CN116015819A - SOAR-based attack behavior response method, device and processing equipment - Google Patents


Info

Publication number: CN116015819A
Authority: CN (China)
Prior art keywords: response; attack behavior; attack; log; alarm information
Legal status: Pending
Application number: CN202211632093.0A
Other languages: Chinese (zh)
Inventor: 聂志杰
Current assignee: Wuhan Sipuling Technology Co Ltd
Original assignee: Wuhan Sipuling Technology Co Ltd
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202211632093.0A
Publication of CN116015819A

Abstract

The application provides a SOAR-based attack behavior response method, attack behavior response device and processing device for responding to network attacks across a large number of devices. A lightweight response architecture is realized while achieving highly automated response, so that a network attack response with both good response efficiency and good response quality can be obtained. The SOAR-based attack behavior response method provided by the application comprises the following steps: acquiring attack behavior alarm information sent by a target security device, where a plurality of security devices including the target security device have been connected to the system in advance; executing a data warehousing operation on the attack behavior alarm information; determining the response operation adapted to the attack behavior alarm information according to a preset alarm information response strategy, where the alarm information response strategy is used to generate different response operations for different attack behavior alarm information; and linking the plurality of security devices to execute the response operation.

Description

SOAR-based attack behavior response method, device and processing equipment
Technical Field
The application relates to the field of information, in particular to a SOAR-based attack behavior response method, attack behavior response device and processing device.
Background
In the traditional process of handling network attacks, staff must monitor the work logs of several security devices at the same time and spend a great deal of time analyzing whether an attack is present; moreover, the same attack appears in work logs from different sources, which further reduces response efficiency.
Even after the effort of identifying the log information that corresponds to a genuine attack, staff still have to manually block the corresponding IP on other processing devices (such as a firewall or a load balancing device).
Clearly, in the prior art, network attack response work involving a large number of devices has a complicated and cumbersome workflow, with obvious shortcomings in both response efficiency and response quality.
Disclosure of Invention
The application provides a SOAR-based attack behavior response method, attack behavior response device and processing device for responding to network attacks across a large number of devices. A lightweight response architecture is realized while achieving highly automated response, so that a network attack response with both good response efficiency and good response quality can be obtained.
In a first aspect, the present application provides a SOAR-based attack behavior response method, where the method includes:
acquiring attack behavior alarm information sent by a target security device, where a plurality of security devices including the target security device have been connected to the system in advance;
executing a data warehousing operation on the attack behavior alarm information;
determining the response operation adapted to the attack behavior alarm information according to a preset alarm information response strategy, where the alarm information response strategy is used to generate different response operations for different attack behavior alarm information;
and linking the plurality of security devices to execute the response operation.
With reference to the first aspect of the present application, in a first possible implementation of the first aspect, acquiring the attack behavior alarm information sent by the target security device includes:
acquiring attack behavior alarm information in log form sent by the target security device.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, acquiring the attack behavior alarm information in log form sent by the target security device includes:
acquiring the attack behavior alarm information in log form sent by the target security device through a preset interface, where the preset interface only passes those attack behavior alarm logs of the connected target security device whose preset field satisfies the configured restriction.
With reference to the first aspect of the present application, in a third possible implementation of the first aspect, executing the data warehousing operation on the attack behavior alarm information includes:
parsing the attack behavior alarm information and converting it into standard attack behavior alarm information in a standard form according to preset standard table structure requirements and standard field value requirements;
and storing the standard attack behavior alarm information in a preset database to complete the data warehousing operation.
With reference to the first aspect of the present application, in a fourth possible implementation of the first aspect, the method further includes:
logically combining, according to a user drag-and-drop operation input on a first visual panel, a data extraction operator, a log filtering operator, a log correlation operator, a sequence analysis operator, a log statistics operator, a threshold comparison operator and an AI intelligent analysis operator to obtain a plurality of data processing scripts;
and configuring the enabled state of each data processing script to obtain the alarm information response strategy, where the enabled state is either off or on, and the enabled data processing scripts are processed in parallel.
With reference to the first aspect of the present application, in a fifth possible implementation of the first aspect, linking the plurality of security devices to execute the response operation includes:
determining at least one security device to execute the response operation;
and linking the determined at least one security device, among the plurality of security devices, to execute the response operation.
With reference to the first aspect of the present application, in a sixth possible implementation of the first aspect, the method further includes:
arranging, according to a user drag-and-drop operation input on a second visual panel, the flow sequence of the determined plurality of security devices;
and linking the plurality of security devices to execute the response operation includes:
linking the plurality of security devices to execute the response operation according to the flow sequence.
In a second aspect, the present application provides a SOAR-based attack behavior response device, the device including:
an acquisition unit, configured to acquire attack behavior alarm information sent by a target security device, where a plurality of security devices including the target security device have been connected to the system in advance;
a warehousing unit, configured to execute a data warehousing operation on the attack behavior alarm information;
a determining unit, configured to determine the response operation adapted to the attack behavior alarm information according to a preset alarm information response strategy, where the alarm information response strategy is used to generate different response operations for different attack behavior alarm information;
and an execution unit, configured to link the plurality of security devices and execute the response operation.
With reference to the second aspect of the present application, in a first possible implementation of the second aspect, the acquisition unit is specifically configured to:
acquire attack behavior alarm information in log form sent by the target security device.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the acquisition unit is specifically configured to:
acquire the attack behavior alarm information in log form sent by the target security device through a preset interface, where the preset interface only passes those attack behavior alarm logs of the connected target security device whose preset field satisfies the configured restriction.
With reference to the second aspect of the present application, in a third possible implementation of the second aspect, the warehousing unit is specifically configured to:
parse the attack behavior alarm information and convert it into standard attack behavior alarm information in a standard form according to preset standard table structure requirements and standard field value requirements;
and store the standard attack behavior alarm information in a preset database to complete the data warehousing operation.
With reference to the second aspect of the present application, in a fourth possible implementation of the second aspect, the device further includes a visualization unit, configured to:
logically combine, according to a user drag-and-drop operation input on a first visual panel, a data extraction operator, a log filtering operator, a log correlation operator, a sequence analysis operator, a log statistics operator, a threshold comparison operator and an AI intelligent analysis operator to obtain a plurality of data processing scripts;
and configure the enabled state of each data processing script to obtain the alarm information response strategy, where the enabled state is either off or on, and the enabled data processing scripts are processed in parallel.
With reference to the second aspect of the present application, in a fifth possible implementation of the second aspect, the execution unit is specifically configured to:
determine at least one security device to execute the response operation;
and link the determined at least one security device, among the plurality of security devices, to execute the response operation.
With reference to the second aspect of the present application, in a sixth possible implementation of the second aspect, the device further includes a visualization unit, configured to:
arrange, according to a user drag-and-drop operation input on a second visual panel, the flow sequence of the determined plurality of security devices;
and the execution unit is specifically configured to:
link the plurality of security devices to execute the response operation according to the flow sequence.
In a third aspect, the present application provides a processing device, comprising a processor and a memory, the memory having stored therein a computer program, the processor executing the method provided by the first aspect of the present application or any one of the possible implementations of the first aspect of the present application when calling the computer program in the memory.
In a fourth aspect, the present application provides a computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method provided in the first aspect of the present application or any one of the possible implementations of the first aspect of the present application.
From the above, the present application has the following advantages:
For network attack response work involving a large number of devices, the present application links a plurality of security devices to achieve highly automated response, and specifically restricts the trigger of an attack response to attack behavior alarm information initiated by the security devices themselves. In the prior art, by contrast, the work logs of the security devices are monitored directly, so that in a multi-device scenario the work logs of every security device must be monitored one by one.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of the SOAR-based attack behavior response method of the present application;
FIG. 2 is a schematic structural diagram of the SOAR-based attack behavior response device of the present application;
FIG. 3 is a schematic structural diagram of the processing device of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules that are expressly listed or inherent to such process, method, article, or apparatus. The naming or numbering of the steps in the present application does not mean that the steps in the method flow must be executed according to the time/logic sequence indicated by the naming or numbering, and the execution sequence of the steps in the flow that are named or numbered may be changed according to the technical purpose to be achieved, so long as the same or similar technical effects can be achieved.
The division of the modules in the present application is a logical division, and may be implemented in another manner in practical application, for example, a plurality of modules may be combined or integrated in another system, or some features may be omitted or not implemented, and in addition, coupling or direct coupling or communication connection between the modules that are shown or discussed may be through some interfaces, and indirect coupling or communication connection between the modules may be in an electrical or other similar form, which is not limited in this application. The modules or sub-modules described as separate components may or may not be physically separate, or may be distributed in a plurality of circuit modules, and some or all of the modules may be selected according to actual needs to achieve the purposes of the present application.
Before introducing the SOAR-based attack behavior response method provided by the application, the background relevant to the application is first introduced.
The SOAR-based attack behavior response method, the SOAR-based attack behavior response device and the computer-readable storage medium can be applied to a processing device and used for responding to network attacks across a large number of devices. A lightweight response architecture is realized while achieving highly automated response, so that a network attack response that balances response efficiency and response quality can be obtained.
The execution subject of the SOAR-based attack behavior response method may be the SOAR-based attack behavior response device itself, or a processing device of any type, such as a server, a physical host or User Equipment (UE), into which the SOAR-based attack behavior response device is integrated. The SOAR-based attack behavior response device may be implemented in hardware or in software; the UE may specifically be a terminal device such as a smartphone, tablet computer, notebook computer, desktop computer or personal digital assistant (PDA); and the processing device may be deployed as a device cluster.
The processing device of the present application may be an independent or dedicated device in the network architecture, for example a control center node, or it may be an existing device in the network architecture that is deployed as a functional service; this can be adjusted according to actual working requirements and application scenarios.
Next, the SOAR-based attack behavior response method provided by the present application is described.
First, referring to FIG. 1, which shows a flow chart of the SOAR-based attack behavior response method, the method provided by the present application may specifically include steps S101 to S104 as follows:
Step S101: acquiring attack behavior alarm information sent by a target security device, where a plurality of security devices including the target security device have been connected to the system in advance;
It will be appreciated that the present application is directed to network security scenarios involving a large number of devices or multiple devices. The security devices (security systems) in the relevant network architecture are typically different types of network nodes, such as firewalls, load balancers, security gateways, intrusion prevention systems, web attack tracing systems and advanced threat detection systems, and existing security systems are typically deployed to monitor for the occurrence of abnormal events.
It can be seen that the attack behavior the application needs to respond to is behavior identified as an attack by the security device itself, that is, attack behavior monitored by the existing security devices.
Thus, when a security device discovers an attack while monitoring data according to its function in the network architecture, it sends attack behavior alarm information to the processing device to report that the monitored attack has occurred.
The attack behavior alarm information describes the behavior information of the attack monitored on this occasion, and may also describe the basis on which it was judged to be an attack.
Correspondingly, the application involves a security system formed from, or joined by, a plurality of security devices, and subsequent attack responses are executed within the scope of that security system.
Connecting a security device to the system may also involve processing that determines its security protection scope and attack response range.
Step S102: executing a data warehousing operation on the attack behavior alarm information;
After attack behavior alarm information sent by one of the security devices connected to the system, namely the target security device, is received, a data storage step may follow, so that attack behavior alarm information sent by different security devices can be collected and processed centrally.
The data storage operation can effectively avoid processing the same attack behavior repeatedly when it is reported by different security devices: repeated attack behaviors within a unit of time only need to be recorded once, so that no repeated response is required afterwards.
Step S103: determining the response operation adapted to the attack behavior alarm information according to a preset alarm information response strategy, where the alarm information response strategy is used to generate different response operations for different attack behavior alarm information;
As for how to respond to an attack, an alarm information response policy may be configured in advance; it may also be understood as an alarm information response rule, whose purpose is to obtain the specific response operation adapted to the current attack behavior alarm information. A second confirmation of the alarm information may also be involved, in which case the specific response operation is only processed once the alarm has been determined to be valid.
Corresponding to the large-number-of-devices and multi-device scenarios addressed by the application, the alarm information response policy is built around multiple devices rather than responding to an attack on a single device as in the prior art: it considers the whole set of devices, not only synchronizing the response to the same attack, or to the same actor behind it, but also adapting the response content to the application functions of the different security devices.
For a simple example, firewall nodes and load balancing nodes have different functions in the network architecture, so the objects they can act on and the ways they act can differ;
in addition, the response content can be configured to match the specific position of a security device in the network architecture;
and for another example, the response content adapted to a security device can be configured according to its importance or its protection capability.
Clearly, across different security network devices, the devices' own characteristics and their characteristics within the network architecture can be combined to build adapted response content, so that in a multi-device scenario the linked response to the current attack behavior is more flexible and accurate.
Step S104: linking the plurality of security devices and executing the response operation.
After determining how the plurality of security devices are to be linked to respond to the current attack behavior, the concrete implementation can be carried out: the specific response operation is executed by distributing work instructions online, so that the current attack behavior is responded to and an all-round network security effect is achieved.
In network security work, the response to a given attack mainly targets an IP, typically by blocking access from the IP associated with the attack; the response may also target a specific device, a specific user account or other objects related to the attack, and can be updated and adjusted according to actual needs.
For attack behaviors of different risk levels, response operations of different severity can also be configured, which involves identifying the risk level and configuring the adapted response operation. As an example:
a high-risk alarm is blocked permanently; a medium-risk alarm is blocked for three days (the block is released automatically after the three days end); a low-risk alarm is blocked for one day (the block is released automatically after one day) or no blocking operation is issued at all.
In the operating mechanism described above, centralizing the analysis and execution of attack behavior response operations on the processing device clearly facilitates online management work, and this is where the SOAR concept introduced in the present application comes in.
SOAR, Security Orchestration, Automation and Response, can be understood as the integration of security orchestration and automation, a security incident response platform and a threat intelligence platform. It embodies the capability to coordinate various devices and decide how threats are handled, so that, with the aim of responding automatically to network attacks on an online platform, the alarm information response strategy and the response execution operations can be flexibly orchestrated across a plurality of security devices.
Under the SOAR concept, the present application focuses on network attack response work for a large number of devices: while linking a plurality of security devices to achieve highly automated response, it specifically restricts the trigger of an attack response to attack behavior alarm information initiated by the security devices, whereas the prior art monitors the work logs of the security devices directly and, in a multi-device scenario, must monitor the work logs of every security device one by one.
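The following is an added example, not code from the patent or its assignee, that puts steps S102 to S104 together: warehousing with per-window de-duplication, the risk-level response policy stated above (permanent, three days, one day or no block, with automatic release), and distribution of device-specific operations in a configured flow order. The device names, action verbs and sample alerts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Risk level -> blocking duration exactly as listed in the description:
# high-risk = permanent, medium-risk = 3 days, low-risk = 1 day (or, by
# operator choice, no blocking at all).  None means permanent.
BLOCK_DURATION: Dict[str, Optional[timedelta]] = {
    "high": None,
    "medium": timedelta(days=3),
    "low": timedelta(days=1),
}

@dataclass(frozen=True)
class Alert:
    """A standardized attack-behaviour alarm record (what step S102 stores)."""
    source_device: str
    attack_type: str
    src_ip: str
    risk: str                       # "high" | "medium" | "low"
    ts: datetime

@dataclass(frozen=True)
class ResponseOp:
    """One work instruction distributed to one linked security device."""
    device: str
    action: str                     # device-specific verb, or "release"
    target_ip: str
    expires_at: Optional[datetime]  # None = permanent block

def make_alert(device: str, attack: str, ip: str, risk: str, iso_ts: str) -> Alert:
    """Build an Alert from an ISO-8601 timestamp string; unknown risk levels are rejected."""
    if risk not in BLOCK_DURATION:
        raise ValueError(f"unknown risk level: {risk!r}")
    return Alert(device, attack, ip, risk, datetime.fromisoformat(iso_ts))

class AlertStore:
    """Step S102: warehousing with per-window de-duplication.  The same attack
    (same type and source IP), whether reported by several devices or repeatedly
    by one device, is recorded once per unit of time."""

    def __init__(self, window_seconds: int):
        self.window = timedelta(seconds=window_seconds)
        self._last_seen: Dict[Tuple[str, str], datetime] = {}
        self.records: List[Alert] = []

    def ingest(self, alert: Alert) -> bool:
        """Return True if the alert was recorded, False if it is a duplicate."""
        key = (alert.attack_type, alert.src_ip)
        last = self._last_seen.get(key)
        if last is not None and alert.ts - last < self.window:
            return False
        self._last_seen[key] = alert.ts
        self.records.append(alert)
        return True

class ResponsePolicy:
    """Steps S103/S104: the alarm-information response strategy.  Every linked
    device gets an action adapted to its own function, issued in the flow order
    arranged on the second visual panel."""

    def __init__(self, device_actions: Dict[str, str], flow_order: List[str],
                 block_low_risk: bool = True):
        unknown = [d for d in flow_order if d not in device_actions]
        if unknown:
            raise ValueError(f"flow order names unknown devices: {unknown}")
        self.device_actions = device_actions
        self.flow_order = flow_order
        self.block_low_risk = block_low_risk

    def plan(self, alert: Alert) -> List[ResponseOp]:
        if alert.risk == "low" and not self.block_low_risk:
            return []               # "no blocking operation is issued"
        duration = BLOCK_DURATION[alert.risk]
        expires = None if duration is None else alert.ts + duration
        return [ResponseOp(dev, self.device_actions[dev], alert.src_ip, expires)
                for dev in self.flow_order]

def due_releases(ops: List[ResponseOp], now_iso: str) -> List[ResponseOp]:
    """Automatic release of timed blocks whose duration has ended."""
    now = datetime.fromisoformat(now_iso)
    return [ResponseOp(op.device, "release", op.target_ip, None)
            for op in ops if op.expires_at is not None and now >= op.expires_at]

# Constructed sample policy: device names and their action verbs are assumptions.
DEMO_POLICY = ResponsePolicy(
    device_actions={"fw-edge": "deny-ip", "lb-1": "drop-client", "waf-1": "add-blacklist"},
    flow_order=["fw-edge", "lb-1", "waf-1"],
)

if __name__ == "__main__":
    store = AlertStore(window_seconds=600)
    # Constructed alerts: the WAF and the firewall both report the same attack.
    for a in (make_alert("waf-1", "sql-injection", "203.0.113.7", "medium", "2024-03-01T10:00:00"),
              make_alert("fw-edge", "sql-injection", "203.0.113.7", "medium", "2024-03-01T10:02:00")):
        if store.ingest(a):
            for op in DEMO_POLICY.plan(a):
                print(op)
```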
Each step of the embodiment shown in FIG. 1, and its possible implementations in practical applications, will now be described in detail.
As a specific implementation, the attack behavior alarm information sent by a security device to the processing device may be in log form; in other words, the attack behavior alarm information is an attack behavior alarm log.
The work log is a data file that the security device updates as it performs its network security work; when monitored data is found to correspond to an attack, the situation is recorded in the work log as a specific attack behavior alarm log.
Therefore, the device directly reports the recorded attack behavior alarm log to the processing device as the alarm information, which is simpler and clearer, requires no new data to be generated, and further reduces processing cost.
Taking the target security device reporting the attack behavior alarm information as an example, step S101 of acquiring the attack behavior alarm information sent by the target security device may specifically include:
acquiring attack behavior alarm information in log form sent by the target security device.
In the process of acquiring the attack behavior alarm information, the processing device may actively pull the alarm information from the security device, or the security device may actively push it to the processing device; this can be adjusted flexibly according to the information transmission mode configured in the actual application.
Continuing with the configuration of a dedicated interface through which the security device reports attack behavior alarm information, as another specific implementation, acquiring the attack behavior alarm information in log form sent by the target security device may specifically further include:
acquiring the attack behavior alarm information in log form sent by the target security device through a preset interface, where the preset interface only passes those attack behavior alarm logs of the connected target security device whose preset field satisfies the configured restriction.
For the dedicated interface, the filtering strategy is configured directly at the interface: network attack alarm logs are admitted by restricting a particular field value of the attack alarm log, and other types of log are filtered out directly and not admitted. This effectively reduces the interference of a large number of ordinary logs on analysis, reduces computation, saves computing time, and helps improve the efficiency of subsequent data analysis and data processing.
Furthermore, besides the filtering policy at the interface, the security device may itself provide a log type screening function, so that the attack behavior alarm log can be screened directly at the source.
The dedicated interfaces referred to here may be different interfaces; different transmission protocols, such as api, syslog and webservice, are configured for the different interface types, and rapid access of multi-source alarm logs is completed over the specified data protocol.
As an example, the process of accessing the attack behavior alarm log on the security device side can be implemented as follows:
1. Confirm the attack behavior alarm log of the security device/system to be connected; the log must contain alarms of the network attack class.
First, the security devices/systems present in the network architecture are surveyed and those that can generate alarm log information related to network attacks are confirmed; once network reachability is ensured, access preparation begins.
2. Confirm the log transmission protocol of the security device/system to be connected.
The data interaction protocol used for the log, such as syslog, kafka, webservice or ftp, needs to be confirmed; this information can be extracted from the corresponding device/system online or obtained from the related specification documents.
3. Look up the corresponding log collection method in a preset scheme library according to the log transmission protocol.
In the scheme library built into the system, log collection methods corresponding to some common protocols can be preset, and a one-to-one lookup by the protocol type confirmed in the previous step then determines the adapted log collection method.
For the data storage stage of the attack behavior alarm information, when alarm information from security devices of different origins is stored, standardized processing of the data format may also be involved, so as to achieve centralized recording and centralized processing.
Correspondingly, as a further practical implementation, the data warehousing operation on the attack behavior alarm information in step S102 may specifically include:
parsing the data of the attack behavior alarm information and converting it into standard attack behavior alarm information in a standard form, according to preset standard table structure requirements and standard field value requirements;
and storing the marked attack behavior alarm information in a preset database to complete the data warehousing operation.
It can be understood that converting the data format requires parsing the attack behavior alarm information first, after which the format conversion is performed according to the standard table structure requirement (the standard table structure design) and the standard field value requirement (the standard field value design) of the standard form, yielding the standard attack behavior alarm information.
In practice, the field formats of different logs need to be parsed with different parsing strategies. Capabilities such as regular-expression based intelligent extraction and model mapping can be configured on the processing device to make the parsing easier, so that multi-source heterogeneous attack behavior alarm data can be standardized and automatic information extraction from the multi-source alarm logs is completed by specifying the parsing strategy.
Specifically, taking the attack behavior alarm information in log form (the attack behavior alarm log) as an example, the parsing process may include the following:
1. Confirm the log type of the accessed log and the brand and model of its manufacturer.
After the attack behavior alarm log of the security device side has been accessed through the special interface, the data need standardized processing. Because manufacturers (platforms) operate independently, each type of log has different field information and each field has different representations, so the type of the accessed log and information such as the manufacturer brand and model are confirmed first, to serve as the reference for choosing a parsing strategy.
2. Look up the corresponding log parsing strategy in a preset scheme library according to the log type.
The log parsing strategies of common security devices/systems can be built into the processing device; a one-to-one lookup by information such as log type and manufacturer device model then quickly yields the corresponding log parsing strategy.
3. If no existing log parsing strategy is found, continue to look for the corresponding log parsing strategy.
Looking up the built-in, ready-made parsing strategies yields one of two results: either the corresponding strategy is found, or it is not. When the log parsing strategy is not found, the method may also provide means such as prompting staff for manual configuration or searching online to supplement the log parsing strategy.
In the supplementing process, a parsing strategy is configured for the field format and data form of the log in hand, and operations such as translation, splitting, assembling, deletion and expansion are applied to the data to form a new parsing strategy as the supplementary content.
4. Parse according to the corresponding log parsing strategy.
Once the parsing strategy adapted to the attack behavior alarm log currently being processed has been found, parsing of the log can begin; unified alarm log information is output according to the standard unified table structure design and field value design and stored in the corresponding database, completing data storage.
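The access procedure (interface filtering by a field value, the protocol-to-acquisition-mode scheme library) and the parsing procedure (per-manufacturer parsing strategies, the fallback when none is found, conversion to a standard table and warehousing) can be shown end to end in one small program. The following Python is an added example written for this page, not code from the patent or its applicant. The source names `vendorA`/`vendorB`/`vendorC`, the three log formats, the `COLLECTION_MODES` and `INTERFACE_FILTERS` tables, the standard field list and the SQLite table are all assumptions constructed for illustration; the sample log lines are constructed, not real device output.

```python
"""Accessing and warehousing attack-alarm logs from several (constructed) sources:
interface-level field filtering, protocol -> acquisition-mode lookup, per-source
parsing strategies with a fallback when none exists, and storage in a standard table."""
import re
import sqlite3
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

# Scheme library: log transmission protocol -> log acquisition mode (names assumed).
COLLECTION_MODES = {"syslog": "udp_514_listener", "kafka": "topic_consumer",
                    "webservice": "http_pull", "ftp": "scheduled_file_fetch"}


def lookup_collection_mode(protocol: str) -> Optional[str]:
    """One-to-one lookup by protocol type; None means the library has no entry."""
    return COLLECTION_MODES.get(protocol.lower())


# Interface filtering policy: per source, the field-value restriction a line must
# satisfy to be accessed at all.  Lines that fail it are dropped before any parsing.
INTERFACE_FILTERS: Dict[str, re.Pattern] = {
    "vendorA": re.compile(r"^type=attack\b"),   # key=value log, first field
    "vendorB": re.compile(r"^[^,]*,ATTACK,"),   # CSV log, second column
    "vendorC": re.compile(r"\bALERT\b"),        # free-text syslog message
}


def interface_filter(source: str, lines: List[str]) -> List[str]:
    pattern = INTERFACE_FILTERS.get(source)
    if pattern is None:          # no filter configured for this interface: admit nothing
        return []
    return [ln for ln in lines if pattern.search(ln)]


# Standard table structure and field value requirements assumed for this example.
STANDARD_FIELDS = ("vendor", "event_time", "src_ip", "dst_ip", "attack_type", "severity")
SEVERITY_WORDS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _parse_vendor_a(line: str) -> dict:
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"vendor": "vendorA", "event_time": kv["ts"], "src_ip": kv["src"],
            "dst_ip": kv["dst"], "attack_type": kv["sig"],
            "severity": SEVERITY_WORDS[kv["sev"].lower()]}


def _parse_vendor_b(line: str) -> dict:
    ts, _, src, dst, sig, sev = line.split(",")
    return {"vendor": "vendorB",
            "event_time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").isoformat(),
            "src_ip": src, "dst_ip": dst, "attack_type": sig.lower(), "severity": int(sev)}


# Parsing strategy library keyed by (source/manufacturer, log type).  vendorC has no entry.
PARSE_STRATEGIES: Dict[Tuple[str, str], Callable[[str], dict]] = {
    ("vendorA", "attack"): _parse_vendor_a,
    ("vendorB", "attack"): _parse_vendor_b,
}


def normalize(source: str, line: str, pending: List[Tuple[str, str]]) -> Optional[dict]:
    """Convert one admitted line to the standard form, or queue it for manual configuration."""
    strategy = PARSE_STRATEGIES.get((source, "attack"))
    if strategy is None:
        pending.append((source, line))   # step 3 of parsing: no ready-made strategy
        return None
    record = strategy(line)
    if set(record) != set(STANDARD_FIELDS) or not 1 <= record["severity"] <= 4:
        raise ValueError(f"strategy for {source} violated the standard field requirements")
    return record


def warehouse(conn: sqlite3.Connection, records: List[dict]) -> int:
    """Insert standard records into the unified alerts table; returns the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS alerts (vendor TEXT, event_time TEXT, src_ip TEXT, "
                 "dst_ip TEXT, attack_type TEXT, severity INTEGER)")
    conn.executemany("INSERT INTO alerts VALUES (:vendor, :event_time, :src_ip, :dst_ip, "
                     ":attack_type, :severity)", records)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]


# Constructed sample logs from three sources (not real device output).
RAW_LOGS = {
    "vendorA": [
        "type=attack ts=2024-01-01T10:00:00 src=10.0.0.5 dst=192.0.2.10 sig=sql_injection sev=high",
        "type=audit ts=2024-01-01T10:00:01 user=admin action=login",
    ],
    "vendorB": [
        "2024-01-01 10:00:05,ATTACK,10.0.0.5,192.0.2.11,BRUTE_FORCE,3",
        "2024-01-01 10:00:06,TRAFFIC,10.0.0.7,192.0.2.11,ALLOWED,0",
    ],
    "vendorC": ["<134>Jan  1 10:00:09 ids ALERT port scan from 10.0.0.9"],
}


def ingest(raw: Dict[str, List[str]]) -> Tuple[int, List[Tuple[str, str]]]:
    """Filter -> normalize -> warehouse; returns (rows stored, lines awaiting a strategy)."""
    pending: List[Tuple[str, str]] = []
    records: List[dict] = []
    for source, lines in raw.items():
        for line in interface_filter(source, lines):
            record = normalize(source, line, pending)
            if record is not None:
                records.append(record)
    conn = sqlite3.connect(":memory:")
    try:
        return warehouse(conn, records), pending
    finally:
        conn.close()


if __name__ == "__main__":
    print(lookup_collection_mode("syslog"), ingest(RAW_LOGS))
```

Two design points are worth noting. An interface with no configured filter admits nothing, which is the safe default when the point of the interface is to keep ordinary logs out of the analysis path. The `pending` list is the hand-off to the "manual configuration" branch of step 3: the vendorC line passes its interface filter but has no parsing strategy, so it is neither silently dropped nor written to the standard table with guessed fields.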
For the preset alarm response policy referred to in step S103, the present application may also involve its preset configuration process. As a further specific implementation, the configuration process may include:
logically combining, according to a user drag-and-drop operation input through a first visual panel, a data extraction operator, a log filtering operator, a log correlation operator, a sequence analysis operator, a log statistics operator, a threshold comparison operator and an AI intelligent analysis operator to obtain a plurality of data processing scripts;
and configuring the enabled state of each data processing script to obtain the alarm information response policy, where the enabled state is either off or on, and the enabled data processing scripts are processed in parallel.
It can be seen that in this embodiment the present application introduces visual configuration, providing staff with a highly flexible way of configuring the alarm information response policy and ensuring, at the level of detail, that updating and maintaining the policy is more convenient and effective.
Network attack behaviors come in many types. Common ones such as DDoS events, system-level vulnerability exploitation, web vulnerability exploitation, external scanning events, brute-force cracking events, trojans and viruses, cryptocurrency mining, abnormal communication traffic and phishing mails all differ, so the corresponding data processing scripts (the alarm information response policy) are arranged on the processing device according to the different attack patterns and technical characteristics. The application allows the various data operators, such as data extraction, log filtering, log correlation, sequence analysis, log statistics, threshold comparison and AI intelligent analysis, to be dragged on the visual panel and combined by logical relation, together with the corresponding parameter information, to assemble an executable automated task that performs correlation analysis on the warehoused logs.
In addition, once data processing scripts of different logical combinations have been generated through visual configuration, each script can be enabled or disabled as required.
The application takes into account that there are many built-in network attack data scripts, and running all of them in parallel would significantly affect data processing performance; moreover, some scripts may be in an editing or to-be-optimized state. The state of each data processing script is therefore allowed to be defined, and scripts can be enabled or disabled in batches according to the actual situation, which facilitates later parallel processing and flexible adjustment.
In operation, the enabled data processing scripts are allowed to run simultaneously and in parallel. Each performs condition verification on the attack behavior alarm logs according to its established rules and order: logs that satisfy a condition proceed, one by one, to the next condition check, while logs that do not satisfy it are dropped from analysis immediately. In this way the whole body of attack behavior alarm logs is processed to complete secondary research, judgement and confirmation, and after the scripts have run, the adapted response operation, such as IP blocking, is finally generated.
It should be noted that the response operation generated in the present application may specifically take the form of a flag: for example, the risk degree/risk level corresponding to the response operation may be output directly after the risk degree has been determined from the relevant content of the alarm log, including the source IP, destination IP, access time, attack frequency and attack level, and the corresponding attack behavior is then responded to directly, with the specific response content guided by the risk degree, when the response operation is executed.
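The policy mechanics described above (operators chained into scripts, an on/off state per script, enabled scripts run in parallel, conditions checked in order with non-conforming logs dropped, and a risk-level flag as the output) are shown below in an added Python example written for this page; it is not the patent's or the applicant's code. The operator bodies, the three script definitions, the mapping from risk level to a suggested action and the alert records are all assumptions constructed for illustration; the sequence analysis and AI analysis operators named in the text are not implemented here.

```python
"""Alarm information response policy as a set of data processing scripts: each script is a
logical chain of operators, scripts carry an on/off state, enabled scripts run in parallel,
and a script that completes its chain emits a response flag carrying a risk level."""
from collections import Counter, defaultdict
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Alert = Dict[str, object]
# An operator checks one condition over the current alert set and returns the alerts
# that conform; alerts that do not conform take no further part in the analysis.
Operator = Callable[[List[Alert]], List[Alert]]


# ---- operator library: operator types from the text, bodies assumed for the example ----
def log_filter(**wanted) -> Operator:
    """Keep alerts whose fields equal the wanted values."""
    return lambda alerts: [a for a in alerts if all(a.get(k) == v for k, v in wanted.items())]


def log_statistics(key: str) -> Operator:
    """Annotate each alert with how many alerts in the set share its value of `key`."""
    def op(alerts: List[Alert]) -> List[Alert]:
        counts = Counter(a[key] for a in alerts)
        return [{**a, f"count_by_{key}": counts[a[key]]} for a in alerts]
    return op


def threshold_compare(field: str, minimum: int) -> Operator:
    return lambda alerts: [a for a in alerts if a.get(field, 0) >= minimum]


def log_correlation(group_key: str, distinct_field: str, min_distinct: int) -> Operator:
    """Keep alerts whose `group_key` value is seen with at least `min_distinct` different
    values of `distinct_field` (e.g. one source IP touching several destinations)."""
    def op(alerts: List[Alert]) -> List[Alert]:
        seen: Dict[object, Set[object]] = defaultdict(set)
        for a in alerts:
            seen[a[group_key]].add(a[distinct_field])
        return [a for a in alerts if len(seen[a[group_key]]) >= min_distinct]
    return op


@dataclass
class ProcessingScript:
    name: str
    operators: List[Operator]   # the logical combination assembled on the visual panel
    risk_level: int             # flag value emitted when every condition is satisfied
    enabled: bool = True        # "off" scripts are skipped entirely

    def run(self, alerts: List[Alert]) -> List[dict]:
        current = alerts
        for op in self.operators:          # conditions are verified in the configured order
            current = op(current)
            if not current:                # nothing conforms: stop analysing this script
                return []
        # Risk-to-action mapping is an assumption of this example, not from the text.
        action = "block_ip" if self.risk_level >= 3 else "work_order"
        return [{"script": self.name, "src_ip": a["src_ip"], "risk_level": self.risk_level,
                 "action": action} for a in current]


def set_enabled(scripts: List[ProcessingScript], names: Set[str], enabled: bool) -> List[str]:
    """Batch start/stop; returns the names of the scripts now enabled."""
    for s in scripts:
        if s.name in names:
            s.enabled = enabled
    return [s.name for s in scripts if s.enabled]


def run_policy(scripts: List[ProcessingScript], alerts: List[Alert], workers: int = 4) -> List[dict]:
    """Run every enabled script in parallel and return de-duplicated response flags."""
    enabled = [s for s in scripts if s.enabled]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda s: s.run(alerts), enabled))
    flags = {(f["script"], f["src_ip"]): f for res in results for f in res}
    return sorted(flags.values(), key=lambda f: (f["script"], f["src_ip"]))


# Constructed alerts in the warehoused (standard) form, not real device output.
ALERTS: List[Alert] = (
    [{"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "attack_type": "brute_force", "severity": 3}
     for _ in range(3)]
    + [{"src_ip": "10.0.0.9", "dst_ip": d, "attack_type": "port_scan", "severity": 1}
       for d in ("192.0.2.10", "192.0.2.11", "192.0.2.12")]
    + [{"src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "attack_type": "brute_force", "severity": 3}]
)

SCRIPTS = [
    ProcessingScript("brute_force_burst", [log_filter(attack_type="brute_force"),
                                           log_statistics("src_ip"),
                                           threshold_compare("count_by_src_ip", 3)], risk_level=3),
    ProcessingScript("external_scan", [log_filter(attack_type="port_scan"),
                                       log_correlation("src_ip", "dst_ip", 3)], risk_level=2),
    ProcessingScript("high_severity_draft", [threshold_compare("severity", 3)],
                     risk_level=4, enabled=False),   # still being edited: kept off
]

if __name__ == "__main__":
    for flag in run_policy(SCRIPTS, ALERTS):
        print(flag)
```

With the constructed data, `brute_force_burst` flags 10.0.0.5 (three brute-force alerts, one flag after de-duplication) and `external_scan` flags 10.0.0.9 (one source against three destinations); 10.0.0.7 fails the count threshold and produces nothing. The disabled draft script would flag every severity-3 alert, which is exactly the kind of over-broad, still-being-tuned script the text wants to keep off until it is ready; `set_enabled` turns it on in a batch when it is.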
As another specific implementation, when the plurality of security devices are linked to perform the response operation for the attack behavior in step S104, the response operation may, in a flexible response process, also be performed on only some of the security devices. That is, the process of linking the plurality of security devices to perform the response operation in step S104 may specifically further include:
determining at least one security device that performs the response operation;
and, within the plurality of security devices, linking the determined at least one security device to perform the response operation.
As noted above, different response contents can be configured for security devices with different application functions, so that finer-grained adapted response operations can be carried out between the security devices; in this embodiment some security devices may not participate in the response to the attack behavior at all. Because the application deploys the response operations across the whole layer of security devices, the characteristics of each device and its position in the network architecture can be combined during deployment to configure the adapted security devices and their response contents. The method is thereby simplified, the working instructions related to the response operation are issued precisely, other security devices are spared invalid instructions, rigid global linkage is avoided, and a more targeted and accurate response is achieved.
In addition, for the security device that specifically executes the response operation for the attack behavior, after the execution range has been determined, the application may also involve specific configuration of the execution flow.
As yet another specific implementation, similar to the configuration of the alarm information response policy above, visual configuration by staff may also be used here.
Specifically, the method of the present application may further include:
arranging, according to a user drag-and-drop operation input through a second visual panel, the flow sequence of the determined plurality of security devices;
in which case step S104, linking the plurality of security devices to perform the response operation, may include:
linking the plurality of security devices to perform the response operation according to the flow sequence.
It can be seen that in this embodiment the application also introduces visual configuration, providing staff with a highly flexible way of configuring the flow sequence in which response work is executed, and ensuring, at the level of detail, that the specific execution of the alarm information response policy achieves a more convenient and effective scheduling effect.
For the security devices that perform the response operation, the security processing capabilities on the security device side can be integrated in advance through pre-docking in several forms, such as an API interface, a CLI command line or crawler-style simulated access, to form security applications and specific operational capabilities.
Unlike the data operators involved in the alarm information response policy, the configuration of the flow sequence in this embodiment may also involve calling different security applications and specific operational capabilities on the security device side, such as IP blocking, security analysis (IP tracing, threat intelligence correlation) and work order flows (manual approval, OA flow, etc.). Combined with moving network security response work from offline to online, the work flow is arranged more efficiently into a complete flow script, which can then execute the response operation automatically across the security devices.
In operation, the flow script can automatically issue the relevant handling command lines to the corresponding security device side, causing the security devices that receive the commands to execute the specific response operations automatically.
After the response operation has been executed on the security device side, the response result can be collected; correspondingly, the application may also involve reporting and displaying the result from the security device side, for example by clearly showing the execution status of each security device in the execution record of the flow script, thus closing the loop of response work for the whole multi-source alarm log.
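The flow sequence described above (an ordered set of steps, each calling a pre-docked capability of one security device, commands issued only to the determined devices, results collected into an execution record) is shown below as an added Python example written for this page; it is not the patent's or the applicant's code. The device names `edge-firewall`, `threat-intel` and `oa-workflow`, their capability names, the in-memory handlers standing in for real API/CLI integrations, the gating condition on the blocking step and the intelligence entry are all assumptions constructed for illustration.

```python
"""Flow sequence for the response operation: an ordered list of steps, each naming a
security device and one of its pre-docked capabilities; steps are executed in linkage,
gated on earlier results, and every step is written to an execution record."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Device:
    name: str
    # capability name -> handler(params) -> result.  In practice these wrap the device's
    # API, CLI or simulated access; here they are constructed in-memory stand-ins.
    capabilities: Dict[str, Callable[[dict], dict]]


def make_firewall(state: dict) -> Device:
    def block_ip(p: dict) -> dict:
        state.setdefault("blocked", set()).add(p["ip"])
        return {"ok": True, "blocked": p["ip"], "minutes": p.get("duration_min")}
    return Device("edge-firewall", {"block_ip": block_ip})


def make_threat_intel(intel: Dict[str, str]) -> Device:
    def ip_trace(p: dict) -> dict:
        tag = intel.get(p["ip"])
        return {"ok": True, "malicious": tag is not None, "tag": tag}
    return Device("threat-intel", {"ip_trace": ip_trace})


def make_work_order(tickets: list) -> Device:
    def open_ticket(p: dict) -> dict:
        tickets.append(p)
        return {"ok": True, "ticket_id": f"T-{len(tickets)}"}
    return Device("oa-workflow", {"work_order": open_ticket})


@dataclass
class FlowStep:
    device: str
    capability: str
    params: dict = field(default_factory=dict)
    # Gate evaluated against the flow context (the response flag plus earlier step results).
    condition: Callable[[dict], bool] = lambda ctx: True


@dataclass
class FlowScript:
    steps: List[FlowStep]

    def run(self, devices: Dict[str, Device], flag: dict) -> List[dict]:
        """Execute the steps in order for one response flag; returns the execution record."""
        ctx: dict = {"flag": flag}
        record: List[dict] = []
        for i, step in enumerate(self.steps, 1):
            entry = {"step": i, "device": step.device, "capability": step.capability}
            if not step.condition(ctx):
                record.append({**entry, "status": "skipped"})
                continue
            device = devices.get(step.device)
            handler = device.capabilities.get(step.capability) if device else None
            if handler is None:   # device not docked or capability missing: issue no command
                record.append({**entry, "status": "no_capability"})
                continue
            result = handler({"ip": flag["src_ip"], **step.params})
            ctx[step.capability] = result          # later steps may gate on this result
            record.append({**entry, "status": "done", "result": result})
        return record


def build_environment():
    """Constructed device set with shared state so the side effects can be observed."""
    fw_state: dict = {}
    tickets: list = []
    intel = {"10.0.0.9": "known-scanner"}          # constructed intelligence entry
    devices = {d.name: d for d in (make_firewall(fw_state), make_threat_intel(intel),
                                   make_work_order(tickets))}
    return devices, fw_state, tickets


def standard_flow() -> FlowScript:
    """Trace the IP, block it only when the flag or intelligence justifies it, then open a ticket."""
    return FlowScript([
        FlowStep("threat-intel", "ip_trace"),
        FlowStep("edge-firewall", "block_ip", {"duration_min": 60},
                 condition=lambda ctx: ctx["flag"]["risk_level"] >= 3
                 or ctx.get("ip_trace", {}).get("malicious", False)),
        FlowStep("oa-workflow", "work_order", {"reason": "automated response review"}),
    ])


def respond(flag: dict, devices: Dict[str, Device]) -> List[dict]:
    return standard_flow().run(devices, flag)


if __name__ == "__main__":
    devs, fw, tix = build_environment()
    for entry in respond({"src_ip": "10.0.0.5", "risk_level": 3}, devs):
        print(entry)
    print("blocked:", fw.get("blocked"), "tickets:", len(tix))
```

The execution record is the closed loop the text describes: each step records whether it ran, was skipped by its gate, or could not be issued because the named device or capability is not docked. That last case matters operationally; a flow that names a device outside the determined execution range records `no_capability` rather than sending an instruction to a device that should not receive one.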
As can be seen from the above embodiments, for the alarm logs of different security devices/systems, the present application starts from two aspects, convergence of duplicate data and research and judgement of alarm accuracy: it arranges alarm information response policies in the form of correlation analysis to complete the confirmation of alarm data, and further arranges flow sequences for the response operation in the form of flow combination to complete rapid handling of the alarms.
The above introduces the SOAR-based attack behavior response method provided by the present application. To facilitate its implementation, the present application also provides a SOAR-based attack behavior response apparatus, described from the perspective of functional modules.
Referring to fig. 2, which is a schematic structural diagram of the SOAR-based attack behavior response apparatus of the present application, the SOAR-based attack behavior response apparatus 200 may specifically include the following structure:
an obtaining unit 201, configured to obtain attack behavior alarm information sent by a target security device, where a plurality of security devices including the target security device have been accessed into the system in advance;
a warehousing unit 202, configured to perform the data warehousing operation on the attack behavior alarm information;
a determining unit 203, configured to determine the response operation adapted to the attack behavior alarm information according to a preset alarm information response policy, where the alarm information response policy is used to generate different response operations for different attack behavior alarm information;
and an execution unit 204, configured to link the plurality of security devices to perform the response operation.
In an exemplary implementation, the obtaining unit 201 is specifically configured to:
obtain the attack behavior alarm information in log form sent by the target security device.
In yet another exemplary implementation, the obtaining unit 201 is specifically configured to:
obtain, through a preset interface, the attack behavior alarm information in log form sent by the target security device, where the preset interface only passes attack behavior alarm logs of the accessed target security device that satisfy a restriction on a preset field.
In yet another exemplary implementation, the warehousing unit 202 is specifically configured to:
parse the data of the attack behavior alarm information and convert it into standard attack behavior alarm information in a standard form according to preset standard table structure requirements and standard field value requirements;
and store the marked attack behavior alarm information in a preset database to complete the data warehousing operation.
In yet another exemplary implementation, the apparatus further comprises a visualization unit 205 configured to:
logically combine, according to a user drag-and-drop operation input through a first visual panel, a data extraction operator, a log filtering operator, a log correlation operator, a sequence analysis operator, a log statistics operator, a threshold comparison operator and an AI intelligent analysis operator to obtain a plurality of data processing scripts;
and configure the enabled state of each data processing script to obtain the alarm information response policy, where the enabled state is either off or on, and the enabled data processing scripts are processed in parallel.
In yet another exemplary implementation, the execution unit 204 is specifically configured to:
determine at least one security device that performs the response operation;
and, within the plurality of security devices, link the determined at least one security device to perform the response operation.
In yet another exemplary implementation, the apparatus further comprises a visualization unit 205 configured to:
arrange, according to a user drag-and-drop operation input through a second visual panel, the flow sequence of the determined plurality of security devices;
and the execution unit 204 is specifically configured to:
link the plurality of security devices to perform the response operation according to the flow sequence.
From the perspective of hardware structure, the present application further provides a processing device. Referring to fig. 3, which is a schematic structural diagram of the processing device of the present application, the processing device may include a processor 301, a memory 302 and an input/output device 303. The processor 301 is configured to implement the steps of the SOAR-based attack behavior response method in the embodiment corresponding to fig. 1 when executing a computer program stored in the memory 302; alternatively, the processor 301 is configured to implement the functions of each unit in the embodiment corresponding to fig. 2 when executing the computer program stored in the memory 302. The memory 302 is configured to store the computer program that the processor 301 needs in order to execute the SOAR-based attack behavior response method in the embodiment corresponding to fig. 1.
By way of example, the computer program may be divided into one or more modules/units, which are stored in the memory 302 and executed by the processor 301 to carry out the present application. The one or more modules/units may be a series of computer program instruction segments capable of performing particular functions, the segments describing the execution of the computer program in the computer device.
The processing device may include, but is not limited to, the processor 301, the memory 302 and the input/output device 303. Those skilled in the art will appreciate that the illustration is merely an example of a processing device and does not limit it; the device may include more or fewer components than shown, combine some components, or use different components. For example, the processing device may also include a network access device and a bus, through which the processor 301, the memory 302, the input/output device 303 and so on are connected.
The processor 301 may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor. The processor is the control center of the processing device, connecting the various parts of the overall device through various interfaces and lines.
The memory 302 may be used to store computer programs and/or modules; the processor 301 implements the various functions of the computer device by running or executing the computer programs and/or modules stored in the memory 302 and invoking the data stored in the memory 302. The memory 302 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required for at least one function, and the data storage area may store data created through use of the processing device. In addition, the memory may include high-speed random access memory and may also include non-volatile memory, such as a hard disk, internal memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, flash card, at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The processor 301 is configured to execute the computer program stored in the memory 302 and may specifically implement the following functions:
acquiring attack behavior alarm information sent by a target security device, where a plurality of security devices including the target security device have been accessed into the system in advance;
executing the data warehousing operation on the attack behavior alarm information;
determining, according to a preset alarm information response policy, the response operation adapted to the attack behavior alarm information, where the alarm information response policy is used to generate different response operations for different attack behavior alarm information;
and linking the plurality of security devices to execute the response operation.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the SOAR-based attack behavior response apparatus, the processing device and their respective units described above may refer to the description of the SOAR-based attack behavior response method in the embodiment corresponding to fig. 1, and are not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be performed by instructions, or by instructions controlling associated hardware; the instructions may be stored in a computer-readable storage medium and loaded and executed by a processor.
For this reason, the present application provides a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to execute the steps of the SOAR-based attack behavior response method in the embodiment corresponding to fig. 1; for the specific operations, refer to the description of that method, which is not repeated here.
The computer-readable storage medium may include: read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, and the like.
Because the instructions stored in the computer-readable storage medium can execute the steps of the SOAR-based attack behavior response method in the embodiment corresponding to fig. 1, they can achieve the beneficial effects that that method achieves, as described in detail above and not repeated here.
The SOAR-based attack behavior response method, apparatus, processing device and computer-readable storage medium provided in the present application have been described in detail above. Specific examples have been used to illustrate the principles and embodiments of the present application, and the description of these examples serves only to help understand the method and core idea of the application. At the same time, those skilled in the art will, in light of the ideas of the present application, vary the specific embodiments and scope of application, and this description should therefore not be construed as limiting the present application.

Claims (10)

1. A SOAR-based attack behavior response method, the method comprising:
acquiring attack behavior alarm information sent by a target security device, wherein a plurality of security devices including the target security device have been accessed into a system in advance;
executing a data warehousing operation on the attack behavior alarm information;
determining, according to a preset alarm information response policy, a response operation adapted to the attack behavior alarm information, wherein the alarm information response policy is used to generate different response operations for different attack behavior alarm information;
and linking the plurality of security devices to execute the response operation.
2. The method of claim 1, wherein acquiring the attack behavior alarm information sent by the target security device comprises:
acquiring the attack behavior alarm information in log form sent by the target security device.
3. The method of claim 2, wherein acquiring the attack behavior alarm information in log form sent by the target security device comprises:
acquiring, through a preset interface, the attack behavior alarm information in log form sent by the target security device, wherein the preset interface only passes attack behavior alarm logs of the accessed target security device that satisfy a restriction on a preset field.
4. The method of claim 1, wherein executing the data warehousing operation on the attack behavior alarm information comprises:
parsing the data of the attack behavior alarm information and converting it into standard attack behavior alarm information in a standard form according to a preset standard table structure requirement and standard field value requirement;
and storing the marked attack behavior alarm information in a preset database to complete the data warehousing operation.
5. The method of claim 1, further comprising:
logically combining, according to a user drag-and-drop operation input through a first visual panel, a data extraction operator, a log filtering operator, a log correlation operator, a sequence analysis operator, a log statistics operator, a threshold comparison operator and an AI intelligent analysis operator to obtain a plurality of data processing scripts;
and configuring an enabled state of each data processing script to obtain the alarm information response policy, wherein the enabled state is either off or on, and the enabled data processing scripts are processed in parallel.
6. The method of claim 1, wherein linking the plurality of security devices to execute the response operation comprises:
determining at least one security device that executes the response operation;
and, within the plurality of security devices, linking the determined at least one security device to execute the response operation.
7. The method of claim 1, further comprising:
arranging, according to a user drag-and-drop operation input through a second visual panel, a flow sequence of the determined plurality of security devices;
wherein linking the plurality of security devices to execute the response operation comprises:
linking the plurality of security devices to execute the response operation according to the flow sequence.
8. A SOAR-based attack behavior response apparatus, the apparatus comprising:
an acquisition unit, configured to acquire attack behavior alarm information sent by a target security device, wherein a plurality of security devices including the target security device have been accessed into a system in advance;
a warehousing unit, configured to execute a data warehousing operation on the attack behavior alarm information;
a determining unit, configured to determine, according to a preset alarm information response policy, a response operation adapted to the attack behavior alarm information, wherein the alarm information response policy is used to generate different response operations for different attack behavior alarm information;
and an execution unit, configured to link the plurality of security devices to execute the response operation.
9. A processing device comprising a processor and a memory, the memory storing a computer program, wherein the processor executes the method of any one of claims 1 to 7 when invoking the computer program in the memory.
10. A computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method of any one of claims 1 to 7.
CN202211632093.0A 2022-12-19 2022-12-19 SOAR-based attack behavior response method, device and processing equipment Pending CN116015819A (en)


Publications (1)

Publication Number Publication Date
CN116015819A true CN116015819A (en) 2023-04-25


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116611046A (en) * 2023-06-05 2023-08-18 武汉思普崚技术有限公司 Method, device and system for processing weak password based on SOAR
CN116611046B (en) * 2023-06-05 2024-04-09 武汉思普崚技术有限公司 Method, device and system for processing weak password based on SOAR
CN116436706A (en) * 2023-06-14 2023-07-14 天津市天河计算机技术有限公司 Network attack blocking method, system, equipment and medium in data center environment
CN116436706B (en) * 2023-06-14 2023-08-22 天津市天河计算机技术有限公司 Network attack blocking method, system, equipment and medium in data center environment
CN117082524A (en) * 2023-07-05 2023-11-17 天津市邮电设计院有限责任公司 Wireless communication safety protection method, device and system
CN117082524B (en) * 2023-07-05 2024-06-07 天津市邮电设计院有限责任公司 Wireless communication safety protection method, device and system

Similar Documents

Publication Publication Date Title
CN116015819A (en) SOAR-based attack behavior response method, device and processing equipment
CN112468472B (en) Security policy self-feedback method based on security log association analysis
US10469320B2 (en) Versioning system for network states in a software-defined network
US11022949B2 (en) PLC virtual patching and automated distribution of security context
CN112671807B (en) Threat processing method, threat processing device, electronic equipment and computer readable storage medium
US9961047B2 (en) Network security management
CN111224991B (en) Network security emergency response method and response system
CN110661811A (en) Firewall policy management method and device
CN109144023A (en) A kind of safety detection method and equipment of industrial control system
CN112799358A (en) Industrial control safety defense system
CN112615811A (en) Method for automatically analyzing robustness of network boundary strategy in power information
CN115941317A (en) Network security comprehensive analysis and situation awareness platform
CN108418697B (en) Implementation architecture of intelligent safe operation and maintenance service cloud platform
Sridharan et al. SIEM integration with SOAR
Nintsiou et al. Threat intelligence using Digital Twin honeypots in Cybersecurity
CN113591096A (en) Vulnerability scanning system for comprehensively detecting big data bugs and unsafe configurations
CN113676354A (en) Hybrid cloud operation and maintenance management method and system
US10298445B2 (en) Method for dynamic adjustment of a level of verbosity of a component of a communications network
CN110460558B (en) Method and system for discovering attack model based on visualization
Bakirtzis et al. MISSION AWARE: Evidence-based, mission-centric cybersecurity analysis
EP2911362B1 (en) Method and system for detecting intrusion in networks and systems based on business-process specification
CN112769814B (en) Method and system for comprehensively coordinating network security equipment in linkage manner
CN114221805A (en) Method, device, equipment and medium for monitoring industrial internet data
CN110488772B (en) DCS centralized monitoring method and device and centralized monitoring terminal
CN113608821A (en) Data processing method and device of boundary safety equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination