CN114338211B - Network attack tracing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114338211B
Authority: CN (China)
Prior art keywords: information, target key, tracing, attack, initial attack
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN202111676939.6A
Other languages: Chinese (zh)
Other versions: CN114338211A (en)
Inventors: 吴楚豪, 余涛涛, 周宜胜, 高权, 王猛, 崔兆栋, 陈杰, 尹志杰, 巫祺炜, 盛瑞琨, 常丽娟, 杨雪婷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Qianxin Technology Group Co Ltd; Shanghai Pudong Development Bank Co Ltd
Original Assignee: Qianxin Technology Group Co Ltd; Shanghai Pudong Development Bank Co Ltd
Events: application filed by Qianxin Technology Group Co Ltd and Shanghai Pudong Development Bank Co Ltd; priority to CN202111676939.6A; publication of CN114338211A; application granted; publication of CN114338211B; current legal status Active.

Abstract

The application provides a network attack tracing method and device, an electronic device and a storage medium, and relates to the technical field of network security. The method comprises the following steps: when the occurrence of a preset attack event is captured, acquiring information of an initial attack element of the preset attack event; obtaining a pre-constructed element matrix; looking up the element matrix according to the acquired information of the initial attack element, and determining at least one first target key means for acquiring the information of the initial attack element; acquiring information of at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element; and tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element. The embodiment of the application thereby lowers the technical threshold of tracing work, avoids the confusion and omission caused by excessive dependence on personal ability, and greatly improves tracing efficiency.

Description

Network attack tracing method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and apparatus for tracing a network attack, an electronic device, and a storage medium.
Background
With the rise of live attack-and-defense exercises in recent years, offensive and defensive countermeasures have kept escalating. As defenders' capabilities improve, so do the demands placed on them: it is no longer enough to passively withstand an attack; the defending side must also trace the attack on site, profile and locate the attacker, and determine the attacker's organization or identity. At present, tracing on the defending side of the various exercises generally depends on the personal ability and experience of the individual technicians on site. Because there is no unified process or method, tracing is inefficient; because people differ in experience, thinking and approach, their work cannot be unified, so the defending site is prone to confusion and omissions. This technical problem therefore needs to be solved.
Disclosure of Invention
In view of the above problems, the present application provides a network attack tracing method and apparatus, an electronic device and a storage medium that overcome, or at least partially solve, the above problems and do not depend on personal ability or experience, so as to lower the technical threshold of tracing work and greatly improve tracing efficiency. The technical scheme is as follows:
In a first aspect, a network attack tracing method is provided, including:
when the occurrence of a preset attack event is captured, acquiring information of an initial attack element of the preset attack event;
obtaining a pre-constructed element matrix, wherein the element matrix comprises one or more key elements for tracing an attacker and one or more key means for obtaining information of each key element;
looking up the element matrix according to the acquired information of the initial attack element, and determining at least one first target key means for acquiring the information of the initial attack element;
acquiring information of at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element; and
tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element.
In one possible implementation manner, after the information of the at least one first target key element associated with the initial attack element is acquired through the at least one first target key means in combination with the information of the initial attack element, the method further includes:
looking up the element matrix according to the information of the at least one first target key element, and determining at least one second target key means for acquiring the information of the at least one first target key element; and
acquiring information of at least one second target key element associated with the at least one first target key element through the at least one second target key means in combination with the information of the at least one first target key element;
and tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element includes:
tracing the attacker based on the information of the initial attack element, the information of the at least one first target key element and the information of the at least one second target key element.
In one possible implementation manner, the element matrix is presented as a two-dimensional table of a first type, wherein the one or more key elements for tracing an attacker are recorded in the rows of the table, the one or more key means are recorded in its columns, and an identifier is recorded in each cell formed by the intersection of a row and a column, the identifiers at least comprising a first identifier: when the first identifier is recorded in any cell of the element matrix, it indicates that the key means corresponding to the column of that cell is used for acquiring the information of the key element corresponding to the row of that cell;
and looking up the element matrix according to the acquired information of the initial attack element and determining at least one first target key means for acquiring the information of the initial attack element includes:
querying, according to the acquired information of the initial attack element, the one or more cells in the row of the initial attack element whose identifier is the first identifier; and
taking the key means recorded in the columns of the one or more cells as the at least one first target key means for acquiring the information of the initial attack element.
In one possible implementation manner, after the information of the at least one first target key element associated with the initial attack element is acquired through the at least one first target key means in combination with the information of the initial attack element, the method further includes: writing the information of the initial attack element and the information of the at least one first target key element into the corresponding cells of the element matrix;
after the information of the at least one second target key element associated with the at least one first target key element is acquired through the at least one second target key means in combination with the information of the at least one first target key element, the method further includes: writing the information of the at least one second target key element into the corresponding cells of the element matrix;
looking up the element matrix according to the information of the at least one second target key element, and determining at least one third target key means for acquiring the information of the at least one second target key element;
acquiring information of at least one third target key element associated with the at least one second target key element through the at least one third target key means in combination with the information of the at least one second target key element;
writing the information of the at least one third target key element into the corresponding cells of the element matrix;
and in general, looking up the element matrix according to the information of the at least one Nth target key element, and determining at least one (N+1)th target key means for acquiring the information of the at least one Nth target key element;
acquiring information of at least one (N+1)th target key element associated with the at least one Nth target key element through the at least one (N+1)th target key means in combination with the information of the at least one Nth target key element;
writing the information of the at least one (N+1)th target key element into the corresponding cells of the element matrix;
and repeating the above steps cyclically, and tracing the attacker by combining the written information once the information writing rate of the cells of the element matrix exceeds a preset threshold.
In one possible implementation manner, the element matrix is presented as a two-dimensional table of a second type, wherein the one or more key elements for tracing an attacker are recorded in the columns of the table, the one or more key means are recorded in its rows, and an identifier is recorded in each cell formed by the intersection of a row and a column, the identifiers at least comprising a second identifier: when the second identifier is recorded in any cell of the element matrix, it indicates that the key means corresponding to the row of that cell is used for acquiring the information of the key element corresponding to the column of that cell;
and looking up the element matrix according to the acquired information of the initial attack element and determining at least one first target key means for acquiring the information of the initial attack element includes:
querying, according to the acquired information of the initial attack element, the one or more cells in the column of the initial attack element whose identifier is the second identifier; and
taking the key means recorded in the rows of the one or more cells as the at least one first target key means for acquiring the information of the initial attack element.
In one possible implementation manner, after the information of the at least one first target key element associated with the initial attack element is acquired through the at least one first target key means in combination with the information of the initial attack element, the method further includes: writing the information of the initial attack element and the information of the at least one first target key element into the corresponding cells of the element matrix;
after the information of the at least one second target key element associated with the at least one first target key element is acquired through the at least one second target key means in combination with the information of the at least one first target key element, the method further includes: writing the information of the at least one second target key element into the corresponding cells of the element matrix;
looking up the element matrix according to the information of the at least one second target key element, and determining at least one third target key means for acquiring the information of the at least one second target key element;
acquiring information of at least one third target key element associated with the at least one second target key element through the at least one third target key means in combination with the information of the at least one second target key element;
writing the information of the at least one third target key element into the corresponding cells of the element matrix;
and in general, looking up the element matrix according to the information of the at least one Nth target key element, and determining at least one (N+1)th target key means for acquiring the information of the at least one Nth target key element;
acquiring information of at least one (N+1)th target key element associated with the at least one Nth target key element through the at least one (N+1)th target key means in combination with the information of the at least one Nth target key element;
writing the information of the at least one (N+1)th target key element into the corresponding cells of the element matrix;
and repeating the above steps cyclically, and tracing the attacker by combining the written information once the information writing rate of the cells of the element matrix exceeds a preset threshold.
In a possible implementation manner, the element matrix further comprises an element level corresponding to each of the one or more key elements, different element levels representing how closely an element relates to the attacker;
and tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element includes:
performing tracing analysis according to the information of the initial attack element and the information of the at least one first target key element, in combination with the element level of the initial attack element and the element level of the at least one first target key element, and profiling the attacker.
In a second aspect, a network attack tracing apparatus is provided, including:
a first acquisition module, configured to acquire information of an initial attack element of a preset attack event when the occurrence of the preset attack event is captured;
a second acquisition module, configured to obtain a pre-constructed element matrix, wherein the element matrix comprises one or more key elements for tracing an attacker and one or more key means for obtaining information of each key element;
a determining module, configured to look up the element matrix according to the acquired information of the initial attack element and determine at least one first target key means for acquiring the information of the initial attack element;
a third acquisition module, configured to acquire information of at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element; and
a tracing module, configured to trace the attacker based on the information of the initial attack element and the information of the at least one first target key element.
In a third aspect, an electronic device is provided, comprising a processor and a memory, wherein the memory stores a computer program and the processor is configured to run the computer program to perform the network attack tracing method of any one of the above.
In a fourth aspect, a storage medium is provided, wherein the storage medium stores a computer program configured, when run, to perform the network attack tracing method of any one of the above.
By means of the above technical scheme, the network attack tracing method and apparatus, electronic device and storage medium provided by the embodiments of the application enumerate, on the basis of best practice from attack-and-defense exercises, the key elements that tracing relies on, combine them with the different key means capable of acquiring those key elements to form the element matrix, and let tracing work be carried out by looking up the element matrix and following the corresponding process. This lowers the technical threshold of tracing work, avoids the confusion and omission caused by excessive dependence on personal ability, and greatly improves tracing efficiency.
Drawings
In order to illustrate the technical solution of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly described below.
FIG. 1 illustrates a flow chart of a method of tracing a network attack according to an embodiment of the present application;
FIG. 2 shows a schematic diagram of an element matrix constructed in accordance with an embodiment of the application;
FIG. 3 is a flow chart of a method for tracing a network attack according to another embodiment of the present application;
FIG. 4 shows a block diagram of a network attack tracing apparatus according to an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the application to those skilled in the art.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings are used to distinguish between similar objects and not necessarily to describe a particular sequential or chronological order. It is to be understood that such terms are interchangeable under appropriate circumstances, so that the embodiments of the application described herein can be carried out in sequences other than those illustrated or described herein. Furthermore, the term "include" and its variations are to be interpreted as open-ended terms meaning "include, but are not limited to".
The embodiment of the application provides a network attack tracing method that can be applied to an electronic device such as a server, a personal computer, a smart phone or a tablet computer. As shown in FIG. 1, the method may comprise the following steps S101 to S105:
step S101, when the occurrence of a preset attack event is captured, acquiring information of an initial attack element of the preset attack event;
step S102, obtaining a pre-constructed element matrix, wherein the element matrix comprises one or more key elements for tracing an attacker and one or more key means for obtaining information of each key element;
step S103, looking up the element matrix according to the acquired information of the initial attack element, and determining at least one first target key means for acquiring the information of the initial attack element;
step S104, acquiring information of at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element;
step S105, tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element.
In this embodiment, the key elements that tracing relies on are enumerated and combined with the different key means capable of acquiring them to form the element matrix, so that tracing work can be carried out by looking up the element matrix and following the corresponding process: in combination with the information of the initial attack element, the information of at least one first target key element associated with it is acquired through at least one first target key means, and the attacker is traced based on the information of the initial attack element and the information of the at least one first target key element. This lowers the technical threshold of tracing work, avoids the confusion and omission caused by excessive dependence on personal ability, and greatly improves tracing efficiency.
The preset attack event mentioned in step S101 may be set according to actual requirements, for example a monitoring alarm event raised by a security device, or an intrusion event; this embodiment does not limit it. When the occurrence of the preset attack event is captured, the tracing requirement is triggered and the information of the initial attack element of the preset attack event can be obtained: for example, the IP (Internet Protocol) address in the security device's monitoring alarm event, or the domain name in the intrusion event. These are examples only, and the embodiment is not limited to them.
In the embodiment of the present application, a possible implementation manner is provided in which, after step S104 acquires the information of the at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element, the method may further comprise the following steps A1 to A2:
step A1, looking up the element matrix according to the information of the at least one first target key element, and determining at least one second target key means for acquiring the information of the at least one first target key element;
step A2, acquiring information of at least one second target key element associated with the at least one first target key element through the at least one second target key means in combination with the information of the at least one first target key element;
and step S105 above, tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element, may then be implemented specifically as the following step A3:
step A3, tracing the attacker based on the information of the initial attack element, the information of the at least one first target key element and the information of the at least one second target key element.
It can be seen that in this embodiment further key element information is obtained on the basis of the key element information already acquired, so that the attacker is traced with more key element information and the tracing result is clearer and more accurate.
In the embodiment of the application, a possible implementation manner is provided in which the element matrix is presented as a two-dimensional table of a first type: the one or more key elements for tracing an attacker are recorded in the rows of the table, the one or more key means are recorded in its columns, and an identifier is recorded in each cell formed by the intersection of a row and a column, the identifiers at least comprising a first identifier. If the first identifier is recorded in any cell of the element matrix, the key means corresponding to the column of that cell is used to obtain the information of the key element corresponding to the row of that cell. In step S103, looking up the element matrix according to the acquired information of the initial attack element and determining at least one first target key means for acquiring the information of the initial attack element may then specifically comprise the following steps B1 to B2:
step B1, querying, according to the acquired information of the initial attack element, the one or more cells in the row of the initial attack element in the element matrix whose identifier is the first identifier;
step B2, taking the key means recorded in the columns of the one or more cells as the at least one first target key means for acquiring the information of the initial attack element.
It can be seen that in this embodiment, by querying the cells of the initial attack element's row whose identifier is the first identifier and taking the key means recorded in the columns of those cells as the at least one first target key means, the first target key means for acquiring the information of the initial attack element can be found quickly, which improves tracing efficiency.
In the embodiment of the present application, a possible implementation manner is provided in which, after step S104 acquires the information of the at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element, the method may further comprise the following step C1:
step C1, writing the information of the initial attack element and the information of the at least one first target key element into the corresponding cells of the element matrix;
and after step A2 above acquires the information of the at least one second target key element associated with the at least one first target key element through the at least one second target key means in combination with the information of the at least one first target key element, the method may further comprise the following steps C2 to C5:
step C2, writing the information of the at least one second target key element into the corresponding cells of the element matrix;
step C3, looking up the element matrix according to the information of the at least one second target key element, and determining at least one third target key means for acquiring the information of the at least one second target key element;
acquiring information of at least one third target key element associated with the at least one second target key element through the at least one third target key means in combination with the information of the at least one second target key element;
writing the information of the at least one third target key element into the corresponding cells of the element matrix;
step C4, in general, looking up the element matrix according to the information of the at least one Nth target key element, and determining at least one (N+1)th target key means for acquiring the information of the at least one Nth target key element, where N is a positive integer;
acquiring information of at least one (N+1)th target key element associated with the at least one Nth target key element through the at least one (N+1)th target key means in combination with the information of the at least one Nth target key element;
writing the information of the at least one (N+1)th target key element into the corresponding cells of the element matrix;
step C5, repeating the above steps cyclically, and tracing the attacker by combining the written information once the information writing rate of the cells of the element matrix exceeds a preset threshold.
In this step, the information writing rate of the cells of the element matrix may refer to the ratio of the number of key elements whose information has been written to the number of all key elements in the element matrix (that is, the fill rate of the matrix); the preset threshold may be set according to actual requirements, for example 95% or 100%, and this embodiment does not limit it. In this embodiment, by acquiring the information of more key elements, the attacker is traced with that key element information and the tracing result is clearer and more accurate.
In the embodiment of the application, a possible implementation manner is provided in which the element matrix may instead be presented as a two-dimensional table of a second type: the one or more key elements for tracing an attacker are recorded in the columns of the table, the one or more key means are recorded in its rows, and an identifier is recorded in each cell formed by the intersection of a row and a column, the identifiers at least comprising a second identifier. If the second identifier is recorded in any cell of the element matrix, the key means corresponding to the row of that cell is used to obtain the information of the key element corresponding to the column of that cell. In step S103, looking up the element matrix according to the acquired information of the initial attack element and determining at least one first target key means for acquiring the information of the initial attack element may then specifically comprise the following steps D1 to D2:
step D1, querying, according to the acquired information of the initial attack element, the one or more cells in the column of the initial attack element in the element matrix whose identifier is the second identifier;
step D2, taking the key means recorded in the rows of the one or more cells as the at least one first target key means for acquiring the information of the initial attack element.
It can be seen that in this embodiment, by querying the cells of the initial attack element's column whose identifier is the second identifier and taking the key means recorded in the rows of those cells as the at least one first target key means, the first target key means for acquiring the information of the initial attack element can be found quickly, which improves tracing efficiency.
In the embodiment of the present application, a possible implementation manner is provided in which, after step S104 acquires the information of the at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element, the method may further comprise the following step E1:
step E1, writing the information of the initial attack element and the information of the at least one first target key element into the corresponding cells of the element matrix;
and after step A2 above acquires the information of the at least one second target key element associated with the at least one first target key element through the at least one second target key means in combination with the information of the at least one first target key element, the method may further comprise the following steps E2 to E5:
step E2, writing the information of the at least one second target key element into the corresponding cells of the element matrix;
step E3, looking up the element matrix according to the information of the at least one second target key element, and determining at least one third target key means for acquiring the information of the at least one second target key element;
acquiring information of at least one third target key element associated with the at least one second target key element through the at least one third target key means in combination with the information of the at least one second target key element;
writing the information of the at least one third target key element into the corresponding cells of the element matrix;
step E4, in general, looking up the element matrix according to the information of the at least one Nth target key element, and determining at least one (N+1)th target key means for acquiring the information of the at least one Nth target key element, where N is a positive integer;
acquiring information of at least one (N+1)th target key element associated with the at least one Nth target key element through the at least one (N+1)th target key means in combination with the information of the at least one Nth target key element;
writing the information of the at least one (N+1)th target key element into the corresponding cells of the element matrix;
step E5, repeating the above steps cyclically, and tracing the attacker by combining the written information once the information writing rate of the cells of the element matrix exceeds a preset threshold.
In this step, the information writing rate of the cells of the element matrix may refer to the ratio of the number of key elements whose information has been written to the number of all key elements in the element matrix (that is, the fill rate of the matrix); the preset threshold may be set according to actual requirements, for example 95% or 100%, and this embodiment does not limit it. In this embodiment, by acquiring the information of more key elements, the attacker is traced with that key element information and the tracing result is clearer and more accurate.
The embodiment of the application provides a possible implementation manner in which the element matrix further comprises element levels corresponding to the one or more key elements, where different element levels represent different degrees of relation to the attacker. In this case, step S105 above, tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element, specifically comprises: combining the element level of the initial attack element and the element level of the at least one first target key element, performing tracing analysis according to the information of the initial attack element and the information of the at least one first target key element, and drawing a portrait of the attacker.
For example, the element levels may be divided into a first level and a second level, where a first-level element is an element strongly related to the attacker, i.e. if such element information of the attacker can be obtained, the identity of the attacker can be located; a second-level element is an element not strongly related to the attacker, i.e. the outline of the attacker can be sketched progressively by collecting and acquiring second-level elements. By combining the element level of the initial attack element and the element level of the at least one first target key element, performing tracing analysis according to the information of the initial attack element and the information of the at least one first target key element, and drawing a portrait of the attacker, the tracing efficiency and the tracing accuracy can be improved.
Having introduced various implementations of each link in the embodiment shown in fig. 1, the tracing method for network attack provided by the embodiment of the present application is further described below through a specific embodiment.
In a particular embodiment, the element matrix is constructed prior to tracing the network attack. Fig. 2 shows a constructed element matrix, where the element matrix is shown by using a first two-dimensional table, and one or more key elements for tracing an attacker are recorded in a row of the first two-dimensional table, and are summarized in combination with practical experience in a tracing process, and include IP, domain name, mailbox, and the like, which is not limited by the embodiment of the application.
In fig. 2, the key elements are classified, for example, into a first level and a second level, where a first-level element is an element strongly related to the attacker, that is, if such element information of the attacker can be obtained, the identity of the attacker can be located; a second-level element is an element not strongly related to the attacker, i.e. the outline of the attacker can be sketched progressively by collecting and acquiring second-level elements. As shown in fig. 2, the element level of the IP is the second level, the element level of the domain name is the second level, and the element level of the mailbox is the second level.
The columns of the first two-dimensional table record one or more key means, which are commonly used in the tracing process and are summarized and listed in combination with practical experience. They can be divided into internal means and external means. The internal means are mainly the security facilities built within the enterprise, and can include a firewall, an IDS (Intrusion Detection System)/IPS (Intrusion Prevention System), a WAF (Web Application Firewall), an EDR (Endpoint Detection & Response), and the like, and the embodiment of the present application is not limited thereto.
The external means are mainly channels outside the enterprise that are publicly available on the internet, and can include threat intelligence, IP geolocation, sandboxes, and the like, and the embodiment of the application is not limited to this. An identifier is recorded in each cell formed by the intersection of a row and a column of the first two-dimensional table, and the identifiers at least comprise a first identifier, which may be marked with a symbol such as "√" or "×". When the first identifier is recorded in any cell of the element matrix, the key means corresponding to the column of the cell can be used to obtain information about the key element corresponding to the row of the cell; that is, marking the intersection of the horizontal and vertical directions of the element matrix means that information about the corresponding key element can be obtained by that key means. Here, "can be obtained" does not mean that information about the key element is certainly obtained by this means, but that this means is worth applying to the element; whether an effective result is obtained depends on the actual outcome.
Therefore, when the tracing work is performed, the tracing work can be completed by inquiring and acquiring the information of the key elements through corresponding means according to the element matrix and combining the flow shown in the following figure 3 and filling the result into the matrix, and finally the more complete the information in the matrix is, the clearer the tracing result is.
Fig. 3 shows a flowchart of a method for tracing a network attack according to another embodiment of the present application, and as shown in fig. 3, the method for tracing a network attack may include the following steps S301 to S309.
Step S301, triggering a tracing requirement when capturing the occurrence of a preset attack event, and acquiring information of an initial attack element of the preset attack event.
In this step, an attack event such as a security device monitoring alarm event or an intrusion event is preset, which is not limited in this embodiment. When capturing the occurrence of the preset attack event, the information of the initial attack element of the preset attack event may be obtained, for example, the IP information in the security device monitoring alarm event may be obtained, or the domain name information in the intrusion event may be obtained, which is to be noted only by way of example and not by way of limitation in the present embodiment.
Step S302, obtaining a pre-constructed element matrix, comparing the element matrix according to the obtained information of the initial attack element, and determining at least one first target key means for obtaining the information of the initial attack element.
In this step, according to the obtained information of the initial attack element, one or more cells in the row where the initial attack element is located in the element matrix are queried, and then the key means recorded in the column where the one or more cells are located is used as at least one first target key means for obtaining the information of the initial attack element. For example, if the obtained information of the initial attack element is IP information, then at least one first target key means in the element matrix shown in fig. 2 is queried as a firewall, IDS/IPS, WAF, EDR, etc. in the internal means; and threat intelligence in external means, sandboxes, etc.
Step S303, combining the information of the initial attack element, and acquiring the information of at least one first target key element associated with the initial attack element through at least one first target key means.
In this step, continuing the above example, the key means firewall may obtain information about the key element domain name, the IDS/IPS may obtain information about the key element domain name, and so on.
Step S304, writing the information of the initial attack element and the information of at least one first target key element into the corresponding cell of the element matrix.
Step S305, comparing the element matrix according to the information of the at least one first target key element, and determining at least one second target key means for obtaining the information of the at least one first target key element.
Step S306, combining the information of the at least one first target key element, and acquiring the information of the at least one second target key element associated with the at least one first target key element through at least one second target key means.
Step S307, writing the information of at least one second target key element into the cell corresponding to the element matrix.
Step S308, according to the methods from step S305 to step S307, writing the information of at least one (N+1)th target key element into the cell corresponding to the element matrix.
Step S309, tracing the attacker by combining the written information when the information writing rate of the cell corresponding to the element matrix is larger than a preset threshold value.
In this step, the information writing rate of the cell corresponding to the element matrix refers to a ratio of the number of information of the written key element to the number of information of all key elements in the element matrix, and the preset threshold may be set according to actual requirements, for example, the preset threshold is 95% or 100%, which is not limited in this embodiment. According to the embodiment, by acquiring the information of more key elements, the attacker is traced by utilizing the information of the key elements, and the tracing result is clearer and more accurate.
According to the embodiment of the application, more element information can be acquired through the relevant internal or external means according to the acquired initial attack element and the element matrix, and the results are supplemented into the element matrix. At the same time, the newly acquired element information can again be subjected to association analysis, and the element matrix is compared to acquire a new round of element information, which is supplemented in turn, so that the content of the matrix is continuously enriched. When no updated element information can be acquired any more, one round of tracing work is completed. In this way the technical threshold of tracing work is lowered, the confusion and omissions caused by excessive dependence on the personal ability of the analyst are avoided, and the tracing efficiency is greatly improved.
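The following Python program is an added illustration of steps S301 to S309 above, together with the matrix lookup of steps C1/C2 and D1/D2 and the element-level portrait of the attacker; it is not code from the patent or its assignees. The element matrix follows the IP row of fig. 2 as described in the text (firewall, IDS/IPS, WAF, EDR, threat intelligence, IP geolocation, sandbox); the domain and mailbox rows, the level-1 "registrant" element, and every query result are constructed for the example, with IPs from the 203.0.113.0/24 documentation range and names under .example. Each key means is a stand-in function that returns the associated elements, so the loop can be run offline.

```python
"""Element-matrix tracing loop (added example; constructed data, not the patent's code)."""
from typing import Callable, Dict, List, Set, Tuple

Element = Tuple[str, str]                    # (key element name, value), e.g. ("ip", "203.0.113.5")
Means = Callable[[Element], List[Element]]   # a key means: one element in, associated elements out

FIRST_IDENTIFIER = "√"   # cell mark: the column's means can obtain information about the row's element
NO_IDENTIFIER = "×"

# Key means as columns: internal (firewall, IDS/IPS, WAF, EDR) and external (threat intel, IP geolocation, sandbox).
MEANS_NAMES = ["firewall", "ids_ips", "waf", "edr", "threat_intel", "ip_geo", "sandbox"]


def _row(*checked: str) -> Dict[str, str]:
    """One row of the first-class table: first identifier under the listed means, '×' elsewhere."""
    return {m: (FIRST_IDENTIFIER if m in checked else NO_IDENTIFIER) for m in MEANS_NAMES}


# First-class table: rows = key elements, columns = key means. The IP row follows the text's
# description of fig. 2; the other rows and the level-1 "registrant" element are constructed.
ELEMENT_MATRIX: Dict[str, Dict[str, str]] = {
    "ip": _row("firewall", "ids_ips", "waf", "edr", "threat_intel", "ip_geo", "sandbox"),
    "domain": _row("ids_ips", "threat_intel", "sandbox"),
    "mailbox": _row("threat_intel"),
    "registrant": _row("threat_intel"),
}
# Element level: 1 = strongly related to the attacker (can locate identity), 2 = not strongly related.
ELEMENT_LEVEL = {"ip": 2, "domain": 2, "mailbox": 2, "registrant": 1}

# Constructed query results standing in for the real means. ip_geo returns location data,
# which is not a key element of this small matrix, so it yields nothing here.
_SAMPLE: Dict[str, Dict[Element, List[Element]]] = {
    "firewall": {("ip", "203.0.113.5"): [("domain", "c2.example")]},
    "ids_ips": {("ip", "203.0.113.5"): [("domain", "c2.example")],
                ("domain", "c2.example"): [("ip", "203.0.113.5")]},
    "waf": {}, "edr": {}, "ip_geo": {},
    "threat_intel": {("domain", "c2.example"): [("mailbox", "reg@mail.example"), ("registrant", "J. Doe")],
                     ("mailbox", "reg@mail.example"): [("domain", "c2.example")]},
    "sandbox": {("ip", "203.0.113.5"): [("domain", "c2.example")]},
}
MEANS: Dict[str, Means] = {name: (lambda e, t=table: t.get(e, [])) for name, table in _SAMPLE.items()}


def target_means(element_name: str) -> List[str]:
    """Steps C1/C2: the means whose cell in the element's row carries the first identifier."""
    return [m for m, ident in ELEMENT_MATRIX[element_name].items() if ident == FIRST_IDENTIFIER]


def second_class_table() -> Dict[str, Dict[str, str]]:
    """The same matrix transposed: rows = key means, columns = key elements (second-class table)."""
    return {m: {e: ELEMENT_MATRIX[e][m] for e in ELEMENT_MATRIX} for m in MEANS_NAMES}


def target_means_second_class(element_name: str) -> List[str]:
    """Steps D1/D2: walk the element's column and collect the rows carrying the identifier."""
    table = second_class_table()
    return [m for m in MEANS_NAMES if table[m][element_name] == FIRST_IDENTIFIER]


def writing_rate(written: Dict[str, Set[str]]) -> float:
    """Share of key elements in the matrix for which at least one value has been written."""
    return sum(1 for name in ELEMENT_MATRIX if written[name]) / len(ELEMENT_MATRIX)


def trace(initial: Element, threshold: float = 0.95, max_rounds: int = 10):
    """Steps S301-S309: expand from the initial element until the writing rate reaches the
    threshold or a round yields no new information (the text's 'no updated information' stop).
    The comparison is >= so that a 100% threshold can terminate the loop."""
    written: Dict[str, Set[str]] = {name: set() for name in ELEMENT_MATRIX}
    written[initial[0]].add(initial[1])
    frontier = [initial]       # Nth-round elements still to be expanded
    rounds = 0
    while frontier and writing_rate(written) < threshold and rounds < max_rounds:
        rounds += 1
        next_frontier: List[Element] = []
        for element in frontier:
            for means_name in target_means(element[0]):               # (N+1)th target key means
                for name, value in MEANS[means_name](element):        # (N+1)th target key elements
                    if name in written and value not in written[name]:
                        written[name].add(value)                      # write into the matrix cell
                        next_frontier.append((name, value))
        frontier = next_frontier
    return written, rounds


def profile(written: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Portrait of the attacker: level-1 elements locate identity, level-2 elements sketch the outline."""
    return {
        "identity": {n: sorted(v) for n, v in written.items() if v and ELEMENT_LEVEL[n] == 1},
        "outline": {n: sorted(v) for n, v in written.items() if v and ELEMENT_LEVEL[n] == 2},
    }


if __name__ == "__main__":
    found, n = trace(("ip", "203.0.113.5"))
    print(f"rounds={n} writing_rate={writing_rate(found):.0%}")
    print(profile(found))
```

Starting from the alarm IP, the first round reaches the domain through the firewall, and the second round reaches the mailbox and registrant through threat intelligence, at which point every row of the matrix has a value and the loop stops. Starting from a mailbox that no means can resolve, the loop stops after one round with a writing rate of 25%, which is the "no updated information" termination the text describes. Because cells are stored by (element, means) pair, the first-class and second-class lookups return the same target key means.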
In practical application, all the possible embodiments may be combined in any combination manner to form possible embodiments of the present application, which are not described in detail herein.
Based on the tracing method of the network attack provided by each embodiment, the embodiment of the application also provides a tracing device of the network attack based on the same inventive concept.
Fig. 4 shows a block diagram of a tracing apparatus for a network attack according to an embodiment of the present application. As shown in fig. 4, the tracing apparatus for network attack may include a first acquisition module 410, a second acquisition module 420, a determination module 430, a third acquisition module 440, and a tracing module 450.
A first obtaining module 410, configured to obtain information of an initial attack element of a preset attack event when capturing that the preset attack event occurs;
a second obtaining module 420, configured to obtain a pre-constructed element matrix, where the element matrix includes one or more key elements for tracing an attacker, and one or more key means for obtaining information of each key element;
a determining module 430, configured to compare the element matrix according to the obtained information of the initial attack element, and determine at least one first target key means for obtaining the information of the initial attack element;
A third obtaining module 440, configured to obtain, by combining the information of the initial attack element, information of at least one first target key element associated with the initial attack element through at least one first target key means;
the tracing module 450 is configured to trace an attacker based on the information of the initial attack element and the information of the at least one first target key element.
One possible implementation manner is provided in the embodiment of the present application, and the determining module 430 illustrated in fig. 4 above is further configured to: after the third acquisition module acquires the information of at least one first target key element associated with the initial attack element through at least one first target key means in combination with the information of the initial attack element, comparing the element matrix according to the information of the at least one first target key element, and determining at least one second target key means for acquiring the information of the at least one first target key element;
the third acquisition module 440 is further configured to: acquiring information of at least one second target key element associated with the at least one first target key element through at least one second target key means in combination with the information of the at least one first target key element;
The tracing module 450 is further configured to: tracing an attacker based on the information of the initial attack element, the information of the at least one first target key element and the information of the at least one second target key element.
The embodiment of the application provides a possible implementation manner, wherein an element matrix is displayed by adopting a first two-dimensional table, one or more key elements for tracing an attacker are recorded in rows of the first two-dimensional table, one or more key means are recorded in columns of the first two-dimensional table, identifiers are recorded in cells formed by intersecting the rows and the columns, and the identifiers at least comprise: when the first identifier is recorded in any cell of the element matrix, the key means corresponding to the column where the cell is located is used to obtain the information of the key element corresponding to the row where the cell is located, and the determining module 430 shown in fig. 4 is further configured to: inquiring one or more cells of which the identifiers in the row of the initial attack element are the first identifiers in the element matrix according to the acquired information of the initial attack element; the key means recorded in the column of the one or more cells is used as at least one first target key means for acquiring the information of the initial attack element.
In one possible implementation manner provided in the embodiment of the present application, the tracing module 450 illustrated in fig. 4 above is further configured to:
writing the information of the initial attack element and the information of at least one first target key element into a cell corresponding to the element matrix;
writing information of at least one second target key element into a cell corresponding to the element matrix;
writing information of at least one third target key element into a cell corresponding to the element matrix;
writing the information of at least one (N+1)th target key element into a cell corresponding to the element matrix;
and circularly executing the steps, and tracing an attacker by combining the written information when the information writing rate of the cell corresponding to the element matrix is larger than a preset threshold value.
The embodiment of the application provides a possible implementation manner, the element matrix is displayed by adopting a second-class two-dimensional table, one or more key elements for tracing an attacker are recorded in columns of the second-class two-dimensional table, one or more key means are recorded in rows of the second-class two-dimensional table, identifiers are recorded in cells formed by intersecting the rows and the columns, and the identifiers at least comprise: when the second identifier is recorded in any cell of the element matrix, the key means corresponding to the row where the cell is located is used to obtain the information of the key element corresponding to the column where the cell is located, and the determining module 430 shown in fig. 4 is further configured to: inquiring one or more cells of which the identifiers in the column of the initial attack element are second identifiers in the element matrix according to the acquired information of the initial attack element; the key means recorded on the row of one or more cells is used as at least one first target key means for acquiring the information of the initial attack element.
In one possible implementation manner provided in the embodiment of the present application, the tracing module 450 illustrated in fig. 4 above is further configured to:
writing the information of the initial attack element and the information of at least one first target key element into a cell corresponding to the element matrix;
writing information of at least one second target key element into a cell corresponding to the element matrix;
writing information of at least one third target key element into a cell corresponding to the element matrix;
writing the information of at least one (N+1)th target key element into a cell corresponding to the element matrix;
and circularly executing the steps, and tracing an attacker by combining the written information when the information writing rate of the cell corresponding to the element matrix is larger than a preset threshold value.
In one possible implementation manner provided in the embodiment of the present application, the element matrix further includes element levels corresponding to one or more key elements, where different element levels represent degrees related to an attacker, and the tracing module 450 shown in fig. 4 is further configured to:
and performing traceability analysis according to the information of the initial attack element and the information of the at least one first target key element by combining the element level of the initial attack element and the element level of the at least one first target key element, and performing portrayal on an attacker.
Based on the same inventive concept, the embodiment of the present application further provides an electronic device, including a processor and a memory, where the memory stores a computer program, and the processor is configured to run the computer program to execute the tracing method of the network attack of any one of the embodiments.
Based on the same inventive concept, the embodiment of the present application further provides a storage medium, where a computer program is stored, where the computer program is configured to execute the tracing method of the network attack of any one of the embodiments.
It will be clear to those skilled in the art that the specific working processes of the above-described systems, devices and modules may refer to the corresponding processes in the foregoing method embodiments, and are not described herein for brevity.
Those of ordinary skill in the art will appreciate that: the aspects of the present application may be embodied in essence or in whole or in part in a software product stored on a storage medium, comprising program instructions for causing an electronic device (e.g., personal computer, server, network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application when the program instructions are executed. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a read-only memory (ROM), a random-access memory (RAM), a magnetic disk, or an optical disk, etc.
Alternatively, all or part of the steps of implementing the foregoing method embodiments may be implemented by hardware (such as a personal computer, a server, or an electronic device such as a network device) associated with program instructions, where the program instructions may be stored in a computer-readable storage medium, and where the program instructions, when executed by a processor of the electronic device, perform all or part of the steps of the method according to the embodiments of the present application.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all technical features thereof can be replaced by others within the spirit and principle of the present application; such modifications and substitutions do not depart from the scope of the application.

Claims (10)

1. The tracing method for the network attack is characterized by comprising the following steps:
when capturing that a preset attack event occurs, acquiring information of an initial attack element of the preset attack event;
Obtaining a pre-constructed element matrix, wherein the element matrix comprises one or more key elements for tracing an attacker and one or more key means for obtaining information of each key element;
comparing the element matrixes according to the acquired information of the initial attack elements, and determining at least one first target key means for acquiring the information of the initial attack elements;
acquiring information of at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element;
tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element.
2. The method for tracing a network attack according to claim 1, wherein after the information of the initial attack element is combined, the information of at least one first target key element associated with the initial attack element is obtained by the at least one first target key means, the method further comprises:
comparing the element matrix according to the information of the at least one first target key element, and determining at least one second target key means for acquiring the information of the at least one first target key element;
Acquiring information of at least one second target key element associated with the at least one first target key element through the at least one second target key means in combination with the information of the at least one first target key element;
tracing an attacker based on the information of the initial attack element and the information of the at least one first target key element, including:
tracing an attacker based on the information of the initial attack element, the information of the at least one first target key element and the information of the at least one second target key element.
3. The method for tracing a network attack according to claim 2, wherein the element matrix is displayed by using a first type two-dimensional table, wherein one or more key elements for tracing an attacker are recorded in a row of the first type two-dimensional table, one or more key means are recorded in a column of the first type two-dimensional table, and identifiers are recorded in cells formed by intersecting the row and the column, and the identifiers at least comprise: when any cell of the element matrix is recorded with the first identifier, the first identifier represents that the key means corresponding to the column of the cell is used for acquiring the information of the key element corresponding to the row of the cell;
Comparing the element matrix according to the acquired information of the initial attack element, and determining at least one first target key means for acquiring the information of the initial attack element, wherein the first target key means comprises:
inquiring one or more cells in the element matrix, wherein the identifier in the row of the initial attack element is a first identifier, according to the acquired information of the initial attack element;
and taking the key means recorded in the column of the one or more cells as at least one first target key means for acquiring the information of the initial attack element.
4. The method for tracing a network attack according to claim 3, wherein,
after the information of the initial attack element is combined, the information of at least one first target key element associated with the initial attack element is acquired through the at least one first target key means, and the method further comprises: writing the information of the initial attack element and the information of the at least one first target key element into a cell corresponding to the element matrix;
after the information of the at least one second target key element associated with the at least one first target key element is obtained by the at least one second target key means in combination with the information of the at least one first target key element, the method further comprises: writing the information of the at least one second target key element into a cell corresponding to the element matrix;
Comparing the element matrix according to the information of the at least one second target key element, and determining at least one third target key means for acquiring the information of the at least one second target key element;
acquiring information of at least one third target key element associated with the at least one second target key element through the at least one third target key means in combination with the information of the at least one second target key element;
writing the information of the at least one third target key element into a cell corresponding to the element matrix;
comparing the element matrix according to the information of the at least one Nth target key element, and determining at least one (N+1)th target key means for acquiring the information of the at least one Nth target key element;
acquiring information of at least one (N+1)th target key element associated with the at least one Nth target key element through the at least one (N+1)th target key means in combination with the information of the at least one Nth target key element;
writing the information of the at least one (N+1)th target key element into a cell corresponding to the element matrix;
And tracing an attacker by combining the written information when the information writing rate of the cell corresponding to the element matrix is larger than a preset threshold value.
5. The method for tracing a network attack according to claim 2, wherein the element matrix is displayed by using a second-class two-dimensional table, wherein one or more key elements for tracing an attacker are recorded in columns of the second-class two-dimensional table, one or more key means are recorded in rows of the second-class two-dimensional table, and identifiers are recorded in cells formed by intersecting the rows and the columns, and the identifiers at least comprise: the second identifier, when the second identifier is recorded in any cell of the element matrix, the key means corresponding to the row of the cell is used for acquiring the information of the key element corresponding to the column of the cell;
comparing the element matrix according to the acquired information of the initial attack element, and determining at least one first target key means for acquiring the information of the initial attack element, wherein the first target key means comprises:
inquiring one or more cells in the element matrix, in which the identifier in the column of the initial attack element is a second identifier, according to the acquired information of the initial attack element;
And taking the key means recorded in the row of the one or more cells as at least one first target key means for acquiring the information of the initial attack element.
6. The method for tracing a network attack according to claim 5, wherein,
after the information of the initial attack element is combined, the information of at least one first target key element associated with the initial attack element is acquired through the at least one first target key means, and the method further comprises: writing the information of the initial attack element and the information of the at least one first target key element into a cell corresponding to the element matrix;
after the information of the at least one second target key element associated with the at least one first target key element is obtained by the at least one second target key means in combination with the information of the at least one first target key element, the method further comprises: writing the information of the at least one second target key element into a cell corresponding to the element matrix;
comparing the element matrix according to the information of the at least one second target key element, and determining at least one third target key means for acquiring the information of the at least one second target key element;
Acquiring information of at least one third target key element associated with the at least one second target key element through the at least one third target key means in combination with the information of the at least one second target key element;
writing the information of the at least one third target key element into a cell corresponding to the element matrix;
comparing the element matrix according to the information of the at least one Nth target key element, and determining at least one (N+1)th target key means for acquiring the information of the at least one Nth target key element;
acquiring information of at least one (N+1)th target key element associated with the at least one Nth target key element through the at least one (N+1)th target key means in combination with the information of the at least one Nth target key element;
writing the information of the at least one (N+1)th target key element into a cell corresponding to the element matrix;
and tracing an attacker by combining the written information when the information writing rate of the cell corresponding to the element matrix is larger than a preset threshold value.
7. The method for tracing a network attack according to claim 1, wherein the element matrix further comprises an element level corresponding to each of the one or more key elements, and different element levels represent different degrees of relevance to the attacker;
tracing the attacker based on the information of the initial attack element and the information of the at least one first target key element comprises:
performing traceability analysis according to the information of the initial attack element and the information of the at least one first target key element, in combination with the element level of the initial attack element and the element level of the at least one first target key element, and profiling the attacker.
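Claims 1 to 7 describe a procedure rather than any particular implementation: an element matrix pairs the key elements that identify an attacker with the key means that can produce each of them, the matrix is consulted to pick the next means from whatever information is already written, the new information is written back into the matrix, and the loop stops once the proportion of filled cells passes a threshold, after which element levels weight the profile. The following Python is an added illustration written for this page, not code from the patent or its assignees; the element names, their levels, the threshold value, the mock lookup "means" and the RFC 5737 / reserved-example values they return are all constructed here.

```python
"""Added example: the element-matrix tracing loop of claims 1-7, reconstructed.

All element names, levels, lookup tables and sample values below are
constructed for illustration and are not taken from the patent.
"""
from dataclasses import dataclass, field
from typing import Callable

# Key elements and their element level (claim 7): a higher level means the
# element is more directly tied to the attacker. Constructed values.
ELEMENT_LEVELS = {
    "ip": 1, "domain": 2, "sample_hash": 2, "registrant_email": 3, "handle": 4,
}


@dataclass
class KeyMeans:
    """A key means: a named lookup that consumes one element type and yields others."""
    name: str
    input_element: str
    output_elements: tuple
    lookup: Callable[[str], dict]  # value -> {element: [values]}


# Constructed offline stand-ins for passive DNS, WHOIS, sandbox and OSINT
# sources, using only an RFC 5737 address and reserved example domains.
_PASSIVE_DNS = {"203.0.113.5": ["c2.example.net"]}
_WHOIS = {"c2.example.net": ["registrar-contact@example.org"]}
_SANDBOX = {"c2.example.net": ["0f" * 16]}  # hypothetical sample hash
_OSINT = {"registrar-contact@example.org": ["dev_handle_42"]}

MEANS = [
    KeyMeans("passive_dns", "ip", ("domain",),
             lambda v: {"domain": _PASSIVE_DNS.get(v, [])}),
    KeyMeans("whois", "domain", ("registrant_email",),
             lambda v: {"registrant_email": _WHOIS.get(v, [])}),
    KeyMeans("sandbox", "domain", ("sample_hash",),
             lambda v: {"sample_hash": _SANDBOX.get(v, [])}),
    KeyMeans("osint", "registrant_email", ("handle",),
             lambda v: {"handle": _OSINT.get(v, [])}),
]


@dataclass
class ElementMatrix:
    elements: dict                              # element -> level
    means: list                                 # available KeyMeans
    cells: dict = field(default_factory=dict)   # element -> set of written values

    def applicable_means(self, element):
        """'Comparing the element matrix': the means that take this element as input."""
        return [m for m in self.means if m.input_element == element]

    def write(self, element, values):
        """Write acquired information into the cell for that element."""
        self.cells.setdefault(element, set()).update(values)

    def fill_rate(self):
        """Proportion of element cells holding at least one value (claim 6's threshold test)."""
        filled = sum(1 for e in self.elements if self.cells.get(e))
        return filled / len(self.elements)


def trace(matrix, initial_element, initial_value, threshold=0.8, max_rounds=10):
    """Write the initial attack element, then repeatedly pick means from the matrix,
    acquire the associated elements and write them back, until the fill rate exceeds
    the threshold, nothing new is learned, or the round limit is hit.
    Returns (fill_rate, rounds_run)."""
    matrix.write(initial_element, [initial_value])
    frontier = {(initial_element, initial_value)}
    rounds = 0
    while frontier and matrix.fill_rate() <= threshold and rounds < max_rounds:
        rounds += 1
        nxt = set()
        for element, value in frontier:
            for means in matrix.applicable_means(element):
                for out_elem, out_vals in means.lookup(value).items():
                    new = [v for v in out_vals
                           if v not in matrix.cells.get(out_elem, set())]
                    matrix.write(out_elem, new)
                    nxt.update((out_elem, v) for v in new)
        frontier = nxt
    return matrix.fill_rate(), rounds


def profile_attacker(matrix):
    """Claim 7: combine the written information with element levels to profile the
    attacker. Returns the filled elements ordered from most to least attacker-related,
    plus a level-weighted coverage score in [0, 1]."""
    portrait = [(matrix.elements[e], e, sorted(vals))
                for e, vals in matrix.cells.items() if vals]
    portrait.sort(reverse=True)
    score = sum(level for level, _, _ in portrait) / sum(matrix.elements.values())
    return portrait, score


if __name__ == "__main__":
    m = ElementMatrix(dict(ELEMENT_LEVELS), MEANS)
    print(trace(m, "ip", "203.0.113.5"))
    print(profile_attacker(m))
```

The stopping rule matters for a defender: with a low threshold the loop halts after the domain-level pivots and never reaches the handle, so the profile is weaker but cheaper; an initial element with no hits leaves the matrix at its starting fill rate, which is the signal to collect a different initial element rather than to keep querying.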
8. A tracing device for a network attack, comprising:
a first acquisition module, configured to acquire information of an initial attack element of a preset attack event when the occurrence of the preset attack event is captured;
a second acquisition module, configured to acquire a pre-constructed element matrix, wherein the element matrix comprises one or more key elements for tracing an attacker and one or more key means for acquiring information of each key element;
a determining module, configured to compare the element matrix according to the acquired information of the initial attack element and determine at least one first target key means for acquiring the information of the initial attack element;
a third acquisition module, configured to acquire information of at least one first target key element associated with the initial attack element through the at least one first target key means in combination with the information of the initial attack element;
and a tracing module, configured to trace the attacker based on the information of the initial attack element and the information of the at least one first target key element.
9. An electronic device comprising a processor and a memory, wherein the memory has stored therein a computer program, the processor being configured to run the computer program to perform the method of tracing a network attack of any one of claims 1 to 7.
10. A storage medium having a computer program stored therein, wherein the computer program is configured to perform the network attack tracing method of any one of claims 1 to 7 at run-time.
CN202111676939.6A 2021-12-31 2021-12-31 Network attack tracing method and device, electronic equipment and storage medium Active CN114338211B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111676939.6A CN114338211B (en) 2021-12-31 2021-12-31 Network attack tracing method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111676939.6A CN114338211B (en) 2021-12-31 2021-12-31 Network attack tracing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114338211A CN114338211A (en) 2022-04-12
CN114338211B true CN114338211B (en) 2023-10-20

Family

ID=81023773

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111676939.6A Active CN114338211B (en) 2021-12-31 2021-12-31 Network attack tracing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114338211B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067815A (en) * 2018-11-06 2018-12-21 深信服科技股份有限公司 Attack Source Tracing method, system, user equipment and storage medium
WO2019037498A1 (en) * 2017-08-25 2019-02-28 腾讯科技(深圳)有限公司 Active tracking method, device and system
CN111193749A (en) * 2020-01-03 2020-05-22 北京明略软件系统有限公司 Attack tracing method and device, electronic equipment and storage medium
CN111669370A (en) * 2020-05-15 2020-09-15 深圳供电局有限公司 Network attack tracing method and system based on data analysis
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN111953527A (en) * 2020-07-28 2020-11-17 深圳供电局有限公司 Network attack recovery system
WO2021169293A1 (en) * 2020-02-27 2021-09-02 华为技术有限公司 Attack behavior detection method and apparatus, and attack detection device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI20096394A0 (en) * 2009-12-23 2009-12-23 Valtion Teknillinen DETECTING DETECTION IN COMMUNICATIONS NETWORKS

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on the technical system for APT attack detection and countermeasures; 陈瑞东; 张小松; 牛伟纳; 蓝皓月; Journal of University of Electronic Science and Technology of China (06); pp. 72-81 *

Also Published As

Publication number Publication date
CN114338211A (en) 2022-04-12

Similar Documents

Publication Publication Date Title
CN106657057B (en) Anti-crawler system and method
CN106375331B (en) Attack organization mining method and device
CN111046379B (en) Anti-attack monitoring method and device
CN101902349B (en) Method and system for detecting scanning behaviors of ports
CN107566390B (en) Industrial control system network security analysis system and method based on threat information
CN113162953B (en) Network threat message detection and source tracing evidence obtaining method and device
CN113726780B (en) Network monitoring method and device based on situation awareness and electronic equipment
CN110809010A (en) Threat information processing method, device, electronic equipment and medium
CN110493225B (en) Request transmission method, device, equipment and readable storage medium
CN108924118A (en) Credential-stuffing behavior detection method and system
CN110691072A (en) Distributed port scanning method, device, medium and electronic equipment
CN110708292A (en) IP processing method, device, medium and electronic equipment
CN114244564B (en) Attack defense method, device, equipment and readable storage medium
CN110430212A (en) Internet of Things threat perception method and system based on multivariate data fusion
CN114338211B (en) Network attack tracing method and device, electronic equipment and storage medium
CN113676497A (en) Data blocking method and device, electronic equipment and storage medium
CN111885034B (en) Internet of things attack event tracking method and device and computer equipment
CN112966264A (en) XSS attack detection method, device, equipment and machine-readable storage medium
CN110460620B (en) Website defense method, device, equipment and storage medium
CN112560085B (en) Privacy protection method and device for business prediction model
CN113824736B (en) Asset risk handling method, device, equipment and storage medium
CN111131239B (en) Network security device, method, equipment and medium
CN106993005A (en) Early warning method and system for a web server
Kao et al. Hacking Tool Identification in Penetration Testing
CN115065509B (en) Risk identification method and device for statistical inference attack based on deviation function

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant