CN114567449A - APT attack test behavior identification method, device, storage medium and device

Info

Publication number: CN114567449A
Application number: CN202011275215.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 边亮, 陈泽宇
Current assignee: 360 Digital Security Technology Group Co Ltd
Original assignee: 360 Digital Security Technology Group Co Ltd
Prior art keywords: address, information, virtual machine, target, screened

Classifications

    • H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The invention discloses a method, a device, a storage medium and an apparatus for identifying the test behavior of APT attacks. In contrast to the existing approach, which identifies test behavior only from already known characteristic data, the invention acquires the current output log and basic attribute information of an IP address to be detected, screens that IP address according to the current output log and the basic attribute information to obtain a target IP address, searches for the target virtual machine user associated with the target IP address, acquires the virtual machine user characteristic information of that user, and generates a test behavior recognition result from the virtual machine user characteristic information. This overcomes the defect of the prior art that the test behavior of an unknown APT attack cannot be recognized quickly; the identification process for APT attack test behavior is thereby optimized, and quick identification of the test behavior of unknown APT attacks is realized.

Description

APT attack test behavior identification method, device, storage medium and device
Technical Field
The invention relates to the technical field of internet, in particular to a method, equipment, a storage medium and a device for identifying testing behaviors of APT attacks.
Background
At present, in the contest between Advanced Persistent Threat (APT) attacks and security terminal products, APT attackers mostly install the security terminal product in a virtual environment and test the ability of their malicious tools to withstand it, thereby evaluating the feasibility of the next attack release.
The existing test behavior identification mode of the APT attack can identify the test behavior of the known APT attack according to the existing characteristic data. However, for the test behavior of unknown APT attacks, rapid identification cannot be achieved.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, equipment, a storage medium and a device for identifying testing behaviors of APT attacks, and aims to solve the technical problem of how to optimize the identification process of the testing behaviors of the APT attacks.
In order to achieve the above object, the present invention provides an APT attack test behavior identification method, including the following steps:
acquiring a current output log and basic attribute information of an IP address to be detected;
screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address;
searching a target virtual machine user associated with the target IP address, and acquiring virtual machine user characteristic information of the target virtual machine user;
and generating a test behavior recognition result according to the virtual machine user characteristic information.
Optionally, the step of screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address specifically includes:
judging whether the IP address to be detected is associated with a virtual machine user or not according to the current output log;
when the IP address to be detected is associated with a virtual machine user, taking the IP address to be detected as the IP address to be screened;
and screening the IP address to be screened according to the basic attribute information to obtain a target IP address.
Optionally, the step of screening the IP address to be screened according to the basic attribute information to obtain a target IP address specifically includes:
extracting attribution (home location) information, service provider information and IP tag information from the basic attribute information;
determining a total score of the IP address to be screened according to the attribution information, the service provider information and the IP tag information;
and screening the IP address to be screened according to the total score to obtain a target IP address.
Optionally, the step of determining the total score of the IP address to be screened according to the attribution information, the service provider information and the IP tag information specifically includes:
generating a base score of the IP address to be screened according to the attribution information and the service provider information;
generating a correction score of the IP address to be screened according to the IP tag information;
and determining the total score of the IP address to be screened according to the base score and the correction score.
Optionally, the step of generating the base score of the IP address to be screened according to the attribution information and the service provider information specifically includes:
classifying the IP address to be screened according to the attribution information and the service provider information to obtain the category of the IP address to be screened;
and looking up the base score corresponding to that category in a preset mapping relation table, where the preset mapping relation table records the correspondence between IP address categories and base scores.
Optionally, the step of generating the correction score of the IP address to be screened according to the IP tag information specifically includes:
generating a user portrait of the IP address to be screened according to the IP tag information;
and analyzing the user portrait of the IP address to be screened based on a preset user portrait analysis model to obtain the correction score of the IP address to be screened.
Optionally, the step of determining whether the IP address to be detected is associated with a virtual machine user according to the current output log specifically includes:
extracting information of the current output log based on a preset information extraction script to obtain configuration environment information;
matching the configuration environment information with preset virtual machine configuration environment information to obtain a configuration environment matching result;
and judging whether the IP address to be detected is associated with the virtual machine user or not according to the configuration environment matching result.
Optionally, the step of using the IP address to be detected as the IP address to be screened when the IP address to be detected is associated with the virtual machine user specifically includes:
when the IP address to be detected is associated with a virtual machine user, acquiring a historical output log of the IP address to be detected;
determining the number of virtual machine users associated with the IP address to be detected according to the historical output log and the current output log;
judging whether the number of the virtual machine users is larger than a preset threshold value or not;
and when the number of virtual machine users is larger than the preset threshold value, taking the IP address to be detected as the IP address to be screened.
Optionally, the step of generating a test behavior recognition result according to the virtual machine user characteristic information specifically includes:
matching the virtual machine user characteristic information with preset test behavior characteristic information to obtain a characteristic matching result;
when the characteristic matching result indicates a successful match, taking the target virtual machine user as a target test machine user;
and counting the number of target test machine users, and generating a test behavior recognition result according to that number.
Optionally, the step of counting the number of target test machine users and generating a test behavior recognition result according to that number specifically includes:
counting the number of target test machine users and the number of target virtual machine users, and determining a test machine user ratio from these two numbers;
judging whether the test machine user ratio is greater than a preset ratio to obtain a judgment result;
and generating a test behavior recognition result according to the judgment result.
Optionally, after the step of judging whether the test machine user ratio is greater than the preset ratio and obtaining the judgment result, the method for identifying the test behavior of the APT attack further includes:
when the test machine user ratio is larger than the preset ratio, generating a reminding strategy according to the test machine user ratio;
and generating reminding information according to the reminding strategy, and sending the reminding information to a preset client.
Optionally, after the step of generating the test behavior recognition result according to the virtual machine user feature information, the method for recognizing the test behavior of the APT attack further includes:
determining a target display template according to the virtual machine user characteristic information;
and displaying the test behavior recognition result based on the target display template.
In addition, in order to achieve the above object, the present invention further provides an APT attack test behavior recognition device, where the APT attack test behavior recognition device includes a memory, a processor, and an APT attack test behavior recognition program stored in the memory and operable on the processor, and the APT attack test behavior recognition program is configured to implement the above-mentioned steps of the APT attack test behavior recognition method.
In addition, in order to achieve the above object, the present invention further provides a storage medium, on which an APT attack test behavior recognition program is stored, and the APT attack test behavior recognition program, when executed by a processor, implements the steps of the APT attack test behavior recognition method as described above.
In addition, in order to achieve the above object, the present invention further provides an apparatus for identifying the test behavior of APT attacks, the apparatus comprising an acquisition module, a screening module, a searching module and a generating module;
the acquisition module is used for acquiring the current output log and basic attribute information of the IP address to be detected;
the screening module is used for screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address;
the searching module is used for searching a target virtual machine user associated with the target IP address and acquiring virtual machine user characteristic information of the target virtual machine user;
and the generating module is used for generating a test behavior identification result according to the virtual machine user characteristic information.
Optionally, the screening module is further configured to determine whether the to-be-detected IP address is associated with a virtual machine user according to the current output log;
the screening module is further configured to use the to-be-detected IP address as the to-be-screened IP address when the to-be-detected IP address is associated with a virtual machine user;
and the screening module is also used for screening the IP address to be screened according to the basic attribute information to obtain a target IP address.
Optionally, the screening module is further configured to extract attribution information, service provider information and IP tag information from the basic attribute information;
the screening module is further configured to determine a total score of the IP address to be screened according to the attribution information, the service provider information and the IP tag information;
and the screening module is further configured to screen the IP address to be screened according to the total score to obtain a target IP address.
Optionally, the screening module is further configured to generate a base score of the IP address to be screened according to the attribution information and the service provider information;
the screening module is further configured to generate a correction score of the IP address to be screened according to the IP tag information;
and the screening module is further configured to determine the total score of the IP address to be screened according to the base score and the correction score.
Optionally, the screening module is further configured to classify the IP address to be screened according to the attribution information and the service provider information, so as to obtain the category of the IP address to be screened;
the screening module is further configured to look up, in a preset mapping relation table, the base score corresponding to the category of the IP address to be screened, where the preset mapping relation table records the correspondence between IP address categories and base scores.
Optionally, the screening module is further configured to generate a user portrait of the IP address to be screened according to the IP tag information;
the screening module is further configured to analyze the user portrait of the IP address to be screened based on a preset user portrait analysis model to obtain the correction score of the IP address to be screened.
In the invention, the current output log and basic attribute information of an IP address to be detected are obtained; the IP address to be detected is screened according to the current output log and the basic attribute information to obtain a target IP address; a target virtual machine user associated with the target IP address is searched for and its virtual machine user characteristic information is obtained; and a test behavior recognition result is generated according to the virtual machine user characteristic information. Compared with the existing method of identifying test behavior only from already known characteristic data, the method and the apparatus determine the target IP address from the current output log and basic attribute information of the IP address to be detected, obtain the virtual machine user characteristic information of the target virtual machine user associated with that target IP address, and generate the test behavior identification result from that information. This overcomes the defect of the prior art that the test behavior of an unknown APT attack cannot be identified quickly, so the test behavior identification process for APT attacks can be optimized and the test behavior of unknown APT attacks can be identified quickly.
Drawings
Fig. 1 is a schematic structural diagram of a test behavior recognition device for APT attack in a hardware operating environment according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating a first embodiment of the method for identifying the test behavior of APT attack according to the present invention;
Fig. 3 is a flowchart illustrating a second embodiment of the APT attack test behavior recognition method according to the present invention;
Fig. 4 is a flowchart illustrating a third embodiment of the APT attack test behavior recognition method according to the present invention;
Fig. 5 is a block diagram of a first embodiment of the apparatus for identifying the test behavior of APT attack according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a test behavior recognition device for APT attack in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the test behavior recognition device for APT attack may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen, and may optionally further include a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The memory 1005 may be a random access memory (RAM) or a non-volatile memory (NVM), such as disk storage. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a definition of a test behavior recognition device for APT attacks, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, identified as a computer storage medium, may include an operating system, a network communication module, a user interface module, and a test behavior recognition program for APT attacks.
In the test behavior recognition device for APT attack shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting user equipment; the test behavior recognition device for the APT attack calls the test behavior recognition program for the APT attack stored in the memory 1005 through the processor 1001, and executes the test behavior recognition method for the APT attack provided by the embodiment of the present invention.
Based on the hardware structure, the embodiment of the test behavior identification method of the APT attack is provided.
Referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the method for identifying a test behavior of an APT attack according to the present invention, and proposes the first embodiment of the method for identifying a test behavior of an APT attack according to the present invention.
In a first embodiment, the method for identifying the test behavior of the APT attack includes the following steps:
step S10: and acquiring the current output log and the basic attribute information of the IP address to be detected.
It should be understood that the execution subject of this embodiment is the test behavior recognition device for the APT attack, where the test behavior recognition device for the APT attack may be an electronic device such as a computer or a server, or may also be another device that can implement the same or similar function.
It should be noted that the current output log may be the output log at the current time; the basic attribute information may be information describing attributes of the IP address to be detected, such as attribution (home location) information, service provider information and IP tag information, which is not limited in this embodiment.
Step S20: and screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address.
It should be understood that, the to-be-detected IP address is screened according to the current output log and the basic attribute information, and the obtaining of the target IP address may be that the to-be-detected IP address is screened through a preset analysis script according to the current output log and the basic attribute information, so as to obtain the target IP address, where the preset analysis script may be an information analysis and monitoring script preset by a user, which is not limited in this embodiment.
Further, in order to quickly and accurately determine a target IP address, the screening the IP address to be detected according to the current output log and the basic attribute information to obtain the target IP address includes:
and judging whether the IP address to be detected is associated with a virtual machine user according to the current output log, taking the IP address to be detected as an IP address to be screened when the IP address to be detected is associated with the virtual machine user, and screening the IP address to be screened according to the basic attribute information to obtain a target IP address.
Further, in practical application, if whether the IP address to be detected is associated with a virtual machine user were judged from the current output log alone, the number of observations involved in the judgment would be too small and the accuracy low. Therefore, the step of taking the IP address to be detected as the IP address to be screened when it is associated with a virtual machine user includes the following:
when the IP address to be detected is associated with a virtual machine user, acquiring a historical output log of the IP address to be detected; determining the number of virtual machine users associated with the IP address to be detected according to the historical output log and the current output log; judging whether the number of virtual machine users is larger than a preset threshold value; and when the number of virtual machine users is larger than the preset threshold value, taking the IP address to be detected as the IP address to be screened.
It should be understood that, the screening of the IP address to be screened according to the basic attribute information to obtain the target IP address may be to extract information from the basic attribute information to obtain attribution information, service provider information and IP tag information, determine a total score of the IP address to be screened according to the attribution information, the service provider information and the IP tag information, and screen the IP address to be screened according to the total score to obtain the target IP address.
Step S30: and searching a target virtual machine user associated with the target IP address, and acquiring the virtual machine user characteristic information of the target virtual machine user.
It should be understood that the searching for the target virtual machine user associated with the target IP address may be searching for the target virtual machine user associated with the target IP address in a preset database, wherein the preset database may be a database preset to store the target virtual machine user.
It is understood that the obtaining of the virtual machine user characteristic information of the target virtual machine user may be directly obtaining the virtual machine user characteristic information of the target virtual machine user based on a preset characteristic information extraction script, where the preset characteristic information extraction script may be an information extraction script preset by a user.
Step S40: and generating a test behavior recognition result according to the virtual machine user characteristic information.
It should be understood that generating the test behavior recognition result according to the virtual machine user characteristic information may be done by directly analyzing the virtual machine user characteristic information with a preset test behavior recognition script. The preset test behavior recognition script may be a behavior analysis script preset by a user, and may be linked with heuristic rules for the test activity of advanced threat actors to generate the test behavior recognition result; such heuristic rules may be threat intelligence generated in advance from a large number of observed test behaviors of advanced threat actors. This embodiment does not limit the form of the script or the rules.
Further, in order to improve accuracy of identifying a test behavior of an APT attack, the generating a test behavior identification result according to the virtual machine user feature information includes:
matching the virtual machine user characteristic information with preset test behavior characteristic information to obtain a characteristic matching result, taking the target virtual machine user as a target test machine user when the characteristic matching result is successful, counting the number of the target test machine users, and generating a test behavior recognition result according to the number of the target test machine users.
It should be noted that the preset test behavior characteristic information may be test behavior characteristic information pre-stored by a user; the target test machine user may be a user who installs the security terminal product in a virtual environment and tests the capability of their malicious tools against it.
In the first embodiment, the current output log and basic attribute information of an IP address to be detected are obtained; the IP address to be detected is screened according to the current output log and the basic attribute information to obtain a target IP address; a target virtual machine user associated with the target IP address is searched for and its virtual machine user characteristic information is obtained; and a test behavior recognition result is generated according to the virtual machine user characteristic information. Compared with the existing method of identifying test behavior only from already known characteristic data, this embodiment determines the target IP address from the current output log and basic attribute information of the IP address to be detected, obtains the virtual machine user characteristic information of the target virtual machine user associated with the target IP address, and generates the test behavior identification result from that information. This overcomes the defect of the prior art that the test behavior of an unknown APT attack cannot be quickly identified, so the test behavior identification process for APT attacks can be optimized and quick identification of the test behavior of unknown APT attacks is realized.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of the method for identifying a test behavior of an APT attack according to the present invention, and the second embodiment of the method for identifying a test behavior of an APT attack according to the present invention is proposed based on the first embodiment illustrated in fig. 2.
In the second embodiment, the step S20 includes:
step S201: and judging whether the IP address to be detected is associated with a virtual machine user or not according to the current output log.
It should be understood that, the determining, according to the current output log, whether the to-be-detected IP address is associated with the virtual machine user may be to analyze the current output log based on a preset log analysis script to obtain an analysis result, and determine, according to the analysis result, whether the to-be-detected IP address is associated with the virtual machine user, where the preset log analysis script may be a log information analysis and monitoring script preset by the user, which is not limited in this embodiment.
Further, in order to improve the accuracy of determining whether the to-be-detected IP address is associated with the virtual machine user, the step S201 includes:
extracting information of the current output log based on a preset information extraction script to obtain configuration environment information;
matching the configuration environment information with preset virtual machine configuration environment information to obtain a configuration environment matching result;
and judging whether the IP address to be detected is associated with the virtual machine user or not according to the configuration environment matching result.
It should be noted that the preset information extraction script may be a script for information extraction preset by a user; the configuration environment information may be operating environment information of the software; the preset virtual machine configuration environment information may be running environment information of the virtual machine, which is not limited in this embodiment.
It should be understood that matching the configuration environment information with the preset virtual machine configuration environment information to obtain the configuration environment matching result may be calculating information similarity between the configuration environment information and the preset virtual machine configuration environment information, and determining whether the information similarity is greater than a preset similarity threshold, and when the information similarity is greater than the preset similarity threshold, determining that the configuration environment matching result is a successful matching, where the preset similarity threshold may be a numerical value preset by a user according to an actual situation.
It can be understood that, whether the to-be-detected IP address is associated with the virtual machine user or not is judged according to the configuration environment matching result, and if the configuration environment matching result is successful, the to-be-detected IP address is judged to be associated with the virtual machine user; and when the matching result of the configuration environment is matching failure, judging that the IP address to be detected is not associated with the virtual machine user.
Step S202: when the IP address to be detected is associated with the virtual machine user, taking the IP address to be detected as the IP address to be screened.
It should be understood that, when the IP address to be detected is associated with the virtual machine user, the IP address to be detected may be taken directly as the IP address to be screened.
Further, in consideration of practical application, if whether the to-be-detected IP address is associated with the virtual machine user is determined only according to the current output log, the number of objects involved in the determination process is inevitably too small, and the accuracy is low. The step S202 includes:
when the IP address to be detected is associated with a virtual machine user, acquiring a historical output log of the IP address to be detected;
determining the number of virtual machine users associated with the IP address to be detected according to the historical output log and the current output log;
judging whether the number of the virtual machine users is larger than a preset threshold value or not;
and when the number of virtual machine users is larger than the preset threshold value, taking the IP address to be detected as the IP address to be screened.
It should be noted that the historical output log may be an output log within a preset time range, where the preset time range may be a time period preset by a user according to an actual requirement, and this embodiment is not limited to this; the preset threshold may be a numerical value preset by a user.
It should be understood that the determining the number of virtual machine users associated with the IP address to be detected according to the historical output log and the current output log may be determining the number of historical virtual machine users according to the historical output log, determining the current number of virtual machine users according to the current output log, and adding the number of historical virtual machine users to the current number of virtual machine users to obtain the number of virtual machine users.
It can be understood that when the number of virtual machine users is greater than the preset threshold, it indicates that a large number of virtual machine users are associated with the IP address to be detected and a test behavior may exist, and therefore the IP address to be detected needs to be taken as the IP address to be screened.
Step S203: screening the IP address to be screened according to the basic attribute information to obtain a target IP address.
It should be understood that, screening the IP address to be screened according to the basic attribute information, and obtaining the target IP address may be performing information extraction on the basic attribute information, obtaining attribution information, service provider information, and IP tag information, determining a total score of the IP address to be screened according to the attribution information, the service provider information, and the IP tag information, and screening the IP address to be screened according to the total score to obtain the target IP address.
In a second embodiment, whether the IP address to be detected is associated with a virtual machine user is determined according to the current output log, when the IP address to be detected is associated with the virtual machine user, the IP address to be detected is used as the IP address to be screened, and the IP address to be screened is screened according to the basic attribute information to obtain a target IP address, so that the target IP address can be determined quickly and accurately.
In the second embodiment, the step S40 includes:
step S401: and matching the user characteristic information of the virtual machine with preset test behavior characteristic information to obtain a characteristic matching result.
It should be noted that the preset test behavior feature information may be test behavior feature information stored by the user in advance.
It should be understood that, the matching of the virtual machine user feature information with the preset test behavior feature information to obtain the feature matching result may be to calculate information similarity between the virtual machine user feature information and the preset test behavior feature information, and determine the feature matching result according to the information similarity between the virtual machine user feature information and the preset test behavior feature information.
Step S402: when the feature matching result is successful matching, taking the target virtual machine user as a target test machine user.
It should be noted that the target test machine user may be a user who installs a security endpoint product in a virtual environment and tests the capability of their malicious tools against that product.
It is understood that when the feature matching result is that matching is successful, the target virtual machine user can be directly used as the target testing machine user.
Step S403: counting the number of target test machine users, and generating a test behavior recognition result according to the number of target test machine users.
It should be understood that generating the test behavior recognition result according to the number of target test machine users may be judging whether the number of target test machine users is greater than a preset threshold, and generating the test behavior recognition result according to the judgment result. For example, when the number of target test machine users is greater than 0, it is determined that a test behavior exists in the target IP address.
Further, in consideration of practical application, if the test behavior recognition result is generated only by judging whether the number of target test machine users is greater than the preset threshold value, the number of objects involved in the judgment process is inevitably too small, and misjudgment is easy to occur. To overcome this drawback, step S403 includes:
counting the number of target test machine users and the number of target virtual machine users, and determining a test machine user ratio according to the number of target test machine users and the number of target virtual machine users;
judging whether the test machine user ratio is greater than a preset ratio or not, and obtaining a judgment result;
and generating a test behavior recognition result according to the judgment result.
It should be noted that the number of target virtual machine users may be the number of target virtual machine users associated with the target IP address; the preset ratio may be a ratio preset by a user, and the embodiment is not limited thereto.
It should be appreciated that determining the test machine user ratio based on the number of target test machine users and the number of target virtual machine users may be dividing the number of target test machine users by the number of target virtual machine users to obtain the test machine user ratio.
It can be understood that generating the test behavior recognition result according to the judgment result may be judging that a test behavior exists in the target IP address when the test machine user ratio is greater than the preset ratio, and judging that no test behavior exists in the target IP address when the test machine user ratio is smaller than or equal to the preset ratio.
Further, in order to prompt a user in time that a test behavior exists in a target IP address, after judging whether the test machine user ratio is greater than the preset ratio and obtaining the judgment result, the method further includes:
when the test machine user ratio is larger than the preset ratio, generating a reminding strategy according to the test machine user ratio;
and generating reminding information according to the reminding strategy, and sending the reminding information to a preset client.
It should be understood that generating the reminding strategy according to the test machine user ratio may be searching a preset reminding strategy table for the reminding strategy corresponding to the test machine user ratio, where the preset reminding strategy table includes a corresponding relationship between the test machine user ratio and the reminding strategy, and the corresponding relationship is preset by the user, which is not limited in this embodiment.
In the second embodiment, the feature matching result is obtained by matching the virtual machine user feature information with preset test behavior feature information, and when the feature matching result is successful, the target virtual machine user is used as a target test machine user, the number of the target test machine users is counted, and a test behavior recognition result is generated according to the number of the target test machine users, so that the accuracy of test behavior recognition of the APT attack can be improved.
In the second embodiment, after the step S40, the method further includes:
Step S50: determining a target display template according to the virtual machine user characteristic information.
It should be noted that the target display template may be a template for displaying the test behavior recognition result.
It should be understood that the determining of the target display template according to the virtual machine user feature information may be to search a preset display template library for a target display template corresponding to the virtual machine user feature information, where the preset display template library includes a corresponding relationship between the virtual machine user feature information and the target display template.
Step S60: displaying the test behavior recognition result based on the target display template.
It is to be understood that displaying the test behavior recognition result based on the target display template may be populating the target display template with the test behavior recognition result and displaying it.
In the second embodiment, a target display template is determined according to the virtual machine user characteristic information, and the test behavior recognition result is displayed based on the target display template, so that the test behavior recognition result can be displayed to a user.
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of the method for identifying a test behavior of an APT attack according to the present invention, and the third embodiment of the method for identifying a test behavior of an APT attack according to the present invention is proposed based on the second embodiment illustrated in fig. 3.
In a third embodiment, the step S203 includes:
Step S2031: extracting the basic attribute information to obtain attribution information, service provider information and IP tag information.
It should be noted that the attribution information may indicate whether the IP address is attributed domestically or abroad, etc.; the service provider information may indicate an Internet Service Provider (ISP) or a hosting service provider, etc.; the IP tag information may be information used to characterize the IP address.
It should be understood that the extracting the basic attribute information, and obtaining the attribution information, the service provider information and the IP tag information may be extracting the basic attribute information, obtaining an information category identifier, and extracting the basic attribute information according to the information category identifier, and obtaining the attribution information, the service provider information and the IP tag information, wherein the information category identifier may be information for identifying the information type.
Step S2032: and determining the total score of the IP address to be screened according to the attribution information, the service provider information and the IP label information.
Further, in order to reduce the amount of computation for determining the total score of the IP address to be screened, step S2032 includes:
generating a basic score of the IP address to be screened according to the attribution information and the service provider information;
generating a correction score of the IP address to be screened according to the IP label information;
and determining the total score of the IP address to be screened according to the basic score and the corrected score.
It should be understood that, determining the total score of the IP address to be screened according to the base score and the modified score may be adding the base score and the modified score to obtain the total score of the IP address to be screened.
Further, in order to improve reliability of a base score of an IP address to be screened, the generating the base score of the IP address to be screened according to the attribution information and the service provider information includes:
classifying the IP address to be screened according to the attribution information and the service provider information to obtain the IP address category to be screened;
and searching a basic score corresponding to the IP address category to be screened in a preset mapping relation table, wherein the preset mapping relation table comprises the corresponding relation between the IP address category to be screened and the basic score.
It should be understood that the basic score corresponding to the IP address category to be screened is searched in the preset mapping relationship table, and the preset mapping relationship table includes a corresponding relationship between the IP address category to be screened and the basic score, where the corresponding relationship between the IP address category to be screened and the basic score may be preset by the user according to an actual situation, which is not limited in this embodiment.
In a specific implementation, for example, when the address category of the IP address to be screened is domestic and the service provider is an ISP, a base score of 50 is generated; and when the address category of the IP address to be screened is foreign and the service provider is a hosting service provider, a base score of 100 is generated.
Further, in order to improve reliability of the corrected score of the IP address to be screened, the generating the corrected score of the IP address to be screened according to the IP tag information includes:
generating a user portrait of the IP address to be screened according to the IP label information;
and analyzing the user portrait of the IP address to be screened based on a preset user portrait analysis model to obtain the correction score of the IP address to be screened.
It should be noted that the preset user portrait analysis model may be a user portrait analysis model preset by a user, which is not limited in this embodiment.
It should be understood that generating a user representation of the IP address to be screened according to the IP tag information may be analyzing the IP tag information based on a preset user representation building model to generate a user representation of the IP address to be screened, where the preset user representation building model may be a user representation building model preset by a user.
Step S2033: and screening the IP address to be screened according to the total score to obtain a target IP address.
It should be understood that, the screening of the IP address to be screened according to the total score to obtain the target IP address may be to judge whether the total score is greater than a preset score, and when the total score is greater than the preset score, the IP address to be screened corresponding to the total score is taken as the target IP address.
In a third embodiment, the basic attribute information is extracted to obtain attribution information, service provider information and IP label information, a total score of the IP address to be screened is determined according to the attribution information, the service provider information and the IP label information, the IP address to be screened is screened according to the total score to obtain a target IP address, and therefore accuracy of identifying the target IP address can be improved.
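The screening step S20 as described in the second embodiment (steps S201 to S203) and refined in steps S2031 to S2033 above, as an added Python example that is not part of the patent; the log record layout, the field-overlap similarity used for configuration environment matching, the IP tag correction rules standing in for the user portrait analysis model, and every threshold except the base scores of 50 and 100 quoted above are assumptions for illustration.

```python
"""Added illustration (not the patent's code) of screening step S20: S201
configuration environment matching, S202 virtual machine user counting over
the historical and current output logs, S2031-S2033 base, correction and
total scoring.  Record layout, similarity measure, tag rules and every
threshold except the 50 and 100 base scores quoted by the patent are assumed."""
from typing import Dict, List, Optional, Tuple

# Assumed preset virtual machine configuration environment information (S201).
PRESET_VM_ENV = {"hypervisor": "present", "mac_vendor": "virtual",
                 "disk_model": "virtual", "uptime_class": "short"}
ENV_SIMILARITY_THRESHOLD = 0.5   # assumed preset similarity threshold (S201)
VM_USER_COUNT_THRESHOLD = 2      # assumed preset threshold (S202)
PRESET_SCORE = 90                # assumed preset score (S2033)

# Preset mapping relation table (S2032): the 50 and 100 rows follow the
# patent's own example; the other two rows are assumed.
BASE_SCORE_TABLE = {
    ("domestic", "isp"): 50,
    ("foreign", "hosting"): 100,
    ("domestic", "hosting"): 80,
    ("foreign", "isp"): 60,
}
# Assumed rule-based stand-in for the preset user portrait analysis model:
# each IP tag contributes a signed correction score.
TAG_CORRECTION = {"vpn_exit": 15, "tor_exit": 30, "datacenter": 10,
                  "enterprise_gateway": -40, "residential": -20}


def env_similarity(env: Dict[str, str]) -> float:
    """Information similarity: share of preset VM environment fields that the
    log record's configuration environment reproduces exactly."""
    matched = sum(1 for k, v in PRESET_VM_ENV.items() if env.get(k) == v)
    return matched / len(PRESET_VM_ENV)

def is_vm_record(record: Dict) -> bool:
    """Configuration environment matching result for one log record."""
    return env_similarity(record.get("env", {})) > ENV_SIMILARITY_THRESHOLD

def associated_with_vm_user(current_log: List[Dict]) -> bool:
    """S201: any current record whose environment matches the preset VM environment."""
    return any(is_vm_record(r) for r in current_log)

def vm_user_count(current_log: List[Dict], history_log: List[Dict]) -> int:
    """S202 as the patent states it: distinct historical VM users plus distinct
    current VM users (a user present in both logs counts in each)."""
    hist = {r["vm_user"] for r in history_log if is_vm_record(r)}
    curr = {r["vm_user"] for r in current_log if is_vm_record(r)}
    return len(hist) + len(curr)

def total_score(attrs: Dict) -> Tuple[int, int, int]:
    """S2031-S2032: (base score, correction score, total score) of one address."""
    base = BASE_SCORE_TABLE.get((attrs["attribution"], attrs["service_provider"]), 0)
    correction = sum(TAG_CORRECTION.get(tag, 0) for tag in attrs.get("tags", []))
    return base, correction, base + correction

def screen_ip(ip: str, current_log: List[Dict], history_log: List[Dict],
              attrs: Dict) -> Optional[Dict]:
    """Whole step S20 for one address: a scoring record when it becomes a target
    IP address, None when it is screened out at any stage."""
    if not associated_with_vm_user(current_log):
        return None
    n_users = vm_user_count(current_log, history_log)
    if n_users <= VM_USER_COUNT_THRESHOLD:
        return None
    base, correction, total = total_score(attrs)
    if total <= PRESET_SCORE:
        return None
    return {"ip": ip, "vm_users": n_users, "base": base,
            "correction": correction, "total": total}


# Constructed sample input: documentation-range addresses and invented users.
VM_ENV = dict(PRESET_VM_ENV)
PHYSICAL_ENV = {"hypervisor": "absent", "mac_vendor": "intel",
                "disk_model": "nvme", "uptime_class": "long"}
SAMPLE = {
    "203.0.113.10": {  # foreign hosting address with several VM users: target
        "current": [{"vm_user": "u1", "env": VM_ENV}, {"vm_user": "u2", "env": VM_ENV}],
        "history": [{"vm_user": "u3", "env": VM_ENV}, {"vm_user": "u1", "env": VM_ENV}],
        "attrs": {"attribution": "foreign", "service_provider": "hosting",
                  "tags": ["datacenter"]}},
    "203.0.113.20": {  # a single VM user: screened out at S202
        "current": [{"vm_user": "u9", "env": VM_ENV}], "history": [],
        "attrs": {"attribution": "domestic", "service_provider": "isp",
                  "tags": ["residential"]}},
    "203.0.113.30": {  # physical hosts only: screened out at S201
        "current": [{"vm_user": "u5", "env": PHYSICAL_ENV}],
        "history": [{"vm_user": "u6", "env": PHYSICAL_ENV}],
        "attrs": {"attribution": "foreign", "service_provider": "hosting", "tags": []}},
}

def screen_all(sample: Dict = SAMPLE) -> Dict[str, Optional[Dict]]:
    """Run the screening over every address in the sample."""
    return {ip: screen_ip(ip, d["current"], d["history"], d["attrs"])
            for ip, d in sample.items()}

if __name__ == "__main__":
    for ip, result in screen_all().items():
        print(ip, result if result else "screened out")
```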
In addition, an embodiment of the present invention further provides a storage medium, where the storage medium stores an APT attack test behavior recognition program, and the APT attack test behavior recognition program, when executed by a processor, implements the above-mentioned steps of the APT attack test behavior recognition method.
In addition, referring to fig. 5, an embodiment of the present invention further provides a device for identifying a test behavior of an APT attack, where the device for identifying a test behavior of an APT attack includes an acquisition module 10, a screening module 20, a search module 30 and a generation module 40;
the acquiring module 10 is configured to acquire a current output log of the to-be-detected IP address and basic attribute information.
It should be noted that the current output log may be an output log at the current time; the basic attribute information may be information describing an attribute of the IP address to be detected, such as attribution information, service provider information, and IP tag information, which is not limited in this embodiment.
The screening module 20 is configured to screen the to-be-detected IP address according to the current output log and the basic attribute information, so as to obtain a target IP address.
It should be understood that, the to-be-detected IP address is screened according to the current output log and the basic attribute information, and the obtaining of the target IP address may be that the to-be-detected IP address is screened through a preset analysis script according to the current output log and the basic attribute information, so as to obtain the target IP address, where the preset analysis script may be an information analysis and monitoring script preset by a user, which is not limited in this embodiment.
Further, in order to quickly and accurately determine a target IP address, the screening the IP address to be detected according to the current output log and the basic attribute information to obtain the target IP address includes:
judging whether the IP address to be detected is associated with a virtual machine user according to the current output log, taking the IP address to be detected as an IP address to be screened when the IP address to be detected is associated with the virtual machine user, and screening the IP address to be screened according to the basic attribute information to obtain a target IP address.
Further, in consideration of practical application, if whether the to-be-detected IP address is associated with the virtual machine user is determined only according to the current output log, the number of objects involved in the determination process is inevitably too small, and the accuracy is low. Therefore, the step of taking the IP address to be detected as the IP address to be screened when the IP address to be detected is associated with the virtual machine user includes:
when the IP address to be detected is associated with a virtual machine user, acquiring a historical output log of the IP address to be detected; determining the number of virtual machine users associated with the IP address to be detected according to the historical output log and the current output log; judging whether the number of the virtual machine users is larger than a preset threshold value or not; and when the number of virtual machine users is larger than the preset threshold value, taking the IP address to be detected as the IP address to be screened.
It should be understood that, the screening of the IP address to be screened according to the basic attribute information to obtain the target IP address may be to extract information from the basic attribute information to obtain attribution information, service provider information and IP tag information, determine a total score of the IP address to be screened according to the attribution information, the service provider information and the IP tag information, and screen the IP address to be screened according to the total score to obtain the target IP address.
The searching module 30 is configured to search for a target virtual machine user associated with the target IP address, and obtain virtual machine user feature information of the target virtual machine user.
It should be understood that the searching for the target virtual machine user associated with the target IP address may be searching for the target virtual machine user associated with the target IP address in a preset database, wherein the preset database may be a database preset to store the target virtual machine user.
It is understood that the obtaining of the virtual machine user feature information of the target virtual machine user may be directly obtaining the virtual machine user feature information of the target virtual machine user based on a preset feature information extraction script, where the preset feature information extraction script may be an information extraction script preset by a user.
The generating module 40 is configured to generate a test behavior identification result according to the user feature information of the virtual machine.
It should be understood that generating the test behavior recognition result according to the virtual machine user feature information may be directly analyzing the virtual machine user feature information based on a preset test behavior recognition script to obtain the test behavior recognition result, where the preset test behavior recognition script may be linked with heuristic rules for the test activities of advanced threat actors to generate the test behavior recognition result, and the heuristic rules may be threat intelligence generated in advance from a large number of test behaviors of advanced threat actors, which is not limited in this embodiment.
Further, in order to improve accuracy of identifying a test behavior of an APT attack, the generating a test behavior identification result according to the virtual machine user feature information includes:
matching the virtual machine user characteristic information with preset test behavior characteristic information to obtain a characteristic matching result, taking the target virtual machine user as a target test machine user when the characteristic matching result is successful, counting the number of the target test machine users, and generating a test behavior recognition result according to the number of the target test machine users.
It should be noted that the preset test behavior feature information may be test behavior feature information pre-stored by a user; the target test machine user may be a user who installs a security endpoint product in a virtual environment and tests the capability of their malicious tools against that product.
In this embodiment, a current output log and basic attribute information of an IP address to be detected are obtained, the IP address to be detected is screened according to the current output log and the basic attribute information, a target IP address is obtained, a target virtual machine user associated with the target IP address is searched, virtual machine user feature information of the target virtual machine user is obtained, and a test behavior recognition result is generated according to the virtual machine user feature information; compared with the existing method for identifying the test behavior according to the existing characteristic data, in the embodiment, the target IP address is determined through the current output log of the IP address to be detected and the basic attribute information, the virtual machine user characteristic information of the target virtual machine user associated with the target IP address is obtained, and the test behavior identification result is generated according to the virtual machine user characteristic information, so that the defect that the test behavior of unknown APT attack cannot be quickly identified in the prior art is overcome, the test behavior identification process of APT attack can be optimized, and the quick identification of the test behavior of unknown APT attack is realized.
Other embodiments or specific implementation manners of the testing behavior recognition apparatus for APT attack according to the present invention may refer to the above-mentioned method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are only for description, and do not represent the advantages and disadvantages of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; rather, these words are to be interpreted as names.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention or portions thereof that contribute to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (e.g., a Read Only Memory (ROM)/Random Access Memory (RAM), a magnetic disk, an optical disk), and includes several instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent structures or equivalent processes performed by the present invention or directly or indirectly applied to other related technical fields are also included in the scope of the present invention.
The invention discloses A1, an APT attack test behavior identification method, which comprises the following steps:
acquiring a current output log and basic attribute information of an IP address to be detected;
screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address;
searching a target virtual machine user associated with the target IP address, and acquiring virtual machine user characteristic information of the target virtual machine user;
and generating a test behavior recognition result according to the virtual machine user characteristic information.
A2, the method for identifying the testing behavior of the APT attack as described in A1, wherein the step of screening the IP address to be detected according to the current output log and the basic attribute information to obtain the target IP address specifically includes:
judging whether the IP address to be detected is associated with a virtual machine user or not according to the current output log;
when the IP address to be detected is associated with a virtual machine user, taking the IP address to be detected as an IP address to be screened;
and screening the IP address to be screened according to the basic attribute information to obtain a target IP address.
A3, the method for identifying testing behavior of APT attack as described in A2, where the step of screening the IP address to be screened according to the basic attribute information to obtain a target IP address specifically includes:
extracting the basic attribute information to obtain attribution information, service provider information and IP label information;
determining the total score of the IP address to be screened according to the attribution information, the service provider information and the IP label information;
and screening the IP address to be screened according to the total score to obtain a target IP address.
A4, the method for identifying the testing behavior of the APT attack as described in A3, wherein the step of determining the total score of the IP address to be screened according to the attribution information, the service provider information and the IP label information specifically includes:
generating a basic score of the IP address to be screened according to the attribution information and the service provider information;
generating a correction score of the IP address to be screened according to the IP label information;
and determining the total score of the IP address to be screened according to the basic score and the correction score.
A5, the method for identifying the testing behavior of the APT attack as described in A4, wherein the step of generating the basic score of the IP address to be screened according to the attribution information and the service provider information specifically includes:
classifying the IP address to be screened according to the attribution information and the service provider information to obtain the IP address category to be screened;
and searching a basic score corresponding to the IP address category to be screened in a preset mapping relation table, wherein the preset mapping relation table comprises the corresponding relation between the IP address category to be screened and the basic score.
A6, the method for identifying the testing behavior of the APT attack as described in A4, wherein the step of generating the correction score of the IP address to be screened according to the IP label information specifically includes:
generating a user portrait of the IP address to be screened according to the IP label information;
and analyzing the user portrait of the IP address to be screened based on a preset user portrait analysis model to obtain the correction score of the IP address to be screened.
A7, the method for identifying the testing behavior of the APT attack as described in A2, wherein the step of judging whether the IP address to be detected is associated with a virtual machine user according to the current output log specifically includes:
extracting information of the current output log based on a preset information extraction script to obtain configuration environment information;
matching the configuration environment information with preset virtual machine configuration environment information to obtain a configuration environment matching result;
and judging whether the IP address to be detected is associated with the virtual machine user or not according to the configuration environment matching result.
A8, the method for identifying the testing behavior of the APT attack as described in A2, wherein the step of taking the IP address to be detected as the IP address to be screened when the IP address to be detected is associated with a virtual machine user specifically includes:
when the IP address to be detected is associated with a virtual machine user, acquiring a historical output log of the IP address to be detected;
determining the number of virtual machine users associated with the IP address to be detected according to the historical output log and the current output log;
judging whether the number of the virtual machine users is larger than a preset threshold value or not;
and when the number of virtual machine users is larger than the preset threshold value, taking the IP address to be detected as the IP address to be screened.
A9, the method for identifying the testing behavior of the APT attack as described in A1, wherein the step of generating the test behavior recognition result according to the virtual machine user characteristic information specifically includes:
matching the virtual machine user characteristic information with preset test behavior characteristic information to obtain a characteristic matching result;
when the characteristic matching result indicates a successful match, taking the target virtual machine user as a target test machine user;
and counting the number of target test machine users, and generating the test behavior recognition result according to the number of target test machine users.
A10, the method for identifying the testing behavior of the APT attack as described in A9, wherein the step of counting the number of target test machine users and generating the test behavior recognition result according to the number of target test machine users specifically includes:
counting the number of target test machine users and the number of target virtual machine users, and determining a test machine user ratio according to the number of target test machine users and the number of target virtual machine users;
judging whether the test machine user ratio is greater than a preset ratio to obtain a judgment result;
and generating the test behavior recognition result according to the judgment result.
A11, the method for identifying the testing behavior of the APT attack as described in A10, wherein after the step of judging whether the test machine user ratio is greater than the preset ratio to obtain the judgment result, the method further includes:
when the test machine user ratio is greater than the preset ratio, generating a reminding strategy according to the test machine user ratio;
and generating reminding information according to the reminding strategy, and sending the reminding information to a preset client.
A12, the method for identifying the testing behavior of the APT attack as described in any one of A1 to A11, wherein after the step of generating the test behavior recognition result according to the virtual machine user characteristic information, the method further includes:
determining a target display template according to the virtual machine user characteristic information;
and displaying the test behavior recognition result based on the target display template.
B13, an APT attack test behavior recognition device, comprising: a memory, a processor, and an APT attack test behavior recognition program stored on the memory and executable on the processor, wherein the APT attack test behavior recognition program, when executed by the processor, implements the steps of the APT attack test behavior recognition method.
C14, a storage medium, wherein an APT attack test behavior recognition program is stored on the storage medium, and the APT attack test behavior recognition program, when executed by a processor, implements the steps of the APT attack test behavior recognition method.
D15, an APT attack test behavior recognition apparatus, comprising: an acquisition module, a screening module, a searching module and a generating module;
the acquisition module is used for acquiring the current output log and basic attribute information of the IP address to be detected;
the screening module is used for screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address;
the searching module is used for searching a target virtual machine user associated with the target IP address and acquiring virtual machine user characteristic information of the target virtual machine user;
and the generating module is used for generating a test behavior identification result according to the virtual machine user characteristic information.
D16, the APT attack test behavior recognition apparatus as described in D15, wherein the screening module is further configured to judge whether the IP address to be detected is associated with a virtual machine user according to the current output log;
the screening module is further used for taking the IP address to be detected as the IP address to be screened when the IP address to be detected is associated with the virtual machine user;
and the screening module is also used for screening the IP address to be screened according to the basic attribute information to obtain a target IP address.
D17, the APT attack test behavior recognition apparatus as described in D16, wherein the screening module is further configured to extract the basic attribute information to obtain attribution information, service provider information and IP label information;
the screening module is further used for determining a total score of the IP address to be screened according to the attribution information, the service provider information and the IP label information;
and the screening module is also used for screening the IP address to be screened according to the total score to obtain a target IP address.
D18, the APT attack test behavior recognition apparatus as described in D17, wherein the screening module is further configured to generate a basic score of the IP address to be screened according to the attribution information and the service provider information;
the screening module is further configured to generate a correction score of the IP address to be screened according to the IP label information;
and the screening module is further configured to determine the total score of the IP address to be screened according to the basic score and the correction score.
D19, the APT attack test behavior recognition apparatus as described in D18, wherein the screening module is further configured to classify the IP address to be screened according to the attribution information and the service provider information to obtain the category of the IP address to be screened;
the screening module is further configured to search a preset mapping relation table for a basic score corresponding to the category of the IP address to be screened, where the preset mapping relation table includes a corresponding relation between the category of the IP address to be screened and the basic score.
D20, the APT attack test behavior recognition apparatus as described in D18, wherein the screening module is further configured to generate a user portrait of the IP address to be screened according to the IP label information;
and the screening module is further configured to analyze the user portrait of the IP address to be screened based on a preset user portrait analysis model to obtain the correction score of the IP address to be screened.

Claims (10)

1. A method for identifying testing behaviors of APT attacks is characterized by comprising the following steps:
acquiring a current output log and basic attribute information of an IP address to be detected;
screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address;
searching a target virtual machine user associated with the target IP address, and acquiring virtual machine user characteristic information of the target virtual machine user;
and generating a test behavior recognition result according to the virtual machine user characteristic information.
2. The method according to claim 1, wherein the step of screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address specifically includes:
judging whether the IP address to be detected is associated with a virtual machine user or not according to the current output log;
when the IP address to be detected is associated with a virtual machine user, taking the IP address to be detected as the IP address to be screened;
and screening the IP address to be screened according to the basic attribute information to obtain a target IP address.
3. The method for identifying the testing behavior of the APT attack according to claim 2, wherein the step of screening the IP address to be screened according to the basic attribute information to obtain the target IP address specifically includes:
extracting the basic attribute information to obtain attribution information, service provider information and IP label information;
determining a total score of the IP address to be screened according to the attribution information, the service provider information and the IP label information;
and screening the IP address to be screened according to the total score to obtain a target IP address.
4. The method according to claim 3, wherein the step of determining the total score of the to-be-screened IP address according to the attribution information, the service provider information, and the IP tag information specifically includes:
generating a basic score of the IP address to be screened according to the attribution information and the service provider information;
generating a correction score of the IP address to be screened according to the IP label information;
and determining the total score of the IP address to be screened according to the basic score and the correction score.
5. The method according to claim 4, wherein the step of generating the basic score of the to-be-screened IP address according to the attribution information and the service provider information specifically includes:
classifying the IP address to be screened according to the attribution information and the service provider information to obtain the IP address category to be screened;
and searching a basic score corresponding to the IP address category to be screened in a preset mapping relation table, wherein the preset mapping relation table comprises the corresponding relation between the IP address category to be screened and the basic score.
6. The method according to claim 4, wherein the step of generating the correction score of the to-be-screened IP address according to the IP tag information specifically includes:
generating a user portrait of the IP address to be screened according to the IP label information;
and analyzing the user portrait of the IP address to be screened based on a preset user portrait analysis model to obtain the correction score of the IP address to be screened.
7. The method for identifying the testing behavior of the APT attack according to claim 2, wherein the step of determining whether the IP address to be detected is associated with a virtual machine user according to the current output log specifically includes:
extracting information of the current output log based on a preset information extraction script to obtain configuration environment information;
matching the configuration environment information with preset virtual machine configuration environment information to obtain a configuration environment matching result;
and judging whether the IP address to be detected is associated with the virtual machine user or not according to the configuration environment matching result.
8. An APT attack test behavior recognition device, comprising: a memory, a processor, and an APT attack test behavior recognition program stored on the memory and executable on the processor, wherein the APT attack test behavior recognition program, when executed by the processor, implements the steps of the APT attack test behavior recognition method according to any one of claims 1 to 7.
9. A storage medium, characterized in that the storage medium has stored thereon a test behavior recognition program for APT attack, which when executed by a processor implements the steps of the test behavior recognition method for APT attack according to any one of claims 1 to 7.
10. An apparatus for identifying testing behavior of APT attack, comprising: the device comprises an acquisition module, a screening module, a searching module and a generating module;
the acquisition module is used for acquiring the current output log and basic attribute information of the IP address to be detected;
the screening module is used for screening the IP address to be detected according to the current output log and the basic attribute information to obtain a target IP address;
the searching module is used for searching a target virtual machine user associated with the target IP address and acquiring virtual machine user characteristic information of the target virtual machine user;
and the generating module is used for generating a test behavior identification result according to the virtual machine user characteristic information.
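The screening and recognition procedure of claims 1-7, which restates embodiments A1-A11 above, as an added Python example that is not part of the patent: every preset table, threshold, score weight, log line and IP record below is constructed for illustration, because the patent specifies the role of each table and model but not its contents.

```python
from dataclasses import dataclass, field

# Constructed preset tables: the patent fixes their roles, not their contents.
VM_ENV_SIGNATURES = {"manufacturer": {"vmware", "qemu", "virtualbox"}}
PROVIDER_CATEGORY = {"cloud-a": "datacenter", "isp-b": "residential"}
BASE_SCORE_TABLE = {"datacenter": 3, "residential": 0, "unknown": 1}  # claim 5 mapping table
TAG_WEIGHTS = {"scanner": 2, "proxy": 1, "tor-exit": 2}  # stand-in for the claim 6 portrait model
TEST_FEATURES = {"sandbox-probe", "av-enum", "debugger-check"}  # preset test behaviour features
SCORE_CUTOFF, VM_USER_THRESHOLD, TEST_RATIO = 3, 1, 0.5

@dataclass
class IpRecord:
    ip: str
    current_log: str
    history: list = field(default_factory=list)  # historical output logs (A8)
    attribution: str = ""  # attribution information
    provider: str = ""  # service provider information
    tags: set = field(default_factory=set)  # IP label information
    users: dict = field(default_factory=dict)  # VM user id -> characteristic set

def extract_config_env(log: str) -> dict:
    """Claim 7 extraction step: key=value fields from one client output log."""
    env = {}
    for line in log.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            env[key.strip().lower()] = val.strip().lower()
    return env

def is_vm_associated(log: str) -> bool:
    """Claim 7: match the extracted environment against preset VM environment info."""
    return any(extract_config_env(log).get(k) in vals for k, vals in VM_ENV_SIGNATURES.items())

def vm_user_count(rec: IpRecord) -> int:
    """A8: distinct VM users seen for this IP across historical and current logs."""
    logs = rec.history + [rec.current_log]
    ids = {extract_config_env(log).get("user_id") for log in logs if is_vm_associated(log)}
    return len(ids - {None})

def total_score(rec: IpRecord) -> int:
    """Claims 3-6: basic score from the category table plus a tag-derived correction score."""
    cat = PROVIDER_CATEGORY.get(rec.provider, "unknown") if rec.attribution else "unknown"
    return BASE_SCORE_TABLE[cat] + sum(TAG_WEIGHTS.get(t, 0) for t in rec.tags)

def is_target_ip(rec: IpRecord) -> bool:
    """Claim 2 with A8: VM-associated, enough VM users, and total score at or above the cutoff."""
    return (is_vm_associated(rec.current_log) and vm_user_count(rec) > VM_USER_THRESHOLD
            and total_score(rec) >= SCORE_CUTOFF)

def recognize(records: list) -> dict:
    """A9-A11: match target VM users to test features, compute the tester ratio, decide, remind."""
    targets = [r for r in records if is_target_ip(r)]
    users = {u: f for r in targets for u, f in r.users.items()}
    testers = sorted(u for u, f in users.items() if f & TEST_FEATURES)
    ratio = len(testers) / len(users) if users else 0.0
    reminder = f"tester ratio {ratio:.0%} exceeds {TEST_RATIO:.0%}" if ratio > TEST_RATIO else None
    return {"target_ips": [r.ip for r in targets], "testers": testers,
            "ratio": round(ratio, 2), "test_behavior": reminder is not None, "reminder": reminder}

SAMPLE = [  # constructed input: a cloud VM farm running probe tooling, and a plain ISP host
    IpRecord("203.0.113.10", "manufacturer=VMware\nuser_id=u1", ["manufacturer=QEMU\nuser_id=u2"],
             "cn", "cloud-a", {"scanner"}, {"u1": {"sandbox-probe"}, "u2": {"browse"}, "u3": {"av-enum"}}),
    IpRecord("198.51.100.7", "manufacturer=Dell\nuser_id=u9", [], "cn", "isp-b", set(), {"u9": {"sandbox-probe"}}),
]
```

Calling `recognize(SAMPLE)` keeps only the VM-hosted address as a target IP and flags the tester ratio of its users; the ISP host drops out at the claim 7 check before any score is computed.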

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011275215.6A CN114567449A (en) 2020-11-13 2020-11-13 APT attack test behavior identification method, device, storage medium and device

Publications (1)

Publication Number Publication Date
CN114567449A true CN114567449A (en) 2022-05-31

Family

ID=81711846

Country Status (1)

Country Link
CN (1) CN114567449A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination