CN114422257A - Information processing method, device, equipment and medium - Google Patents

Information processing method, device, equipment and medium

Publication number: CN114422257A
Authority: CN (China)
Prior art keywords: information, attack, attacker, intelligence, alarm
Prior art date
Legal status: Granted
Application number: CN202210083610.7A
Other languages: Chinese (zh)
Other versions: CN114422257B (en)
Inventors: 王鹏, 闫海林, 蒋家堂, 贾紫倩
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
Priority to CN202210083610.7A
Publication of CN114422257A
Application granted
Publication of CN114422257B
Legal status: Active
Anticipated expiration

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441  Countermeasures against malicious traffic
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55  Detecting local intrusion or implementing counter-measures
    • G06F 21/56  Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566  Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides an information processing method, apparatus, device and medium, applicable to the technical fields of network information security and finance. The information processing method includes: acquiring security device alarm information and intelligence information, the intelligence information including intelligence from a threat data platform; obtaining first attack information by trace-back analysis of the security device alarm information, the first attack information including attack path information and a virtual identity identifier of an attacker; performing counterattack analysis on the attacker according to the attack path information and the virtual identity identifier to obtain second attack information, the second attack information including a real identity identifier of the attacker; constructing an attacker profile from the first attack information and the second attack information; and extracting third attack information from the intelligence information and the attacker profile, the third attack information including attack tactics information.

Description

Information processing method, device, equipment and medium
Technical Field
The present disclosure relates to the field of network information security technologies, and in particular, to an information processing method, apparatus, device, medium, and program product.
Background
In the current network environment, as network attack techniques develop, how to defend against network attacks effectively and guarantee network security has become a technical problem that urgently needs solving.
In the related art, a network attacker can be tracked by route tracing, log record analysis, packet marking and similar tracking techniques. However, when the attacker hides his identity by forging IP addresses, using jump hosts (springboards), anonymous networks and the like, the attacker's actual identity is difficult to obtain by tracking alone, so the attacker's network attacks are difficult to defend against effectively. If the attacker's real identity must be confirmed further, a manual judgement based on other evidence is required, which consumes a large amount of time and labour and is slow.
Disclosure of Invention
In view of the above, the present disclosure provides an information processing method, apparatus, device, medium, and program product.
According to a first aspect of the present disclosure, there is provided an information processing method including:
acquiring security device alarm information and intelligence information, wherein the intelligence information includes intelligence from a threat data platform;
obtaining first attack information by trace-back analysis of the security device alarm information, wherein the first attack information includes attack path information and a virtual identity identifier of an attacker;
performing counterattack analysis on the attacker according to the attack path information and the virtual identity identifier to obtain second attack information, wherein the second attack information includes a real identity identifier of the attacker;
constructing an attacker profile from the first attack information and the second attack information; and
extracting third attack information from the intelligence information and the attacker profile, wherein the third attack information includes attack tactics information.
According to an embodiment of the present disclosure, obtaining the first attack information by trace-back analysis of the security device alarm information includes:
extracting attack feature information from the security device alarm information, wherein the attack feature information includes spatio-temporal feature information, content feature information and behaviour feature information; and
obtaining the first attack information by trace-back analysis of the association relationship among the spatio-temporal, content and behaviour feature information of the alarm information of different security devices.
According to an embodiment of the present disclosure, obtaining the first attack information by trace-back analysis of the association relationship among the spatio-temporal, content and behaviour feature information of the alarm information of different security devices includes:
inputting first sample data and second sample data into an association trace-back analysis model and calculating a first association similarity, wherein the first sample data includes first spatio-temporal, content and behaviour feature information extracted from first security device alarm information, and the second sample data includes second spatio-temporal, content and behaviour feature information extracted from second security device alarm information; and
when the first association similarity exceeds a first preset threshold, determining the first attack information from the first sample data and the second sample data.
According to an embodiment of the present disclosure, performing counterattack analysis on the attacker according to the attack path information and the virtual identity identifier to obtain the second attack information includes:
acquiring privileges on the attacker's host by actively probing for vulnerability information according to the attack path information and the virtual identity identifier; and
acquiring the second attack information through those host privileges.
According to an embodiment of the present disclosure, performing counterattack analysis on the attacker according to the attack path information and the attacker's virtual identity identifier to obtain the second attack information includes:
constructing a simulation system according to the attack path information and the attacker's virtual identity identifier; and
acquiring the second attack information from the alarm information triggered when the attacker attacks the simulation system.
According to an embodiment of the present disclosure, the information processing method further includes storing the first attack information, the second attack information and the third attack information in an attacker database.
According to an embodiment of the present disclosure, the information processing method further includes:
extracting fourth attack information from the intelligence information, wherein the fourth attack information includes an identity identifier of an attack organization and tactics information of the attack organization;
calculating a second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database; and
determining that the attacker comes from the attack organization when the second association similarity exceeds a second preset threshold.
A second aspect of the present disclosure provides an information processing apparatus including a first acquisition module, a second acquisition module, a third acquisition module, a construction module and a first extraction module. The first acquisition module acquires security device alarm information and intelligence information, wherein the intelligence information includes intelligence from a threat data platform. The second acquisition module obtains first attack information by trace-back analysis of the security device alarm information, wherein the first attack information includes attack path information and a virtual identity identifier of an attacker. The third acquisition module obtains second attack information by performing counterattack analysis on the attacker according to the attack path information and the virtual identity identifier, wherein the second attack information includes a real identity identifier of the attacker. The construction module constructs an attacker profile from the first attack information and the second attack information. The first extraction module extracts third attack information from the intelligence information and the attacker profile, wherein the third attack information includes attack tactics information.
According to an embodiment of the present disclosure, the second acquisition module includes a first extraction unit and a first acquisition unit. The first extraction unit extracts attack feature information from the security device alarm information, wherein the attack feature information includes spatio-temporal feature information, content feature information and behaviour feature information. The first acquisition unit obtains the first attack information by trace-back analysis of the association relationship among the spatio-temporal, content and behaviour feature information of the alarm information of different security devices.
According to an embodiment of the present disclosure, the first acquisition unit includes a calculation subunit and a determination subunit. The calculation subunit inputs first sample data and second sample data into an association trace-back analysis model and calculates a first association similarity, wherein the first sample data includes first spatio-temporal, content and behaviour feature information extracted from first security device alarm information, and the second sample data includes second spatio-temporal, content and behaviour feature information extracted from second security device alarm information. The determination subunit determines the first attack information from the first sample data and the second sample data when the first association similarity exceeds a first preset threshold.
According to an embodiment of the present disclosure, the third acquisition module includes a second acquisition unit and a third acquisition unit. The second acquisition unit obtains privileges on the attacker's host by actively probing for vulnerability information according to the attack path information and the virtual identity identifier. The third acquisition unit obtains the second attack information through those host privileges.
According to an embodiment of the present disclosure, the third acquisition module includes a construction unit and a fourth acquisition unit. The construction unit constructs a simulation system according to the attack path information and the attacker's virtual identity identifier. The fourth acquisition unit obtains the second attack information from the alarm information triggered when the attacker attacks the simulation system.
According to an embodiment of the present disclosure, the information processing apparatus further includes a storage module that stores the first attack information, the second attack information and the third attack information in an attacker database.
According to an embodiment of the present disclosure, the information processing apparatus further includes a second extraction module, a calculation module and a determination module. The second extraction module extracts fourth attack information from the intelligence information, wherein the fourth attack information includes an identity identifier of an attack organization and tactics information of the attack organization. The calculation module calculates a second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database. The determination module determines that the attacker comes from the attack organization when the second association similarity exceeds a second preset threshold.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described information processing method.
The fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-mentioned information processing method.
The fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described information processing method.
According to embodiments of the present disclosure, the attack path information and the attacker's virtual identity identifier are obtained by trace-back analysis of the security device alarm information, counterattack analysis is then performed on the attacker according to that path and identifier to obtain the attacker's real identity, and the attack path is reconstructed by combining trace-back analysis with counterattack analysis, so that the real identity of an attacker who has disguised his identity can be obtained. An attacker profile is then constructed from the attacker's real identity and the attack path information, tactics information is extracted from the profile, and the attacker's identity can be further verified through that tactics information, improving both the effectiveness and the speed of judgement in network defence.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an exemplary application system framework for an information processing method, apparatus, device, medium, and program product according to embodiments of the disclosure;
FIG. 2 schematically shows a flow chart of an information processing method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow diagram of a counterattack analysis method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram of a counterattack analysis method according to further embodiments of the present disclosure;
FIG. 5 schematically illustrates a logical block diagram of an information processing flow according to an embodiment of the present disclosure;
FIG. 6 schematically shows a block diagram of the structure of an information processing apparatus according to an embodiment of the present disclosure; and
FIG. 7 schematically shows a block diagram of an electronic device adapted to implement an information processing method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
It should be noted that the information processing method and apparatus of the present disclosure may be used in the financial field and the technical field of network information security, and may also be used in any field other than the financial field.
In the technical solution of the present disclosure, the collection, storage, use, processing, transmission, provision, disclosure, application and other handling of the personal information of the users involved comply with the relevant laws and regulations, necessary confidentiality measures are taken, and public order and good customs are not violated.
In the technical scheme of the disclosure, before the personal information of the user is acquired or collected, the authorization or the consent of the user is acquired.
According to embodiments of the present disclosure, the attack path information and the attacker's virtual identity identifier are obtained by trace-back analysis of the security device alarm information, counterattack analysis is then performed on the attacker according to that path and identifier to obtain the attacker's real identity, and the attack path is reconstructed by combining trace-back analysis with counterattack analysis, so that the real identity of an attacker who has disguised his identity can be obtained. An attacker profile is then constructed from the attacker's real identity and the attack path information, tactics information is extracted from the profile, and the attacker's identity can be further verified through that tactics information, improving both the effectiveness and the speed of judgement in network defence.
Fig. 1 schematically illustrates an exemplary application system framework of an information processing method, apparatus, device, medium, and program product according to embodiments of the present disclosure.
As shown in FIG. 1, the exemplary application system framework 100 includes an information collection module 101, a trace-back analysis module 102, a counterattack module 103, a profile construction module 104, an information extraction module 105 and a storage module 106.
The information collection module 101 may include an internal information collection unit 101-1, an external information collection unit 101-2 and a data organization unit 101-3. The internal information collection unit 101-1 collects alarm information from internal security devices, and the external information collection unit 101-2 collects intelligence from an external threat data platform. The security device alarm information may include host alarms, server alarms, alarms generated by running malicious samples, and the like. The intelligence information may include threat data intelligence from public platforms. The data organization unit 101-3 may convert the collected alarm and intelligence information into a unified data format, may compute the similarity of records using Levenshtein distance and an LSC-distance golden-section method, and sorts the collected information.
The trace-back analysis module 102 is communicatively connected to the information collection module 101 and performs trace-back analysis on the security device alarm information to obtain the first attack information. It may include a spatio-temporal feature extraction unit 102-1, a behaviour feature extraction unit 102-2, a content feature extraction unit 102-3 and an association trace-back analysis unit 102-4. The association trace-back analysis unit 102-4 may compute the similarity of records with the association trace-back model and group feature records of high similarity into one class, thereby obtaining the attack path information and the attacker's virtual identity identifier.
The counterattack module 103 is communicatively connected to the trace-back analysis module 102 and may include an active counterattack unit 103-1 and a passive counterattack unit 103-2. The active counterattack unit 103-1 may use the attacker's virtual identity identifier obtained by the trace-back analysis module 102 to obtain vulnerability information by port scanning, vulnerability scanning and similar means, and further obtain privileges on the attacker's host in order to obtain the attacker's real identity identifier. The passive counterattack unit 103-2 may construct a simulation system by placing baits, fake leaked-information artifacts and the like on code hosting platforms, and obtain the attacker's real identity identifier from the alarm information triggered when the attacker attacks the simulation system.
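The passive counterattack unit 103-2 above, and the simulation-system embodiment in the summary, as an added example written for this page (it is not the patent's or ICBC's code): a fake leaked configuration is generated carrying a decoy API key whose HMAC tag ties any later use back to the artifact it was planted in, and the access log of the decoy service is scanned for verified keys to produce the alarm (source IP, time, user agent) that the identity work starts from. The artifact layout, key format, secret, log format and every log line are constructed assumptions. What the alarm yields is the source of the request, which is the starting point for the real-identity step and not the real identity itself.

```python
"""Added example: passive counterattack with a planted decoy credential.

Not the patent's own code. The artifact format, token layout, log format
and all log lines below are constructed assumptions for illustration.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed decoy key layout: icb_<campaign>_<8 hex nonce>_<16 hex HMAC tag>
TOKEN_RE = re.compile(r"icb_(?P<campaign>[a-z0-9-]+)_(?P<nonce>[0-9a-f]{8})_(?P<tag>[0-9a-f]{16})")
# Constructed nginx-style access log: ip - - [time] "request" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')


def _tag(secret: bytes, campaign: str, nonce: str) -> str:
    return hmac.new(secret, f"{campaign}:{nonce}".encode(), hashlib.sha256).hexdigest()[:16]


def make_decoy_artifact(campaign: str, secret: bytes, nonce: Optional[str] = None) -> tuple[str, str]:
    """Build a fake leaked .env to plant on a code hosting platform.

    The API key embeds an HMAC tag keyed with `secret`, so a hit can be
    verified and attributed to the artifact (campaign) it was planted in,
    while a guessed key of the same shape is rejected.
    """
    nonce = nonce or secrets.token_hex(4)
    api_key = f"icb_{campaign}_{nonce}_{_tag(secret, campaign, nonce)}"
    artifact = (
        "# internal settings, do not commit\n"
        "ACCOUNTS_API=https://accounts.internal.example/api/v1\n"
        f"ACCOUNTS_API_KEY={api_key}\n"
    )
    return api_key, artifact


def verify_token(token: str, secret: bytes) -> Optional[str]:
    """Return the campaign a token belongs to, or None if it is not our decoy."""
    m = TOKEN_RE.fullmatch(token)
    if not m:
        return None
    expected = _tag(secret, m["campaign"], m["nonce"])
    return m["campaign"] if hmac.compare_digest(expected, m["tag"]) else None


@dataclass(frozen=True)
class DecoyAlarm:
    campaign: str
    src_ip: str
    time: str
    user_agent: str
    request: str


def detect_hits(log_lines: list[str], secret: bytes) -> list[DecoyAlarm]:
    """Alarm information triggered when the decoy service is used: every
    request that presents a verified decoy key yields one alarm record."""
    hits = []
    for line in log_lines:
        lm = LOG_RE.match(line)
        if not lm:
            continue
        for tm in TOKEN_RE.finditer(lm["req"]):
            campaign = verify_token(tm.group(0), secret)
            if campaign:
                hits.append(DecoyAlarm(campaign, lm["ip"], lm["time"], lm["ua"], lm["req"]))
    return hits


SECRET = b"constructed-demo-secret"   # assumption: kept server-side, never planted
PLANTED_KEY, PLANTED_ENV = make_decoy_artifact("repo-a", SECRET, nonce="ab12cd34")
# A key of the right shape but with a wrong tag, as a guesser would produce.
FORGED_KEY = PLANTED_KEY[:-1] + ("0" if PLANTED_KEY[-1] != "0" else "1")

# Constructed decoy-service log: one real hit, one forged key, one noise line.
SAMPLE_LOG = [
    f'203.0.113.7 - - [24/Jan/2022:09:00:01 +0800] "GET /api/v1/accounts?api_key={PLANTED_KEY} HTTP/1.1" 401 12 "-" "python-requests/2.27.1"',
    f'198.51.100.9 - - [24/Jan/2022:09:05:44 +0800] "GET /api/v1/accounts?api_key={FORGED_KEY} HTTP/1.1" 401 12 "-" "curl/7.81.0"',
    '192.0.2.5 - - [24/Jan/2022:09:06:10 +0800] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.23"',
]

if __name__ == "__main__":
    print(PLANTED_ENV)
    for alarm in detect_hits(SAMPLE_LOG, SECRET):
        print(alarm)
```

The HMAC tag is what makes the bait usable as evidence: only keys minted with the server-side secret raise an alarm, so scanner noise and guessed keys do not pollute the attacker database, and the campaign field tells which planted artifact the attacker picked up.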
The profile construction module 104 is communicatively connected to the trace-back analysis module 102 and the counterattack module 103. From the attack path information and attacker virtual identity identifier obtained from the trace-back analysis module 102 and the attacker real identity identifier obtained from the counterattack module 103, it can construct a spatio-temporal relationship profile, an operation behaviour profile, an abnormal access object profile and the like, and can further construct a comprehensive attacker profile from those three profiles.
The information extraction module 105 may be communicatively connected to the information collection module 101, and is communicatively connected to the profile construction module 104. It obtains the comprehensive attacker profile from the profile construction module 104, extracts attack tactics information by combining it with the intelligence obtained from the external information collection unit 101-2, and further verifies the attacker's real identity.
The storage module 106 may be communicatively connected to the information extraction module 105 and stores information associated with the attacker, which may include intelligence information, attack information obtained by trace-back analysis, attack information obtained by counterattack analysis, and the like.
The information processing method of the disclosed embodiments is described in detail below with reference to FIGS. 2 to 5, based on the scenario of FIG. 1.
Fig. 2 schematically shows a flow chart of an information processing method according to an embodiment of the present disclosure.
As shown in fig. 2, the information processing method 200 of this embodiment includes operations S210 to S250.
In operation S210, security device alert information and intelligence information are obtained, wherein the intelligence information includes intelligence information from a threat data platform.
According to an embodiment of the present disclosure, the security device alarm information may include alarm information from security devices inside the system, host alarms, server alarms, alarms caused by running malicious samples, and the like. The intelligence information may include public threat intelligence from an external data platform, for example threat intelligence obtained from open sources on the Internet: mainly published Internet intelligence sources and various subscribed security information, vulnerability information and other data. The public intelligence may include security situation information, security event information and other network security early-warning information, network monitoring data analysis results, IP address reputation and the like, and may be collected by a web crawler.
In operation S220, first attack information is obtained by trace-back analysis of the security device alarm information, where the first attack information includes attack path information and a virtual identity identifier of an attacker.
According to an embodiment of the present disclosure, taking server alarm information as an example, the attack path can be obtained by trace-back analysis from the time and frequency at which each server reported an anomaly and from the code used to attack the server. For example: the alarm from server A occurs at 9:00, the alarm from server B at 9:02 and the alarm from server C at 8:59; with one alarm per server, the attack path is server C - server A - server B. Tracing back along the attack path to the IP address from which the attacker launched the attack yields the attacker's virtual identity identifier.
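The trace-back step of operation S220, together with the association-similarity embodiment of the summary, as an added example written for this page (not the patent's own code): it extracts the spatio-temporal, content and behaviour features named in the claims from constructed alarm records, scores pairs with an assumed association similarity (the patent does not define its model; here a weighted mix of time proximity, normalised Levenshtein similarity of the payloads, behaviour agreement and source/destination chaining), joins pairs over a preset threshold into one attack, and orders that cluster by time to obtain the path server C, server A, server B and the earliest source IP as the attacker's virtual identity identifier. The records, weights, time window and threshold are all constructed assumptions.

```python
"""Added example: association trace-back over security device alarms.

Not the patent's own code. The similarity model, weights, threshold and
all alarm records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Alarm:
    device: str        # reporting server / security device
    ts: datetime       # spatio-temporal feature: when
    src_ip: str        # spatio-temporal feature: where from
    dst_ip: str        # spatio-temporal feature: where to
    payload: str       # content feature: request or sample excerpt
    behaviour: str     # behaviour feature: coarse label from the device


def levenshtein(a: str, b: str) -> int:
    """Edit distance, the record-comparison measure named for the data organization unit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def content_similarity(a: str, b: str) -> float:
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def association_similarity(x: Alarm, y: Alarm, window: timedelta = timedelta(minutes=10)) -> float:
    """Assumed association model: time proximity + content + behaviour + chaining."""
    time_score = max(0.0, 1.0 - abs(x.ts - y.ts) / window)
    content_score = content_similarity(x.payload, y.payload)
    behaviour_score = 1.0 if x.behaviour == y.behaviour else 0.0
    # one hop of a path: the host hit by one alarm is the source of the next
    chained = x.src_ip == y.src_ip or x.dst_ip == y.src_ip or y.dst_ip == x.src_ip
    chain_score = 1.0 if chained else 0.0
    return 0.35 * time_score + 0.30 * content_score + 0.15 * behaviour_score + 0.20 * chain_score


def cluster_alarms(alarms: list[Alarm], threshold: float = 0.6) -> list[list[Alarm]]:
    """Union-find: any pair at or above the first preset threshold lands in one attack."""
    parent = list(range(len(alarms)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(alarms)), 2):
        if association_similarity(alarms[i], alarms[j]) >= threshold:
            parent[find(i)] = find(j)
    groups: dict[int, list[Alarm]] = {}
    for i, a in enumerate(alarms):
        groups.setdefault(find(i), []).append(a)
    return sorted(groups.values(), key=len, reverse=True)


def trace_back(cluster: list[Alarm]) -> tuple[list[str], str]:
    """First attack information: devices in time order, and the earliest
    source IP as the attacker's virtual identity identifier."""
    ordered = sorted(cluster, key=lambda a: a.ts)
    return [a.device for a in ordered], ordered[0].src_ip


# Constructed alarms: the C -> A -> B chain from the text plus one unrelated alarm.
T = datetime(2022, 1, 24)
SAMPLE_ALARMS = [
    Alarm("server-A", T.replace(hour=9, minute=0), "10.0.0.3", "10.0.0.1",
          "GET /upload.php?cmd=whoami", "webshell"),
    Alarm("server-B", T.replace(hour=9, minute=2), "10.0.0.1", "10.0.0.2",
          "GET /upload.php?cmd=uname", "webshell"),
    Alarm("server-C", T.replace(hour=8, minute=59), "203.0.113.7", "10.0.0.3",
          "GET /upload.php?cmd=id", "webshell"),
    Alarm("server-D", T.replace(hour=14, minute=30), "198.51.100.9", "10.0.0.9",
          "sshd: 200 failed logins in 60s", "bruteforce"),
]

if __name__ == "__main__":
    for group in cluster_alarms(SAMPLE_ALARMS):
        print(trace_back(group))
```

The chaining term is what turns a pile of alarms into a path: server C's destination is server A's source, and A's destination is B's source, so the three join even where the payloads differ, while the brute-force alarm on server D shares no time window, behaviour or address with them and stays its own cluster.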
In operation S230, second attack information is obtained by performing counterattack analysis on the attacker according to the attack path information and the virtual identity identifier, where the second attack information includes the attacker's real identity identifier.
According to an embodiment of the present disclosure, the attacker can be counterattacked through the virtual identity identifier. For example, the virtual identity identifier may be a virtual login account; that account may be actively probed, and when a weak password is detected, privileges on the attacker's host may be obtained through the weak password, and the attacker's real identity identifier, for example social account information, may be obtained from the attacker's host.
In operation S240, an attacker profile is constructed from the first attack information and the second attack information.
According to an embodiment of the present disclosure, for example, the attacker's operation behaviour, operating habits, working and resting hours and the like can be reconstructed from the attack path information, and a spatio-temporal relationship profile and an operation behaviour profile of the attacker can be built from that information. An abnormal access object profile of the attacker can be built from the attacker's virtual and real identity identifiers. The spatio-temporal relationship profile, the operation behaviour profile and the abnormal access object profile can be combined into a comprehensive attacker profile.
In operation S250, third attack information is extracted according to the intelligence information and the attacker portrait information, wherein the third attack information includes attack tactical information.
According to an embodiment of the present disclosure, for example: intelligence information since it comes from public network intelligence operators, it can extract a part of characteristic information describing the behavior of the attacker through the intelligence information, such as: attack code features, attack behavior path features, and the like. In combination with the portrait information of the attacker, the attack tactical information can be extracted, for example: attack process characteristic information, attack technology characteristic information, and the like.
According to an embodiment of the disclosure, attack path information and virtual identity identification information of the attacker can be obtained through tracing analysis of the alarm information of the security devices; the attacker is then subjected to reverse analysis according to the attack path information and the virtual identity identification information to obtain the attacker's real identity information. By combining the tracing analysis method with the reverse analysis method, the attack path is restored and the real identity information of an attacker who has disguised their identity can be obtained. An attacker portrait is then constructed from the attacker's real identity information and attack path information, tactical information is extracted from the attacker portrait, and the attacker's identity information can be further verified through the tactical information, improving both the effectiveness and the speed of judgment of network defense.
According to the embodiment of the disclosure, the first attack information is obtained by analyzing the alarm information of the security device by tracing, which includes:
extracting attack characteristic information from the security device alarm information, wherein the attack characteristic information comprises: spatio-temporal feature information, content feature information, and behavior feature information;
and obtaining first attack information by tracing analysis of the association relationship among the spatio-temporal characteristic information, the content characteristic information and the behavior characteristic information of the alarm information of different security devices.
According to an embodiment of the present disclosure, the spatiotemporal feature information may include temporal features and location features of an attack initiated by an attacker. The content characteristic information may include attack target characteristics, attack purpose characteristics, attack time characteristics, attack code characteristics, uniform resource locator characteristics, domain name characteristics, and the like. The behavior feature information may include file operation behavior features, network probe behavior features, and process operation behavior features.
According to an embodiment of the disclosure, the first attack information can be obtained by analyzing the association relationship among the spatio-temporal characteristic information, the content characteristic information and the behavior characteristic information. For example: the spatio-temporal characteristic information extracted from the alarm information of security device A may indicate that the attacker's attack site is in region a, and the spatio-temporal characteristic information extracted from the alarm information of security device B may also indicate that the attacker's attack site is in region a; from the spatio-temporal characteristic information the two attacks can be presumed to originate from the same attacker A, and the virtual identification information of attacker A, for example a virtual IP address, can be acquired from the alarm information of security device A and the alarm information of security device B.
According to the embodiment of the disclosure, the accuracy of the traceability analysis can be improved by extracting the spatio-temporal characteristic information, the behavior characteristic information and the content characteristic information which are associated with the identity of the attacker through multiple dimensions.
According to the embodiment of the disclosure, obtaining first attack information by analyzing the association relationship among the spatio-temporal characteristic information, the content characteristic information and the behavior characteristic information of the alarm information of different security devices by tracing, includes:
inputting first sample data and second sample data into an association tracing analysis model, and calculating a first association similarity, wherein the first sample data comprises first spatio-temporal characteristic information, first content characteristic information and first behavior characteristic information extracted from first security device alarm information, and the second sample data comprises second spatio-temporal characteristic information, second content characteristic information and second behavior characteristic information extracted from second security device alarm information;
and under the condition that the first associated similarity exceeds a first preset threshold, determining first attack information according to the first sample data and the second sample data.
According to an embodiment of the present disclosure, for example: the time-space characteristic information extracted from a piece of safety equipment alarm information can be used as' Ttl"to represent," T "represents threat intelligence," T "represents attack time," l "represents spatial signature; using 'T' for behavior feature informationa"to mean," a "means a behavioral characteristic; using "T" for content characteristic informationc"to indicate," c "indicates a content feature. The space-time characteristic information' Ttl", behavior characteristic information" Ta", the content characteristic information is" Tc"input the correlation tracing analysis model, calculate the first correlation similarity between the spatio-temporal characteristic information, the behavior characteristic information, and the content characteristic information of the alarm information of different safety equipments, the first correlation similarity can be calculated by using the euler calculation formula shown in formula (one):
Figure BDA0003485254050000111
wherein d isxyDistance, x, representing a feature vectork、ykBoth represent feature vectors.
According to an embodiment of the present disclosure, for example: the first sample data extracted from the alarm information of the security device a may beIs (T)tl1、Ta1、Tc1). The second sample data extracted from the alarm information of the security device B may be (T)tl2、Ta2、Tc2). If the calculated first correlation similarity is greater than a first preset threshold, it can be determined that the alarm information of the security device a and the alarm information of the security device B are generated by the same attacker initiating network attacks on the security device a and the security device B, and the first time-space characteristic T in the alarm information of the security device a and the first time-space characteristic T in the alarm information of the security device B can be determinedtl1. First behavior feature Ta1. First content characteristic Tc1 and a second spatio-temporal feature Ttl2. Second behavior feature Ta2. Second content characteristic TcAnd 2, determining attack path information and virtual identity information of an attacker.
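The tracing steps described above (grouping alarms by a first association similarity derived from the Euclidean distance over the $T_{tl}$, $T_a$, $T_c$ features, then ordering one attacker's alarms in time into the path server C - server A - server B of the earlier server example) as an added Python example; this is not code from the patent, and the similarity mapping $1/(1+d_{xy})$, the threshold 0.4 and all alarm values are assumptions constructed here.

```python
"""Association tracing of security-device alarms (added example, not the patent's code).

Feature vectors follow the page's notation: T_tl (time and location), T_a
(behavior features) and T_c (content features). Mapping the Euclidean distance
d to the similarity 1 / (1 + d), the threshold 0.4 and every alarm value below
are assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
import math


@dataclass
class Alarm:
    device: str
    time: datetime
    region: float      # spatial part of T_tl, a coarse region code
    behavior: tuple    # T_a: (file operations, network probes, process operations)
    content: tuple     # T_c: (attack code signature id, target class)
    source_ip: str     # address the device saw the attack come from


# Constructed sample alarms: three belong to one intrusion, one is unrelated.
T0 = datetime(2022, 1, 24, 8, 0)
SAMPLE_ALARMS = [
    Alarm("server A", datetime(2022, 1, 24, 9, 0), 1, (3, 1, 2), (7, 1), "10.0.0.3"),
    Alarm("server B", datetime(2022, 1, 24, 9, 2), 1, (3, 1, 2), (7, 1), "10.0.0.1"),
    Alarm("server C", datetime(2022, 1, 24, 8, 59), 1, (3, 1, 3), (7, 1), "198.51.100.7"),
    Alarm("server D", datetime(2022, 1, 24, 14, 0), 4, (0, 9, 0), (2, 3), "203.0.113.9"),
]


def feature_vector(alarm, t0=T0):
    """Concatenate T_tl, T_a and T_c into one numeric vector (hours since t0, region, ...)."""
    hours = (alarm.time - t0).total_seconds() / 3600.0
    return [hours, alarm.region, *alarm.behavior, *alarm.content]


def euclidean(x, y):
    """Euclidean distance d_xy between two feature vectors, as in formula (1)."""
    return math.sqrt(sum((xk - yk) ** 2 for xk, yk in zip(x, y)))


def similarity(x, y):
    """Map the distance into (0, 1]: identical vectors score 1, distant ones approach 0."""
    return 1.0 / (1.0 + euclidean(x, y))


def trace(alarms, threshold=0.4):
    """Group alarms by presumed attacker: an alarm joins the first group whose earliest
    alarm is more similar than the threshold, otherwise it starts a new group."""
    groups = []
    for alarm in sorted(alarms, key=lambda a: a.time):
        for group in groups:
            if similarity(feature_vector(alarm), feature_vector(group[0])) > threshold:
                group.append(alarm)
                break
        else:
            groups.append([alarm])
    return groups


def attack_path(group):
    """Order one attacker's alarms by time, giving the path C -> A -> B of the text."""
    return [a.device for a in sorted(group, key=lambda a: a.time)]


def virtual_identity(group):
    """The source address seen by the earliest device on the path is the attacker's
    virtual identification (it may be spoofed or belong to a jump host)."""
    return min(group, key=lambda a: a.time).source_ip


if __name__ == "__main__":
    for g in trace(SAMPLE_ALARMS):
        print(attack_path(g), "virtual id:", virtual_identity(g))
```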
According to the embodiment of the disclosure, the first association similarity of different sample data is calculated through the association traceability analysis model, the sample data with high first association similarity is classified as the same attacker, the sample data belonging to the same attacker is subjected to traceability analysis, the attack path information and the virtual identity information of the attacker are determined, the information belonging to the same attacker can be automatically classified and analyzed according to the attack characteristic information, the time-consuming problem of manual judgment is effectively solved, and the judgment speed is increased.
FIG. 3 schematically illustrates a flow chart of a reverse analysis method according to an embodiment of the present disclosure.
As shown in fig. 3, the reverse analysis method of this embodiment includes operations S310 to S320.
In operation S310, the host authority of the attacker is obtained by actively detecting the vulnerability information according to the attack path information and the virtual identity information.
According to an embodiment of the disclosure, vulnerability information can be actively detected by means such as port scanning and vulnerability scanning. The vulnerability information may be a firewall vulnerability or a weak password, and the host authority of the attacker can be obtained by breaking through the firewall or cracking the weak password.
In operation S320, second attack information is acquired through the host authority of the attacker.
According to an embodiment of the disclosure, through the host authority of the attacker, information from which the real identity of the attacker can be directly or indirectly determined can be obtained, such as the real IP of the attacker, the attacker's work and rest times, the attacker's commonly used tools and the like.
According to an embodiment of the disclosure, the host authority of the attacker is obtained by actively detecting vulnerability information, so that the attacker's real identity information is obtained; this addresses the problem that attackers hide their identity by forging IP addresses, using springboards (jump hosts) and the like, which makes tracking difficult.
FIG. 4 schematically illustrates a flow chart of a reverse analysis method according to further embodiments of the present disclosure.
As shown in fig. 4, the reverse analysis method of this embodiment includes operations S410 to S420.
In operation S410, a simulation system is constructed according to the attack path information and the attacker virtual identity information.
According to an embodiment of the present disclosure, for example: according to the virtual IP address of an attacker, bait and false information leakage artifacts can be delivered to the code hosting platform, and a simulation system is constructed, for example: the simulation system may be an office OA system.
In operation S420, second attack information is acquired through alarm information triggered when an attacker attacks the simulation system.
According to an embodiment of the disclosure, since the simulation system is normally not accessed by anyone, any access to it can be judged to be attack behavior. One way of obtaining the second attack information is to use the alarm information triggered when the attacker attacks the simulation system and to obtain the cache data of the attacker's browser across domains by means of the JSONP (JSON with Padding) protocol, so as to obtain the attacker's real identity information, such as social account information. The attacker may also be induced to download a disguised remote-control Trojan; after the attacker downloads and executes the Trojan program, the attacker's host can be controlled to obtain the attacker's real identity identification information.
According to an embodiment of the disclosure, the attack behavior of the attacker is countered by constructing a simulation system in order to obtain the attacker's real identity identification information. Because the relevant information about the attacker is obtained directly at the moment the attacker launches the attack behavior, the identity of the attacker determined from the obtained information is more accurate.
According to an embodiment of the present disclosure, the information processing method further includes storing the first attack information, the second attack information, and the third attack information in an attacker database.
According to an embodiment of the disclosure, the attack path information, the attacker's virtual identity identification information and the attacker's tactical information obtained through tracing analysis and reverse analysis can be stored in the attacker database, so that when new information is obtained it is matched against the information in the attacker database and the real identity of the attacker is verified. For example: when new alarm information of security device A is obtained and the association similarity between the attack path information obtained through tracing analysis and the attack path information of attacker A in the attacker database is high, it can be preliminarily determined that the attacker behind the network attack reported in the alarm information of security device A may be attacker A.
According to an embodiment of the disclosure, the information related to an attacker obtained through tracing analysis and reverse analysis is stored in an attacker database, so that the attacker database can be used to query and match related attack path information and attack tactical information in order to preliminarily determine the attacker's identity information. Continuously adding information about the same attacker to the attacker database improves the accuracy of determining the attacker's identity.
According to an embodiment of the present disclosure, the information processing method further includes:
extracting fourth attack information according to the intelligence information, wherein the fourth attack information comprises identity identification information of an attack organization and tactical information of the attack organization;
calculating second association similarity between the fourth attack information and second attack information and/or third attack information in an attacker database;
and determining that the attacker comes from the attack organization under the condition that the second correlation similarity exceeds a second preset threshold value.
According to an embodiment of the disclosure, a certain attack organization usually obtains a forged virtual IP from its real IP address information through an algorithm A. Virtual IPs from the same attack organization therefore have a certain degree of association similarity. For example: the identity information of the attack organization extracted from the intelligence information may be the virtual address information IP1, and the virtual address information of attack organization A in the attacker database may be IP2.

According to an embodiment of the disclosure, the association similarity between the virtual address information IP1 and the virtual address information IP2 can be calculated using the Levenshtein distance and the LCS (longest common subsequence) distance calculation methods. For example: if the second preset threshold is 0.85 and the calculated association similarity between IP1 and IP2 is 0.7, it can be determined that attacker A is not from attack organization A. If the calculated association similarity between IP1 and IP2 is 0.9, it can be determined that attacker A is from attack organization A.
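The second association similarity described above as an added Python example, not the patent's own code: the Levenshtein and LCS distances between the two virtual address strings are each normalized to a similarity in [0, 1] and averaged, and the result is compared with the second preset threshold 0.85 given in the text. The normalization, the averaging rule and the sample addresses are assumptions constructed here.

```python
"""Second association similarity between virtual address strings (added example, not the patent's code).

The text compares the attack organization's virtual IP taken from intelligence (IP1)
with the virtual IP held in the attacker database (IP2) using Levenshtein and LCS
distances. Normalizing each distance to a similarity in [0, 1], averaging the two and
the sample addresses are assumptions constructed here; the threshold 0.85 is the page's.
"""

SECOND_PRESET_THRESHOLD = 0.85

# Constructed sample data: intelligence attributes IP1 to attack organization A; two
# candidate attacker addresses from the attacker database are compared against it.
IP1_FROM_INTELLIGENCE = "10.20.30.40"
IP2_ATTACKER_NEAR = "10.20.30.41"   # differs from IP1 in one character
IP2_ATTACKER_FAR = "10.99.99.40"    # differs from IP1 in four characters


def levenshtein(s, t):
    """Edit distance: insertions, deletions and substitutions each cost 1 (row-by-row DP)."""
    prev = list(range(len(t) + 1))
    for i, cs in enumerate(s, 1):
        cur = [i]
        for j, ct in enumerate(t, 1):
            cur.append(min(prev[j] + 1,                 # delete cs
                           cur[j - 1] + 1,              # insert ct
                           prev[j - 1] + (cs != ct)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def lcs_length(s, t):
    """Length of the longest common subsequence; the LCS distance is len(s)+len(t)-2*lcs."""
    prev = [0] * (len(t) + 1)
    for cs in s:
        cur = [0]
        for j, ct in enumerate(t, 1):
            cur.append(prev[j - 1] + 1 if cs == ct else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def levenshtein_similarity(s, t):
    """1.0 for identical strings, 0.0 when every character has to be edited."""
    longest = max(len(s), len(t))
    return 1.0 if longest == 0 else 1.0 - levenshtein(s, t) / longest


def lcs_similarity(s, t):
    """1.0 for identical strings, 0.0 when the strings share no characters in order."""
    total = len(s) + len(t)
    return 1.0 if total == 0 else 2.0 * lcs_length(s, t) / total


def second_association_similarity(ip1, ip2):
    """Average of the two normalized similarities (the combination rule is an assumption)."""
    return (levenshtein_similarity(ip1, ip2) + lcs_similarity(ip1, ip2)) / 2.0


def attributed_to_organization(ip_attacker, ip_org, threshold=SECOND_PRESET_THRESHOLD):
    """Return (similarity, decision): the attacker is attributed to the organization only
    when the second association similarity exceeds the second preset threshold."""
    sim = second_association_similarity(ip_attacker, ip_org)
    return sim, sim > threshold


if __name__ == "__main__":
    for candidate in (IP2_ATTACKER_NEAR, IP2_ATTACKER_FAR):
        sim, same_org = attributed_to_organization(candidate, IP1_FROM_INTELLIGENCE)
        print(f"{candidate}: similarity={sim:.3f} from organization A={same_org}")
```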
According to the embodiment of the disclosure, the relationship between the attacker and the attack organization can be determined by calculating the correlation similarity between the attack information of the attack organization extracted from the intelligence information and the attack information of the attacker stored in the attacker database, so that the attack organization to which the attacker belongs can be quickly tracked through the attacker, and the problem that the attack organization cannot be tracked in the related technology is solved.
FIG. 5 schematically shows a logic block diagram of an information processing flow according to an embodiment of the present disclosure.
As shown in fig. 5, the information processing flow of this embodiment includes operations S510 to S560.
In operation S510, security device alert information and intelligence information are obtained, wherein the intelligence information includes intelligence information from a threat data platform.
In operation S520, first attack information is obtained by analyzing the security device alarm information by tracing, where the first attack information includes attack path information and virtual identity information of an attacker.
In operation S530, second attack information is obtained by performing reverse analysis on the attacker according to the attack path information and the virtual identity information, where the second attack information includes real identity information of the attacker.
In operation S540, it is determined whether the second attack information can determine the true identity of the attacker, if so, operation S550 is performed, and if not, operation S520 is returned to.
In operation S550, an attacker portrait is constructed according to the first attack information and the second attack information.
In operation S560, third attack information is extracted according to the intelligence information and the attacker portrait information, wherein the third attack information includes attack tactical information, and the first attack information, the second attack information, and the third attack information are all stored in an attacker database.
Based on the information processing method, the disclosure also provides an information processing device. The apparatus will be described in detail below with reference to fig. 6.
Fig. 6 schematically shows a block diagram of the structure of an information processing apparatus according to an embodiment of the present disclosure.
As shown in fig. 6, the information processing apparatus 600 of this embodiment includes a first acquisition module 610, a second acquisition module 620, a third acquisition module 630, a construction module 640, and a first extraction module 650.
The first obtaining module 610 is used for obtaining the alarm information and the intelligence information of the security device, wherein the intelligence information includes the intelligence information from the threat data platform. In an embodiment, the first obtaining module 610 may be configured to perform the operation S210 described above, which is not described herein again.
The second obtaining module 620 is configured to obtain first attack information by analyzing the security device alarm information through tracing, where the first attack information includes attack path information and virtual identity information of an attacker. In an embodiment, the second obtaining module 620 may be configured to perform the operation S220 described above, which is not described herein again.
The third obtaining module 630 is configured to obtain second attack information by performing a counter analysis on the attacker according to the attack path information and the virtual identity information, where the second attack information includes real identity information of the attacker. In an embodiment, the third obtaining module 630 may be configured to perform the operation S230 described above, which is not described herein again.
The construction module 640 is configured to construct an attacker portrait according to the first attack information and the second attack information. In an embodiment, the building module 640 may be configured to perform the operation S240 described above, which is not described herein again.
The first extraction module 650 is configured to extract third attack information according to the intelligence information and the attacker portrait information, where the third attack information includes attack tactical information. In an embodiment, the first extracting module 650 may be configured to perform the operation S250 described above, and is not described herein again.
According to an embodiment of the present disclosure, the second acquisition module includes a first extraction unit and a first acquisition unit. The first extraction unit is used for extracting attack characteristic information from the security device alarm information, wherein the attack characteristic information comprises spatio-temporal feature information, content feature information and behavior feature information. The first acquisition unit is used for obtaining first attack information by tracing analysis of the association relationship among the spatio-temporal characteristic information, the content characteristic information and the behavior characteristic information of the alarm information of different security devices.
According to the embodiment of the disclosure, the first obtaining unit comprises a calculating subunit and a determining subunit, wherein the calculating subunit is configured to input the first sample data and the second sample data into an association traceability analysis model, and calculate a first association similarity, wherein the first sample data includes first temporal-spatial feature information, first content feature information, and first behavior feature information extracted from the first security device alarm information; the second sample data includes second spatiotemporal feature information, second content feature information, and second behavior feature information extracted from the second security device alert information. And the determining subunit is used for determining the first attack information according to the first sample data and the second sample data under the condition that the first association similarity exceeds a first preset threshold value.
According to an embodiment of the present disclosure, the second acquisition module includes a second acquisition unit and a third acquisition unit. And the second acquisition unit is used for acquiring the host authority of the attacker by actively detecting the vulnerability information according to the attack path information and the virtual identity identification information. And the third acquisition unit is used for acquiring the second attack information through the host authority of the attacker.
According to an embodiment of the present disclosure, the second obtaining module includes a constructing unit and a fourth obtaining unit. The construction unit is used for constructing the simulation system according to the attack path information and the attacker virtual identity identification information. And the fourth acquisition unit is used for acquiring second attack information through alarm information triggered when an attacker attacks the simulation system.
According to an embodiment of the present disclosure, the information processing apparatus further includes a storage module, configured to store the first attack information, the second attack information, and the third attack information in an attacker database.
According to an embodiment of the present disclosure, the information processing apparatus further includes a second extraction module, a calculation module, and a determination module. The second extraction module is used for extracting fourth attack information according to the intelligence information, wherein the fourth attack information comprises identity identification information of an attack organization and tactical information of the attack organization. And the calculation module is used for calculating second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database. And the determining module is used for determining that the attacker comes from the attack organization under the condition that the second correlation similarity exceeds a second preset threshold value.
According to the embodiment of the present disclosure, any plurality of the first obtaining module 610, the second obtaining module 620, the third obtaining module 630, the constructing module 640, and the first extracting module 650 may be combined in one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the first obtaining module 610, the second obtaining module 620, the third obtaining module 630, the constructing module 640, and the first extracting module 650 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or by a suitable combination of any several of them. Alternatively, at least one of the first obtaining module 610, the second obtaining module 620, the third obtaining module 630, the constructing module 640 and the first extracting module 650 may be at least partially implemented as a computer program module, which may perform a corresponding function when executed.
Fig. 7 schematically shows a block diagram of an electronic device adapted to implement an information processing method according to an embodiment of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. It is noted that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 700 may also include input/output (I/O) interface 705, which input/output (I/O) interface 705 is also connected to bus 704, according to an embodiment of the present disclosure. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the information processing method provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 701. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the processor 701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
According to embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more procedural and/or object oriented programming languages; in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. An information processing method comprising:
acquiring security device alarm information and intelligence information, wherein the intelligence information comprises intelligence information from a threat data platform;
analyzing the security device alarm information by tracing to obtain first attack information, wherein the first attack information comprises attack path information and virtual identity identification information of an attacker;
according to the attack path information and the virtual identity identification information, performing reverse control analysis on the attacker to obtain second attack information, wherein the second attack information comprises real identity identification information of the attacker;
constructing an attacker portrait according to the first attack information and the second attack information; and
and extracting third attack information according to the intelligence information and the attacker image information, wherein the third attack information comprises attack tactical information.
2. The method of claim 1, wherein obtaining first attack information by analyzing the security device alarm information by tracing comprises:
extracting attack characteristic information from the security device alarm information, wherein the attack characteristic information comprises: spatio-temporal feature information, content feature information, and behavior feature information;
and obtaining the first attack information by analyzing, by tracing, the association relationship among the spatio-temporal feature information, the content feature information and the behavior feature information of the alarm information of different security devices.
3. The method according to claim 2, wherein obtaining the first attack information by analyzing, by tracing, the association relationship among the spatio-temporal feature information, the content feature information and the behavior feature information of different security device alarm information comprises:
inputting first sample data and second sample data into an association traceability analysis model, and calculating a first association similarity, wherein the first sample data comprises first spatio-temporal feature information, first content feature information and first behavior feature information extracted from first security device alarm information, and the second sample data comprises second spatio-temporal feature information, second content feature information and second behavior feature information extracted from second security device alarm information;
and determining the first attack information according to the first sample data and the second sample data when the first association similarity exceeds a first preset threshold.
4. The method according to claim 1, wherein obtaining second attack information by performing reverse control analysis on the attacker according to the attack path information and the virtual identity identification information comprises:
acquiring host authority of the attacker through actively detecting vulnerability information, according to the attack path information and the virtual identity identification information;
and acquiring the second attack information through the host authority of the attacker.
5. The method according to claim 4, wherein obtaining second attack information by performing reverse control analysis on the attacker according to the attack path information and the attacker virtual identity identification information comprises:
constructing a simulation system according to the attack path information and the attacker virtual identity identification information;
and acquiring the second attack information through alarm information triggered when the attacker attacks the simulation system.
6. The method of claim 1, further comprising:
storing the first attack information, the second attack information, and the third attack information in an attacker database.
7. The method of claim 6, further comprising:
extracting fourth attack information according to the intelligence information, wherein the fourth attack information comprises identity identification information of an attack organization and tactical information of the attack organization;
calculating a second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database;
and determining that the attacker comes from the attack organization when the second association similarity exceeds a second preset threshold.
8. An information processing apparatus comprising:
a first acquisition module, configured to acquire security device alarm information and intelligence information, wherein the intelligence information comprises intelligence information from a threat data platform;
a second acquisition module, configured to obtain first attack information by analyzing the security device alarm information by tracing, wherein the first attack information comprises attack path information and virtual identity identification information of an attacker;
a third acquisition module, configured to obtain second attack information by performing reverse control analysis on the attacker according to the attack path information and the virtual identity identification information, wherein the second attack information comprises real identity identification information of the attacker;
a construction module, configured to construct an attacker portrait according to the first attack information and the second attack information; and
a first extraction module, configured to extract third attack information according to the intelligence information and the attacker portrait information, wherein the third attack information comprises attack tactical information.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 7.
11. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 7.
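
The following is an added illustration of the association similarity of claims 2-3 and the organization attribution of claim 7; it is not code from the patent. The claims name the three feature groups and the two thresholds but no model, so the weighted scoring function, the time window, the thresholds, the use of the alarm source address as the attacker's virtual identity, and all sample alarms and organization profiles are assumptions constructed here.

```python
from dataclasses import dataclass, field

@dataclass
class Alarm:
    device: str            # which security device raised the alarm
    ts: int                # spatio-temporal feature: epoch seconds
    src: str               # spatio-temporal feature: attacker-side address
    dst: str               # spatio-temporal feature: host that was hit
    content: set = field(default_factory=set)   # content features (assumed: payload markers)
    behavior: set = field(default_factory=set)  # behavior features (assumed: technique tags)

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def association_similarity(a, b, window=3600):
    """Assumed first association similarity in [0, 1]: time proximity, same source, feature overlap."""
    time_score = max(0.0, 1 - abs(a.ts - b.ts) / window)
    src_score = 1.0 if a.src == b.src else 0.0
    return 0.25 * (time_score + src_score
                   + jaccard(a.content, b.content) + jaccard(a.behavior, b.behavior))

def trace_first_attack_info(alarms, threshold=0.6):
    """Claims 2-3: chain alarms whose pairwise similarity exceeds the threshold into an
    attack path; unrelated alarms are skipped and the source addresses form the virtual identity."""
    ordered = sorted(alarms, key=lambda x: x.ts)
    last = ordered[0]
    path, identities, behaviors = [last.dst], {last.src}, set(last.behavior)
    for cur in ordered[1:]:
        if association_similarity(last, cur) >= threshold:
            if cur.dst != path[-1]:
                path.append(cur.dst)
            identities.add(cur.src)
            behaviors |= cur.behavior
            last = cur
    return {"attack_path": path, "virtual_identity": sorted(identities),
            "behaviors": behaviors}

def attribute_organization(attacker_tactics, org_profiles, threshold=0.5):
    """Claim 7: second association similarity between the attacker's stored tactical
    information and each organization's tactics; attribute only above the threshold."""
    org, score = max(((o, jaccard(attacker_tactics, t)) for o, t in org_profiles.items()),
                     key=lambda p: p[1])
    return org if score >= threshold else None

# Constructed sample data, not real alarms or intelligence.
SAMPLE_ALARMS = [
    Alarm("waf", 1000, "203.0.113.7", "web01", {"sqli-marker"}, {"initial-access"}),
    Alarm("edr", 1600, "203.0.113.7", "web01", {"sqli-marker", "webshell"},
          {"initial-access", "execution"}),
    Alarm("ids", 1900, "198.51.100.9", "db02", {"scan"}, {"discovery"}),  # unrelated
    Alarm("fw", 2500, "203.0.113.7", "db01", {"webshell"},
          {"execution", "lateral-movement"}),
]
ORG_PROFILES = {"ORG-A": {"initial-access", "execution", "lateral-movement", "exfiltration"},
                "ORG-B": {"phishing", "persistence"}}
```

With the sample data the unrelated ids alarm scores about 0.23 against the chain and is dropped, while the waf, edr and fw alarms link into the path web01 -> db01 and the collected behaviors attribute the attacker to ORG-A.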

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210083610.7A CN114422257B (en) 2022-01-24 2022-01-24 Information processing method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN114422257A true CN114422257A (en) 2022-04-29
CN114422257B CN114422257B (en) 2024-05-14

Family

ID=81278079

Country Status (1)

Country Link
CN (1) CN114422257B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801431A (en) * 2022-11-29 2023-03-14 国网山东省电力公司信息通信公司 Automatic threat tracing method, system, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108540441A (en) * 2018-02-07 2018-09-14 广州锦行网络科技有限公司 A kind of Active Defending System Against and method based on authenticity virtual network
CN111209570A (en) * 2019-12-31 2020-05-29 杭州安恒信息技术股份有限公司 Method for creating safe closed loop process based on MITER ATT & CK
CN111490970A (en) * 2020-02-19 2020-08-04 西安交大捷普网络科技有限公司 Tracing analysis method for network attack
CN112738126A (en) * 2021-01-07 2021-04-30 中国电子科技集团公司第十五研究所 Attack tracing method based on threat intelligence and ATT & CK
CN113055386A (en) * 2021-03-12 2021-06-29 哈尔滨安天科技集团股份有限公司 Method and device for identifying and analyzing attack organization

Also Published As

Publication number Publication date
CN114422257B (en) 2024-05-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant