CN115022060B - Real-time filtering method and device for network attack - Google Patents


Publication number: CN115022060B
Application number: CN202210664477.4A
Authority: CN (China)
Prior art keywords: log, filtering, processed, network attack, key
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115022060A
Inventor: 张洋
Current assignee: Wuhan Sipuling Technology Co Ltd
Original assignee: Wuhan Sipuling Technology Co Ltd

Events: application filed by Wuhan Sipuling Technology Co Ltd; priority to CN202210664477.4A; publication of CN115022060A; application granted; publication of CN115022060B; legal status active.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1441: Countermeasures against malicious traffic

Abstract

The application provides a real-time filtering method and device for network attacks. The method comprises the following steps: presetting log filtering conditions according to the key steps of the network attack event to be detected, presetting a filtering analysis detection model according to the log filtering flow corresponding to those log filtering conditions, and using the model to filter, analyze and detect each structured behavior log to be processed in real time, obtaining a detection result for each such log. Because the whole process relies on the key steps of the network attack event to be detected, detection is not limited to threat events known in advance: variants of known threats and abnormal traffic can be detected effectively, the abnormal behavior logs generated by the first compromised asset host can be found in real time, further spread of the attack to other asset devices over the local area network can be prevented, and the loss caused by the attack can be greatly reduced.

Description

Real-time filtering method and device for network attack
Technical Field
The present disclosure relates to the field of computer security technologies, and in particular, to a method and an apparatus for filtering network attacks in real time.
Background
With the deep application of new-generation IT technologies such as cloud computing and big data across industries, the IT scale and complexity of government and enterprise institutions keep growing, and so does the volume of data such as network traffic and logs. Meanwhile, network attack and defense are increasingly intense, and attack techniques keep diversifying: cross-site scripting (XSS), cross-site request forgery (CSRF), injection attacks, file upload vulnerabilities, web framework vulnerabilities, and the like. Such attacks are typically hidden within normal use, i.e., the behavior logs they generate are scattered across different types of hosts and buried among other, normal behavior logs. To protect the network effectively, attacks must be detected in time.
Existing network security protection mainly relies on traditional security software and hardware such as firewalls, WAFs (Web Application Firewall, website application level intrusion prevention system) and IPSs (Intrusion Prevention System), which detect network attacks using protection characteristics from the security field and signature detection. However, this detection mode can only detect known threat events and is powerless against variants of threat events or abnormal traffic, so a network attack can spread rapidly among many asset devices through the local area network and cause greater loss.
Disclosure of Invention
The application provides a real-time filtering method and device for network attacks, which solve the technical problem that the existing detection mode can only detect known threat events and is powerless against variants of threat events or abnormal traffic.
In a first aspect, an embodiment of the present application provides a method for filtering network attacks in real time, where the method includes:
acquiring a behavior log generated by each asset of the whole network in real time;
generalizing the behavior log into a structured to-be-processed behavior log;
inputting the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the behavior log to be processed; the filtering analysis detection model is used for executing a log filtering flow corresponding to log filtering conditions, and the log filtering conditions are determined according to key steps of the pre-built network attack event to be detected.
With reference to the first aspect, in an implementation manner of the first aspect, the key steps of the network attack event to be detected are pre-constructed by:
determining an intrusion scenario of the network attack event to be detected by a reverse engineering method, according to security-domain protection characteristics, quantified characteristic structures, and the data characteristics of each behavior log caused by the network attack event to be detected;
extracting the key steps of the network attack event to be detected according to that intrusion scenario.
With reference to the first aspect, in an implementation manner of the first aspect, the filtering analysis detection model is established by:
generating log filtering conditions of a DSL mode according to the key steps of the network attack event to be detected and a preset detection rule;
acquiring an EPL filter statement from the log filtering conditions of the DSL mode;
splitting the key condition in the EPL filter statement into a plurality of key characters by using a word segmentation algorithm;
generating an abstract syntax tree corresponding to the key condition according to the plurality of key characters;
generating a log filtering flow corresponding to the log filtering condition according to the abstract syntax tree;
obtaining a filtering analysis detection model according to the log filtering flow.
With reference to the first aspect, in an implementation manner of the first aspect, the inputting the behavior log to be processed into a pre-constructed filtering analysis detection model to perform log filtering analysis detection, to obtain a detection result of the behavior log to be processed includes:
converting the behavior log to be processed into a KEY-VALUE data structure to obtain converted data;
acquiring a condition to be processed from the converted data;
splitting the condition to be processed into a plurality of characters to be processed by using the word segmentation algorithm;
executing the log filtering flow on the plurality of characters to be processed, and generating a detection result of the behavior log to be processed.
With reference to the first aspect, in an implementation manner of the first aspect, the executing the log filtering process on the plurality of characters to be processed, generating a detection result of the behavior log to be processed includes:
comparing each character to be processed with each key character in sequence;
if all the characters to be processed are completely consistent with all the key characters, generating a result that the behavior log to be processed is an abnormal log caused by the network attack event to be detected.
With reference to the first aspect, in an implementation manner of the first aspect, the method further includes:
if the characters to be processed are not completely consistent with the key characters, generating a result that the behavior log to be processed is a normal log;
discarding the to-be-processed behavior logs whose detection result is a normal log.
With reference to the first aspect, in an implementation manner of the first aspect, acquiring the behavior log generated in real time by each asset in the whole network includes:
acquiring the behavior log generated by each asset of the whole network in real time by using a monitoring network card.
In a second aspect, an embodiment of the present application provides a real-time filtering apparatus for network attack, where the apparatus includes:
the behavior log real-time acquisition module is used for acquiring behavior logs generated by all the assets in the whole network in real time;
the structured processing module is used for generalizing the behavior log into a structured behavior log to be processed;
the filtering analysis detection module is used for inputting the behavior log to be processed into a pre-constructed filtering analysis detection model to carry out log filtering analysis detection so as to obtain a detection result of the behavior log to be processed; the filtering analysis detection model is used for executing a log filtering flow corresponding to log filtering conditions, and the log filtering conditions are determined according to key steps of the pre-built network attack event to be detected.
With reference to the second aspect, in an implementation manner of the second aspect, the key steps of the network attack event to be detected are pre-constructed by the following ways:
determining an intrusion scenario of the network attack event to be detected by a reverse engineering method, according to security-domain protection characteristics, quantified characteristic structures, and the data characteristics of each behavior log caused by the network attack event to be detected;
extracting the key steps of the network attack event to be detected according to that intrusion scenario.
With reference to the second aspect, in an implementation manner of the second aspect, the filtering analysis detection model is established by:
generating log filtering conditions of a DSL mode according to the key steps of the network attack event to be detected and a preset detection rule;
acquiring an EPL filter statement from the log filtering conditions of the DSL mode;
splitting the key condition in the EPL filter statement into a plurality of key characters by using a word segmentation algorithm;
generating an abstract syntax tree corresponding to the key condition according to the plurality of key characters;
generating a log filtering flow corresponding to the log filtering condition according to the abstract syntax tree;
obtaining a filtering analysis detection model according to the log filtering flow.
With reference to the second aspect, in an implementation manner of the second aspect, the filtering analysis detection module includes:
the conversion sub-module is used for converting the behavior log to be processed into a KEY-VALUE data structure to obtain converted data;
a condition acquisition sub-module, configured to acquire a condition to be processed from the converted data;
the word segmentation sub-module is used for splitting the condition to be processed into a plurality of characters to be processed by using the word segmentation algorithm;
the log filtering sub-module is used for executing the log filtering flow on the plurality of characters to be processed and generating a detection result of the behavior log to be processed.
With reference to the second aspect, in an implementation manner of the second aspect, the log filtering submodule is specifically configured to:
comparing each character to be processed with each key character in sequence;
if all the characters to be processed are completely consistent with all the key characters, generating a result that the behavior log to be processed is an abnormal log caused by the network attack event to be detected.
With reference to the second aspect, in an implementation manner of the second aspect, the log filtering submodule is specifically further configured to:
if the characters to be processed are not completely consistent with the key characters, generating a result that the behavior log to be processed is a normal log;
discarding the to-be-processed behavior logs whose detection result is a normal log.
With reference to the second aspect, in one implementation manner of the second aspect, the behavior log real-time acquisition module is specifically configured to:
acquiring the behavior log generated by each asset of the whole network in real time by using a monitoring network card.
In the real-time filtering method, log filtering conditions are determined according to the key steps of a pre-built network attack event to be detected, a filtering analysis detection model is built according to the log filtering flow corresponding to those conditions, and finally each structured log to be processed is filtered, analyzed and detected by the model to obtain its detection result. Because the method relies on the key steps of the network attack event to be detected, detection is not limited to threat events known in advance: variants of threat events and abnormal traffic can be detected effectively, the abnormal behavior logs generated by the first compromised asset host can be found in real time, vulnerabilities can be patched in time, further spread of the attack among asset devices through the local area network is prevented, and the loss caused by the attack is greatly reduced.
Drawings
Fig. 1 is an exemplary schematic diagram of a network attack detectable by a real-time filtering method for network attacks according to an embodiment of the present application;
Fig. 2 is a schematic overall workflow diagram of a real-time filtering method for network attack according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a specific implementation of a log filtering process executed by the filtering analysis detection model according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a real-time filtering device for network attack according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
In order to solve the problem that the existing detection mode can only detect known threat events and is powerless against variant threat events or abnormal traffic, so that network attacks spread rapidly among a plurality of asset devices through the local area network and cause greater loss, the embodiment of the application provides a real-time filtering method for network attacks. The following description of the embodiments is provided by way of example only with reference to the accompanying drawings.
The real-time filtering method for network attacks provided by the embodiment of the application can be used to detect the class of network attacks that cause the behavior characteristics of an asset host to become abnormal. Such attacks usually develop hidden within normal use, and the abnormal behavior logs the asset host generates because of them are usually buried among a large number of other, normal behavior logs. Fig. 1 is an exemplary schematic diagram of a network attack detectable by the method for filtering network attacks in real time according to an embodiment of the present application. In the example shown in FIG. 1, the network attack is a Satan ransomware variant carrying EternalBlue. After the asset host is attacked, it executes the virus parent file st.exe, which then downloads the files ms.exe and client.exe. The file ms.exe is a self-extracting archive; the files blue.exe and star.exe it contains are used to carry out the EternalBlue vulnerability attack. Once that attack succeeds, star.exe loads the payload down64.dll, which is responsible for executing the payload, i.e. downloading and running st.exe. client.exe is the Satan ransomware itself, which encrypts files and displays the ransom note. Each time the attack infects another host found by IP scanning, the steps of downloading and executing st.exe are repeated, so the attack spreads rapidly through the local area network.
In addition, the method for filtering the network attack in real time provided by the embodiment of the application can also be used for detecting other network attacks which can cause the asset host to generate abnormal behavior logs.
Fig. 2 is an overall workflow diagram of a real-time filtering method for network attack according to an embodiment of the present application. As shown in fig. 2, the method for filtering network attack in real time provided in the embodiment of the present application specifically includes the following steps:
S201: obtaining a behavior log generated by each asset of the whole network in real time.
Specifically, a monitoring network card can be used to obtain the behavior log generated by each asset of the whole network in real time. Collection can also be performed by a bypass probe in the local area network; the embodiment of the application does not limit the collection method.
S202: generalizing the behavior log into a structured pending behavior log.
Specifically, unstructured behavior logs collected by the whole network asset devices are generalized into structured behavior log data by using regular expressions, and then the structured behavior log data are sent to a message queue in real time. Wherein the structured behavioral log data is determined as a behavioral log to be processed.
Thus, the behavior log is generalized into the structured to-be-processed behavior log, the data structure is more regular and uniform, and the subsequent further analysis is facilitated.
S203: inputting the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the behavior log to be processed.
The filtering analysis detection model is used for executing a log filtering flow corresponding to log filtering conditions, and the log filtering conditions are determined according to key steps of the pre-built network attack event to be detected.
The following describes a filtering analysis detection model provided in an embodiment of the present application.
Specifically, the key steps of the network attack event to be detected can be pre-constructed by the following ways:
First, an intrusion scenario of the network attack event to be detected is determined by a reverse engineering method, according to security-domain protection characteristics, quantified characteristic structures, and the data characteristics of each behavior log caused by the network attack event to be detected.
Then, the key steps of the network attack event to be detected are extracted according to that intrusion scenario.
Specifically, the network vulnerabilities aimed at by different network attack events are different, so that different network attack events correspond to different intrusion scenarios.
Illustratively, security personnel need to protect against network attack events such as the "Satan ransomware variant carrying EternalBlue" shown in FIG. 1. From the data characteristics of each behavior log caused by the Satan ransomware variant, together with security-domain protection characteristics and quantified characteristic structures, reverse engineering determines that the intrusion scenario of this event is an attack on intranet hosts using the vulnerability MS17-010, which then keeps releasing the virus parent file to infect further hosts. From this intrusion scenario, the key steps of the network attack event to be detected are extracted; they include downloading the virus parent file st.exe, executing st.exe, downloading the file ms.exe and the file client.exe, and the like.
Therefore, the key steps of constructing the network attack event to be detected by adopting the mode can be matched with the network attack event of the same type, namely, whether the network attack event is a known threat event or not, the network attack event can be detected as long as the asset host is caused to generate the same behavior characteristics, so that the network attack event can be timely and accurately detected in the face of attacks such as threat event variation or abnormal traffic.
After the key steps of the network attack event to be detected have been constructed, a filtering analysis detection model can be established by the following steps:
step one, generating log filtering conditions of a DSL mode according to key steps of a network attack event to be detected and preset detection rules.
Illustratively, the log filtering conditions may include three filtering conditions. The data source of the first is the DNS resolution log and its condition is "matches threat intelligence"; in a specific implementation it can be set as log.resolved domain name = threat intelligence host. The data source of the second is the Windows host log and its condition is "create scheduled task"; in a specific implementation, the application name contains mssecsvc2. The data source of the third is the TCP traffic log and its condition is "destination port = 445, 135, 137, 138, 139".
A DSL (Domain Specific Language) is a computer programming language with limited expressiveness, focused on a particular domain or problem. Generating log filtering conditions in DSL mode means generating XML files according to the DSL schema.
Step two, acquiring the EPL filter statement from the log filtering conditions of the DSL mode.
The EPL (Event Processing Language) filter expression is a statement conforming to the SQL-92 standard. The EPL filter statement is the value corresponding to the key labeled method in the XML file. This satisfies the detection system's requirement for efficient real-time identification, and lets security technical service personnel flexibly arrange similar security problems on a rule page.
Illustratively, take the log filtering condition "application name contains mssecsvc2": after the condition is converted to an XML file, its attributes contain the tag <object> <type> <method>select from window (app_name="mssecvc2")</method> </object>, indicating that the object is a filtering semantic object and that what is executable is the content of the method tag, that is, the system-identifiable EPL filter statement select from window (app_name="mssecvc2").
Other attributes in the XML file apart from method are initialized as conventional entity objects.
Because the EPL statement in the method tag is directly recognizable by the system, it does not need to be converted into a Java language object and then into Java bytecode like the other XML objects; the step of compiling a Java source file into an executable bytecode file is skipped, and the EPL filter statement is compiled directly into bytecode, which speeds up construction of the abstract syntax tree. At the same time, virtual calls, forced type conversions and branches in compiling, parsing and executing the program code can be eliminated, so that the Java runtime compiles the bytecode to native code more efficiently.
Step three, splitting the key condition in the EPL filter statement into a plurality of key characters by using a word segmentation algorithm.
The key condition is the content of the query object corresponding to the log filtering condition. For example, if the EPL filter statement in the log filtering condition is select from window (app_name="mssecvc2"), the key condition is the value "mssecvc2" of the query object app_name. Using the word segmentation algorithm, mssecvc2 is split in sequence into the key characters m, s, s, e, c, v, c and 2.
Step four, generating an abstract syntax tree corresponding to the key condition according to the plurality of key characters.
Specifically, an abstract syntax tree (AST) is an abstract representation of the syntactic structure of source code. It represents the syntax of a programming language as a tree in which each node stands for a construct in the source code. The tree does not show every detail of the concrete syntax: nested brackets, for example, are implicit in the tree structure and are not represented as nodes, while a conditional statement such as if-condition-then may be represented by a node with two branches.
In the embodiment of the present application, each key character may be distributed on each node of the abstract syntax tree, or a plurality of key characters may be distributed on the same node, and a binary search tree is established to quickly find data of a matching condition, which is not limited in the embodiment of the present application.
Step five, generating a log filtering flow corresponding to the log filtering condition according to the abstract syntax tree.
Specifically, the log filtering flow compares the key condition in the behavior log to be processed with each key character in sequence.
Step six, obtaining a filtering analysis detection model according to the log filtering flow.
After the filtering analysis detection model has been established by the above steps, the behavior log to be processed is input into the pre-established model for log filtering analysis detection to obtain its detection result; this specifically includes the following steps:
First, the behavior log to be processed is converted into a KEY-VALUE data structure to obtain converted data. The generalized structured log is consumed from the message queue and the whole-network log is converted into a Key-Value structure. This avoids serialization errors on known object attributes when devices across the whole network consume real-time structured log data that carries unknown or newly added attributes, and the code structure need not be modified to redefine object attributes when attributes change, so the design is highly decoupled from the specific business. For example, in the whole-network log of the KEY-VALUE data structure in the message queue, the VALUE corresponding to the KEY labeled method may be expressed by the EPL statement select from Map<Key, Value> where (app_name="mssecvc2").
Second, the condition to be processed is acquired from the converted data.
Specifically, the converted data is the behavior log to be processed in KEY-VALUE form. The condition to be processed is the value corresponding to the query object in that log. Illustratively, if the EPL filter statement is select from window (app_name="mssecvc2"), the query object app_name="a" in the KEY-VALUE behavior log to be processed is the condition to be processed.
Third, the condition to be processed is split into a plurality of characters to be processed by using the word segmentation algorithm.
Fourth, the log filtering flow is executed on the plurality of characters to be processed, and the detection result of the behavior log to be processed is generated.
Specifically, the fourth step may be achieved by:
first, each character to be processed is compared with each key character in turn.
Then, it is judged whether all the characters to be processed are completely consistent with all the key characters.
If they are, a result that the behavior log to be processed is an abnormal log caused by the network attack event to be detected is generated; if they are not, a result that the behavior log to be processed is a normal log is generated.
Finally, the behavior logs to be processed whose detection result is a normal log are discarded.
Fig. 3 is a schematic diagram of a specific implementation of the log filtering flow executed by the filtering analysis detection model according to an embodiment of the present application. As shown in Fig. 3, matching starts from the first node of the statement sequence and proceeds node by node using a pattern-matching algorithm; the data is treated as satisfying the condition only once the last node has been matched. If any character in the middle fails the condition, the query terminates with a return, and data that does not satisfy the condition is discarded and thereby filtered out. The log filtering flow therefore behaves like an if-condition-then conditional jump over the statement sequence. For example, if every element of the EPL statement select <key, value> where (app_name="mssecvc 2") is in the preset format, the flow enters the while branch; otherwise it enters a return branch chosen by the kind of fault. If the element format is incorrect, the return reports that the EPL statement definition is incorrect or that the type or format of the checked field is incorrect; if the Map<Key, Value> in memory contains content that does not conform to the Key-Value data format, the return reports that the data cannot be parsed. After entering while, the EPL statement is first decomposed into a body part and a condition part, for example the body part select from Map<key, value> and the condition part where (app_name="mssecvc 2"), and then the Map data in memory is segmented. In the condition part the judgment is made as a true/false proposition, and a record fails the judgment when it does not satisfy the equality or inequality condition (compare op: noteq).
For data that satisfies the condition, a valid variable (variable name: b) is obtained; for data that does not, the constant value 0 is obtained as a marker that this record did not match. In the body part, a branch (Branch) is required to obtain the valid variable, or the constant, that resulted from the condition. The condition, if-body and else-body are the expressions by which the various conditional structures are obtained for complex scenarios, and they behave consistently with the condition itself. After the result of word segmentation (assignment) matching is obtained by judging the various conditional structures or conditions, n variables result; since a segment may be only a suspected match, the usual practice for a binary operator (Bin op) is to take the best-matching character to ensure accuracy. Finally, the data in the current Map<key, value> in memory is matched, the results for all segments are collected and assembled into the fields to be displayed in the body, and the filtering flow is complete.
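As an added illustration (not code from the patent or its applicant), the following Python sketches the flow of Fig. 3 for the EPL form used above: the statement is decomposed into body and condition parts, the condition is segmented into key characters and built into a flat AST of eq/noteq compares, each KEY-VALUE log is walked node by node with the constant 0 returned on the first miss, and normal logs are discarded. The exact statement grammar, the `and` connector, the `action` field and the sample logs are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Assumed statement shape, following the page's example:
#   select <field>[, <field>] from Map<KEY,VALUE> where (<key> = "<value>" [and <key> != "<value>"])
STMT_RE = re.compile(
    r'^\s*select\s+(?P<body>.+?)\s+from\s+Map\s*<\s*KEY\s*,\s*VALUE\s*>\s*'
    r'where\s*\((?P<cond>.+)\)\s*$',
    re.IGNORECASE,
)
TERM_RE = re.compile(r'\s*(\w+)\s*(!=|=)\s*"([^"]*)"\s*')


@dataclass
class Compare:
    """One AST node: a single key character compared by eq or noteq."""
    key: str
    op: str  # "eq" or "noteq"
    value: str


def split_statement(stmt: str) -> Tuple[List[str], str]:
    """Decompose the EPL statement into its body part (fields to display) and condition part."""
    m = STMT_RE.match(stmt)
    if not m:  # the page's "EPL statement definition is incorrect" return branch
        raise ValueError("EPL statement definition is incorrect")
    body = [f.strip() for f in m.group("body").split(",")]
    return body, m.group("cond")


def build_ast(cond: str) -> List[Compare]:
    """Segment the condition into key characters and build a flat AST (terms joined by and)."""
    nodes = []
    for term in re.split(r"\s+and\s+", cond, flags=re.IGNORECASE):
        m = TERM_RE.fullmatch(term)
        if m is None:
            raise ValueError("EPL statement definition is incorrect")
        key, op, value = m.groups()
        nodes.append(Compare(key, "noteq" if op == "!=" else "eq", value))
    return nodes


def evaluate(nodes: List[Compare], record) -> Union[Dict[str, str], int]:
    """Walk the statement sequence node by node: the first miss terminates with the
    constant 0, a full match returns the valid variable b (the matched key/value pairs)."""
    if not isinstance(record, dict):  # the page's "data cannot be parsed" return branch
        raise ValueError("data cannot be parsed as KEY-VALUE")
    b: Dict[str, str] = {}
    for n in nodes:
        actual = record.get(n.key)  # unknown or newly added attributes never raise; they just miss
        if actual is None:
            return 0
        hit = (actual == n.value) if n.op == "eq" else (actual != n.value)
        if not hit:
            return 0
        b[n.key] = actual
    return b


def filter_logs(stmt: str, records: List[dict]) -> List[dict]:
    """Run the filtering flow: keep abnormal logs with the body fields assembled, drop normal ones."""
    body, cond = split_statement(stmt)
    nodes = build_ast(cond)
    hits = []
    for rec in records:
        if evaluate(nodes, rec) == 0:
            continue  # normal log: discarded
        hits.append({"result": "abnormal", "fields": {k: rec.get(k) for k in body}})
    return hits


# Constructed sample input (not from the patent): the page's example value plus a second term.
SAMPLE_STMT = 'select app_name, host from Map<KEY,VALUE> where (app_name="mssecvc 2" and action!="stop")'
SAMPLE_LOGS = [
    {"app_name": "mssecvc 2", "host": "h1", "action": "start"},                   # abnormal
    {"app_name": "mssecvc 2", "host": "h2", "action": "stop"},                    # noteq fails
    {"app_name": "a", "host": "h3", "action": "start"},                           # eq fails
    {"app_name": "mssecvc 2", "host": "h4", "action": "start", "new_attr": "x"},  # abnormal; extra key ignored
]
```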
In this way, according to the real-time filtering method for network attack provided by the embodiment of the application, the log filtering conditions are determined from the key steps of the pre-constructed network attack event to be detected, the filtering analysis detection model is then built from the log filtering flow corresponding to those conditions, and finally the model is used to perform filtering analysis detection on each structured log to be processed to obtain its detection result. Because detection relies on the key steps of the network attack event to be detected, it is not limited by whether the threat event is known in advance: attacks such as threat event variants or abnormal traffic can be detected effectively, the abnormal behavior log generated by the first attacked asset host can be found in real time, the vulnerability can be repaired promptly, the attack is prevented from spreading further among asset devices over the local area network, and the loss caused by the attack is greatly reduced.
The following are device embodiments of the present application, which may be used to perform method embodiments of the present application. For details not disclosed in the device embodiments of the present application, please refer to the method embodiments of the present application.
Fig. 4 is a schematic structural diagram of a real-time filtering device for network attack according to an embodiment of the present application. As shown in fig. 4, the device provided in the embodiment of the present application has a function of implementing the above-mentioned real-time filtering method of network attack, where the function may be implemented by hardware, or may be implemented by executing corresponding software by hardware. The apparatus may include: the system comprises a behavior log real-time acquisition module 401, a structuring processing module 402 and a filtering analysis detection module 403. Wherein:
and the behavior log real-time acquisition module 401 is used for acquiring the behavior log generated by each asset in real time in the whole network.
The structured processing module 402 is configured to generalize the behavior log into a structured pending behavior log.
The filtering analysis detection module 403 is configured to input the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection, so as to obtain a detection result of the behavior log to be processed. The filtering analysis detection model is used for executing a log filtering flow corresponding to log filtering conditions, and the log filtering conditions are determined according to key steps of the pre-constructed network attack event to be detected.
In one implementation, the key steps to detect a network attack event are pre-constructed by:
Determining the intrusion scenario of the network attack event to be detected by a reverse-engineering method, according to the protection characteristics and the quantification of characteristic structures in the security field together with the data characteristics of each behavior log caused by the network attack event to be detected.
And extracting key steps of the network attack event to be detected according to the intrusion scene of the network attack event to be detected.
In one implementation, the filter analysis detection model is built by:
and generating log filtering conditions of the DSL mode according to the key steps of the network attack event to be detected and preset detection rules.
And acquiring the EPL filter statement from the log filter condition of the DSL mode.
The key condition in the EPL filter statement is split into a plurality of key characters using a word segmentation algorithm.
And generating an abstract syntax tree corresponding to the key condition according to the plurality of key characters.
And generating a log filtering flow corresponding to the log filtering condition according to the abstract syntax tree.
And obtaining a filtering analysis detection model according to the log filtering flow.
In one implementation, the filter analysis detection module 403 includes:
and the conversion sub-module is used for converting the behavior log to be processed into a KEY-VALUE data structure to obtain converted data.
And the condition acquisition sub-module is used for acquiring the condition to be processed from the converted data.
And the word segmentation sub-module is used for splitting the condition to be processed into a plurality of characters to be processed by using a word segmentation algorithm.
The log filtering sub-module is used for executing a log filtering process on the plurality of characters to be processed and generating a detection result of the behavior log to be processed.
In one implementation, the log filtering sub-module is specifically configured to:
and comparing each character to be processed with each key character in sequence.
And if all the characters to be processed are completely consistent with all the key characters, generating a result that the behavior log to be processed is an abnormal log caused by the network attack event to be detected.
In one implementation, the log filtering submodule is specifically further configured to:
and if all the characters to be processed are not completely consistent with all the key characters, generating a result that the behavior log to be processed is a normal log.
And discarding the to-be-processed behavior logs with the detection results of normal logs.
In one implementation, the behavior log real-time acquisition module 401 is specifically configured to:
and acquiring a behavior log generated by each asset of the whole network in real time by using the monitoring network card.
In the real-time filtering device for network attack provided by the embodiment of the application, the log filtering conditions are determined from the key steps of the pre-constructed network attack event to be detected, the filtering analysis detection model is built from the log filtering flow corresponding to those conditions, and finally the model is used to perform filtering analysis detection on each structured log to be processed to obtain its detection result. Because the device relies on the key steps of the network attack event to be detected, detection is not limited by whether the threat event is known in advance: attacks such as threat event variants or abnormal traffic can be detected effectively, the abnormal behavior log generated by the first attacked asset host can be found in real time, the vulnerability can be repaired promptly, the attack is prevented from spreading further among asset devices over the local area network, and the loss caused by the attack is greatly reduced.
The foregoing detailed description has been provided for the purposes of illustration in connection with specific embodiments and exemplary examples, but such description is not to be construed as limiting the application. Those skilled in the art will appreciate that various equivalent substitutions, modifications and improvements may be made to the technical solution of the present application and its embodiments without departing from the spirit and scope of the present application, and these all fall within the scope of the present application. The scope of the application is defined by the appended claims.

Claims (6)

1. A method for filtering network attacks in real time, the method comprising:
acquiring a behavior log generated by each asset of the whole network in real time;
generalizing the behavior log into a structured to-be-processed behavior log;
inputting the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the behavior log to be processed; the filtering analysis detection model is used for executing a log filtering flow corresponding to log filtering conditions, and the log filtering conditions are determined according to key steps of a pre-constructed network attack event to be detected;
the key steps of the network attack event to be detected are pre-constructed in the following way:
determining an intrusion scenario of the network attack event to be detected by using a reverse engineering method according to the protection characteristics and the quantification of the characteristic structures of the security field and the data characteristics of each behavior log caused by the network attack event to be detected;
extracting key steps of the network attack event to be detected according to the intrusion scene of the network attack event to be detected;
the filtering analysis detection model is established by the following steps:
generating log filtering conditions of a DSL mode according to the key steps of the network attack event to be detected and a preset detection rule;
acquiring EPL filter statements from log filter conditions of the DSL mode;
splitting the key conditions in the EPL filter statement into a plurality of key characters by using a word segmentation algorithm;
generating an abstract syntax tree corresponding to the key condition according to the plurality of key characters;
generating a log filtering flow corresponding to the log filtering condition according to the abstract syntax tree;
and obtaining a filtering analysis detection model according to the log filtering flow.
2. The method of claim 1, wherein the inputting the behavior log to be processed into a pre-constructed filtering analysis detection model for log filtering analysis detection to obtain a detection result of the behavior log to be processed comprises:
converting the behavior log to be processed into a KEY-VALUE data structure to obtain converted data;
acquiring a condition to be processed from the converted data;
splitting the condition to be processed into a plurality of characters to be processed by using the word segmentation algorithm;
and executing the log filtering flow on a plurality of characters to be processed, and generating a detection result of the behavior log to be processed.
3. The method of claim 2, wherein the performing the log filtering process on the plurality of characters to be processed to generate the detection result of the behavior log to be processed includes:
comparing each character to be processed with each key character in sequence;
and if all the characters to be processed are completely consistent with all the key characters, generating a result that the behavior log to be processed is an abnormal log caused by the network attack event to be detected.
4. A method according to claim 3, further comprising:
if all the characters to be processed are not completely consistent with all the key characters, generating a result that the behavior log to be processed is a normal log;
and discarding the to-be-processed behavior logs with the detection results of normal logs.
5. The method of claim 1, wherein the obtaining a behavior log generated in real time for each asset across the network comprises:
and acquiring a behavior log generated by each asset of the whole network in real time by using the monitoring network card.
6. A real-time filtering apparatus for network attacks, the apparatus comprising:
the behavior log real-time acquisition module is used for acquiring behavior logs generated by all the assets in the whole network in real time;
the structured processing module is used for generalizing the behavior log into a structured behavior log to be processed;
the filtering analysis detection module is used for inputting the behavior log to be processed into a pre-constructed filtering analysis detection model to carry out log filtering analysis detection so as to obtain a detection result of the behavior log to be processed; the filtering analysis detection model is used for executing a log filtering flow corresponding to log filtering conditions, and the log filtering conditions are determined according to key steps of a pre-constructed network attack event to be detected;
the key steps of the network attack event to be detected are pre-constructed in the following way:
determining an intrusion scenario of the network attack event to be detected by using a reverse engineering method according to the protection characteristics and the quantification of the characteristic structures of the security field and the data characteristics of each behavior log caused by the network attack event to be detected;
extracting key steps of the network attack event to be detected according to the intrusion scene of the network attack event to be detected;
the filtering analysis detection model is established by the following steps:
generating log filtering conditions of a DSL mode according to the key steps of the network attack event to be detected and a preset detection rule;
acquiring EPL filter statements from log filter conditions of the DSL mode;
splitting the key conditions in the EPL filter statement into a plurality of key characters by using a word segmentation algorithm;
generating an abstract syntax tree corresponding to the key condition according to the plurality of key characters;
generating a log filtering flow corresponding to the log filtering condition according to the abstract syntax tree;
and obtaining a filtering analysis detection model according to the log filtering flow.
CN202210664477.4A 2022-06-13 2022-06-13 Real-time filtering method and device for network attack Active CN115022060B (en)


Publications (2)

Publication Number Publication Date
CN115022060A CN115022060A (en) 2022-09-06
CN115022060B true CN115022060B (en) 2024-02-27

Family

ID=83075197


Country Status (1)

Country Link
CN (1) CN115022060B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739647A (en) * 2012-05-23 2012-10-17 国家计算机网络与信息安全管理中心 High-interaction honeypot based network security system and implementation method thereof
CN110808968A (en) * 2019-10-25 2020-02-18 新华三信息安全技术有限公司 Network attack detection method and device, electronic equipment and readable storage medium
CN114172701A (en) * 2021-11-25 2022-03-11 北京天融信网络安全技术有限公司 Knowledge graph-based APT attack detection method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI439095B (en) * 2010-01-22 2014-05-21 Univ Nat Taiwan Science Tech Detection methods and devices of network attack
CN102427416B (en) * 2011-12-12 2014-07-23 东软集团股份有限公司 Distributed event detection method and device
KR20160095856A (en) * 2015-02-04 2016-08-12 한국전자통신연구원 System and method for detecting intrusion intelligently based on automatic detection of new attack type and update of attack type
US11363061B2 (en) * 2019-07-17 2022-06-14 Jayant Shukla Runtime detection of injection attacks on web applications via static and dynamic analysis
US11303653B2 (en) * 2019-08-12 2022-04-12 Bank Of America Corporation Network threat detection and information security using machine learning


Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Zhengpeng Liu; DDoS attack detection scheme based on entropy and PSO-BP neural network in SDN; China Communications; full text *
Cong Meng; Recursive Filtering for Complex Networks Against Random Deception Attacks; 2018 IEEE International Conference on Big Data and Smart Computing (BigComp); 2018-05-28; full text *
姜典宾; Design and implementation of a traffic-based industrial control network attack behavior detection system; China Master's Theses Full-text Database; 2021-04-15; full text *
周颖; 方勇; 黄诚; 刘亮; SQL injection behavior detection for PHP applications; Computer Applications (Issue 01); full text *

Also Published As

Publication number Publication date
CN115022060A (en) 2022-09-06

Similar Documents

Publication Publication Date Title
CN112131882A (en) Multi-source heterogeneous network security knowledge graph construction method and device
US20040205411A1 (en) Method of detecting malicious scripts using code insertion technique
Kasim An ensemble classification-based approach to detect attack level of SQL injections
KR101806118B1 (en) Method and Apparatus for Identifying Vulnerability Information Using Keyword Analysis for Banner of Open Port
WO2017056121A1 (en) Method for the identification and prevention of client-side web attacks
Xu et al. Depcomm: Graph summarization on system audit logs for attack investigation
Fatemi et al. Threat hunting in windows using big security log data
US11423099B2 (en) Classification apparatus, classification method, and classification program
US20230222223A1 (en) Computer-implemented method for testing the cybersecurity of a target environment
US20240054210A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
Amarasinghe et al. AI based cyber threats and vulnerability detection, prevention and prediction system
Khan et al. A dynamic method of detecting malicious scripts using classifiers
Kumar et al. Detection of malware using deep learning techniques
CN115022060B (en) Real-time filtering method and device for network attack
US20230048076A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
Pranav et al. Detection of botnets in IoT networks using graph theory and machine learning
Matsuda et al. Detection of malicious tools by monitoring dll using deep learning
Gupta et al. POND: polishing the execution of nested context-familiar runtime dynamic parsing and sanitisation of XSS worms on online edge servers of fog computing
CN114205146A (en) Processing method and device for multi-source heterogeneous security log
Kalim et al. A Framework for web application vulnerability detection
US20240054215A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
Min et al. The Detection and Defense Mechanism for SQL Injection Attack Based on Web Application
Chia-Mei et al. Research on classification of malware source code
US20230252144A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
US20230252146A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant