CN115664863B - Network attack event processing method, device, storage medium and equipment - Google Patents

Info

Publication number: CN115664863B
Authority: CN (China)
Legal status: Active
Application number: CN202211679280.4A
Other languages: Chinese (zh)
Other versions: CN115664863A (en)
Inventors: 靳肖健, 薛锋, 陈杰, 赵林林, 童兆丰
Current assignee: Beijing ThreatBook Technology Co Ltd
Original assignee: Beijing ThreatBook Technology Co Ltd

Abstract

The embodiments of the present application provide a network attack event processing method, device, storage medium and equipment. In the method, a visual graph is established by taking the process or host where a target attack event occurred as the starting point, and nodes are added according to the calling relationships of the process so that the occurrence process of the whole event is restored; the visual graph is then converted into an abstract data structure, and that data structure is input into an analysis and judgment system storing the data structures of a plurality of predefined network attack events, so as to obtain a judgment result for the target attack event. In this way, the summarization and handling of specific network attack events is enhanced through the visual operation, and, through the joint use of the converted abstract data structure and the analysis and judgment system, the next attack similar to the intrusion event can be effectively defended against.

Description

Network attack event processing method, device, storage medium and equipment
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for processing a network attack event, a storage medium, and an electronic device.
Background
A network attack event is an information security event in which an information system is attacked through a network or other technical means by exploiting its configuration defects, protocol defects or program defects, or by brute force, causing the information system to behave abnormally or posing a potential harm to its current operation. Processing network attack events is a common and effective means of countering network attack behavior.
At present, alerting for network attack events in the related art relies mainly on log-based representation. However, this approach can only automatically determine and handle network attack events whose intrusion method and associated log structure have already been disclosed, or whose intrusion path and associated log structure have been determined in advance by an analyst; it cannot efficiently process specific network attack events that have not yet been analyzed and summarized.
Disclosure of Invention
An objective of the embodiments of the present application is to provide a method, an apparatus, a storage medium, and a device for processing a network attack event, aimed at solving the problem in the related art that specific network attack events which have not been analyzed in an inductive manner cannot be processed efficiently.
In a first aspect, a method for processing a network attack event provided in an embodiment of the present application includes:
a process or a host computer where a target attack event occurs is taken as an initial node, a visual graph of the target attack event is established, and nodes are added in the visual graph according to a calling relationship of the process;
converting the visual graph into a target data structure; the target data structure is an abstract representation of the node information and node association information contained in the visual graph;
inputting the target data structure into an analysis and judgment system to obtain a judgment result aiming at the target attack event; the analysis and judgment system stores a plurality of data structures of predefined network attack events.
In the implementation process, a visual graph is built by taking the process or host where the target attack event occurred as the starting point, nodes are added according to the calling relationships of the process to restore the occurrence process of the whole event, the visual graph is then converted into an abstract data structure, and that data structure is input into an analysis and judgment system storing the data structures of a plurality of predefined network attack events to obtain a judgment result for the target attack event. Therefore, the summarization and handling of specific network attack events is enhanced through the visual operation, and the next attack similar to the intrusion event can be effectively defended against through the joint use of the converted abstract data structure and the analysis and judgment system.
Further, in some embodiments, the method further comprises:
adding nodes in the visual graph according to the external information of the nodes;
the external information is information for each node queried through an external data source.
In the implementation process, the whole event tree can be completed by supplementing external information, so that the occurrence process of the target attack event is reflected.
Further, in some embodiments, adding nodes in the visual graph according to the external information of the nodes includes:
if the current node has corresponding external information, determining the external information as a new node in the visual graph and associating it with the current node.
In the implementation process, the corresponding nodes are completed through linkage with external information, so that the occurrence and development of the whole intrusion event can be accurately restored.
Further, in some embodiments, adding nodes in the visual graph according to the calling relationships of the process includes:
determining the process called by the current node as the next-stage node of the current node.
In the implementation process, nodes are gradually added according to the upper- and lower-level structure of the calls made by the event's processes, so that the occurrence and development of the whole intrusion event can be accurately restored.
Further, in some embodiments, the method further comprises:
generating a traceability page based on the target data structure, wherein the traceability page is used for correcting the visual map; the correction modes are as follows:
adding, including adding new nodes, adding new node information, and adding new node association information;
deleting, including deleting the existing node, deleting the existing node information, and deleting the existing node association information;
modification, including modifying existing node information, modifying existing node association information.
In the implementation process, the traceability page of the entity reflecting the whole intrusion attack process is generated through data backtracking, so that the summarization analysis of system operation and maintenance personnel can be facilitated.
Further, in some embodiments, the node information includes basic information of the nodes, and the node association information includes call, annotation, utilization, access, expected call relationships between the nodes.
In the implementation process, the target attack event is analyzed and processed based on the basic information of the nodes and the calling, annotating, utilizing, accessing and expected calling relations among the nodes, so that the induction processing of the specific network attack event is enhanced.
Further, in some embodiments, the analysis and judgment system is configured to calculate a similarity between the target data structure and a stored data structure; the determination result is a determination score indicating a degree of similarity between the target data structure and a stored data structure;
the method further comprises the steps of:
if the judgment score of the target attack event exceeds a preset threshold, outputting an alarm.
In the implementation process, the analysis and judgment system compares the characteristic similarity degree between the target attack event and the predefined multiple network attack events and outputs the similarity score, so that the combined use of the abstract data structure and the analysis and judgment system is realized, and the next attack similar to the intrusion event can be effectively defended.
In a second aspect, an embodiment of the present application provides a network attack event processing device, where the device includes:
a building module, configured to build a visual graph of a target attack event by taking the process or host where the target attack event occurred as the initial node, and to add nodes to the visual graph according to the calling relationships of the process and external information; the external information is information about each process or host queried from an external data source;
a conversion module, configured to convert the visual graph into a target data structure; the target data structure is an abstract representation of the node information and node association information contained in the visual graph;
an input module, configured to input the target data structure into an analysis and judgment system to obtain a judgment result for the target attack event; the analysis and judgment system stores the data structures of a plurality of predefined network attack events.
In a third aspect, an electronic device provided in an embodiment of the present application includes: a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method according to any one of the first aspects when the computer program is executed.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having instructions stored thereon, which when executed on a computer, cause the computer to perform the method according to any of the first aspects.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a computer, causes the computer to perform the method according to any one of the first aspects.
Additional features and advantages of the disclosure will be set forth in the description which follows, or in part will be obvious from the description, or may be learned by practice of the techniques disclosed herein.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for processing a network attack event according to an embodiment of the present application;
fig. 2 is a schematic diagram of a workflow of an intrusion event tracing analysis scheme according to an embodiment of the present application;
fig. 3 is a block diagram of a network attack event processing device according to an embodiment of the present application;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
As described in the background art, the related art has a problem that specific network attack events which are not analyzed in a generalization manner cannot be efficiently handled. Based on this, the embodiment of the application provides a network attack event processing scheme to solve the problem.
The embodiments of the present application are described below:
Fig. 1 is a flowchart of a network attack event processing method provided in an embodiment of the present application; the method may be applied to a device that needs to defend against network attack events.
The method comprises the following steps:
in step 101, a process or a host computer where a target attack event occurs is taken as an initial node, a visual graph of the target attack event is established, and nodes are added in the visual graph according to a calling relationship of the process;
the target attack event referred to in this step may be an underhandled or an underhandled cyber attack event. The Visualization (Visualization) is a theory, method and technology that uses computer graphics and image processing technology to convert data into graphics or images to be displayed on a screen, and then performs interactive processing. In this embodiment, when the visual map of the target attack event is built, a key processing node is selected as a starting point, where the key processing node may be a process of the target attack event, or may be a host initiating the attack. This starting node may be determined by a monitoring log retrieval system, which is typically used to store a monitoring log, in which a corresponding log record is generated when a process or host is attacked, so that the device may look up and analyze the monitoring log in the monitoring log retrieval system to determine the process or host in which the target attack event occurred.
After the initial node is determined, nodes are added according to the calling relationships of the process, so that the visual graph is gradually completed and a visual graph usable for intrusion tracing, with the processes as its main trunk, is obtained. In some embodiments this may include: determining the process called by the current node as the next-stage node of the current node. That is, with the attacked host or the process as the starting node, nodes are gradually added according to the calling relationships of the process. For example, if the key processes running on the attacked host are process 1 and process 2, then process 1 and process 2 become the next nodes of the starting node; process 3, called by process 1, becomes the next node of process 1; process 4, called by process 2, becomes the next node of process 2; and so on. In this way, nodes are gradually added according to the upper- and lower-level structure of the calls made by the event's processes, and the occurrence and development of the whole intrusion event can be accurately restored.
In some embodiments, the above method may further comprise: adding nodes in the visual graph according to the external information of the nodes, the external information being information about each node queried through an external data source. The external information is information about each process or host obtained from the external data source, so it can reflect the occurrence process of the target attack event, including important associated auxiliary information. Optionally, the external data source may include at least one of: sandboxes, vulnerability libraries, and cloud scanning engines. That is, the external information may be information obtained from a sandbox, such as the expected attack process and the APIs (Application Programming Interfaces) it calls; vulnerability library information, such as the vulnerability type and hazard level; or cloud scanning information, such as the Trojan family and the external connection IP. By adding this information to the visual graph, the whole event tree can be completed so that the occurrence process of the target attack event is reflected.
Optionally, adding nodes in the visual graph may include: if the current node has corresponding external information, determining the external information as a new node in the visual graph and associating it with the current node. That is, some of the existing process nodes may have auxiliary data that can be queried from the external data source, i.e. corresponding external information; this external information is also determined as a new node and an association is established. For example, if auxiliary data corresponding to the starting node (the attacked host) are found in the vulnerability database, those data are determined as a new node and that node is associated with the starting node. In this way the occurrence and development of the whole intrusion event can be restored even more accurately.
It should be noted that, the aforementioned processes may include normal processes and also abnormal processes; in addition, when the visual map is perfected, the device can receive an editing instruction input by a system operation and maintenance personnel, and perform corresponding editing operation on the visual map. That is, the system operation and maintenance personnel can perform manual intervention on the visual graph, including editing node contents, adding nodes, deleting nodes and the like, so that the visual graph is more accurate by means of adjustment of the system operation and maintenance personnel.
Step 102, converting the visual graph into a target data structure; the target data structure is an abstract representation of the node information and node association information contained in the visual graph.
the method comprises the following steps: after the visual image of the target attack event is perfected, an abstract data structure of the visual image is generated, and data preparation is carried out for subsequent automatic processing. The target data structure mentioned in this step is an abstract representation of Node information and Node association information contained in the visual map, that is, the target data structure may be considered as a data model containing Node data and Link data, where the Node data is data representing nodes contained in the visual map, and the Link data is data representing association relationships between the nodes. The data model reflects the specific structure of similar events, is equivalent to the characteristic index of the network attack event of the type, and has important post application significance.
In some embodiments, the node information mentioned in this step may include basic information of the nodes, and the node association information mentioned in this step may include call, comment, utilization, access, and expected call relationships between the nodes. The basic information of the node may include internal information and external information. The internal information may include host information such as an ID, an IP address, a MAC address, etc. of the host, and process information such as a unique identification of a process (including a process ID, MD5 or SHA256 values of the process), a process name, a command line for calling the process, information indicating whether the process is network-connected and a connection address when the process is network-connected, information indicating whether the process writes a file, a file name when the process is writing a file, a frequency of process timer call, etc. The external information can comprise information searched by a vulnerability database, such as basic information of vulnerability names, threat levels and the like; the information searched by the sandbox can also be included, such as process information of an expected calling process, calling information of an API address and the like; information found by the cloud search engine, such as Trojan names, families, attack types, etc., basic information of the externally connected IP, etc., can also be included. Accordingly, the association information of the process and the external information node may include association relations such as Trojan annotation, vulnerability exploitation, API call, IP access, expected call of the process, and the like. The information can accurately and completely reflect the occurrence process of the target attack event.
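Steps 101 and 102 above (nodes added from the process calling relationships and from external information, then converted to a Node/Link data model), worked through as an added Python example. This is illustration code written for this page, not code from the patent or its applicant; the record layout, the host and process identifiers, the placeholder vulnerability, API and family values, the external IP from the documented test range, and the mapping from external source to relation type are all constructed assumptions.

```python
"""Added example (not the patent's code): build an event graph from
process-call records and external-source lookups, then convert it to the
abstract Node/Link data structure. All records below are constructed."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field

# Constructed monitoring-log records: (caller, callee, command line of callee).
# Host and process identifiers are placeholders, not real observations.
CALL_LOG = [
    ("host-10.0.0.5", "process-1", "cmdline-1 (constructed)"),
    ("host-10.0.0.5", "process-2", "cmdline-2 (constructed)"),
    ("process-1", "process-3", "cmdline-3 (constructed)"),
    ("process-2", "process-4", "cmdline-4 (constructed)"),
    ("process-9", "process-10", "unrelated (constructed)"),  # not reachable from the start node
]

# Constructed external lookups keyed by the node they describe.
EXTERNAL_SOURCES = {
    "vulnerability_library": {"host-10.0.0.5": {"name": "VULN-PLACEHOLDER", "threat_level": "high"}},
    "sandbox": {"process-3": {"expected_api": "API-PLACEHOLDER"}},
    "cloud_scan": {"process-4": {"family": "FAMILY-PLACEHOLDER", "external_ip": "203.0.113.7"}},
}

# Relation type recorded on the edge to each kind of external node (assumed mapping).
RELATION_BY_SOURCE = {
    "vulnerability_library": "vulnerability_exploitation",
    "sandbox": "expected_call",
    "cloud_scan": "trojan_annotation",
}


@dataclass
class Node:
    id: str
    kind: str                 # "host", "process", or the name of the external source
    info: dict = field(default_factory=dict)


@dataclass
class Link:
    source: str
    target: str
    relation: str             # "call" for process calls, else a RELATION_BY_SOURCE value


class EventGraph:
    """The visual graph as a set of nodes plus directed, typed links."""

    def __init__(self, start_id: str, start_kind: str) -> None:
        self.nodes: dict[str, Node] = {start_id: Node(start_id, start_kind)}
        self.links: list[Link] = []

    def add_call_relations(self, call_log) -> None:
        """Step 101: each process called by a node on the graph becomes that
        node's next-stage node. Expands level by level from the start node."""
        frontier = list(self.nodes)
        while frontier:
            next_frontier = []
            for parent in frontier:
                for caller, callee, cmdline in call_log:
                    if caller == parent and callee not in self.nodes:
                        self.nodes[callee] = Node(callee, "process", {"command_line": cmdline})
                        self.links.append(Link(parent, callee, "call"))
                        next_frontier.append(callee)
            frontier = next_frontier

    def add_external_information(self, sources, relation_by_source) -> None:
        """Each external record about a node already on the graph becomes a
        new node, associated with the node it describes."""
        for source, records in sources.items():
            for node_id, info in records.items():
                if node_id not in self.nodes:
                    continue          # only enrich nodes that belong to this event
                ext_id = f"{source}:{node_id}"
                self.nodes[ext_id] = Node(ext_id, source, dict(info))
                self.links.append(Link(node_id, ext_id, relation_by_source[source]))

    def to_data_structure(self) -> dict:
        """Step 102: the abstract Node/Link representation, JSON-serialisable."""
        return {"nodes": [asdict(n) for n in self.nodes.values()],
                "links": [asdict(l) for l in self.links]}


def build_target_structure() -> dict:
    graph = EventGraph("host-10.0.0.5", "host")
    graph.add_call_relations(CALL_LOG)
    graph.add_external_information(EXTERNAL_SOURCES, RELATION_BY_SOURCE)
    return graph.to_data_structure()


if __name__ == "__main__":
    print(json.dumps(build_target_structure(), indent=2))
```

Only processes reachable from the starting node by calling relationships join the graph, so the unrelated `process-9`/`process-10` record is ignored, and external records are attached only to nodes already on the graph, which keeps enrichment from pulling in entities that belong to other events.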
In some embodiments, the target data structure may be a data structure based on a force-directed algorithm. A force-directed algorithm is a graph layout algorithm which generally proceeds as follows: the network data is modelled mechanically, and a stable layout is obtained by running the simulation for a certain time. Specifically, the algorithm computes, for each node, the resultant of the attractive and repulsive forces acting on it, and then moves the node according to that resultant. A data structure based on a force-directed algorithm has good symmetry and local aggregation and can clearly show how closely or sparsely the nodes are related. Therefore, storing the key data of the nodes in the visual graph of the target attack event in a force-directed data structure better reflects the main structure of the target attack event.
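The force-directed layout described above, as an added Python example (not the patent's code): a minimal Fruchterman-Reingold style simulation in which every pair of nodes repels, linked nodes attract, and each node moves along the resultant force until the layout settles. The force laws, the cooling schedule and the circular starting positions are standard choices assumed here, not taken from the page.

```python
"""Added example (not the patent's code): a minimal force-directed layout in
the Fruchterman-Reingold style, showing how the resultant of attractive and
repulsive forces moves each node until the layout settles."""
import math


def force_directed_layout(node_ids, links, iterations=300, area=100.0):
    """Return {node_id: (x, y)}. Deterministic: nodes start on a circle.
    links is an iterable of (a, b) pairs; edges attract, all pairs repel."""
    n = len(node_ids)
    pos = {nid: (10 * math.cos(2 * math.pi * i / n), 10 * math.sin(2 * math.pi * i / n))
           for i, nid in enumerate(node_ids)}
    k = math.sqrt(area / n)       # ideal edge length for the given area
    temperature = 10.0            # caps the displacement per step; cools down
    for _ in range(iterations):
        disp = {nid: [0.0, 0.0] for nid in node_ids}
        # Repulsion between every pair of nodes: f_r = k^2 / d
        for i, a in enumerate(node_ids):
            for b in node_ids[i + 1:]:
                dx, dy = pos[a][0] - pos[b][0], pos[a][1] - pos[b][1]
                d = math.hypot(dx, dy) or 1e-6   # avoid division by zero on overlap
                f = k * k / d
                disp[a][0] += dx / d * f
                disp[a][1] += dy / d * f
                disp[b][0] -= dx / d * f
                disp[b][1] -= dy / d * f
        # Attraction along each link: f_a = d^2 / k
        for a, b in links:
            dx, dy = pos[a][0] - pos[b][0], pos[a][1] - pos[b][1]
            d = math.hypot(dx, dy) or 1e-6
            f = d * d / k
            disp[a][0] -= dx / d * f
            disp[a][1] -= dy / d * f
            disp[b][0] += dx / d * f
            disp[b][1] += dy / d * f
        # Move each node along its resultant force, limited by the temperature
        for nid in node_ids:
            dx, dy = disp[nid]
            mag = math.hypot(dx, dy) or 1e-6
            step = min(mag, temperature)
            pos[nid] = (pos[nid][0] + dx / mag * step, pos[nid][1] + dy / mag * step)
        temperature = max(temperature * 0.95, 0.1)
    return pos


def distance(pos, a, b):
    """Euclidean distance between two laid-out nodes."""
    return math.hypot(pos[a][0] - pos[b][0], pos[a][1] - pos[b][1])


if __name__ == "__main__":
    layout = force_directed_layout(["a", "b", "c"], [("a", "b"), ("b", "c")])
    for nid, (x, y) in layout.items():
        print(f"{nid}: ({x:.2f}, {y:.2f})")
```

Run on a short call chain a → b → c, the two endpoints a and c end up further apart than either linked pair, which is the local-aggregation property the text refers to: closely related nodes cluster, unrelated ones are pushed apart.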
Step 103, inputting the target data structure into an analysis and judgment system to obtain a judgment result aiming at the target attack event; the analysis and judgment system stores a plurality of data structures of predefined network attack events.
The analysis and judgment system referred to in this step may be considered as a tool or module for automating the processing of the target data structure. The analysis judging system stores a plurality of predefined data structures of network attack events, wherein the predefined data structures can be defined by system operation staff according to characteristic indexes of various network attack events, namely, the data structures are prejudged by the system operation staff, and the corresponding network attack events can comprise the existing network attack events or specific network attack events. After the device inputs the target data structure into the analysis and judgment system, the analysis and judgment system can compare the target data structure with the predefined data structures so as to output a judgment result aiming at the target attack event, so that the judgment result can show the threat degree of the target attack event, the device can execute subsequent treatment operation based on the judgment result, and system operation staff can also take corresponding measures based on the judgment result.
In particular, in some embodiments, the analysis and judgment system may be used to calculate the similarity between the target data structure and a stored data structure, the judgment result being a judgment score indicating the degree of similarity between the target data structure and the stored data structure. That is, the analysis and judgment system calculates the similarity between the target data structure and the stored data structure and outputs a judgment score: the higher the score, the greater the likelihood that the host has been subjected to the same intrusion. The similarity between the two data structures may be calculated by a conventional force-directed point-line matching algorithm or by a neural engine graph algorithm; this application does not limit the method. In addition, if the judgment score for the target attack event exceeds a preset threshold, the device may output an alarm. The preset threshold may be set according to the requirements of the specific scenario; when the judgment score exceeds it, the host is most probably encountering the same network attack event, and, because network attacks are often carried out repeatedly, the device outputs an alarm to guard against the next similar network attack event.
Also, the data structure through the visualization operation may be converted into a predefined data structure, that is, when the decision score output by the analysis and judgment system for the target data structure exceeds a preset threshold, the analysis and judgment system may store the target data structure, and use the target data structure as a part of the predefined data structure to make a decision on the data structure input later. In addition, in some embodiments, the device may skip the visualization step, directly convert to obtain an abstract data structure based on the process or host computer where the target attack event occurs, the calling relationship of the related process, external information, and the like, and when defending against the next intrusion, the device may be implemented based on a comparison result between the data structure obtained by the direct conversion and a predefined data structure. Therefore, the processing efficiency of the equipment on the next similar intrusion event is effectively improved.
Further, in some embodiments, the above method may further include: generating a traceability page based on the target data structure, wherein the traceability page is used for correcting the visual map; the correction modes are as follows: adding, including adding new nodes, adding new node information, and adding new node association information; deleting, including deleting the existing node, deleting the existing node information, and deleting the existing node association information; modification, including modifying existing node information, modifying existing node association information. That is, besides automation processing, the device can save node information and node association information contained in the visual graph after perfecting the visual graph, and generate a tracing page of an entity reflecting the whole intrusion attack process through data backtracking, so as to facilitate the summary analysis of system operation and maintenance personnel. And the system operation and maintenance personnel can revise the visual graph through the traceability page, including adding and deleting nodes and adding and deleting node information and node associated information, so that after a target attack event occurs, the target attack event is immediately generalized and treated through the embodiment scheme, and then the traceability page is provided for the system operation and maintenance personnel to revise the later stage, thereby optimizing the judgment of the intrusion event. 
When the node association information is added, the system operation staff can also label weights for reflecting the importance degree of the corresponding node association information, for example, the node association information can be divided into three grades of emphasis, ordinary and irrelevant, and the edges corresponding to the node association information of the three grades are respectively represented by solid lines, broken lines and dotted lines on the visual diagram, or the weights of the corresponding edges are represented by different numerical values. Thus, the scoring priority of the corresponding process/information in the analysis and judgment system can be increased, so that the accuracy of the judgment score output by the system is improved.
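The similarity judgment, threshold alarm and feedback of a matched structure into the predefined set (step 103), together with the emphasis/ordinary/irrelevant weights on node association information described just above, as one added Python example. It is not the patent's algorithm: the id-free (source kind, relation, target kind) features, the weighted-overlap score, the 0.7 threshold and the grade-to-weight mapping are assumptions made for illustration, and the predefined and target structures are constructed.

```python
"""Added example (not the patent's code): score a target Node/Link structure
against predefined structures, weight links by the analyst's grade, raise an
alarm above a threshold, and keep the matched structure as a new predefined
one. Structures, grades and the threshold below are constructed."""
from __future__ import annotations

# Constructed grade-to-weight mapping for the emphasis/ordinary/irrelevant grades.
WEIGHT_BY_GRADE = {"emphasis": 1.0, "ordinary": 0.5, "irrelevant": 0.0}


def make_structure(nodes: dict, links: list) -> dict:
    """nodes: {id: kind}; links: (source, target, relation) or (..., grade)."""
    out = {"nodes": [{"id": i, "kind": k} for i, k in nodes.items()], "links": []}
    for link in links:
        entry = {"source": link[0], "target": link[1], "relation": link[2]}
        if len(link) > 3:
            entry["grade"] = link[3]
        out["links"].append(entry)
    return out


def link_features(structure: dict) -> dict:
    """Map each link to an id-free feature (source kind, relation, target kind)
    and the weight of its grade (ordinary when unlabelled). Concrete host and
    process ids differ between incidents; the shape of the event does not."""
    kind = {n["id"]: n["kind"] for n in structure["nodes"]}
    features = {}
    for link in structure["links"]:
        key = (kind.get(link["source"], "unknown"), link["relation"],
               kind.get(link["target"], "unknown"))
        weight = WEIGHT_BY_GRADE[link.get("grade", "ordinary")]
        features[key] = max(features.get(key, 0.0), weight)
    return features


def similarity(target: dict, stored: dict) -> float:
    """Weighted overlap: stored features found in the target count with the
    analyst's weight; features only in the target count as ordinary against it."""
    t, s = link_features(target), link_features(stored)
    matched = sum(w for key, w in s.items() if key in t)
    total = sum(s.values()) + sum(WEIGHT_BY_GRADE["ordinary"] for key in t if key not in s)
    return matched / total if total else 0.0


class AnalysisJudgmentSystem:
    def __init__(self, predefined: list, threshold: float) -> None:
        self.predefined = list(predefined)   # [(name, structure), ...]
        self.threshold = threshold

    def judge(self, target: dict) -> tuple:
        """Return (best matching name, score, alarm). When the score exceeds the
        threshold the target is kept as a new predefined structure, so the next
        similar intrusion is matched against it too."""
        best_name, best_score = None, 0.0
        for name, structure in self.predefined:
            score = similarity(target, structure)
            if score > best_score:
                best_name, best_score = name, score
        alarm = best_score > self.threshold
        if alarm:
            self.predefined.append((f"{best_name}-variant-{len(self.predefined)}", target))
        return best_name, best_score, alarm


# Constructed predefined structures, graded by an analyst.
PATTERN_A = make_structure(
    {"h": "host", "p1": "process", "p2": "process", "sb": "sandbox",
     "cs": "cloud_scan", "vl": "vulnerability_library"},
    [("h", "p1", "call"), ("p1", "p2", "call"),
     ("p2", "sb", "expected_call", "emphasis"),
     ("p2", "cs", "trojan_annotation", "emphasis"),
     ("h", "vl", "vulnerability_exploitation"),
     ("p1", "p2", "access", "irrelevant")],
)
PATTERN_B = make_structure(
    {"h": "host", "p1": "process", "cs": "cloud_scan"},
    [("h", "p1", "call"), ("p1", "cs", "ip_access", "emphasis")],
)

# Constructed target structures with different concrete identifiers.
TARGET_SIMILAR = make_structure(
    {"host-10.0.0.5": "host", "process-1": "process", "process-3": "process",
     "sandbox:process-3": "sandbox", "cloud_scan:process-3": "cloud_scan"},
    [("host-10.0.0.5", "process-1", "call"), ("process-1", "process-3", "call"),
     ("process-3", "sandbox:process-3", "expected_call"),
     ("process-3", "cloud_scan:process-3", "trojan_annotation"),
     ("process-3", "cloud_scan:process-3", "ip_access")],
)
TARGET_BENIGN = make_structure(
    {"host-10.0.0.9": "host", "process-1": "process", "process-2": "process"},
    [("host-10.0.0.9", "process-1", "call"), ("process-1", "process-2", "call")],
)


def demo() -> tuple:
    """Judge a benign-looking event, then a similar one; return both results
    and the size of the predefined set afterwards."""
    system = AnalysisJudgmentSystem([("pattern-A", PATTERN_A), ("pattern-B", PATTERN_B)], threshold=0.7)
    return system.judge(TARGET_BENIGN), system.judge(TARGET_SIMILAR), len(system.predefined)


if __name__ == "__main__":
    print(demo())
```

The score is computed over the kinds of nodes and the relation types between them rather than over concrete host or process identifiers, so an event on a different host with differently numbered processes still matches the stored pattern; irrelevant-graded links contribute nothing and emphasis-graded links twice as much as ordinary ones. Once a target exceeds the threshold it is appended to the predefined set and takes part in every later judgment.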
In addition, the traceability page may be a page in HTML (Hypertext Markup Language) format. In some scenarios the traceability page consists of an alarm list, a process relation part and an event entity part: the alarm list displays the threat situation currently analyzed for the system and assists in judging handling priority; the process relation part displays the visual graph and provides the function of editing it; the event entity part is used to find the directly controllable nodes in the target data structure, to query more detailed logs in depth, and to execute blocking/isolation operations. The aforementioned target data structure may be in JSON format; it may be regarded as the backbone of the visual graph and includes a search ID by which the saved node information and node association information can be looked up, so that, in use, the device can use the target data structure to look up the corresponding node information and node association information and thereby generate the traceability page.
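The HTML traceability page described above (alarm list, process relation, event entity, generated from a JSON target data structure carrying a search ID), as an added Python example that is not the patent's code. The JSON field names and the sample structure and alarm entries are constructed. One point the page does not spell out but a practitioner would insist on: node information such as command lines and file names originates on the attacked host, so every value is HTML-escaped before it is written into the operator's page.

```python
"""Added example (not the patent's code): render an entity traceability page
(alarm list, process relation, event entity) from the JSON target data
structure. Field names and sample data are constructed. Every value is
HTML-escaped because node information such as command lines comes from the
attacked host and must not be able to inject markup into the operator's page."""
import html
import json

# Constructed JSON target data structure; "search_id" is the key used to look
# up the saved node information and node association information.
TARGET_STRUCTURE_JSON = json.dumps({
    "search_id": "EVT-PLACEHOLDER-0001",
    "nodes": [
        {"id": "host-10.0.0.5", "kind": "host", "info": {"ip": "10.0.0.5"}},
        {"id": "process-1", "kind": "process",
         "info": {"command_line": "tool.exe --name \"<b>constructed</b>\""}},
        {"id": "cloud_scan:process-1", "kind": "cloud_scan",
         "info": {"family": "FAMILY-PLACEHOLDER", "external_ip": "203.0.113.7"}},
    ],
    "links": [
        {"source": "host-10.0.0.5", "target": "process-1", "relation": "call"},
        {"source": "process-1", "target": "cloud_scan:process-1", "relation": "trojan_annotation"},
    ],
})

# Constructed alarm list entries, as the analysis and judgment system would emit them.
ALARMS = [
    {"event": "EVT-PLACEHOLDER-0002", "score": 0.31, "priority": "low"},
    {"event": "EVT-PLACEHOLDER-0001", "score": 0.75, "priority": "high"},
]

CONTROLLABLE_KINDS = {"host", "process"}   # entities an operator can block or isolate


def esc(value) -> str:
    """Escape any value (not only strings) before placing it in the page."""
    return html.escape(str(value), quote=True)


def controllable_entities(structure: dict) -> list:
    """Event-entity section: nodes that can be acted on directly (deep log
    query, block/isolate), each carrying the structure's search id."""
    return [{"id": n["id"], "kind": n["kind"], "search_id": structure["search_id"]}
            for n in structure["nodes"] if n["kind"] in CONTROLLABLE_KINDS]


def render_traceability_page(structure_json: str, alarms: list) -> str:
    structure = json.loads(structure_json)
    out = ["<!DOCTYPE html>", "<html><head><meta charset=\"utf-8\">",
           "<title>Traceability page</title></head><body>"]
    # Alarm list, highest score first, to support triage of handling priority.
    out.append("<h2>Alarm list</h2><table><tr><th>Event</th><th>Score</th><th>Priority</th></tr>")
    for a in sorted(alarms, key=lambda a: a["score"], reverse=True):
        out.append(f"<tr><td>{esc(a['event'])}</td><td>{a['score']:.2f}</td>"
                   f"<td>{esc(a['priority'])}</td></tr>")
    out.append("</table>")
    # Process relation: the links of the visual graph, one per line.
    out.append("<h2>Process relation</h2><ul>")
    for l in structure["links"]:
        out.append(f"<li>{esc(l['source'])} &rarr; {esc(l['target'])} ({esc(l['relation'])})</li>")
    out.append("</ul>")
    # Event entity: directly controllable nodes with their node information.
    info = {n["id"]: n.get("info", {}) for n in structure["nodes"]}
    out.append("<h2>Event entity</h2><table><tr><th>Entity</th><th>Kind</th>"
               "<th>Information</th><th>Search ID</th></tr>")
    for e in controllable_entities(structure):
        details = "; ".join(f"{esc(k)}={esc(v)}" for k, v in info[e["id"]].items())
        out.append(f"<tr><td>{esc(e['id'])}</td><td>{esc(e['kind'])}</td>"
                   f"<td>{details}</td><td>{esc(e['search_id'])}</td></tr>")
    out.append("</table></body></html>")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_traceability_page(TARGET_STRUCTURE_JSON, ALARMS))
```

The event entity table carries the search ID alongside each controllable node so that a deeper log query or a blocking/isolation action can be tied back to the saved node information; the external node from the cloud scan appears in the process relation but not as a controllable entity.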
In the embodiments of the present application, a visual graph is built by taking the process or host where the target attack event occurred as the starting point, nodes are added according to the calling relationships of the process to restore the occurrence process of the whole event, the visual graph is then converted into an abstract data structure, and that data structure is input into an analysis and judgment system storing the data structures of a plurality of predefined network attack events to obtain a judgment result for the target attack event. Therefore, the summarization and handling of specific network attack events is enhanced through the visual operation, and the next attack similar to the intrusion event can be effectively defended against through the joint use of the converted abstract data structure and the analysis and judgment system.
For a more detailed description of the solution of the present application, a specific embodiment is described below:
before the embodiment, an alarm mode adopted for network intrusion threat is mainly focused on log-type reflection, logs are combined through an algorithm, and log-associated intrusion events (namely network attack events) are calculated. However, because the event analysis adopts automatic judgment and treatment on the existing intrusion event and the known intrusion event structure, the effective automatic treatment on the latest unknown intrusion threat cannot be effectively generated, and when the unusual intrusion event is encountered, system operation and maintenance personnel lack a timely and rapid means for induction and treatment. Based on this, the present embodiment provides an intrusion event tracing analysis scheme for improving the capability of analyzing and processing network security problems.
The workflow of this scheme is shown in fig. 2, comprising:
S201, establishing a visual graph of the current intrusion event. Specifically, a monitoring log retrieval system and an external information calling system are used to search and analyze the monitoring logs and external information, and this information is added to the visual graph as nodes according to view editing operations (adding, deleting and changing nodes), so that the whole course of the intrusion event is reflected. For example, when an intrusion event occurs that has not been handled automatically, or has been handled automatically only in part, a key processing node is first selected; this node may be the process in which the intrusion event occurred or the host that was first attacked. The intrusion event is created and a new visual graph is started with this processing node as the starting point, so as to restore the intrusion event. Nodes can then be added step by step according to the upper-level and lower-level structures called by the event process in the view processing system, and the corresponding nodes can be completed by linking external data such as vulnerability library information, sandbox information and cloud scanning information, so that the occurrence and development of the whole intrusion event are restored.
S202, generating an abstract data structure. Specifically, after the visual graph of the intrusion event has been recorded, the key data of each node is saved and the force-directed (point-to-point force-directed) data structure is stored. The saved key data includes the ID of the process, the network location of the host, the call frequency of the process timer, the calling relationships before and after the process, the trojan families and external IPs obtained by cloud scanning and killing, the expected attack processes obtained from the sandbox, the APIs called, and so on.
S203, generating an entity traceability page. Specifically, according to the stored key data, the associated data such as the monitoring logs and external information are combined, and an entity tracing page reflecting the whole intrusion attack process is generated by data tracing, which facilitates later correction and analysis.
S204, automatically handling the intrusion event. Specifically, the abstract data structure is sent to a preset analysis and judgment system; the analysis and judgment system compares the abstract data structure with the characteristics of a plurality of predefined intrusion events and outputs a similarity score, where a higher score means a greater probability that the same intrusion has occurred. For example, four process trees, namely process trees A, B, C and D, are stored in the analysis and judgment system, each corresponding to a specific intrusion event. If the abstract data structure converted from the visual graph of the current intrusion event is D1, and the similarity score between D1 and process tree D is 73, which exceeds the preset threshold of 70, this indicates that the current intrusion event is the same specific intrusion event as the one corresponding to process tree D, so a defense system can be used to block that specific intrusion event, thereby effectively defending against the next attack of a similar intrusion event.
The order of S203 and S204 is not fixed.
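The workflow S201 to S204 (and the node-adding rules of claims 2 and 3, the scoring of claim 6) as an added, runnable model; this is example code, not code from the patent or from the applicant. All process telemetry, external information and stored process trees are constructed, and the scoring measure (Jaccard similarity of relation-labelled edges, scaled to 0..100) is an assumption, since the patent only states that a similarity score is produced.

```python
import json

# Constructed process telemetry: (parent_pid, pid, image name). Not from the patent.
PROCESS_LOG = [
    (0, 100, "winword.exe"),
    (100, 101, "cmd.exe"),
    (101, 102, "powershell.exe"),
    (102, 103, "rundll32.exe"),
    (0, 200, "explorer.exe"),  # unrelated process, never reached from the start node
]
# Constructed external information per pid (cloud lookup, sandbox result, ...).
EXTERNAL_INFO = {
    103: [("trojan_family", "FAMILY-PLACEHOLDER"), ("external_ip", "203.0.113.10")],
}
THRESHOLD = 70  # the score threshold used in the patent's worked example


def build_graph(start_pid, process_log, external_info):
    """S201: start from the key process node and add nodes by call relation
    (claim 3) and by external information (claim 2)."""
    children, image_of = {}, {}
    for ppid, pid, image in process_log:
        children.setdefault(ppid, []).append(pid)
        image_of[pid] = image
    nodes, links, stack = {}, [], [start_pid]
    while stack:
        pid = stack.pop()
        node_id = f"proc:{pid}"
        if node_id in nodes:  # guard against cycles in malformed telemetry
            continue
        nodes[node_id] = {"id": node_id, "label": image_of[pid], "pid": pid}
        # claim 2: each item of external information becomes a node of its own
        for kind, value in external_info.get(pid, []):
            ext_id = f"ext:{pid}:{kind}"
            nodes[ext_id] = {"id": ext_id, "label": f"{kind}:{value}"}
            links.append({"source": node_id, "target": ext_id, "relation": "annotation"})
        # claim 3: every process called by this node is its next-level node
        for child in children.get(pid, []):
            links.append({"source": node_id, "target": f"proc:{child}", "relation": "call"})
            stack.append(child)
    return {"nodes": list(nodes.values()), "links": links}


def to_target_structure(graph):
    """S202: serialise the nodes/links structure (the force-directed backbone) as JSON."""
    return json.dumps(graph, sort_keys=True)


def lookup_node(target_json, node_id):
    """S203: the stored structure carries the IDs used to re-fetch node
    information when the traceability page is regenerated."""
    graph = json.loads(target_json)
    return next((n for n in graph["nodes"] if n["id"] == node_id), None)


def edge_signatures(graph):
    """Relation-labelled edges, independent of pids, so two trees can be compared."""
    label = {n["id"]: n["label"] for n in graph["nodes"]}
    return {(e["relation"], label[e["source"]], label[e["target"]]) for e in graph["links"]}


def similarity_score(graph, stored):
    """S204, assumed measure: Jaccard similarity of edge signatures scaled to 0..100."""
    a, b = edge_signatures(graph), edge_signatures(stored)
    return round(100 * len(a & b) / len(a | b)) if a | b else 0


def judge(graph, stored_trees, threshold=THRESHOLD):
    """Score against every stored tree; claim 6 raises an alarm above the threshold."""
    scores = {name: similarity_score(graph, t) for name, t in stored_trees.items()}
    best = max(scores, key=scores.get)
    return best, scores[best], scores[best] > threshold


# Constructed library of predefined intrusion-event structures (the patent's A..D).
STORED_TREES = {
    "A": build_graph(1, [(0, 1, "explorer.exe"), (1, 2, "notepad.exe")], {}),
    "B": build_graph(1, [(0, 1, "winword.exe"), (1, 2, "cmd.exe"),
                         (2, 3, "powershell.exe"), (3, 4, "mshta.exe")], {}),
    "D": build_graph(1, [(0, 1, "winword.exe"), (1, 2, "cmd.exe"),
                         (2, 3, "powershell.exe"), (3, 4, "rundll32.exe")],
                     {4: [("trojan_family", "FAMILY-PLACEHOLDER")]}),
}
```

Running `judge(build_graph(100, PROCESS_LOG, EXTERNAL_INFO), STORED_TREES)` selects tree D with a score of 80, above the threshold of 70, while the partially overlapping tree B scores only 33.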
From the above, the embodiment of the application strengthens the summarizing and handling of specific intrusion events through visual operation and external data supplementation, and has at least the following advantages: first, the monitoring logs are integrated with external information by means of visual operation, so that operation and maintenance personnel can conveniently deduce and restore the arrangement of the current intrusion event; second, the converted abstract data structure carries the association relationships of the event processes together with the important external information, reflects the specific structure of events of this kind, is equivalent to a characteristic index of that type of intrusion event, and is of considerable value for later application; third, the converted abstract data structure is used in combination with an automatic defense system, so that the next attack resembling the intrusion event can be defended against effectively; fourth, the converted abstract data structure can be used to display the traceability page again, so that analysts can conveniently summarize it and the rules for judging intrusion events can be optimized.
Corresponding to the foregoing embodiments of the method, the present application further provides embodiments of a network attack event processing device and of a terminal to which the network attack event processing device is applied:
As shown in fig. 3, fig. 3 is a block diagram of a network attack event processing apparatus provided in an embodiment of the present application, where the apparatus includes:
the establishing module 31, configured to establish a visual graph of a target attack event by using the process or host where the target attack event occurs as the initial node, and to add nodes to the visual graph according to the calling relationships of the process and external information; the external information is information about each process or host queried from an external data source;
the conversion module 32, configured to convert the visual graph into a target data structure; the target data structure is an abstract representation of the node information and node association information contained in the visual graph;
the input module 33, configured to input the target data structure into an analysis and judgment system so as to obtain a judgment result for the target attack event; the analysis and judgment system stores the data structures of a plurality of predefined network attack events.
The implementation process of the functions and roles of each module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
The application further provides an electronic device, please refer to fig. 4, and fig. 4 is a block diagram of an electronic device according to an embodiment of the application. The electronic device may include a processor 410, a communication interface 420, a memory 430, and at least one communication bus 440. Wherein the communication bus 440 is used to enable direct connection communication of these components. The communication interface 420 of the electronic device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The processor 410 may be an integrated circuit chip with signal processing capabilities.
The processor 410 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The methods, steps and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general purpose processor may be a microprocessor, or the processor 410 may be any conventional processor or the like.
The memory 430 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and the like. The memory 430 stores computer readable instructions which, when executed by the processor 410, cause the electronic device to perform the steps described above in relation to the method embodiment of fig. 1.
Optionally, the electronic device may further include a storage controller, an input-output unit.
The memory 430, the memory controller, the processor 410, the peripheral interface, and the input/output unit are electrically connected directly or indirectly to each other to realize data transmission or interaction. For example, the elements may be electrically coupled to each other via one or more communication buses 440. The processor 410 is configured to execute executable modules stored in the memory 430, such as software functional modules or computer programs included in the electronic device.
The input-output unit is used to let the user create a task and to set a selectable start period or a preset execution time for the task, so as to realize interaction between the user and the server. The input-output unit may be, but is not limited to, a mouse, a keyboard, and the like.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 4, or have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof.
The embodiment of the application further provides a storage medium on which instructions are stored; when the instructions are run on a computer, the computer program is executed by a processor to implement the method described in the method embodiment. To avoid repetition, no further description is given here.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (9)

1. A method for processing a network attack event, the method comprising:
taking the process or host where a target attack event occurs as the initial node, establishing a visual graph of the target attack event, adding nodes to the visual graph according to the calling relationships of the process, and adding nodes to the visual graph according to the external information of the nodes; the external information is information about each node queried through an external data source;
converting the visual graph into a target data structure; the target data structure is an abstract representation of the node information and node association information contained in the visual graph; the target data structure is a data structure based on a force-directed algorithm;
inputting the target data structure into an analysis and judgment system to obtain a judgment result for the target attack event; the analysis and judgment system stores the data structures of a plurality of predefined network attack events; the analysis and judgment system is used to calculate the similarity between the target data structure and the stored data structures.
2. The method according to claim 1, wherein adding nodes in the visual graph according to the external information of the nodes comprises:
if the current node has corresponding external information, determining that external information as a new node in the visual graph and associating it with the current node.
3. The method according to claim 1, wherein adding nodes to the visual graph according to the calling relationships of the process comprises:
determining the process called by the current node as the next-level node of the current node.
4. The method according to claim 1, wherein the method further comprises:
generating a traceability page based on the target data structure, wherein the traceability page is used for correcting the visual graph; the correction modes are as follows:
adding, including adding new nodes, adding new node information, and adding new node association information;
deleting, including deleting existing nodes, deleting existing node information, and deleting existing node association information;
modifying, including modifying existing node information and modifying existing node association information.
5. The method of claim 1, wherein the node information comprises basic information about the nodes, and the node association information comprises call, annotation, utilization, access and expected-call relationships between nodes.
6. The method of claim 1, wherein the determination result is a determination score indicating a degree of similarity between the target data structure and a stored data structure;
the method further comprises the steps of:
if the judgment score of the target attack event exceeds a preset threshold, outputting an alarm.
7. A network attack event handling apparatus, the apparatus comprising:
an establishing module, used to establish a visual graph of a target attack event by taking the process or host of the target attack event as the initial node, and to add nodes to the visual graph according to the calling relationships of the process and external information; the external information is information about each process or host queried from an external data source;
a conversion module, used to convert the visual graph into a target data structure; the target data structure is an abstract representation of the node information and node association information contained in the visual graph; the target data structure is a data structure based on a force-directed algorithm;
an input module, used to input the target data structure into an analysis and judgment system to obtain a judgment result for the target attack event; the analysis and judgment system stores the data structures of a plurality of predefined network attack events; the analysis and judgment system is used to calculate the similarity between the target data structure and the stored data structures.
8. A computer readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, implements the method according to any of claims 1 to 6.
9. An electronic device, comprising: memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the method according to any one of claims 1 to 6 when the computer program is executed.
CN202211679280.4A 2022-12-27 2022-12-27 Network attack event processing method, device, storage medium and equipment Active CN115664863B (en)
Publications (2)

Publication Number Publication Date
CN115664863A CN115664863A (en) 2023-01-31
CN115664863B true CN115664863B (en) 2023-04-21