A threat operating model for early warning of cyber security threats
CN114143105B (en) Source tracing method and device for network air threat behavior bodies, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant