CN114780956B - Big data analysis-based tracing system (Google Patents)

Info

Publication number: CN114780956B
Authority: CN (China)
Prior art keywords: central control, module, control module, file, damaged
Legal status: Active
Application number: CN202210703137.8A
Other languages: Chinese (zh)
Other versions: CN114780956A (en)
Inventor: 钟坚
Current assignee: One Thing One Code Data Guangzhou Industrial Co ltd
Original assignee: One Thing One Code Data Guangzhou Industrial Co ltd
Events: application filed by One Thing One Code Data Guangzhou Industrial Co ltd; priority to CN202210703137.8A; publication of CN114780956A; application granted; publication of CN114780956B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L 2463/146 Tracing the source of attacks

Abstract

The invention relates to the technical field of network security, in particular to a tracing system based on big data analysis. The system comprises an acquisition module, a detection module, a processing module, a central control module, a tracing module and a network security protection module. When a terminal is attacked over the network, the central control module scores the attack log and judges from the score whether the log constitutes a network attack; the detection module detects the damage degree and the tampering degree of the files of a terminal judged to have been attacked; and the central control module judges the damage level of the terminal quickly and accurately from the detection result, controls the processing module to repair the damaged files and generate a log database, and controls the tracing module to trace the attack address and send the traced suspected IP address to the network security protection module. The tracing system can quickly and accurately evaluate the actual damage degree of the terminal, so improving the security of the terminal.

Description

Big data analysis-based tracing system
Technical Field
The invention relates to the technical field of network security, in particular to a tracing system based on big data analysis.
Background
A network attack is an attack on a system and its resources that exploits the vulnerabilities and security defects present in a network information system. The threats faced by a network information system come from many sources and may change over time. Broadly, these threats can be classified as human threats and natural threats. Natural threats come from natural disasters, harsh field environments, electromagnetic interference, natural aging of network equipment, and the like; they are purposeless, but can damage the network communication system and compromise communication security. A human threat is a deliberate attack on a network information system that seeks out the system's weaknesses in order to destroy, deceive or steal data in an unauthorized manner. By contrast, well-designed human attacks are difficult to prevent, come in many types and in large numbers.
Currently, tracing is an essential functional module of existing security protection systems. However, as the number of service servers grows and the cost of an attack falls, the volume of data that has to be traced keeps increasing, and it is very difficult for the operation and maintenance personnel of a business department to trace a particular attack event among thousands of collected logs. This not only requires professional operation and maintenance personnel to search manually, causing high labor cost and low tracing efficiency, but also cannot guarantee the accuracy of tracing.
Chinese patent publication No. CN202111615214.6 describes a method comprising the following steps: first, obtaining an access log of a target network service and detecting a first malicious file in the target network service; extracting attacker information of a target attacker; then, determining from the access log and the attacker information the other files accessed by the target attacker and taking them as files to be detected; further, constructing an attacker portrait of the target attacker from the files to be detected, the access log, the first malicious file and the attacker information; and finally, tracing the network attack according to the attacker portrait to obtain a tracing result.
The above solution has the following problem: system security is low because the actual damage degree of the terminal cannot be evaluated quickly after the system has been attacked over the network.
Disclosure of Invention
Therefore, the invention provides a tracing system based on big data analysis, which solves the problem in the prior art of low security caused by the fact that the actual damage degree of a terminal cannot be evaluated quickly after the system has been attacked over the network.
In order to achieve the above object, the present invention provides a tracing system based on big data analysis, including:
an acquisition module, used for acquiring a plurality of attack logs representing attack information in a single preset period;
a detection module, connected to the acquisition module and used for detecting the attack log information input by the acquisition module and counting the number of damaged files and the number of tampered files;
a processing module, connected to the detection module and used for repairing the terminal when the detection module has completed the damage judgment of the terminal, and for generating a log database during the repair;
a central control module, connected to the acquisition module, the detection module and the processing module, and used for judging the nature of the attack logs in a single preset period and judging the damage degree of a single file and the damage degree of the terminal from the detection result;
a tracing module, connected to the central control module and used for tracing the attack address when the detection module judges that the terminal system is damaged, and for sending the traced suspected IP address to the network security protection module;
and a network security protection module, connected to the tracing module and used for screening the suspected IP address traced by the tracing module.
Further, the detection module is provided with a preset attack log score P0. When the central control module judges that the acquisition module has received information, it controls the detection module to score the information acquired by the acquisition module, records the score as P, and judges from P whether the acquisition module has been attacked:
if P is less than P0, the central control module judges that the information is safe and that the acquisition module has not been attacked;
if P is greater than or equal to P0, the central control module judges that the information is risk information and that the acquisition module has been attacked. The central control module then controls the detection module to examine the information in order to determine the attack type and to count the damage degree of the attacked files and the number of damaged files in the terminal, from which the damage level of the terminal is calculated. When the detection module has finished, the central control module controls the processing module to repair the damaged files in the terminal and generate a repair log, and once the repair log has been generated it controls the tracing module to trace the attack address recorded in the log and send the traced suspected IP address to the network security protection module.
Further, a first preset damage rate Sa1 and a second preset damage rate Sa2 are further arranged in the central control module, wherein Sa1 is smaller than Sa2, when the central control module determines that the files in the terminal are damaged in a single period, the central control module controls the detection module to count the number of the damaged files in the terminal system and mark the number as Na, when the detection module completes counting the number of the damaged files in the terminal, the detection module sequentially detects the damage rate of each damaged file, and for a single damaged file, the detection module marks the damage rate of the damaged file as Sa.
If Sa is less than or equal to Sa1, the detection module judges that the file is slightly damaged;
if Sa1 is more than Sa and less than or equal to Sa2, the detection module judges that the file is moderately damaged;
if Sa is greater than Sa2, the detection module judges that the file is seriously damaged;
when the detection module finishes the detection of the damage rate of each damaged file, the ratio of the slightly damaged file number to the total number of damaged files in the terminal is recorded as na1, the ratio of the moderately damaged file number to the total number of damaged files in the terminal is recorded as na2, and the ratio of the heavily damaged file number to the total number of damaged files in the terminal is recorded as na3.
If na1 is greater than or equal to 0.85, the central control module judges that the terminal system is damaged at the first level; it controls the processing module to repair the damaged files in the terminal and establish a repair log, and controls the tracing module to trace the attack address according to the repair log and send the traced suspected IP address to the network security protection module;
if na1 is greater than or equal to 0.5 and less than 0.85 and na2 is greater than 0.3, the central control module judges that the terminal is damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address according to the damage log and send the traced suspected IP address to the network security protection module;
if na1 is greater than or equal to 0.5 and less than 0.85 and na3 is greater than 0.3, the central control module judges that the terminal is damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address according to the damage log and send the traced suspected IP address to the network security protection module;
if na3 is greater than or equal to 0.5, the central control module judges that the terminal is damaged at the fourth level; it controls the processing module to generate a damage log and count the data interaction records of the terminal system in the preset period, and controls the tracing module to trace the attack address according to the statistical result and send the traced suspected IP address to the network security protection module.
Further, the central control module is provided with a first preset damaged file number Na1, a second preset damaged file number Na2, a first preset damage rate correction coefficient α1 and a second preset damage rate correction coefficient α2, where Na1 is smaller than Na2 and 0.98 < α1 < α2 < 1. When the detection module has finished counting the number Na of damaged files in the terminal, the central control module determines from Na whether to correct each preset damage rate Sai (i = 1, 2):
if Na is less than or equal to Na1, the processing module does not modify Sai;
if Na is greater than Na1 and less than or equal to Na2, the central control module corrects Sai using α2;
if Na is greater than Na2, the central control module corrects Sai using α1;
when the central control module corrects Sai using the j-th preset damage rate correction coefficient αj (j = 1, 2), the corrected i-th preset damage rate is recorded as Sai′, where Sai′ = Sai × αj.
Further, a preset tampering rate C0 is also set in the central control module, when the detection module detects that a file in the terminal has a character change, the central control module determines that the file is tampered, the central control module controls the detection module to sequentially count and calculate the proportion of tampered characters in each file to total characters in a corresponding file to determine whether the file is maliciously tampered, and for a single file, the detection module records the proportion of tampered characters in the file to total characters in the file as C.
If C is less than or equal to C0, the central control module preliminarily judges that the file has not been tampered with maliciously, and controls the detection module to count the number of tampered key characters in the file and the total number of key characters in the file in order to make a secondary judgment on whether the file has been tampered with maliciously;
if C is greater than C0, the central control module judges that the file has been tampered with maliciously and records the file;
and when the judgment of whether the tampering of each file in the terminal is malicious has been completed, the central control module controls the detection module to count the number of maliciously tampered files and calculate the ratio nc of the number of maliciously tampered files to the total number of files in the terminal, and the central control module judges from nc whether to update the damage level of the terminal.
Further, the central control module is further provided with a first preset malicious tampering proportion nc1 and a second preset malicious tampering proportion nc2, where nc1 is smaller than nc2. In a single preset period, when the central control module has finished judging, for each file in the terminal, whether its tampering is malicious, the detection module counts and calculates the proportion nc of the number of maliciously tampered files to the total number of files in the terminal:
if nc is less than nc1, the central control module judges that the terminal is damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address according to the damage log and send the traced suspected IP address to the network security protection module;
if nc is greater than or equal to nc1 and less than nc2, the central control module judges that the terminal is damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address according to the damage log and send the traced suspected IP address to the network security protection module;
if nc is greater than or equal to nc2, the central control module judges that the terminal is damaged at the fourth level; it controls the processing module to generate a damage log and count the data interaction records of the terminal system in the preset period, and controls the tracing module to trace the attack address according to the statistical result and send the traced suspected IP address to the network security protection module.
Further, a preset key character tampering rate Ca0 is also set in the central control module, and when the central control module preliminarily determines that tampering of a single file is non-malicious tampering in a single preset period, the central control module controls the detection module to count and calculate a ratio Ca of tampered key characters in the file to total key characters in the file so as to make a secondary determination as to whether tampering of the file is malicious tampering.
If Ca is less than or equal to Ca0, the central control module judges that the file is tampered with in a non-malicious mode, and the processing module backs up the tampered file and restores the file;
if Ca is larger than Ca0, the central control module judges that the tampering of the file is malicious tampering, and the processing module backs up the tampered file and restores the file;
the central control module counts and calculates the proportion nb of the number of non-maliciously tampered files in the terminal to the total number of files in the terminal system when finishing secondary judgment on whether tampering of each file in the terminal is malicious tampering or not, and judges whether to update the damage level of the terminal according to nb; and the central control module controls the tracing module to trace and trace the attack address according to the data interaction record of the file which is subjected to malicious tampering in the preset period and sends the traced suspected IP address to the network safety protection module.
Further, the central control module is provided with a first preset non-malicious tampered file proportion nb1 and a second preset non-malicious tampered file proportion nb2, nb1 is smaller than nb2, and when the central control module finishes primary judgment of the terminal file as non-malicious tampering, the central control module controls the detection module to count and calculate the proportion nb of the number of the non-malicious tampered files in the terminal to the total number of the files in the terminal system.
If nb is less than or equal to nb1, the central control module judges that the terminal system is damaged at the first level; it controls the processing module to repair the damaged files in the terminal and establish a repair log, and controls the tracing module to trace the attack address according to the repair log and send the traced suspected IP address to the network security protection module;
if nb is greater than nb1 and less than or equal to nb2, the central control module judges that the terminal is damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address according to the damage log and send the traced suspected IP address to the network security protection module;
if nb is greater than nb2, the central control module judges that the terminal is damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address according to the damage log and send the traced suspected IP address to the network security protection module.
Further, if the central control module determines that damaged files and tampered files both appear in the terminal in a single preset period, it determines the corresponding damage levels in turn according to the actual damage condition and the actual tampering condition of the files. When the damage level obtained from the damaged files differs from the damage level obtained from the tampered files, the central control module takes the higher damage level as the actual damage level of the terminal, controls the processing module to repair the files in the terminal and generate a repair log, controls the tracing module to trace the attack address according to the log database, and sends the traced suspected IP address to the network security protection module.
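The damage-level rules of the preceding paragraphs (per-file damage rates Sa with the Na-dependent correction of Sa1 and Sa2, the na1/na2/na3 ratios, the two-stage C/Ca tampering test, the nc and nb proportions, and the take-the-higher combination of damage and tampering results) carried through as an added Python example; this is not code from the patent. All preset values except the fixed ratios 0.85, 0.5 and 0.3 are constructed, and two points the text leaves open are handled by labelled assumptions: the nc-based and nb-based tampering levels are each applied only when at least one file of that kind exists and are combined by taking the higher, and ratio mixes that match none of the four damage rules return None rather than a guessed level.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not the patent's code. All preset values are constructed
# sample values; only the fixed ratios 0.85, 0.5 and 0.3 come from the text.
@dataclass
class Presets:
    sa1: float = 0.20      # first preset damage rate Sa1
    sa2: float = 0.60      # second preset damage rate Sa2 (Sa1 < Sa2)
    na1: int = 10          # first preset damaged-file count Na1
    na2: int = 50          # second preset damaged-file count Na2 (Na1 < Na2)
    alpha1: float = 0.985  # correction coefficients, 0.98 < α1 < α2 < 1
    alpha2: float = 0.995
    c0: float = 0.05       # preset tampering rate C0
    ca0: float = 0.10      # preset key-character tampering rate Ca0
    nc1: float = 0.05      # malicious-tampering proportions nc1 < nc2
    nc2: float = 0.20
    nb1: float = 0.10      # non-malicious-tampering proportions nb1 < nb2
    nb2: float = 0.30


@dataclass
class TamperedFile:
    total_chars: int
    tampered_chars: int
    total_key_chars: int
    tampered_key_chars: int


def corrected_rates(p: Presets, na: int):
    """Sai' = Sai x alpha_j, with alpha_j chosen by the damaged-file count Na."""
    if na <= p.na1:
        alpha = 1.0          # Na <= Na1: no correction
    elif na <= p.na2:
        alpha = p.alpha2     # Na1 < Na <= Na2: correct with alpha2
    else:
        alpha = p.alpha1     # Na > Na2: correct with alpha1 (the tighter one)
    return p.sa1 * alpha, p.sa2 * alpha


def damage_level(p: Presets, damage_rates: List[float]) -> Optional[int]:
    """Terminal damage level (1-4) from the per-file damage rates Sa.

    Returns None when no file is damaged, and also when the ratios fall into
    none of the four stated rules (e.g. na1 = 0.6, na2 = 0.2, na3 = 0.2): the
    rules as written are not exhaustive, and this example does not guess.
    """
    na = len(damage_rates)
    if na == 0:
        return None
    sa1, sa2 = corrected_rates(p, na)
    light = sum(1 for sa in damage_rates if sa <= sa1)
    moderate = sum(1 for sa in damage_rates if sa1 < sa <= sa2)
    heavy = na - light - moderate
    n1, n2, n3 = light / na, moderate / na, heavy / na
    if n1 >= 0.85:
        return 1
    if 0.5 <= n1 < 0.85 and n2 > 0.3:
        return 2
    if 0.5 <= n1 < 0.85 and n3 > 0.3:
        return 3
    if n3 >= 0.5:
        return 4
    return None


def is_malicious(p: Presets, f: TamperedFile) -> bool:
    """Two-stage test: overall rate C, then key-character rate Ca if C <= C0."""
    c = f.tampered_chars / f.total_chars
    if c > p.c0:
        return True
    ca = f.tampered_key_chars / f.total_key_chars if f.total_key_chars else 0.0
    return ca > p.ca0


def tamper_level(p: Presets, tampered: List[TamperedFile],
                 total_files: int) -> Optional[int]:
    """Level from the proportions nc (malicious) and nb (non-malicious).

    Assumption: each rule set applies only when at least one file of that
    kind exists, and the two results are combined by taking the higher.
    """
    if not tampered:
        return None
    malicious = sum(1 for f in tampered if is_malicious(p, f))
    benign = len(tampered) - malicious
    nc, nb = malicious / total_files, benign / total_files
    levels = []
    if malicious:
        levels.append(2 if nc < p.nc1 else 3 if nc < p.nc2 else 4)
    if benign:
        levels.append(1 if nb <= p.nb1 else 2 if nb <= p.nb2 else 3)
    return max(levels)


def terminal_level(p: Presets, damage_rates: List[float],
                   tampered: List[TamperedFile], total_files: int) -> Optional[int]:
    """Damaged and tampered files in the same period: take the higher level."""
    found = [lv for lv in (damage_level(p, damage_rates),
                           tamper_level(p, tampered, total_files)) if lv is not None]
    return max(found) if found else None
```

Note that the same per-file mix of damage rates can land on a different level depending only on how many files are damaged, because Sa2 is scaled by α2 or α1 once Na exceeds Na1 or Na2.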
Furthermore, a log database is also arranged in the system, and is respectively connected with the processing module and the tracing module and used for storing log data, wherein the log database comprises repair log data and damaged log data; when the central control module determines the damage level of the terminal when the terminal is damaged, the central control module controls the processing module to generate corresponding log data according to the damage level of the terminal and transmits the log data to the log database, the central control module controls the processing module to repair files in the terminal according to repair logs in the log database, and the central control module controls the source tracing module to trace and trace attack addresses according to the damage logs in the log database and sends the traced suspected IP addresses to the network security protection module.
Compared with the prior art, the system has the advantage that when the terminal is attacked over the network, the central control module can quickly judge from the score of the attack log whether it constitutes a network attack, the detection module detects the damage degree and the tampering degree of the files judged to have been attacked, and the central control module can quickly and accurately judge the damage level of the terminal from the detection result, control the processing module to repair the damaged files and generate the log database, and control the tracing module to trace the attack address and send the traced suspected IP address to the network security protection module. The tracing system can quickly and accurately evaluate the actual damage degree of the terminal, so improving the security of the terminal.
Further, when the detection module detects that the files in the terminal are damaged in a single period, the detection module counts the number of the damaged files and calculates the proportion of the number of the damaged files to the total number of the files in the terminal, and the central control module rapidly judges the damage level of the terminal according to the proportion, so that the judgment efficiency of the damage level of the terminal is improved.
Furthermore, when the central control module judges that the files are damaged in a single period, the central control module corrects the preset damage rate according to the number of the damaged files, and the accuracy of the system for judging the damage level of the terminal is improved.
Further, when the detection module detects that the characters of the file in the terminal change, the central control module judges that the file is tampered, the central control module quickly and accurately judges whether the file is tampered maliciously according to the proportion of the tampered characters to the total number of the characters in the file, the central control module carries out secondary judgment on the file which is preliminarily judged to be not tampered maliciously, and carries out degree judgment on the maliciously-tampered file so as to accurately judge the maliciously-tampered degree, and the high efficiency and the accuracy of the system for judging the file tampering degree are improved.
Further, when the central control module judges that the tampering of the file in a single period is malicious tampering, the central control module counts and calculates the proportion of the number of the maliciously tampered files to the total number of the files in the terminal, and the central control module efficiently and accurately judges the damage grade of the terminal according to the proportion, so that the accuracy of judging the damage degree of the terminal is further improved.
Furthermore, the central control module further detects the number of the key characters subjected to tampering on the file subjected to non-malicious tampering, counts and calculates the proportion of the number of the key characters subjected to tampering to the total number of the characters in the file, and judges whether the file is subjected to malicious tampering or not according to the proportion and judges the damage level of the terminal according to the judgment result, so that the accuracy of judging the damage degree of the terminal is further improved.
Further, if the central control module detects that the terminal file is damaged and tampered simultaneously in a single preset period, the central control module judges the damage condition and the tampered condition of the terminal respectively, and the central control module takes the result with the high damage level as the actual damage level of the terminal, so that the repair feasibility of the damaged terminal file is improved, and the accuracy of judging the damage degree of the terminal is further improved.
Drawings
Fig. 1 is a schematic structural diagram of a tracing system based on big data analysis according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principle of the present invention, and do not limit the scope of the present invention.
Fig. 1 is a flowchart illustrating a tracing system based on big data analysis according to the present invention. The tracing system based on big data analysis comprises:
an acquisition module, used for acquiring a plurality of attack logs representing attack information in a single preset period;
a detection module, connected to the acquisition module and used for detecting the attack log information input by the acquisition module and counting the number of damaged files and the number of tampered files;
a processing module, connected to the detection module and used for repairing the terminal when the detection module has completed the damage judgment of the terminal, and for generating a log database during the repair;
a central control module, connected to the acquisition module, the detection module and the processing module, and used for judging the nature of the attack logs in a single preset period and judging the damage degree of a single file and the damage degree of the terminal from the detection result;
a tracing module, connected to the central control module and used for tracing the attack address when the detection module judges that the terminal system is damaged, and for sending the traced suspected IP address to the network security protection module;
and a network security protection module, connected to the tracing module and used for screening the suspected IP address traced by the tracing module.
Specifically, the detection module is provided with a preset attack log score P0. When the central control module determines that the acquisition module has received information, it controls the detection module to score the information acquired by the acquisition module, records the score as P, and determines from P whether the acquisition module has been attacked:
if P is less than P0, the central control module judges that the information is safe and that the acquisition module has not been attacked;
if P is greater than or equal to P0, the central control module judges that the information is risk information and that the acquisition module has been attacked. The central control module then controls the detection module to examine the information in order to determine the attack type and to count the damage degree of the attacked files and the number of damaged files in the terminal, from which the damage level of the terminal is calculated. When the detection module has finished, the central control module controls the processing module to repair the damaged files in the terminal and generate a repair log, and once the repair log has been generated it controls the tracing module to trace the attack address recorded in the log and send the traced suspected IP address to the network security protection module.
Specifically, the central control module is further provided with a first preset damage rate Sa1 and a second preset damage rate Sa2, where Sa1 < Sa2. When the central control module determines that files in the terminal have been damaged in a single period, it controls the detection module to count the number of damaged files in the terminal system and record it as Na. When the detection module has finished counting the damaged files, it detects the damage rate of each damaged file in turn; for a single damaged file, the detection module records its damage rate as Sa.
If Sa ≤ Sa1, the detection module judges the file to be slightly damaged;
if Sa1 < Sa ≤ Sa2, the detection module judges the file to be moderately damaged;
if Sa > Sa2, the detection module judges the file to be severely damaged;
when the detection module has finished detecting the damage rate of every damaged file, the ratio of slightly damaged files to the total number of damaged files in the terminal is recorded as na1, the ratio of moderately damaged files to the total number of damaged files as na2, and the ratio of severely damaged files to the total number of damaged files as na3.
If na1 ≥ 0.85, the central control module judges the terminal system to be damaged at the first level; it controls the processing module to repair the damaged files in the terminal and establish a repair log, and controls the tracing module to trace the attack address back to its source according to the repair log and send the traced suspected IP address to the network security protection module;
if 0.5 ≤ na1 < 0.85 and na2 > 0.3, the central control module judges the terminal to be damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if 0.5 ≤ na1 < 0.85 and na3 > 0.3, the central control module judges the terminal to be damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if na3 ≥ 0.5, the central control module judges the terminal to be damaged at the fourth level; it controls the processing module to generate a damage log and to count the data interaction records of the terminal system in the preset period, and controls the tracing module to trace the attack address back to its source according to the statistical result and send the traced suspected IP address to the network security protection module.
Specifically, the central control module is provided with a first preset damaged-file count Na1, a second preset damaged-file count Na2, a first preset damage rate correction coefficient α1 and a second preset damage rate correction coefficient α2, where Na1 < Na2 and 0.98 < α1 < α2 < 1. When the detection module has finished counting the number Na of damaged files in the terminal, the central control module determines from Na whether to correct each preset damage rate.
If Na ≤ Na1, the processing module does not modify Sai, where i = 1, 2;
if Na1 < Na ≤ Na2, the central control module corrects Sai using α2;
if Na > Na2, the central control module corrects Sai using α1;
when the central control module corrects Sai using the j-th preset damage rate correction coefficient αj, where j = 1, 2, the corrected i-th preset damage rate is recorded as Sai', with Sai' = Sai × αj.
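The per-file grading, the Na-dependent correction of Sa1 and Sa2, and the four-rule terminal damage level described above, as an added worked example in Python (not the patent's own code). The numeric values of Sa1, Sa2, Na1, Na2, α1 and α2 are not given in the text, so the ones below are constructed sample values that satisfy the stated constraints; the example also shows that the four rules leave some combinations of na1, na2 and na3 without a level.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DamageThresholds:
    """Preset values named in the text; the numbers are constructed assumptions."""
    sa1: float = 0.20      # first preset damage rate Sa1 (assumed)
    sa2: float = 0.60      # second preset damage rate Sa2 (assumed)
    na1: int = 10          # first preset damaged-file count Na1 (assumed)
    na2: int = 50          # second preset damaged-file count Na2 (assumed)
    alpha1: float = 0.985  # first correction coefficient, 0.98 < alpha1
    alpha2: float = 0.995  # second correction coefficient, alpha1 < alpha2 < 1

    def __post_init__(self) -> None:
        # Constraints stated in the text: Sa1 < Sa2, Na1 < Na2, 0.98 < a1 < a2 < 1
        if not (self.sa1 < self.sa2 and self.na1 < self.na2
                and 0.98 < self.alpha1 < self.alpha2 < 1.0):
            raise ValueError("thresholds violate the constraints in the text")


def corrected_rates(th: DamageThresholds, na: int) -> Tuple[float, float]:
    """Return (Sa1', Sa2') after the Na-dependent correction.

    Na <= Na1 -> unchanged; Na1 < Na <= Na2 -> scaled by alpha2; Na > Na2 -> scaled by alpha1.
    More damaged files therefore lowers both thresholds, pushing files into higher grades.
    """
    if na <= th.na1:
        return th.sa1, th.sa2
    alpha = th.alpha2 if na <= th.na2 else th.alpha1
    return th.sa1 * alpha, th.sa2 * alpha


def grade_file(sa: float, sa1: float, sa2: float) -> str:
    """Grade one damaged file by its damage rate Sa against the (corrected) presets."""
    if sa <= sa1:
        return "slight"
    if sa <= sa2:
        return "moderate"
    return "severe"


def damage_ratios(rates: List[float], th: DamageThresholds) -> Tuple[float, float, float]:
    """Compute (na1, na2, na3): shares of slight/moderate/severe files among damaged files."""
    na = len(rates)
    if na == 0:
        return 0.0, 0.0, 0.0
    sa1, sa2 = corrected_rates(th, na)
    grades = [grade_file(sa, sa1, sa2) for sa in rates]
    return (grades.count("slight") / na,
            grades.count("moderate") / na,
            grades.count("severe") / na)


def terminal_damage_level(na1: float, na2: float, na3: float) -> Optional[int]:
    """Apply the four rules in the order the text lists them.

    Returns None when no rule matches: the text leaves combinations uncovered,
    e.g. na1 in [0.5, 0.85) with na2 <= 0.3 and na3 <= 0.3, or na1 < 0.5 with na3 < 0.5.
    """
    if na1 >= 0.85:
        return 1
    if 0.5 <= na1 < 0.85 and na2 > 0.3:
        return 2
    if 0.5 <= na1 < 0.85 and na3 > 0.3:
        return 3
    if na3 >= 0.5:
        return 4
    return None


def assess_terminal(rates: List[float],
                    th: DamageThresholds = DamageThresholds()) -> Optional[int]:
    """Full pipeline for one preset period: per-file rates -> ratios -> terminal level."""
    return terminal_damage_level(*damage_ratios(rates, th))


if __name__ == "__main__":
    # Constructed sample periods (damage rate Sa per damaged file, in [0, 1]).
    print(assess_terminal([0.1] * 18 + [0.4, 0.9]))            # 20 files, na1 = 0.9 -> 1
    print(assess_terminal([0.1, 0.1, 0.1, 0.5, 0.5, 0.9]))      # na1 = 0.5, na2 = 1/3 -> 2
    print(assess_terminal([0.9, 0.9, 0.9, 0.9]))                # na3 = 1.0 -> 4
    print(assess_terminal([0.1] * 6 + [0.4] * 2 + [0.9] * 2))   # na1 = 0.6, na2 = na3 = 0.2 -> None
```

With 60 damaged files the correction lowers Sa1 to 0.197, so a file with Sa = 0.198 is graded moderate where it would be slight in a period with only 5 damaged files.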
Specifically, a preset tampering rate C0 is further set in the central control module. When the detection module detects that a file in the terminal has undergone a character change, the central control module determines that the file has been tampered with, and controls the detection module to count, for each file in turn, the ratio of tampered characters to the total characters in that file in order to determine whether the file has been maliciously tampered with; for a single file, the detection module records the ratio of tampered characters in the file to the total characters in the file as C.
If C ≤ C0, the central control module preliminarily judges the tampering of the file to be non-malicious, and controls the detection module to count the number of tampered key characters in the file and the total number of key characters in the file respectively, so as to make a secondary judgment on whether the file has been maliciously tampered with;
if C > C0, the central control module judges that the file has been maliciously tampered with and records the file;
and when the central control module has determined, for each file in the terminal, whether its tampering is malicious, it controls the detection module to count the number of maliciously tampered files and calculate the ratio nc of the number of maliciously tampered files to the total number of files in the terminal, and the central control module judges from nc whether to update the damage level of the terminal.
Specifically, the central control module is further provided with a first preset malicious tampering proportion nc1 and a second preset malicious tampering proportion nc2, where nc1 < nc2. In a single preset period, when the central control module has determined for each file in the terminal whether its tampering is malicious, the detection module counts and calculates the proportion nc of the number of maliciously tampered files to the total number of files in the terminal.
If nc < nc1, the central control module judges the terminal to be damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if nc1 ≤ nc < nc2, the central control module judges the terminal to be damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if nc ≥ nc2, the central control module judges the terminal to be damaged at the fourth level; it controls the processing module to generate a damage log and to count the data interaction records of the terminal system in the preset period, and controls the tracing module to trace the attack address back to its source according to the statistical result and send the traced suspected IP address to the network security protection module.
Specifically, a preset key-character tampering rate Ca0 is further set in the central control module. When, in a single preset period, the central control module preliminarily determines the tampering of a single file to be non-malicious, it controls the detection module to count and calculate the ratio Ca of tampered key characters in the file to the total key characters in the file, so as to make a secondary determination of whether the tampering of the file is malicious.
If Ca ≤ Ca0, the central control module judges the tampering of the file to be non-malicious, and the processing module backs up the tampered file and restores it;
if Ca > Ca0, the central control module judges the tampering of the file to be malicious, and the processing module backs up the tampered file and restores it;
when the central control module has finished the secondary judgment of whether the tampering of each file in the terminal is malicious, it counts and calculates the proportion nb of the number of non-maliciously tampered files in the terminal to the total number of files in the terminal system, and judges from nb whether to update the damage level of the terminal; and the central control module controls the tracing module to trace the attack address back to its source according to the data interaction records of the maliciously tampered files in the preset period and send the traced suspected IP address to the network security protection module.
Specifically, the central control module is provided with a first preset non-malicious tampered file proportion nb1 and a second preset non-malicious tampered file proportion nb2, where nb1 < nb2. When the central control module has finished the preliminary judgment of which terminal files are non-maliciously tampered, it controls the detection module to count and calculate the proportion nb of the number of non-maliciously tampered files in the terminal to the total number of files in the terminal system.
If nb ≤ nb1, the central control module judges the terminal system to be damaged at the first level; it controls the processing module to repair the damaged files in the terminal and establish a repair log, and controls the tracing module to trace the attack address back to its source according to the repair log and send the traced suspected IP address to the network security protection module;
if nb1 < nb ≤ nb2, the central control module judges the terminal to be damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if nb > nb2, the central control module judges the terminal to be damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module.
Specifically, if the central control module determines that damaged files and tampered files appear in the terminal at the same time in a single preset period, it determines in turn the damage level corresponding to the actual damage condition of the files and the damage level corresponding to the actual tampering condition of the files. When the damage level obtained from the damaged files differs from the damage level obtained from the tampered files, the central control module takes the higher of the two as the actual damage level of the terminal, controls the processing module to repair the files in the terminal and generate a repair log, controls the tracing module to trace the attack address back to its source according to the log database, and sends the traced suspected IP address to the network security protection module.
Specifically, the system is further provided with a log database, which is connected to the processing module and the tracing module respectively and is used to store log data; the log database contains repair log data and damage log data. When the central control module determines the damage level of a damaged terminal, it controls the processing module to generate the corresponding log data according to the damage level of the terminal and transmit it to the log database; the central control module controls the processing module to repair the files in the terminal according to the repair logs in the log database, and controls the tracing module to trace the attack address back to its source according to the damage logs in the log database and send the traced suspected IP address to the network security protection module.
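The two-stage tamper test (C against C0, then Ca against Ca0), the nc- and nb-based terminal levels, and the take-the-higher-level merge rule of the preceding paragraphs, as an added Python example (not the patent's own code). C0, Ca0, nc1, nc2, nb1 and nb2 are constructed sample values; the text does not say how the nc-derived and nb-derived levels combine with each other, so the example takes the higher of the two, which is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TamperThresholds:
    """Preset values named in the text; the numbers are constructed assumptions."""
    c0: float = 0.05   # preset tampering rate C0 (all characters)
    ca0: float = 0.10  # preset key-character tampering rate Ca0
    nc1: float = 0.10  # first preset malicious-tampering proportion nc1
    nc2: float = 0.40  # second preset malicious-tampering proportion nc2 (nc1 < nc2)
    nb1: float = 0.10  # first preset non-malicious-tampering proportion nb1
    nb2: float = 0.40  # second preset non-malicious-tampering proportion nb2 (nb1 < nb2)


@dataclass(frozen=True)
class TamperedFile:
    """Character counts the detection module gathers for one file showing a character change."""
    total_chars: int
    tampered_chars: int
    total_key_chars: int
    tampered_key_chars: int


def is_malicious(f: TamperedFile, th: TamperThresholds) -> bool:
    """Two-stage test: C = tampered/total characters against C0; if C <= C0 the file is
    preliminarily non-malicious and Ca = tampered/total key characters is tested against Ca0."""
    c = f.tampered_chars / f.total_chars
    if c > th.c0:
        return True                  # malicious on the primary test; the file is recorded
    if f.total_key_chars == 0:
        return False                 # no key characters to test: treated as non-malicious (assumption)
    ca = f.tampered_key_chars / f.total_key_chars
    return ca > th.ca0               # the secondary test decides


def level_from_nc(nc: float, th: TamperThresholds) -> int:
    """Terminal level from the malicious-tampering proportion nc (levels 2..4)."""
    if nc < th.nc1:
        return 2
    if nc < th.nc2:
        return 3
    return 4


def level_from_nb(nb: float, th: TamperThresholds) -> int:
    """Terminal level from the non-malicious-tampering proportion nb (levels 1..3)."""
    if nb <= th.nb1:
        return 1
    if nb <= th.nb2:
        return 2
    return 3


def tamper_damage_level(files: List[TamperedFile], total_files: int,
                        th: TamperThresholds = TamperThresholds()) -> Optional[int]:
    """Level implied by the tampering condition of one preset period.

    nc and nb are both taken over the total number of files in the terminal. The higher of
    the nc-derived and nb-derived levels is used (assumption, mirroring the damage/tamper merge).
    """
    if not files or total_files <= 0:
        return None                  # nothing tampered: tampering contributes no level
    malicious = sum(1 for f in files if is_malicious(f, th))
    nc = malicious / total_files
    nb = (len(files) - malicious) / total_files
    return max(level_from_nc(nc, th), level_from_nb(nb, th))


def merge_levels(damage_level: Optional[int], tamper_level: Optional[int]) -> Optional[int]:
    """Merge rule from the text: when both conditions occur and disagree, the higher level wins."""
    present = [lv for lv in (damage_level, tamper_level) if lv is not None]
    return max(present) if present else None


if __name__ == "__main__":
    # Constructed sample: 20 files in the terminal, 3 of them showed a character change.
    changed = [
        TamperedFile(1000, 100, 50, 0),   # C = 0.10 > C0 -> malicious (primary test)
        TamperedFile(1000, 10, 50, 10),   # C = 0.01, Ca = 0.20 > Ca0 -> malicious (secondary)
        TamperedFile(1000, 10, 50, 2),    # C = 0.01, Ca = 0.04 -> non-malicious
    ]
    t_level = tamper_damage_level(changed, total_files=20)  # nc = 0.10 -> 3, nb = 0.05 -> 1
    print(t_level, merge_levels(2, t_level))                # level 3 from tampering; merged 3
```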
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of the present invention is obviously not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. A tracing and source tracing system based on big data analysis, characterized in that it comprises:
an acquisition module, used to acquire a plurality of attack logs representing attack information in a single preset period;
a detection module, connected to the acquisition module and used to detect the attack log information input by the acquisition module and to count and calculate the number of damaged files and the number of tampered files, wherein the detection module is provided with a preset attack-log score P0; when the central control module judges that the acquisition module has received information, the central control module controls the detection module to score the information acquired by the acquisition module, records the score as P, and judges from P whether the acquisition module has been attacked,
if P < P0, the central control module judges the information to be safe information and the acquisition module not to have been attacked;
if P ≥ P0, the central control module judges the information to be risk information and the acquisition module to have been attacked; the central control module controls the detection module to examine the information in order to determine the attack type and to count the damage degree of the attacked files and the number of damaged files in the terminal, from which the damage level of the terminal is calculated; after the detection module finishes detection, the central control module controls the processing module to repair the damaged files in the terminal and generate a repair log, and, once the repair log has been generated, controls the tracing module to trace the attack address in the log back to its source and send the traced suspected IP address to the network security protection module;
a processing module, connected to the detection module and used to repair the terminal when the detection module has finished the damage judgment of the terminal, and to generate a log database during the repair process;
a central control module, connected to the acquisition module, the detection module and the processing module respectively and used to judge the nature of the attack logs in a single preset period and to judge the damage degree of a single file and of the terminal according to the detection result, wherein a first preset damage rate Sa1 and a second preset damage rate Sa2 are further provided in the central control module, Sa1 < Sa2; when the central control module judges that files in the terminal have been damaged in the single period, it controls the detection module to count the number of damaged files in the terminal system and record it as Na; when the detection module has finished counting the damaged files in the terminal, it detects the damage rate of each damaged file in turn, and for a single damaged file records its damage rate as Sa,
if Sa ≤ Sa1, the detection module judges the file to be slightly damaged;
if Sa1 < Sa ≤ Sa2, the detection module judges the file to be moderately damaged;
if Sa > Sa2, the detection module judges the file to be severely damaged;
when the detection module has finished detecting the damage rate of every damaged file, the ratio of slightly damaged files to the total number of damaged files in the terminal is recorded as na1, the ratio of moderately damaged files to the total number of damaged files as na2, and the ratio of severely damaged files to the total number of damaged files as na3,
if na1 ≥ 0.85, the central control module judges the terminal system to be damaged at the first level; it controls the processing module to repair the damaged files in the terminal and establish a repair log, and controls the tracing module to trace the attack address back to its source according to the repair log and send the traced suspected IP address to the network security protection module;
if 0.5 ≤ na1 < 0.85 and na2 > 0.3, the central control module judges the terminal to be damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if 0.5 ≤ na1 < 0.85 and na3 > 0.3, the central control module judges the terminal to be damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if na3 ≥ 0.5, the central control module judges the terminal to be damaged at the fourth level; it controls the processing module to generate a damage log and to count the data interaction records of the terminal system in the preset period, and controls the tracing module to trace the attack address back to its source according to the statistical result and send the traced suspected IP address to the network security protection module;
a source tracing module, connected to the central control module and used, when the detection module judges that the terminal system is damaged, to trace the attack address back to its source and send the traced suspected IP address to the network security protection module;
and a network security protection module, connected to the source tracing module and used to screen the suspected IP addresses traced by the source tracing module.
2. The big data analysis-based tracing and source tracing system according to claim 1, wherein said central control module is provided with a first preset damaged-file count Na1, a second preset damaged-file count Na2, a first preset damage rate correction coefficient α1 and a second preset damage rate correction coefficient α2, where Na1 is greater than Na2, and 0.98 is greater than α1 and less than α2; when said detection module has finished counting the number Na of damaged files in the terminal, said central control module determines from Na whether to correct each preset damage rate Sai,
if Na ≤ Na1, the processing module does not modify Sai, where i = 1, 2;
if Na1 < Na ≤ Na2, the central control module corrects Sai using α2;
if Na > Na2, the central control module corrects Sai using α1;
when the central control module corrects Sai using the j-th preset damage rate correction coefficient αj, where j = 1, 2, the corrected i-th preset damage rate is recorded as Sai', with Sai' = Sai × αj.
3. The big data analysis-based tracing and source tracing system according to claim 1, wherein said central control module is further provided with a preset tampering rate C0; when said detection module detects that a file in the terminal has undergone a character change, the central control module determines that the file has been tampered with, and controls said detection module to count, for each file in turn, the ratio of tampered characters to the total characters in that file in order to determine whether the file has been maliciously tampered with; for a single file, said detection module records the ratio of tampered characters in the file to the total characters in the file as C,
if C ≤ C0, the central control module preliminarily judges the tampering of the file to be non-malicious, and controls the detection module to count the number of tampered key characters in the file and the total number of key characters in the file respectively, so as to make a secondary judgment on whether the file has been maliciously tampered with;
if C > C0, the central control module judges that the file has been maliciously tampered with and records the file;
and when the central control module has determined, for each file in the terminal, whether its tampering is malicious, it controls the detection module to count the number of maliciously tampered files and calculate the ratio nc of the number of maliciously tampered files to the total number of files in the terminal, and the central control module judges from nc whether to update the damage level of the terminal.
4. The big data analysis-based tracing and source tracing system according to claim 3, wherein said central control module is further provided with a first preset malicious tampering proportion nc1 and a second preset malicious tampering proportion nc2, nc1 < nc2; in a single preset period, when said central control module has determined for each file in the terminal whether its tampering is malicious, said detection module counts and calculates the proportion nc of the number of maliciously tampered files to the total number of files in the terminal,
if nc < nc1, the central control module judges the terminal to be damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if nc1 ≤ nc < nc2, the central control module judges the terminal to be damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if nc ≥ nc2, the central control module judges the terminal to be damaged at the fourth level; it controls the processing module to generate a damage log and to count the data interaction records of the terminal system in the preset period, and controls the tracing module to trace the attack address back to its source according to the statistical result and send the traced suspected IP address to the network security protection module.
5. The big data analysis-based tracing and source tracing system according to claim 4, wherein said central control module is further provided with a preset key-character tampering rate Ca0; when, in a single preset period, said central control module preliminarily determines the tampering of a single file to be non-malicious, said central control module controls said detection module to count and calculate the ratio Ca of tampered key characters in said file to the total key characters in said file, so as to make a secondary determination of whether the tampering of said file is malicious,
if Ca ≤ Ca0, the central control module judges the tampering of the file to be non-malicious, and the processing module backs up the tampered file and restores it;
if Ca > Ca0, the central control module judges the tampering of the file to be malicious, and the processing module backs up the tampered file and restores it;
when the central control module has finished the secondary judgment of whether the tampering of each file in the terminal is malicious, it counts and calculates the proportion nb of the number of non-maliciously tampered files in the terminal to the total number of files in the terminal system, and judges from nb whether to update the damage level of the terminal; and the central control module controls the tracing module to trace the attack address back to its source according to the data interaction records of the maliciously tampered files in the preset period and send the traced suspected IP address to the network security protection module.
6. The big data analysis-based tracing and source tracing system according to claim 5, wherein said central control module is provided with a first preset non-malicious tampered file proportion nb1 and a second preset non-malicious tampered file proportion nb2, nb1 < nb2; when said central control module has finished the preliminary judgment of which terminal files are non-maliciously tampered, said central control module controls said detection module to count and calculate the proportion nb of the number of non-maliciously tampered files in the terminal to the total number of files in the terminal system,
if nb ≤ nb1, the central control module judges the terminal system to be damaged at the first level; it controls the processing module to repair the damaged files in the terminal and establish a repair log, and controls the tracing module to trace the attack address back to its source according to the repair log and send the traced suspected IP address to the network security protection module;
if nb1 < nb ≤ nb2, the central control module judges the terminal to be damaged at the second level; it controls the processing module to repair the files of the terminal system and generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module;
if nb > nb2, the central control module judges the terminal to be damaged at the third level; it controls the processing module to generate a damage log, and controls the tracing module to trace the attack address back to its source according to the damage log and send the traced suspected IP address to the network security protection module.
7. The big data analysis-based tracing and source tracing system according to claim 6, wherein, if said central control module determines that damaged files and tampered files are present in said terminal in a single preset period, said central control module determines in turn the damage level corresponding to the actual damage condition of the files and the damage level corresponding to the actual tampering condition of the files; when the damage level obtained from the damaged files differs from the damage level obtained from the tampered files, said central control module takes the higher of the two as the actual damage level of said terminal, controls said processing module to repair the files in the terminal and generate a log, controls said tracing module to trace the attack address back to its source according to a log database, and sends the traced suspected IP address to said network security protection module.
8. The big data analysis-based tracing and source tracing system according to claim 1, wherein said system further comprises a log database, connected to said processing module and said tracing module respectively, for storing log data, the log database comprising repair log data and damage log data;
when the central control module determines the damage level of a damaged terminal, it controls the processing module to generate the corresponding log data according to the damage level of the terminal and transmit it to the log database; the central control module controls the processing module to repair the files in the terminal according to the repair logs in the log database, and controls the source tracing module to trace the attack address back to its source according to the damage logs in the log database and send the traced suspected IP address to the network security protection module.
CN202210703137.8A 2022-06-21 2022-06-21 Big data analysis-based tracing system Active CN114780956B (en)

Publications (2)

Publication Number Publication Date
CN114780956A CN114780956A (en) 2022-07-22
CN114780956B true CN114780956B (en) 2022-10-14

Family

ID=82422005

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210703137.8A Active CN114780956B (en) 2022-06-21 2022-06-21 Big data analysis-based tracing system

Country Status (1)

Country Link
CN (1) CN114780956B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431910A (en) * 2020-03-27 2020-07-17 博智安全科技股份有限公司 Network attack scoring computing system and method
CN114003903A (en) * 2021-12-28 2022-02-01 北京微步在线科技有限公司 Network attack tracing method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105046147B (en) * 2015-06-19 2018-09-04 国家计算机网络与信息安全管理中心 The monitoring method and device of system under fire degree
CN109495423A (en) * 2017-09-11 2019-03-19 网宿科技股份有限公司 A kind of method and system preventing network attack
CN110764969A (en) * 2019-10-25 2020-02-07 新华三信息安全技术有限公司 Network attack tracing method and device
CN113141335B (en) * 2020-01-19 2022-10-28 奇安信科技集团股份有限公司 Network attack detection method and device
CN114143064B (en) * 2021-11-26 2024-06-18 国网四川省电力公司信息通信公司 Multi-source network security alarm event tracing and automatic disposal method and device

Also Published As

Publication number Publication date
CN114780956A (en) 2022-07-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant