CN114422257B - Information processing method, device, equipment and medium - Google Patents


Info

Publication number: CN114422257B
Authority: CN (China)
Prior art keywords: information, attack, attacker, acquiring, portraits
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210083610.7A
Other languages: Chinese (zh)
Other versions: CN114422257A (en)
Inventors: 王鹏, 闫海林, 蒋家堂, 贾紫倩
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC) (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Events
    • Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
    • Priority to CN202210083610.7A
    • Publication of CN114422257A
    • Application granted
    • Publication of CN114422257B
    • Legal status: Active
    • Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The disclosure provides an information processing method, apparatus, device and medium that can be applied in the fields of network information security and finance. The method comprises: acquiring security device alert information and intelligence information, the intelligence information including intelligence from a threat data platform; obtaining first attack information by trace-back analysis of the security device alert information, the first attack information including attack path information and the attacker's virtual identity information; obtaining second attack information by counter-analysis of the attacker according to the attack path information and the virtual identity information, the second attack information including the attacker's real identity information; constructing an attacker profile from the first attack information and the second attack information; and extracting third attack information from the intelligence information and the attacker profile information, the third attack information including attack tactics information.

Description

Information processing method, device, equipment and medium
Technical Field
The present disclosure relates to the field of network information security technologies, and in particular, to an information processing method, apparatus, device, medium, and program product.
Background
In the current network environment, as network attack techniques develop, effectively defending against network attacks and ensuring network security has become an urgent technical problem.
In the related art, network attackers can be tracked by route tracing, log analysis and packet marking techniques, among others. When an attacker hides behind spoofed IP addresses, jump hosts, anonymity networks and similar means, however, tracking alone rarely yields the attacker's real identity, so the attacks are hard to defend against effectively. Confirming the attacker's real identity then requires manual judgement based on other evidence, which consumes a great deal of time and labor and is slow.
Disclosure of Invention
In view of the above, the present disclosure provides an information processing method, apparatus, device, medium and program product.
According to a first aspect of the present disclosure, an information processing method is provided, comprising:
acquiring security device alert information and intelligence information, the intelligence information including intelligence from a threat data platform;
obtaining first attack information by trace-back analysis of the security device alert information, the first attack information including attack path information and the attacker's virtual identity information;
obtaining second attack information by counter-analysis of the attacker according to the attack path information and the virtual identity information, the second attack information including the attacker's real identity information;
constructing an attacker profile from the first attack information and the second attack information; and
extracting third attack information from the intelligence information and the attacker profile information, the third attack information including attack tactics information.
According to an embodiment of the present disclosure, obtaining first attack information by trace-back analysis of the security device alert information comprises:
extracting attack feature information from the security device alert information, the attack feature information comprising spatio-temporal feature information, content feature information and behavioral feature information; and
obtaining the first attack information by trace-back analysis of the associations among the spatio-temporal, content and behavioral feature information of alerts from different security devices.
According to an embodiment of the present disclosure, obtaining the first attack information by trace-back analysis of those associations comprises:
inputting first sample data and second sample data into an association trace-back analysis model and calculating a first association similarity, where the first sample data comprises first spatio-temporal, first content and first behavioral feature information extracted from first security device alert information, and the second sample data comprises second spatio-temporal, second content and second behavioral feature information extracted from second security device alert information; and
where the first association similarity exceeds a first preset threshold, determining the first attack information from the first sample data and the second sample data.
According to an embodiment of the present disclosure, obtaining second attack information by counter-analysis of the attacker according to the attack path information and the virtual identity information comprises:
actively probing for vulnerability information according to the attack path information and the virtual identity information so as to gain access to the attacker's host; and
obtaining the second attack information through that access to the attacker's host.
According to an embodiment of the present disclosure, obtaining second attack information by counter-analysis of the attacker according to the attack path information and the attacker's virtual identity information comprises:
constructing a simulation (decoy) system according to the attack path information and the attacker's virtual identity information; and
obtaining the second attack information from the alert information triggered when the attacker attacks the simulation system.
According to an embodiment of the present disclosure, the information processing method further comprises storing the first attack information, the second attack information and the third attack information in an attacker database.
According to an embodiment of the present disclosure, the information processing method further comprises:
extracting fourth attack information from the intelligence information, the fourth attack information comprising identity information of an attack organization and tactics information of the attack organization;
calculating a second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database; and
where the second association similarity exceeds a second preset threshold, determining that the attacker belongs to the attack organization.
A second aspect of the present disclosure provides an information processing apparatus comprising a first acquisition module, a second acquisition module, a third acquisition module, a construction module and a first extraction module. The first acquisition module acquires security device alert information and intelligence information, the intelligence information including intelligence from a threat data platform. The second acquisition module obtains first attack information by trace-back analysis of the security device alert information, the first attack information including attack path information and the attacker's virtual identity information. The third acquisition module obtains second attack information by counter-analysis of the attacker according to the attack path information and the virtual identity information, the second attack information including the attacker's real identity information. The construction module constructs an attacker profile from the first attack information and the second attack information. The first extraction module extracts third attack information from the intelligence information and the attacker profile information, the third attack information including attack tactics information.
According to an embodiment of the present disclosure, the second acquisition module comprises a first extraction unit and a first acquisition unit. The first extraction unit extracts attack feature information from the security device alert information, the attack feature information comprising spatio-temporal feature information, content feature information and behavioral feature information. The first acquisition unit obtains the first attack information by trace-back analysis of the associations among the spatio-temporal, content and behavioral feature information of alerts from different security devices.
According to an embodiment of the present disclosure, the first acquisition unit comprises a calculation subunit and a determination subunit. The calculation subunit inputs first sample data and second sample data into the association trace-back analysis model and calculates a first association similarity, where the first sample data comprises first spatio-temporal, first content and first behavioral feature information extracted from the first security device alert information, and the second sample data comprises second spatio-temporal, second content and second behavioral feature information extracted from the second security device alert information. The determination subunit determines the first attack information from the first sample data and the second sample data where the first association similarity exceeds a first preset threshold.
According to an embodiment of the present disclosure, the third acquisition module comprises a second acquisition unit and a third acquisition unit. The second acquisition unit actively probes for vulnerability information according to the attack path information and the virtual identity information so as to gain access to the attacker's host. The third acquisition unit obtains the second attack information through that access to the attacker's host.
According to an embodiment of the present disclosure, the third acquisition module comprises a construction unit and a fourth acquisition unit. The construction unit constructs a simulation system according to the attack path information and the attacker's virtual identity information. The fourth acquisition unit obtains the second attack information from the alert information triggered when the attacker attacks the simulation system.
According to an embodiment of the present disclosure, the information processing apparatus further comprises a storage module that stores the first attack information, the second attack information and the third attack information in an attacker database.
According to an embodiment of the present disclosure, the information processing apparatus further comprises a second extraction module, a calculation module and a determination module. The second extraction module extracts fourth attack information from the intelligence information, the fourth attack information comprising identity information of an attack organization and tactics information of the attack organization. The calculation module calculates a second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database. The determination module determines that the attacker belongs to the attack organization where the second association similarity exceeds a second preset threshold.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the information processing method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described information processing method.
The fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described information processing method.
According to embodiments of the present disclosure, attack path information and the attacker's virtual identity information are obtained by trace-back analysis of the security device alert information, and the attacker is then counter-analyzed on the basis of that attack path and virtual identity to obtain the attacker's real identity information. Combining trace-back analysis with counter-analysis restores the attack path and recovers the real identity of an attacker who has disguised that identity. An attacker profile is then constructed from the real identity information and the attack path information, tactics information is extracted from the profile, and the tactics information is used to further verify the attacker's identity, which improves both the effectiveness and the speed of network-defense judgements.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an exemplary application system framework of information processing methods, apparatuses, devices, media and program products according to embodiments of the present disclosure;
FIG. 2 schematically illustrates a flow chart of an information processing method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a counter-analysis method according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow chart of a counter-analysis method according to further embodiments of the present disclosure;
FIG. 5 schematically illustrates a logical block diagram of an information processing flow according to an embodiment of the disclosure;
Fig. 6 schematically shows a block diagram of a structure of an information processing apparatus according to an embodiment of the present disclosure; and
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement an information processing method according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, such a convention should in general be interpreted in the sense in which one of skill in the art would understand it (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
It should be noted that the information processing method and apparatus of the present disclosure may be used in the financial field and in the field of network information security technology, and may also be used in any field other than the financial field; the field of application of the information processing method and apparatus of the present disclosure is not limited.
In the technical solution of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure and application of users' personal information all comply with the relevant laws and regulations, necessary security measures are taken, and public order and good morals are not violated.
In the technical scheme of the disclosure, the authorization or consent of the user is obtained before the personal information of the user is obtained or acquired.
According to embodiments of the present disclosure, attack path information and the attacker's virtual identity information can be obtained by trace-back analysis of the security device alert information, and counter-analysis of the attacker on the basis of that attack path and virtual identity yields the attacker's real identity information; the combination of trace-back and counter-analysis restores the attack path and recovers the real identity of an attacker who has disguised that identity. An attacker profile is then constructed from the real identity information and the attack path information, tactics information is extracted from the profile, and the tactics information is used to further verify the attacker's identity, improving the effectiveness and the speed of network-defense judgements.
Fig. 1 schematically illustrates an exemplary application system framework of an information processing method, apparatus, device, medium and program product according to an embodiment of the present disclosure.
As shown in FIG. 1, the exemplary application system framework 100 includes an information acquisition module 101, a trace-back analysis module 102, a counter-analysis module 103, a profile construction module 104, an information extraction module 105 and a storage module 106.
The information acquisition module 101 may include an internal information collection unit 101-1, an external information collection unit 101-2 and a data arrangement unit 101-3. The internal information collection unit 101-1 collects alert information from internal security devices; the external information collection unit 101-2 collects intelligence information from external threat data platforms. Security device alert information may include host alerts, server alerts, alerts generated by running malicious samples, and so on. The intelligence information may include threat intelligence published on public platforms. The data arrangement unit 101-3 converts the acquired alert and intelligence information into a unified data format and can classify and deduplicate it by calculating the similarity between records, using Levenshtein-distance and golden-section LCS-distance (longest common subsequence) calculations.
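The normalization and similarity-based grouping performed by the data arrangement unit 101-3 can be illustrated with the following code. This is an added example and not code from the patent or its assignee: the three source record formats, the unified field names, the averaged Levenshtein/LCS similarity score and the 0.8 grouping threshold are assumptions made for the illustration, and the sample records are constructed.

```python
"""Normalize alerts and intelligence to one schema, then group near-duplicate
records by string similarity (Levenshtein distance and LCS distance).

Added example, not the patent's implementation. The source formats, the
field names, the similarity score and the threshold are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    source: str   # which collector produced it: "ids", "host" or "intel"
    ts: str       # ISO-8601 timestamp, UTC
    src_ip: str   # offending address (alerts) or indicator (intel)
    target: str   # attacked host (alerts) or targeted sector (intel)
    text: str     # rule name / message / description, whitespace-normalized


# Per-source field mapping onto the unified schema (assumed, not from the patent).
FIELD_MAP = {
    "ids":   {"ts": "timestamp",  "src_ip": "src",         "target": "dst",           "text": "signature"},
    "host":  {"ts": "time",       "src_ip": "remote_addr", "target": "hostname",      "text": "message"},
    "intel": {"ts": "first_seen", "src_ip": "indicator",   "target": "target_sector", "text": "description"},
}


def normalize(source: str, raw: dict) -> Record:
    m = FIELD_MAP[source]
    return Record(source, raw[m["ts"]], raw[m["src_ip"]], raw[m["target"]],
                  " ".join(raw[m["text"]].lower().split()))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), two-row dynamic programme."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lcs_length(a: str, b: str) -> int:
    """Length of the longest common subsequence."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def lcs_distance(a: str, b: str) -> int:
    """Insert/delete-only edit distance: len(a) + len(b) - 2 * LCS."""
    return len(a) + len(b) - 2 * lcs_length(a, b)


def similarity(a: str, b: str) -> float:
    """Mean of the two normalized similarities, in [0, 1]."""
    lev = 1 - levenshtein(a, b) / (max(len(a), len(b)) or 1)
    lcs = 1 - lcs_distance(a, b) / ((len(a) + len(b)) or 1)
    return (lev + lcs) / 2


def group_similar(records, threshold: float = 0.8):
    """Greedy grouping: a record joins the first group whose representative
    shares its src_ip and has text similarity >= threshold."""
    groups = []
    for r in records:
        for g in groups:
            if g[0].src_ip == r.src_ip and similarity(g[0].text, r.text) >= threshold:
                g.append(r)
                break
        else:
            groups.append([r])
    return groups


# Constructed sample input: one IDS alert, one host alert and one intel record.
SAMPLE_RAW = [
    ("ids",   {"timestamp": "2022-01-10T09:00:00Z", "src": "203.0.113.7", "dst": "10.0.0.5",
               "signature": "ET WEB_SERVER Possible SQL Injection"}),
    ("host",  {"time": "2022-01-10T09:00:03Z", "remote_addr": "203.0.113.7", "hostname": "10.0.0.5",
               "message": "ET WEB_SERVER  Possible SQL Injection attempt"}),
    ("intel", {"first_seen": "2022-01-01T00:00:00Z", "indicator": "203.0.113.7",
               "target_sector": "finance", "description": "Scanner host abusing SQLi payloads"}),
]


def demo():
    """Normalize the sample and group it: the two alerts merge, the intel stays apart."""
    return group_similar([normalize(src, raw) for src, raw in SAMPLE_RAW])


if __name__ == "__main__":
    for g in demo():
        print(len(g), "record(s):", g[0].text)
```

Run directly, the two alerts about the same SQL-injection attempt from 203.0.113.7 fall into one group and the intelligence record stays separate. Records are grouped only when they also share a source address, so unrelated alerts that happen to carry similar rule names are not merged.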
The trace-back analysis module 102 is communicatively connected to the information acquisition module 101 and performs trace-back analysis of the security device alert information to obtain the first attack information. It may include a spatio-temporal feature extraction unit 102-1, a behavioral feature extraction unit 102-2, a content feature extraction unit 102-3 and an association trace-back analysis unit 102-4. The association trace-back analysis unit 102-4 calculates the similarity of the extracted information with an association trace-back model and groups highly similar feature information into one class, from which the attack path information and the attacker's virtual identity information are obtained.
The counter-analysis module 103 is communicatively connected to the trace-back analysis module 102 and may include an active counter unit 103-1 and a passive counter unit 103-2. The active counter unit 103-1 uses the attacker's virtual identity information obtained by the trace-back analysis module 102 to find vulnerability information by means such as port scanning and vulnerability scanning, and then gains access to the attacker's host in order to obtain the attacker's real identity information (this is hack-back against attacker-controlled infrastructure, which in most jurisdictions requires explicit legal authority). The passive counter unit 103-2 constructs a simulation system by placing baits, fabricated information-leak artifacts and the like on code hosting platforms, and obtains the attacker's real identity information from the alert information triggered when the attacker attacks the simulation system.
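The passive counter unit's bait mechanism can be illustrated as follows. This is an added example, not the patent's implementation: the decoy-key format, the HMAC-based recognition of decoys, the plant registry, the authentication-log format and the log lines are all constructed for the illustration.

```python
"""Passive counter-analysis with decoy credentials (honeytokens).

Added example, not the patent's implementation. The decoy format, the
registry, the authentication-log format and the log lines are constructed.
A decoy is never used legitimately, so any request that presents it is
attacker activity, and the request metadata (source IP, user agent) is
real-identity evidence for the attacker profile.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Server-side key for recognizing our own decoys; never shipped with the bait.
DECOY_KEY = b"constructed-server-side-decoy-key"

# token_id -> where the bait was planted (constructed registry).
REGISTRY = {
    "repo0001": "public repo README, planted 2022-01-05",
    "paste007": "paste site, fake .env file",
}


@dataclass(frozen=True)
class DecoyHit:
    ts: str
    src_ip: str
    user_agent: str
    token_id: str
    planted_at: str


def _mac(token_id: str) -> str:
    return hmac.new(DECOY_KEY, token_id.encode(), hashlib.sha256).hexdigest()[:16]


def make_decoy(token_id: str) -> str:
    """Decoy shaped like an API key: DK-<id>-<mac>. The MAC binds the id to
    our key, so a forged or mistyped value is not mistaken for a plant."""
    return f"DK-{token_id}-{_mac(token_id)}"


def render_bait(token_id: str) -> str:
    """Fragment that looks like a leaked config file, ready to seed into a repo."""
    return (f"API_KEY={make_decoy(token_id)}\n"
            "API_URL=https://api.example.internal/v1\n")


def decoy_id(candidate: str) -> Optional[str]:
    """Return the token id if candidate is one of our decoys, else None."""
    m = re.fullmatch(r"DK-([a-z0-9]{8})-([0-9a-f]{16})", candidate)
    if not m:
        return None
    token_id, mac = m.groups()
    return token_id if hmac.compare_digest(mac, _mac(token_id)) else None


# Constructed auth-log format: <ts> <src_ip> "<user_agent>" key=<presented key>
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" key=(\S+)$')


def scan_auth_log(lines) -> list:
    """Every line whose presented key is a registered decoy becomes a DecoyHit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src_ip, ua, key = m.groups()
        tid = decoy_id(key)
        if tid in REGISTRY:
            hits.append(DecoyHit(ts, src_ip, ua, tid, REGISTRY[tid]))
    return hits


# Constructed sample log: a legitimate key, a forged decoy (bad MAC), a real hit.
SAMPLE_LOG = [
    '2022-01-10T09:13:55Z 10.0.0.21 "svc-billing/2.3" key=prod-5f1e9c0a7b3d',
    '2022-01-10T09:14:01Z 198.51.100.23 "curl/7.68.0" key=DK-repo0001-0000000000000000',
    f'2022-01-10T09:14:02Z 198.51.100.23 "curl/7.68.0" key={make_decoy("repo0001")}',
]


def demo():
    return scan_auth_log(SAMPLE_LOG)


if __name__ == "__main__":
    for h in demo():
        print(f"decoy {h.token_id} ({h.planted_at}) used from {h.src_ip} with {h.user_agent!r}")
```

Anything that presents a registered decoy is by construction attacker activity, so the source address and client string of each hit go straight into the attacker's identity evidence; the MAC check keeps a forged or mistyped key out of that evidence, and the registry records where the bait was planted, which tells the analyst which leak the attacker picked up.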
The profile construction module 104 is communicatively connected to the trace-back analysis module 102 and the counter-analysis module 103. Using the attack path information and the attacker's virtual identity information from the trace-back analysis module 102 and the attacker's real identity information from the counter-analysis module 103, it can construct a spatio-temporal relationship profile, an operational behavior profile, an abnormal access object profile and the like, and can combine these into a comprehensive profile of the attacker.
The information extraction module 105 may be communicatively connected to the information acquisition module 101 and is also communicatively connected to the profile construction module 104: it obtains the comprehensive attacker profile from the profile construction module 104, extracts attack tactics information by combining the profile with the intelligence collected by the external information collection unit 101-2, and thereby further verifies the attacker's real identity.
The storage module 106 may be communicatively connected to the information extraction module 105 and stores information associated with the attacker, which may include the intelligence information, the attack information from trace-back analysis, the attack information from counter-analysis, and so on.
The information processing method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 5 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flowchart of an information processing method according to an embodiment of the present disclosure.
As shown in fig. 2, the information processing method 200 of this embodiment includes operations S210 to S250.
In operation S210, security device alert information and intelligence information are acquired, the intelligence information including intelligence from a threat data platform.
According to embodiments of the present disclosure, the security device alert information may include alerts from security devices inside the system, host alerts, server alerts, alerts caused by running malicious samples, and so on. The intelligence information may include public threat intelligence from external data platforms, that is, threat-related information obtainable from open Internet sources: published intelligence feeds, subscribed security information, vulnerability information and other data. Such public information may comprise security-situation information, network-security early-warning information, security-event information, analysis results of network monitoring data, IP address reputation and the like, and can be collected with a web crawler.
In operation S220, first attack information is obtained by trace-back analysis of the security device alert information, the first attack information including attack path information and the attacker's virtual identity information.
According to embodiments of the present disclosure, taking server alert information as an example, the attack path can be obtained by trace-back analysis of the time and frequency of server anomalies, the code used to attack the server, and similar information. For example, if the alert for server A occurs at 9:00, the alert for server B at 9:02 and the alert for server C at 8:59, and each server alerts once, the attack path is server C - server A - server B. Following the path back to its first hop yields the IP address from which the attacker reached server C, which is taken as the attacker's virtual identity information.
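The ordering and trace-back described above, together with the association-similarity threshold used in the embodiment, can be illustrated with the following code. This is an added example, not the patent's association trace-back model: the alert schema, the content and behavior feature sets, the weights, the ten-minute time window, the 0.5 threshold and the alerts themselves are constructed, arranged to reproduce the C-A-B path of the example.

```python
"""Trace-back over security-device alerts: reconstruct the attack path from
alert times, walk it back to the entry address (the attacker's virtual
identity), and score alert pairs for association on spatio-temporal,
content and behavioral features.

Added example, not the patent's association model. The alert schema, the
feature sets, the weights, the time window and the threshold are
assumptions; the alerts are constructed to match the patent's C-A-B example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")


@dataclass(frozen=True)
class Alert:
    device: str                # host/server that raised the alert
    ts: datetime               # spatio-temporal feature: when
    src_ip: str                # spatio-temporal feature: where the connection came from
    content: FrozenSet[str]    # content features: payload/rule tokens
    behavior: FrozenSet[str]   # behavioral features: actions observed


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def association_similarity(x: Alert, y: Alert, window=timedelta(minutes=10),
                           weights=(0.3, 0.4, 0.3)) -> float:
    """Weighted sum: time proximity (1 at the same instant, 0 beyond the
    window), content Jaccard, behavior Jaccard."""
    dt = abs((x.ts - y.ts).total_seconds())
    temporal = max(0.0, 1 - dt / window.total_seconds())
    return (weights[0] * temporal
            + weights[1] * jaccard(x.content, y.content)
            + weights[2] * jaccard(x.behavior, y.behavior))


def correlate(alerts, threshold: float = 0.5):
    """Single-linkage grouping in time order: an alert joins the first group
    containing any member it is associated with above the threshold."""
    groups = []
    for a in sorted(alerts, key=lambda a: a.ts):
        for g in groups:
            if any(association_similarity(a, m) >= threshold for m in g):
                g.append(a)
                break
        else:
            groups.append([a])
    return groups


def attack_path(group) -> list:
    """Devices ordered by their first alert (one alert per server in the
    patent's example: C at 8:59, A at 9:00, B at 9:02 gives C-A-B)."""
    first = {}
    for a in group:
        if a.device not in first or a.ts < first[a.device]:
            first[a.device] = a.ts
    return sorted(first, key=first.get)


def entry_ip(group) -> Optional[str]:
    """Virtual identity: source address of the earliest alert whose source
    is not an internal host, i.e. the address that hit the first hop."""
    for a in sorted(group, key=lambda a: a.ts):
        if not a.src_ip.startswith(INTERNAL_PREFIXES):
            return a.src_ip
    return None


def trace(alerts, threshold: float = 0.5):
    return [{"path": attack_path(g), "entry_ip": entry_ip(g), "alerts": len(g)}
            for g in correlate(alerts, threshold)]


def _t(hh: int, mm: int) -> datetime:
    return datetime(2022, 1, 10, hh, mm)


# Constructed alerts: C is hit from outside, A from C's address, B from A's
# address; D is an unrelated brute-force attempt from a second external host.
SAMPLE_ALERTS = [
    Alert("server-A", _t(9, 0), "10.0.0.12",
          frozenset({"ua:x-tool/1.0", "webshell"}), frozenset({"web_request", "db_error", "file_write"})),
    Alert("server-B", _t(9, 2), "10.0.0.5",
          frozenset({"ua:x-tool/1.0", "webshell"}), frozenset({"web_request", "file_write"})),
    Alert("server-C", _t(8, 59), "203.0.113.7",
          frozenset({"ua:x-tool/1.0", "sqli"}), frozenset({"web_request", "db_error"})),
    Alert("server-D", _t(9, 1), "198.51.100.9",
          frozenset({"ssh", "bruteforce"}), frozenset({"login_failed"})),
]


if __name__ == "__main__":
    for r in trace(SAMPLE_ALERTS):
        print(" -> ".join(r["path"]), "entry:", r["entry_ip"], f"({r['alerts']} alerts)")
```

Single-linkage grouping matters here: server B's alert is not similar enough to server C's on its own, but it is to server A's, so it still joins the same campaign, while an unrelated brute-force alert arriving in the same minutes stays separate and yields its own path and entry address.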
In operation S230, second attack information is obtained by counter-analysis of the attacker according to the attack path information and the virtual identity information, the second attack information including the attacker's real identity information.
According to embodiments of the present disclosure, the attacker can be countered through the virtual identity information. For example, the virtual identity information may be a virtual login account; that account can be actively probed, and if it is found to use a weak password, access to the attacker's host can be gained through that password, and real identity information of the attacker, such as social media account information, can then be recovered from the attacker's host.
In operation S240, an attacker profile is constructed from the first attack information and the second attack information.
According to embodiments of the present disclosure, the attacker's operational behavior, habits, working and resting hours and the like can be reconstructed from the attack path information, and a spatio-temporal relationship profile and an operational behavior profile of the attacker can be drawn from them. An abnormal access object profile can be drawn from the attacker's virtual identity information and real identity information. The spatio-temporal relationship profile, the operational behavior profile and the abnormal access object profile can then be combined into a comprehensive profile of the attacker.
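Profile construction, and the organization attribution described in the disclosure (fourth attack information, second association similarity, second preset threshold), can be illustrated as follows. This is an added example, not the patent's model: the three profile views, the equal weighting of identity overlap and technique overlap, the 0.6 threshold and all sample events, identities and organization records are constructed (the technique identifiers follow the ATT&CK naming style).

```python
"""Attacker profile construction and organization attribution.

Added example, not the patent's model. The profile views (spatio-temporal,
behavioral, abnormal-access-object), the identity/technique weighting, the
threshold and all sample data are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AttackerProfile:
    active_hours: Counter          # spatio-temporal view: UTC hour -> events
    techniques: FrozenSet[str]     # behavioral view: technique identifiers
    targets: FrozenSet[str]        # abnormal-access-object view: hosts touched
    identities: FrozenSet[str]     # virtual + real identity indicators


@dataclass(frozen=True)
class OrgIntel:
    """Fourth attack information: an organization's identity and tactics."""
    name: str
    identities: FrozenSet[str]
    techniques: FrozenSet[str]


def build_profile(events, identities) -> AttackerProfile:
    """events: (timestamp, technique, target) tuples from the first/second
    attack information; identities: addresses, handles and accounts from
    trace-back and counter-analysis."""
    return AttackerProfile(
        active_hours=Counter(ts.hour for ts, _, _ in events),
        techniques=frozenset(t for _, t, _ in events),
        targets=frozenset(o for _, _, o in events),
        identities=frozenset(identities),
    )


def peak_hours(profile: AttackerProfile, k: int = 8) -> List[int]:
    """Work/rest rhythm: the k busiest UTC hours, busiest first."""
    ranked = sorted(profile.active_hours.items(), key=lambda kv: (-kv[1], kv[0]))
    return [h for h, _ in ranked[:k]]


def jaccard(a: frozenset, b: frozenset) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def org_similarity(profile: AttackerProfile, org: OrgIntel,
                   w_identity: float = 0.5, w_ttp: float = 0.5) -> float:
    """Second association similarity: the organization's identity indicators
    against the attacker's identity information, its tactics against the
    profile's techniques."""
    return (w_identity * jaccard(profile.identities, org.identities)
            + w_ttp * jaccard(profile.techniques, org.techniques))


def attribute(profile: AttackerProfile, orgs, threshold: float = 0.6) -> Tuple[Optional[str], float]:
    """Best-scoring organization if its score clears the threshold, else None."""
    scored = sorted(((org_similarity(profile, o), o.name) for o in orgs), reverse=True)
    score, name = scored[0]
    return (name if score >= threshold else None), score


# Constructed data: attack events correlated from alerts, identities from
# trace-back (address) and counter-analysis (handle), and two org records.
SAMPLE_EVENTS = [
    (datetime(2022, 1, 10, 1, 0), "T1190", "web-01"),
    (datetime(2022, 1, 10, 1, 20), "T1505.003", "web-01"),
    (datetime(2022, 1, 10, 2, 5), "T1021.004", "db-01"),
    (datetime(2022, 1, 10, 3, 40), "T1048", "db-01"),
    (datetime(2022, 1, 11, 1, 10), "T1190", "web-02"),
]
SAMPLE_IDENTITIES = ["203.0.113.7", "handle:nightowl"]
SAMPLE_ORGS = [
    OrgIntel("GROUP-X", frozenset({"203.0.113.7", "handle:nightowl", "198.51.100.9"}),
             frozenset({"T1190", "T1505.003", "T1021.004", "T1048", "T1059"})),
    OrgIntel("GROUP-Y", frozenset({"192.0.2.44"}), frozenset({"T1566", "T1204"})),
]


def demo():
    profile = build_profile(SAMPLE_EVENTS, SAMPLE_IDENTITIES)
    return profile, attribute(profile, SAMPLE_ORGS)


if __name__ == "__main__":
    profile, (org, score) = demo()
    print("peak hours (UTC):", peak_hours(profile), "targets:", sorted(profile.targets))
    print("attributed to:", org, f"score={score:.3f}")
```

The hour histogram is the work-and-rest rhythm the text refers to: on the sample, activity clusters at 01:00 to 03:00 UTC. The attribution step only returns an organization whose combined identity and technique overlap clears the threshold, so the profile is attributed to GROUP-X and not to GROUP-Y, and a profile that matches nothing well yields no attribution rather than a weak guess.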
In operation S250, third attack information is extracted according to the intelligence information and the attacker portrayal information, wherein the third attack information includes attack tactical information.
According to an embodiment of the present disclosure, for example: because the intelligence information comes from public-network intelligence operators, part of the characteristic information describing the attacker's behavior, for example attack code features and attack behavior path features, can be extracted from it. Combined with the portrait information of the attacker, attack tactic information, for example attack procedure characteristic information and attack technique characteristic information, can be extracted.
According to an embodiment of the disclosure, the attack path information and the virtual identity information of the attacker can be obtained by tracing analysis of the security device alarm information, and the attacker is then counter-analyzed according to the attack path information and the virtual identity information to obtain the real identity information of the attacker; by combining tracing analysis with counter-analysis, the attack path is restored and the real identity information of an attacker who has disguised their identity is obtained. An attacker portrait is then constructed from the real identity information and the attack path information of the attacker, tactic information is extracted from the attacker portrait, and the identity information of the attacker is further verified through the tactic information, thereby improving the effectiveness and the judgment speed of network defense.
According to an embodiment of the present disclosure, acquiring first attack information by tracing and analyzing security device alarm information includes:
extracting attack characteristic information from the security device alarm information, wherein the attack characteristic information comprises: space-time characteristic information, content characteristic information and behavior characteristic information;
and acquiring first attack information by tracing and analyzing the association relationships among the space-time characteristic information, content characteristic information and behavior characteristic information of the alarm information of different security devices.
According to embodiments of the present disclosure, the spatiotemporal feature information may include temporal features and location features of an attacker launching an attack. The content feature information may include attack goal features, attack purpose features, attack time features, attack code features, uniform resource locator features, domain name features, and the like. The behavior feature information may include file operation behavior features, network probe behavior features, and process operation behavior features.
According to an embodiment of the disclosure, the first attack information may be acquired by analyzing the association relationships among the space-time characteristic information, the content characteristic information and the behavior characteristic information. For example: the space-time characteristic information extracted from the alarm information of security device A may show that the attacker launched the attack from area A of a certain locality, and the space-time characteristic information extracted from the alarm information of security device B may show that the attack was likewise launched from area A of that locality; from this space-time characteristic information it can be inferred that the two attacks come from the same attacker A, and the virtual identity information of attacker A, for example a virtual IP address, can be obtained from the alarm information of security device A and the alarm information of security device B.
According to an embodiment of the disclosure, the accuracy of tracing analysis can be improved by extracting, in a multi-dimensional manner, the space-time characteristic information, behavior characteristic information and content characteristic information that are correlated with the identity of the attacker.
According to an embodiment of the present disclosure, acquiring first attack information by tracing and analyzing association relations among spatiotemporal feature information, content feature information and behavior feature information of alarm information of different security devices includes:
inputting first sample data and second sample data into an association tracing analysis model and calculating a first association similarity, wherein the first sample data comprises first space-time characteristic information, first content characteristic information and first behavior characteristic information extracted from first security device alarm information, and the second sample data comprises second space-time characteristic information, second content characteristic information and second behavior characteristic information extracted from second security device alarm information;
and under the condition that the first association similarity exceeds a first preset threshold value, determining first attack information according to the first sample data and the second sample data.
According to an embodiment of the present disclosure, for example: the space-time characteristic information extracted from one piece of security device alarm information can be denoted T_tl, where "T" represents threat information, "t" represents the attack time and "l" represents the spatial feature; the behavior characteristic information is denoted T_a, where "a" represents the behavior feature; and the content characteristic information is denoted T_c, where "c" represents the content feature. The space-time characteristic information T_tl, the behavior characteristic information T_a and the content characteristic information T_c are input into the association tracing analysis model, and the first association similarity between the space-time, behavior and content characteristic information of different security device alarm information is calculated, where the first association similarity can be calculated using the Euclidean distance formula shown in formula (I):
where d_xy represents the distance between the feature vectors, and x_k and y_k represent the two feature vectors.
According to an embodiment of the present disclosure, for example: the first sample data extracted from the alarm information of security device A may be (T_tl1, T_a1, T_c1), and the second sample data extracted from the alarm information of security device B may be (T_tl2, T_a2, T_c2). If the calculated first association similarity is greater than the first preset threshold, it may be determined that the alarm information of security device A and the alarm information of security device B were generated by the same attacker launching a network attack on both devices, and the attack path information and the virtual identity information of the attacker may be determined from the first space-time feature T_tl1, the first behavior feature T_a1, the first content feature T_c1, the second space-time feature T_tl2, the second behavior feature T_a2 and the second content feature T_c2 in the two pieces of alarm information.
According to an embodiment of the disclosure, the first association similarity of different sample data is calculated by the association tracing analysis model, sample data with a high first association similarity is classified under the same attacker, tracing analysis is performed on the sample data belonging to the same attacker, and the attack path information and the virtual identity information of the attacker are determined. In this way, the information belonging to the same attacker can be automatically classified and analyzed according to the attack characteristic information, which removes the time cost of manual judgment and improves the speed of judgment.
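The tracing step described in operations S220 and in the association model above, as an added example that is not code from the patent or its assignee: alarms carry the three feature groups (T_tl, T_a, T_c) as numeric vectors, the first association similarity is derived from the Euclidean distance d_xy between two such vectors (the patent names the formula only by its where-clause, so the standard Euclidean distance and the mapping 1/(1+d) to a similarity are assumptions here), alarms whose similarity exceeds the threshold are grouped under one attacker, and each group's alarms are ordered by time to recover the attack path (server C - server A - server B in the patent's own 8:59 / 9:00 / 9:02 example) and the virtual identity seen on that path. The feature encodings, IP addresses and threshold are constructed sample values.

```python
"""Added example (not from patent CN114422257B): associate security-device
alarms by Euclidean distance over their (T_tl, T_a, T_c) features, group those
whose first association similarity exceeds a threshold under one attacker, and
order each attacker's alarms by time to recover the attack path and the
virtual identity (source IP) seen on that path. All alarms below are
constructed sample data; the feature encodings and the similarity mapping
1/(1+d) are assumptions, not the patent's own definitions."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    device: str        # security device / server that raised the alarm
    time_hhmm: str     # attack time feature (part of T_tl)
    location: float    # coarse numeric code of the source area (part of T_tl), assumed encoding
    behavior: float    # numeric encoding of the behavior feature T_a, assumed
    content: float     # numeric encoding of the content feature T_c, assumed
    virtual_ip: str    # source IP reported in the alarm (attacker's virtual identity)


def minutes_of_day(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def feature_vector(a: Alarm) -> tuple:
    # Time is scaled to hours so that a few minutes' difference stays small
    # relative to the other features (a scaling choice, not from the patent).
    return (minutes_of_day(a.time_hhmm) / 60.0, a.location, a.behavior, a.content)


def euclidean_distance(x, y) -> float:
    # d_xy = sqrt(sum_k (x_k - y_k)^2)
    return math.sqrt(sum((xk - yk) ** 2 for xk, yk in zip(x, y)))


def first_association_similarity(a: Alarm, b: Alarm) -> float:
    # Map the distance to a similarity in (0, 1]; identical features give 1.0.
    return 1.0 / (1.0 + euclidean_distance(feature_vector(a), feature_vector(b)))


def group_by_attacker(alarms, threshold: float):
    """Single-link grouping: alarms whose pairwise similarity exceeds the
    threshold (directly or transitively) are attributed to one attacker."""
    parent = list(range(len(alarms)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(alarms)):
        for j in range(i + 1, len(alarms)):
            if first_association_similarity(alarms[i], alarms[j]) > threshold:
                parent[find(i)] = find(j)

    groups = {}
    for i, alarm in enumerate(alarms):
        groups.setdefault(find(i), []).append(alarm)
    return list(groups.values())


def first_attack_info(group):
    """Attack path = devices in order of alarm time; virtual identity =
    the source IPs seen along that path."""
    ordered = sorted(group, key=lambda a: minutes_of_day(a.time_hhmm))
    return {
        "attack_path": [a.device for a in ordered],
        "virtual_identity": sorted({a.virtual_ip for a in ordered}),
    }


# Constructed sample alarms: servers A, B and C at 9:00, 9:02 and 8:59 from
# the same area and source IP (the patent's example), plus an unrelated alarm.
ALARMS = [
    Alarm("server A", "09:00", 1.0, 1.0, 1.0, "198.51.100.7"),
    Alarm("server B", "09:02", 1.0, 1.0, 1.0, "198.51.100.7"),
    Alarm("server C", "08:59", 1.0, 1.0, 1.0, "198.51.100.7"),
    Alarm("server D", "13:30", 4.0, 0.0, 2.0, "203.0.113.9"),
]


def trace_alarms(alarms=ALARMS, threshold: float = 0.9):
    """First attack information for every attacker found in the alarms."""
    return [first_attack_info(g) for g in group_by_attacker(alarms, threshold)]


if __name__ == "__main__":
    for info in trace_alarms():
        print(info)
```

The threshold has to be tuned against the feature scaling: with time in hours, alarms two minutes apart from the same area score about 0.97, while the unrelated 13:30 alarm from another area scores well below 0.2, so 0.9 separates them cleanly; in a production feed the same scaling choice decides how far apart in time two hops of one intrusion may be before they are split into separate attackers.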
Fig. 3 schematically illustrates a flow chart of a counter-analysis method according to an embodiment of the present disclosure.
As shown in fig. 3, the counter-analysis method of this embodiment includes operations S310 to S320.
In operation S310, host permission of an attacker is obtained by actively detecting vulnerability information according to the attack path information and the virtual identity information.
According to the embodiment of the disclosure, the vulnerability information can be actively detected through port scanning, vulnerability scanning and other modes. The vulnerability information can be firewall vulnerabilities or weak passwords, and host authorities of attackers can be obtained by cracking the firewalls or the weak passwords.
In operation S320, second attack information is acquired through the host authority of the attacker.
According to the embodiment of the disclosure, through the host authority of the attacker, information such as the real IP of the attacker, the attack duration, common tools of the attacker and the like can be obtained, and the real identity of the attacker can be directly or indirectly determined.
According to an embodiment of the disclosure, the host authority of the attacker is obtained by actively probing the vulnerability information, so that the real identity information of the attacker is obtained; this addresses the difficulty of tracking an attacker who conceals their identity by forging an IP, using jump hosts (springboards) and the like.
Fig. 4 schematically shows a flow chart of a counter-analysis method according to further embodiments of the present disclosure.
As shown in fig. 4, the counter-analysis method of this embodiment includes operations S410 to S420.
In operation S410, a simulation system is constructed according to the attack path information and the attacker virtual identity information.
According to an embodiment of the present disclosure, for example: according to the virtual IP address of the attacker, decoys and forged information-leak artifacts are placed on a code hosting platform, and a simulation system is constructed; for example, the simulation system may be an office OA system.
In operation S420, second attack information is acquired through the alarm information triggered when the attacker attacks the simulation system.
According to an embodiment of the present disclosure, since the simulation system is generally not accessed by legitimate users, any access to it can be determined to be an attack. One way of acquiring the second attack information through the alarm information triggered when the attacker attacks the simulation system is to acquire cached data of the attacker's browser cross-domain using the JSONP (JSON with Padding) protocol, so as to obtain real identity information of the attacker, such as social account information. The attacker's host can also be controlled after the attacker downloads and executes a Trojan program, so as to acquire the real identity information of the attacker.
According to an embodiment of the disclosure, the attack behavior of the attacker is countered by constructing the simulation system to obtain the real identity information of the attacker; this method can directly obtain information about the attacker at the moment the attacker initiates the attack behavior, so the identity of the attacker determined from the obtained information is more accurate.
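The alarm side of operation S420, as an added example that is not code from the patent or its assignee: because no legitimate user has a reason to reach the simulation (decoy) system, every request in its access log is treated as attack activity, grouped per source IP, and marked when that IP already appears in the virtual identity information recovered by tracing analysis. The log lines, IP addresses and the monitoring-probe allowlist are constructed assumptions for the example; the allowlist is the one practical caveat, since the operator's own health checks are the only traffic on a decoy that must not raise an alarm.

```python
"""Added example (not from patent CN114422257B): alert on any access to a
decoy (simulation) system. Every request that is not from the operator's own
monitoring probe is attack activity; alerts are grouped per source IP and tied
back to the virtual identity already recovered by tracing analysis. Log lines,
addresses and the allowlist are constructed assumptions for the example."""
import re
from datetime import datetime

# Combined Log Format fields that the decoy web server is assumed to emit.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed access log of the decoy "office OA" system.
DECOY_LOG = """\
198.51.100.7 - - [12/Jan/2022:09:05:11 +0800] "GET /oa/login HTTP/1.1" 200 1024
198.51.100.7 - - [12/Jan/2022:09:05:19 +0800] "POST /oa/login HTTP/1.1" 302 0
203.0.113.9 - - [12/Jan/2022:09:07:02 +0800] "GET /oa/files/leaked_config.zip HTTP/1.1" 200 54321
192.0.2.10 - - [12/Jan/2022:09:10:00 +0800] "GET /healthz HTTP/1.1" 200 2
"""

# Source IPs of the operator's own monitoring probes (assumed); their
# health checks are the only decoy traffic that must not raise an alarm.
PROBE_ALLOWLIST = {"192.0.2.10"}


def parse_decoy_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def decoy_alerts(records, traced_virtual_ips, allowlist=PROBE_ALLOWLIST):
    """One alert per source IP that touched the decoy, enriched with whether
    that IP already appears in the first attack information."""
    by_ip = {}
    for rec in records:
        if rec["ip"] in allowlist:
            continue
        alert = by_ip.setdefault(rec["ip"], {
            "source_ip": rec["ip"],
            "first_seen": rec["ts"],
            "requests": [],
            "matches_traced_attacker": rec["ip"] in traced_virtual_ips,
        })
        alert["first_seen"] = min(alert["first_seen"], rec["ts"])
        alert["requests"].append(f'{rec["method"]} {rec["path"]}')
    return list(by_ip.values())


def run_example():
    """Alerts for the constructed log, given the IP traced in operation S220."""
    records = parse_decoy_log(DECOY_LOG)
    return decoy_alerts(records, traced_virtual_ips={"198.51.100.7"})


if __name__ == "__main__":
    for alert in run_example():
        print(alert["source_ip"], alert["matches_traced_attacker"], alert["requests"])
```

An alert whose source already matches a traced virtual IP corroborates the attack path from operation S220; one that does not is a new lead that still has to go through the association model before it is attributed to a known attacker.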
According to an embodiment of the present disclosure, the above information processing method further includes storing the first attack information, the second attack information, and the third attack information in an attacker database.
According to an embodiment of the disclosure, the attack path information, the virtual identity information and the tactic information of the attacker acquired through tracing analysis and counter-analysis can be stored in the attacker database, so that when new information is acquired it can be matched against the information in the attacker database to verify the real identity of the attacker. For example: when new alarm information of security device A is acquired and the association similarity between the attack path information of the attacker obtained by tracing analysis and the attack path information of attacker A in the attacker database is high, it can be preliminarily determined that the attacker behind the network attack reported in the alarm information of security device A may be attacker A.
According to the embodiment of the disclosure, the information related to the attacker obtained through the traceability analysis and the countermeasures analysis is stored in an attacker database, so that the relevant attack path information and attack tactic information are conveniently queried and matched from the attacker database, and the identity information of the attacker is preliminarily determined. The accuracy of determining the identity of an attacker can also be improved by increasing the information for the same attacker in the attacker database.
According to an embodiment of the present disclosure, the above information processing method further includes:
Extracting fourth attack information according to the information, wherein the fourth attack information comprises the identity information of the attack organization and tactical information of the attack organization;
calculating second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database;
and under the condition that the second association similarity exceeds a second preset threshold value, determining that the attacker is from the attack organization.
According to an embodiment of the present disclosure, an attack organization generally produces its forged virtual IPs from real IP address information by some algorithm A, so that virtual IPs from the same attack organization have a certain degree of association similarity. For example: the identity information of the attack organization extracted from the intelligence information may be the virtual address information IP1, while the virtual address information of attack organization A in the attacker database is IP2.
According to an embodiment of the present disclosure, the association similarity between the virtual address information IP1 and the virtual address information IP2 may be calculated by combining the Levenshtein distance and the LCS (longest common subsequence) distance with golden-section weighting. For example: if the second preset threshold is 0.85 and the calculated association similarity between IP1 and IP2 is 0.7, it can be determined that attacker A is not from attack organization A; if the calculated association similarity between IP1 and IP2 is 0.9, it can be determined that attacker A is from attack organization A.
According to an embodiment of the disclosure, the relationship between an attacker and an attack organization can be determined by calculating the association similarity between the attack information of the attack organization and the attack information of the attacker stored in the attacker database, so that the attack organization to which the attacker belongs can be traced quickly, addressing the inability of the related art to trace the attack organization.
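The attacker database and the organization attribution described in the two passages above, as one added example that is not code from the patent or its assignee: the database holds the first, second and third attack information per attacker and the fourth attack information per organization, and the second association similarity between an organization's virtual address string and an attacker's is computed from the Levenshtein distance and the LCS length. The patent names both measures and a golden-section combination but not the exact formula, so the normalisation (each measure divided by the longer string length) and the weights 0.618 / 0.382 are assumptions; the 0.85 threshold is the patent's, and all addresses, identifiers and tactic labels are constructed placeholders.

```python
"""Added example (not from patent CN114422257B): an attacker database plus
organization attribution by the second association similarity between virtual
address strings, built from the Levenshtein distance and the LCS length and
combined with golden-section weights. Normalisation, weights, addresses and
names are assumptions for the example; the 0.85 threshold is the patent's."""
import math

GOLDEN = (math.sqrt(5) - 1) / 2   # 0.618..., the golden-section ratio (assumed weighting)


def levenshtein(a: str, b: str) -> int:
    """Classic two-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lcs_length(a: str, b: str) -> int:
    """Length of the longest common subsequence, two-row DP."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def second_association_similarity(s1: str, s2: str) -> float:
    """Golden-section blend of Levenshtein similarity and LCS similarity,
    both normalised by the longer string so the result lies in [0, 1]."""
    n = max(len(s1), len(s2))
    if n == 0:
        return 1.0
    lev_sim = 1.0 - levenshtein(s1, s2) / n
    lcs_sim = lcs_length(s1, s2) / n
    return GOLDEN * lev_sim + (1.0 - GOLDEN) * lcs_sim


class AttackerDatabase:
    """Stores per-attacker first/second/third attack information and
    per-organization fourth attack information (all placeholder values)."""

    def __init__(self, threshold: float = 0.85):
        self.threshold = threshold      # second preset threshold from the patent
        self.attackers = {}
        self.organizations = {}

    def store_attacker(self, attacker_id, attack_path, virtual_ip, real_ip=None, tactics=()):
        self.attackers[attacker_id] = {
            "attack_path": list(attack_path),   # first attack information
            "virtual_ip": virtual_ip,           # first attack information
            "real_ip": real_ip,                 # second attack information
            "tactics": list(tactics),           # third attack information
        }

    def store_organization(self, org_id, virtual_ip, tactics=()):
        self.organizations[org_id] = {"virtual_ip": virtual_ip, "tactics": list(tactics)}

    def attribute(self, attacker_id):
        """Organizations whose virtual address is similar enough to the
        attacker's to exceed the second preset threshold."""
        ip = self.attackers[attacker_id]["virtual_ip"]
        scored = ((org, second_association_similarity(ip, rec["virtual_ip"]))
                  for org, rec in self.organizations.items())
        return [org for org, sim in scored if sim > self.threshold]


def build_example_db():
    """Constructed database: one attacker and two candidate organizations."""
    db = AttackerDatabase()
    db.store_attacker("attacker A", ["server C", "server A", "server B"],
                      "203.0.113.45", tactics=["tactic placeholder"])
    db.store_organization("organization A", "203.0.113.47")
    db.store_organization("organization B", "10.9.9.9")
    return db


if __name__ == "__main__":
    print(build_example_db().attribute("attacker A"))
```

Two addresses that differ in one trailing digit score 11/12 (about 0.92) under both measures and clear the 0.85 threshold, while addresses that share only the "10..." skeleton score 0.625 and are rejected; because string similarity over dotted decimals rewards shared prefixes, the organization match should be treated as the preliminary determination the patent describes and confirmed against the tactic information before the attacker is tied to an organization.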
Fig. 5 schematically illustrates a logical block diagram of an information processing flow according to an embodiment of the present disclosure.
As shown in fig. 5, the information processing flow of this embodiment includes operations S510 to S560.
In operation S510, security device alert information and intelligence information are acquired, wherein the intelligence information includes intelligence information from a threat data platform.
In operation S520, first attack information is obtained by tracing and analyzing security device alarm information, where the first attack information includes attack path information and virtual identity information of an attacker.
In operation S530, second attack information is obtained by performing countermeasures on the attacker according to the attack path information and the virtual identity information, wherein the second attack information includes real identity information of the attacker.
In operation S540, it is determined whether the real identity of the attacker can be determined from the second attack information; if so, operation S550 is performed, and if not, the flow returns to operation S520.
In operation S550, an attacker portrayal is constructed from the first attack information and the second attack information.
In operation S560, third attack information is extracted according to the intelligence information and the attacker portrayal information, wherein the third attack information includes attack tactical information, and the first attack information, the second attack information, and the third attack information are stored in the attacker database.
Based on the information processing method, the disclosure also provides an information processing device. The device will be described in detail below in connection with fig. 6.
Fig. 6 schematically shows a block diagram of the information processing apparatus according to the embodiment of the present disclosure.
As shown in fig. 6, the information processing apparatus 600 of this embodiment includes a first acquisition module 610, a second acquisition module 620, a third acquisition module 630, a construction module 640, and a first extraction module 650.
The first obtaining module 610 is configured to obtain security device alarm information and intelligence information, where the intelligence information includes intelligence information from a threat data platform. In an embodiment, the first obtaining module 610 may be configured to perform the operation S210 described above, which is not described herein.
The second obtaining module 620 is configured to obtain first attack information by tracing and analyzing security device alarm information, where the first attack information includes attack path information and virtual identity information of an attacker. In an embodiment, the second obtaining module 620 may be configured to perform the operation S220 described above, which is not described herein.
The third obtaining module 630 is configured to obtain second attack information according to the attack path information and the virtual identity information by performing countercheck analysis on an attacker, where the second attack information includes real identity information of the attacker. In an embodiment, the third obtaining module 630 may be configured to perform the operation S230 described above, which is not described herein.
The construction module 640 is configured to construct an attacker portrait according to the first attack information and the second attack information. In an embodiment, the construction module 640 may be configured to perform the operation S240 described above, which is not described herein.
The first extraction module 650 is configured to extract third attack information according to the intelligence information and the attacker portrayal information, where the third attack information includes attack tactical information. In an embodiment, the first extraction module 650 may be configured to perform the operation S250 described above, which is not described herein.
According to an embodiment of the present disclosure, the second acquisition module includes a first extraction unit and a first acquisition unit. The first extraction unit is configured to extract attack feature information from security device alarm information, where the attack feature information includes: spatiotemporal characteristic information, content characteristic information, and behavioral characteristic information. The first acquisition unit is used for acquiring first attack information by tracing and analyzing association relations among space-time characteristic information, content characteristic information and behavior characteristic information of alarm information of different security devices.
According to an embodiment of the disclosure, the first obtaining unit includes a calculating subunit and a determining subunit, where the calculating subunit is configured to input first sample data and second sample data into the association tracing analysis model, and calculate a first association similarity, where the first sample data includes first time-space feature information, first content feature information, and first behavior feature information extracted from the first security device alarm information; the second sample data includes second spatiotemporal characteristic information, second content characteristic information, and second behavioral characteristic information extracted from the second security device alert information. And the determining subunit is used for determining the first attack information according to the first sample data and the second sample data under the condition that the first association similarity exceeds a first preset threshold value.
According to an embodiment of the present disclosure, the second acquisition module includes a second acquisition unit and a third acquisition unit. The second obtaining unit is configured to obtain host permission of an attacker by actively detecting vulnerability information according to the attack path information and the virtual identity information. And the third acquisition unit is used for acquiring the second attack information through the host authority of the attacker.
According to an embodiment of the present disclosure, the second acquisition module includes a construction unit and a fourth acquisition unit. The construction unit is used for constructing a simulation system according to the attack path information and the attacker virtual identity information. And the fourth acquisition unit is used for acquiring the second attack information through the alarm information triggered when the attacker attacks the simulation system.
According to an embodiment of the present disclosure, the above information processing apparatus further includes a storage module configured to store the first attack information, the second attack information, and the third attack information in an attacker database.
According to an embodiment of the present disclosure, the above information processing apparatus further includes a second extraction module, a calculation module, and a determination module. The second extraction module is used for extracting fourth attack information according to the information, wherein the fourth attack information comprises the identity information of the attack organization and tactical information of the attack organization. And the calculation module is used for calculating the second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database. The determining module is used for determining that the attacker is from the attack organization under the condition that the second association similarity exceeds a second preset threshold value.
According to embodiments of the present disclosure, any of the first acquisition module 610, the second acquisition module 620, the third acquisition module 630, the construction module 640 and the first extraction module 650 may be combined into one module for implementation, or any one of the modules may be split into a plurality of modules; alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the first acquisition module 610, the second acquisition module 620, the third acquisition module 630, the construction module 640 and the first extraction module 650 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package or an Application Specific Integrated Circuit (ASIC), as hardware or firmware in any other reasonable manner of integrating or packaging the circuitry, or as any one of software, hardware and firmware or a suitable combination of the three. Alternatively, at least one of the first acquisition module 610, the second acquisition module 620, the third acquisition module 630, the construction module 640 and the first extraction module 650 may be at least partially implemented as a computer program module which, when executed, performs the corresponding functions.
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement an information processing method according to an embodiment of the disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.
In the RAM 703, various programs and data necessary for the operation of the electronic apparatus 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other through a bus 704. The processor 701 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. Note that the program may be stored in one or more memories other than the ROM 702 and the RAM 703. The processor 701 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 700 may further include an input/output (I/O) interface 705, the input/output (I/O) interface 705 also being connected to the bus 704. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input section 706 including a keyboard, a mouse, and the like; an output portion 707 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. The drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read therefrom is mounted into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 702 and/or RAM 703 and/or one or more memories other than ROM 702 and RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code means for causing a computer system to carry out the information processing method provided by the embodiments of the present disclosure when the computer program product is run on the computer system.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed over a network medium in the form of signals, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 709, and/or installed from the removable medium 711. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, the program code of the computer programs provided by the embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (for example, via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined in a variety of ways, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (11)

1. An information processing method, comprising:
acquiring security device alarm information and intelligence information, wherein the intelligence information comprises information from a threat data platform;
acquiring first attack information by performing traceability analysis on the security device alarm information, wherein the first attack information comprises attack path information and virtual identity information of an attacker;
acquiring second attack information by performing counter-analysis on the attacker according to the attack path information and the virtual identity information, wherein the second attack information comprises real identity information of the attacker;
constructing an attacker portrait according to the first attack information and the second attack information; and
extracting third attack information according to the intelligence information and the attacker portrait, wherein the third attack information comprises attack tactics information;
wherein constructing the attacker portrait according to the first attack information and the second attack information comprises:
restoring the operation behavior, operation habits and work and rest schedule of the attacker according to the attack path information;
constructing a spatiotemporal relationship portrait and an operation behavior portrait of the attacker according to the operation behavior, operation habits and work and rest schedule of the attacker;
constructing an abnormal access object portrait of the attacker according to the virtual identity information and the real identity information; and
constructing the attacker portrait on the basis of the spatiotemporal relationship portrait, the operation behavior portrait and the abnormal access object portrait;
and wherein extracting the third attack information according to the intelligence information and the attacker portrait comprises:
extracting characteristic information of the attacker's behavior from the intelligence information and combining it with the attacker portrait to obtain the third attack information.
2. The method of claim 1, wherein acquiring the first attack information by performing traceability analysis on the security device alarm information comprises:
extracting attack characteristic information from the security device alarm information, wherein the attack characteristic information comprises spatiotemporal characteristic information, content characteristic information and behavioral characteristic information; and
acquiring the first attack information by performing traceability analysis on the association relationship among the spatiotemporal characteristic information, the content characteristic information and the behavioral characteristic information of the alarm information from different security devices.
3. The method of claim 2, wherein acquiring the first attack information by performing traceability analysis on the association relationship among the spatiotemporal characteristic information, the content characteristic information and the behavioral characteristic information of the alarm information from different security devices comprises:
inputting first sample data and second sample data into an association traceability analysis model and calculating a first association similarity, wherein the first sample data comprises first spatiotemporal characteristic information, first content characteristic information and first behavioral characteristic information extracted from first security device alarm information, and the second sample data comprises second spatiotemporal characteristic information, second content characteristic information and second behavioral characteristic information extracted from second security device alarm information; and
determining the first attack information according to the first sample data and the second sample data when the first association similarity exceeds a first preset threshold.
4. The method of claim 1, wherein acquiring the second attack information by performing counter-analysis on the attacker according to the attack path information and the virtual identity information comprises:
acquiring host privileges of the attacker by actively probing vulnerability information according to the attack path information and the virtual identity information; and
acquiring the second attack information through the host privileges of the attacker.
5. The method of claim 4, wherein acquiring the second attack information by performing counter-analysis on the attacker according to the attack path information and the virtual identity information of the attacker comprises:
constructing a simulation system according to the attack path information and the virtual identity information of the attacker; and
acquiring the second attack information through the alarm information triggered when the attacker attacks the simulation system.
6. The method of claim 1, further comprising:
Storing the first attack information, the second attack information, and the third attack information in an attacker database.
7. The method of claim 6, further comprising:
extracting fourth attack information according to the intelligence information, wherein the fourth attack information comprises identity information of an attack organization and tactics information of the attack organization;
calculating a second association similarity between the fourth attack information and the second attack information and/or the third attack information in the attacker database; and
determining that the attacker belongs to the attack organization when the second association similarity exceeds a second preset threshold.
8. An information processing apparatus, comprising:
a first acquisition module for acquiring security device alarm information and intelligence information, wherein the intelligence information comprises information from a threat data platform;
a second acquisition module for acquiring first attack information by performing traceability analysis on the security device alarm information, wherein the first attack information comprises attack path information and virtual identity information of an attacker;
a third acquisition module for acquiring second attack information by performing counter-analysis on the attacker according to the attack path information and the virtual identity information, wherein the second attack information comprises real identity information of the attacker;
a construction module for constructing an attacker portrait according to the first attack information and the second attack information; and
a first extraction module for extracting third attack information according to the intelligence information and the attacker portrait, wherein the third attack information comprises attack tactics information;
wherein the construction module is configured to:
restore the operation behavior, operation habits and work and rest schedule of the attacker according to the attack path information;
construct a spatiotemporal relationship portrait and an operation behavior portrait of the attacker according to the operation behavior, operation habits and work and rest schedule of the attacker;
construct an abnormal access object portrait of the attacker according to the virtual identity information and the real identity information; and
construct the attacker portrait on the basis of the spatiotemporal relationship portrait, the operation behavior portrait and the abnormal access object portrait;
and wherein the first extraction module is configured to:
extract characteristic information of the attacker's behavior from the intelligence information and combine it with the attacker portrait to obtain the third attack information.
9. An electronic device, comprising:
one or more processors;
Storage means for storing one or more programs,
Wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-7.
11. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
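The alarm-correlation step of claims 2 and 3 (spatiotemporal, content and behavioral features scored by an association model and chained once the score exceeds a preset threshold) and the organization attribution of claim 7, as an added Python example that is not part of the patent: the weighted similarity model, the thresholds, the feature encodings and the sample alarms are all assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set
@dataclass
class Alarm:  # one security-device alert reduced to the three feature groups of claim 2
    ts: datetime        # spatiotemporal: when
    src: str            # spatiotemporal: where from (the attacker's "virtual identity")
    dst: str            # spatiotemporal: where to
    content: Set[str]   # content features, e.g. signature tags or payload tokens
    behavior: Set[str]  # behavioral features, here ATT&CK technique ids

def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0

def association_similarity(a: Alarm, b: Alarm, window_s: int = 3600, w=(0.4, 0.3, 0.3)) -> float:
    """Hypothetical 'association traceability model' of claim 3: a weighted score in [0, 1]."""
    linked = a.src == b.src or a.dst == b.src  # same origin, or b pivots from a's target
    decay = max(0.0, 1 - abs((a.ts - b.ts).total_seconds()) / window_s)
    return (w[0] * (decay if linked else 0.0) + w[1] * jaccard(a.content, b.content)
            + w[2] * jaccard(a.behavior, b.behavior))

def trace_attack_paths(alarms: List[Alarm], threshold: float = 0.35) -> List[List[Alarm]]:
    """Greedy chaining: an alarm joins the best-scoring chain above the first preset threshold, else starts a new one."""
    chains: List[List[Alarm]] = []
    for alarm in sorted(alarms, key=lambda x: x.ts):
        best, best_score = None, threshold
        for chain in chains:
            if (score := association_similarity(chain[-1], alarm)) >= best_score:
                best, best_score = chain, score
        if best is None:
            chains.append([alarm])
        else:
            best.append(alarm)
    return chains

def first_attack_info(chain: List[Alarm]) -> Dict[str, object]:
    """Claim 1's 'first attack information': ordered attack path, identities seen and tactics used."""
    path = [chain[0].src]
    for alarm in chain:
        if alarm.dst != path[-1]:
            path.append(alarm.dst)
    return {"path": path, "identities": {a.src for a in chain},
            "tactics": set().union(*(a.behavior for a in chain))}

def attribute_organization(attacker_tactics: Set[str], org_tactics: Set[str], threshold: float = 0.6) -> bool:
    """Claim 7: attribute to a known organization when the tactics overlap exceeds the second preset threshold."""
    return jaccard(attacker_tactics, org_tactics) >= threshold

# Constructed sample alarms (documentation-range addresses, invented hosts): WAF, WAF, EDR, IDS; the last pivots from web01.
ALARMS = [
    Alarm(datetime(2022, 1, 24, 10, 0), "203.0.113.7", "web01", {"sqli", "union_select"}, {"T1190"}),
    Alarm(datetime(2022, 1, 24, 10, 5), "198.51.100.9", "web02", {"xss"}, {"T1189"}),
    Alarm(datetime(2022, 1, 24, 10, 12), "203.0.113.7", "web01", {"webshell", "cmd.exe"}, {"T1190", "T1059"}),
    Alarm(datetime(2022, 1, 24, 10, 30), "web01", "db01", {"smb", "psexec"}, {"T1021", "T1059"}),
]
```

Running `trace_attack_paths(ALARMS)` links the first, third and fourth alarms into one chain whose path is 203.0.113.7 to web01 to db01, while the unrelated XSS alarm stays in a chain of its own.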

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210083610.7A CN114422257B (en) 2022-01-24 2022-01-24 Information processing method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210083610.7A CN114422257B (en) 2022-01-24 2022-01-24 Information processing method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN114422257A CN114422257A (en) 2022-04-29
CN114422257B true CN114422257B (en) 2024-05-14

Family

ID=81278079

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210083610.7A Active CN114422257B (en) 2022-01-24 2022-01-24 Information processing method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN114422257B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801431A (en) * 2022-11-29 2023-03-14 国网山东省电力公司信息通信公司 Automatic threat tracing method, system, equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108540441A (en) * 2018-02-07 2018-09-14 广州锦行网络科技有限公司 A kind of Active Defending System Against and method based on authenticity virtual network
CN111209570A (en) * 2019-12-31 2020-05-29 杭州安恒信息技术股份有限公司 Method for creating safe closed loop process based on MITER ATT & CK
CN111490970A (en) * 2020-02-19 2020-08-04 西安交大捷普网络科技有限公司 Tracing analysis method for network attack
CN112738126A (en) * 2021-01-07 2021-04-30 中国电子科技集团公司第十五研究所 Attack tracing method based on threat intelligence and ATT & CK
CN113055386A (en) * 2021-03-12 2021-06-29 哈尔滨安天科技集团股份有限公司 Method and device for identifying and analyzing attack organization

Also Published As

Publication number Publication date
CN114422257A (en) 2022-04-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant