CN116896468A - Protection strategy determining method for network attack event and related equipment - Google Patents


Info

Publication number
CN116896468A
Authority
CN
China
Prior art keywords
attack
protection
strategy
policy
original data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310871558.6A
Other languages
Chinese (zh)
Inventor
尹琴
郭晨萌
李宁
宋洁
李芳�
李�杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Siji Network Security Beijing Co ltd
State Grid Information and Telecommunication Co Ltd
Original Assignee
State Grid Siji Network Security Beijing Co ltd
State Grid Information and Telecommunication Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Siji Network Security Beijing Co ltd and State Grid Information and Telecommunication Co Ltd
Priority to CN202310871558.6A
Publication of CN116896468A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Abstract

The application provides a method for determining a protection policy for a network attack event, and related equipment. The method comprises: obtaining original data corresponding to the network attack event; extracting features from the original data to obtain the attack feature corresponding to the original data; in response to determining that the attack feature does not exist in a pre-constructed policy library set, generating a protection policy corresponding to the attack feature based on the attack feature; and detecting the protection policy, correcting it in response to detecting a policy conflict effect between the protection policy and the protection policies stored in the policy library set, and storing the corrected protection policy. This solves the technical problem of the prior art that a network attack cannot be resisted because policies stored in the same policy library conflict, and achieves the aim of maintaining network security.

Description

Protection strategy determining method for network attack event and related equipment
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method and related device for determining a protection policy of a network attack event.
Background
With the development of internet information technology, network applications have penetrated ever deeper into people's life and work, network attacks of every kind keep emerging, and a new network attack may be faced at any time. The power system is a complex network system; its safe and reliable operation ensures normal operation and power supply, avoids the serious losses that potential safety hazards would cause, and is the basis for the stable development of society as a whole. For the same reason, the power information network is an easy target for network attacks, and defending against network attacks is therefore particularly important.
In the prior art, when an attack feature is detected in network data, the attack is usually resisted by applying a stored protection policy associated with that attack feature, but the protection policy may fail to resist the network attack in time. As the protection granularity of protection policies is gradually refined, the stored protection policies may conflict with one another, so that a protection policy cannot take effect and cannot resist the network attack, causing losses.
Disclosure of Invention
Therefore, the present application is directed to a method and related device for determining a protection policy for a network attack event, so as to overcome all or part of the defects in the prior art.
Based on the above object, the present application provides a method for determining a protection policy for a network attack event, comprising: acquiring original data corresponding to a network attack event; extracting features from the original data to obtain the attack feature corresponding to the original data; in response to determining that the attack feature does not exist in a pre-constructed policy library set, generating a protection policy corresponding to the attack feature based on the attack feature; and detecting the protection policy, correcting it in response to detecting that it has a policy conflict effect with the protection policies stored in the policy library set, and storing the corrected protection policy.
Optionally, before feature extraction is performed on the original data, the method includes performing an analysis operation, a redundancy elimination operation, a reduction operation and a merging operation on the original data.
Optionally, determining that the attack feature is not present in the pre-constructed policy library set includes: determining a category corresponding to the original data based on the attack feature; determining, based on the category, a target policy library corresponding to the category within the policy library set; and, in response to determining that the attack feature is not found in the target policy library, determining that the attack feature is not present in the policy library set.
Optionally, the protection policy comprises at least one group consisting of a trigger condition and an execution action corresponding to that trigger condition, and the protection policy has a policy conflict effect with the protection policies stored in the policy library set when at least one trigger condition of the protection policy is the same as a trigger condition of a stored protection policy and the execution actions corresponding to that same trigger condition differ.
Optionally, before the protection policy is detected, the method includes: parsing the original data to obtain a plurality of fields corresponding to the original data, the fields comprising at least a generation time field, an event identification number field, an event type field, a source IP address field and a destination IP address field of the original data; searching and computing over the original data with a particle swarm algorithm, based on the fields and the attack feature, to obtain a plurality of sets, each of which contains at least one of the fields and/or the attack feature; and, for each of the fields, calculating the support corresponding to the field based on the plurality of sets, calculating the confidence corresponding to the field based on the plurality of sets in response to determining that the support is greater than a preset support, and determining the field to be associated data associated with the attack feature in response to determining that the confidence is greater than a preset confidence.
Optionally, calculating the support corresponding to the field based on the plurality of sets includes computing $\mathrm{Support}(A \to B) = N(A \cup B) / N(I)$, where $\mathrm{Support}(A \to B)$ is the support, $N(A \cup B)$ is the number of sets that contain both the field and the attack feature, $N(I)$ is the total number of sets, $A$ denotes the field and $B$ denotes the attack feature; and calculating the confidence corresponding to the field based on the plurality of sets includes computing $\mathrm{Confidence}(A \to B) = P(A \cup B) / P(A)$, where $\mathrm{Confidence}(A \to B)$ is the confidence, $P(A \cup B) / P(A)$ represents the probability that the attack feature occurs given that the field occurs, $A$ denotes the field and $B$ denotes the attack feature.
Optionally, storing the corrected protection policy includes storing the attack feature, the associated data and the corrected protection policy in association with one another in the policy library set.
Based on the same inventive concept, the application also provides a device for determining a protection policy for a network attack event, comprising: an acquisition module configured to acquire the original data corresponding to the network attack event; an extraction module configured to perform feature extraction on the original data to obtain the attack feature corresponding to the original data; a generation module configured to generate, in response to determining that the attack feature does not exist in a pre-constructed policy library set, a protection policy corresponding to the attack feature based on the attack feature; and a correction module configured to detect the protection policy, correct it in response to detecting that it has a policy conflict effect with the protection policies stored in the policy library set, and store the corrected protection policy.
Based on the same inventive concept, the application also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, the processor implementing the method as described above when executing the computer program.
Based on the same inventive concept, the present application also provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the method as described above.
From the above it can be seen that the method and related device provided by the application obtain the original data corresponding to a network attack event and extract features from it to obtain the corresponding attack feature, so that the corresponding protection policy can be determined accurately on the basis of that feature. In response to the attack feature not existing in the pre-constructed policy library set, a protection policy corresponding to the attack feature is generated from it, achieving targeted resistance to the attack. The protection policy is then detected; if it has a policy conflict effect with the protection policies stored in the policy library set it is corrected, and the corrected policy is stored, so that when the same network attack event occurs again the protection policy in the policy library set can be invoked in time to resist the attack, and network security is protected.
Drawings
In order to illustrate the technical solutions of the present application or the related art more clearly, the drawings needed in describing the embodiments or the related art are briefly introduced below. It is apparent that the drawings described below show only embodiments of the present application, and that a person of ordinary skill in the art could derive other drawings from them without inventive effort.
Fig. 1 is a flow chart of a method for determining a protection policy of a network attack event according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a device for determining a protection policy of a network attack event according to an embodiment of the present application;
Fig. 3 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the application.
Detailed Description
The present application is further described in detail below with reference to specific embodiments and the accompanying drawings, so as to make its objects, technical solutions and advantages clearer.
It should be noted that, unless otherwise defined, technical or scientific terms used in the embodiments of the present application have the ordinary meaning understood by one of ordinary skill in the art to which the present application belongs. The terms "first", "second" and the like, as used in the embodiments of the present application, do not denote any order, quantity or importance, but are used only to distinguish one element from another. The words "comprising" or "comprises" and the like mean that the elements or items preceding the word include the elements or items listed after the word and their equivalents, without excluding other elements or items. The term "connected" and the like is not limited to physical or mechanical connections and may include electrical connections, whether direct or indirect. "Upper", "lower", "left", "right" and so on merely indicate relative positional relationships, which may change when the absolute position of the object described changes.
As described in the background section, as informatization accelerates, the security threats that networks face keep increasing and network attack events are frequent. The power system is a complex network system, so the power information network easily becomes a target of network attacks, and resisting them is particularly important. In the prior art, when an attack feature is detected in network data, the stored protection policy associated with that feature is applied to resist the attack, but the protection policy may fail to resist the attack in time. As the protection granularity of protection policies is gradually refined, the stored protection policies may conflict, so that a protection policy cannot take effect and cannot resist the network attack, causing losses.
In view of this, an embodiment of the present application proposes a method for determining a protection policy for a network attack event which, referring to Fig. 1, includes the following steps:
Step 101: obtaining original data corresponding to a network attack event.
In this step, in order to defend against the network attack event in a targeted way, the original data corresponding to it must be acquired and analysed. The network attack event may be, for example, threat intelligence, event information, attack behaviour, terminal logs, vulnerability management and the like, where attack behaviour includes web attacks, DDoS attacks, vulnerability scanning, brute-force cracking and the like. The original data corresponding to the network attack event may be data actively retrieved from a stored historical library of network attack events, or data actively transmitted to the power system and identified as a network attack event.
It should be noted that a network attack event may be transmitted to the power system through a standard interface, the power system receiving the data in Syslog, Kafka or APT mode. The meaning, type and length of each field must be explicitly defined in the interface specification corresponding to the standard interface, and the encryption mode used for data transmission to the power system during reporting and the authentication mode of the interface must be explicitly defined in the access specification. The original data corresponding to the network attack event supports protocols such as HTTP, SMTP, FTP, MODBUS and TELNET.
Step 102: extracting features from the original data to obtain the attack feature corresponding to the original data.
In this step, feature extraction is performed on the original data; it can be performed with a pre-trained model so that the features of the original data are extracted accurately. The attack feature corresponding to the original data is thus obtained, so that the corresponding protection policy can be accurately determined on the basis of the attack feature.
Step 103: in response to determining that the attack feature does not exist in the pre-constructed policy library set, generating a protection policy corresponding to the attack feature based on the attack feature.
In this step, if the attack feature does not exist in the pre-constructed policy library set, the policies stored in the policy library set cannot resist the attack, so a protection policy corresponding to the attack feature is generated from the attack feature in order to resist the attack in a targeted manner. The protection policy describes what exactly is to be done when the attack feature is matched successfully, that is, which actions are to be performed; the actions may for example be pass-through, block, message rewrite, variable definition, variable assignment, logging, script execution and the like.
Step 104: detecting the protection policy, correcting it in response to detecting that it has a policy conflict effect with the protection policies stored in the policy library set, and storing the corrected protection policy.
In this step, the generated protection policy needs to be stored in the policy library set so that the network attack can be resisted in time through the stored policies. However, the protection policy may have a policy conflict effect with the protection policies already stored in the policy library set, so that it cannot resist the network attack; therefore the protection policy needs to be detected. Where it has a policy conflict effect with a stored protection policy, it must be corrected, so that when the same network attack event occurs again the protection policy in the policy library set can be invoked in time to resist the attack, and network security is protected.
Through the above scheme, the original data corresponding to the network attack event is obtained and features are extracted from it to obtain the corresponding attack feature, so that the corresponding protection policy can be determined accurately on the basis of that feature. In response to the attack feature not existing in the pre-constructed policy library set, a protection policy corresponding to the attack feature is generated from it, achieving targeted resistance to the attack. The protection policy is then detected; if it has a policy conflict effect with the protection policies stored in the policy library set it is corrected, and the corrected policy is stored, so that when the same network attack event occurs again the protection policy in the policy library set can be invoked in time to resist the attack, and network security is protected.
In some embodiments, before feature extraction of the original data, the method includes performing an analysis operation, a redundancy elimination operation, a reduction operation and a merging operation on the original data.
In this embodiment the original data is pre-processed, which improves the accuracy of the protection policy generated later and avoids interference from invalid data. The original data is first analysed so that it is fully understood and the redundancy elimination and reduction operations can then be carried out in turn. The redundancy elimination operation removes redundant data from the original data and with it the interference such data would cause. The reduction operation is then applied to the de-duplicated data to compress the data volume further, and finally the reduced data is merged back into original data. In this way interference from useless data is reduced and the efficiency with which the data is used subsequently is improved.
In some embodiments, determining that the attack feature is not present in the pre-constructed policy library set comprises: determining a category corresponding to the original data based on the attack feature; determining, based on the category, a target policy library corresponding to the category within the policy library set; and, in response to determining that the attack feature is not found in the target policy library, determining that the attack feature is not present in the policy library set.
In this embodiment, attack features are of different types; for example, they may be classified by their source into a threat intelligence class, an event information class, an attack behaviour class, a terminal log class, a vulnerability management class and the like. The category corresponding to the original data can thus be determined from the attack feature, which refines the original data. The categories also correspond to policy libraries in the policy library set, and this refinement of the policy library set allows the attack feature to be looked up quickly. If the attack feature is not found in the target policy library corresponding to its category, it is determined that the attack feature does not exist in the policy library set. It should be noted that the target policy library may be refined further to speed up the search for the corresponding protection policy; for example, it may be divided into an expert knowledge library, an information parameter library and a feature rule library of the feature rule model.
In some embodiments, the protection policy includes at least one group consisting of a trigger condition and an execution action corresponding to that trigger condition, and the protection policy has a policy conflict effect with the protection policies stored in the policy library set when at least one trigger condition of the protection policy is the same as a trigger condition of a stored protection policy and the execution actions corresponding to that same trigger condition differ.
In this embodiment, a protection policy is started only when its corresponding trigger condition is matched. However, the protection policy may share a trigger condition with a stored protection policy while its execution action differs; in that case executing the action may fail to resist the network attack, and the execution actions of the two policies may even be completely contradictory operations, so that the protection policy cannot be started at all. When this situation occurs, it is determined that the protection policy has a policy conflict effect with the protection policies stored in the policy library set. Determining the policy conflict effect promptly allows the problem to be resolved promptly afterwards, so that network security can be maintained effectively through the protection policy.
It should be noted that the trigger condition and the behaviour action of an automatically generated protection policy may be described in the form "if condition then action" (IETF style: execute the corresponding action if the condition is satisfied). To maintain consistency, a policy structure is formulated that combines the IETF characteristics; it comprises the trigger condition for linked policy execution, the behaviour action to be executed, the execution subject, the execution target and so on, and is represented as policy (priority, subject, target, condition, trigger, action, flag, TTL). Here priority is the priority of the protection policy, in the range 0-255, a smaller number meaning a higher priority, and the set of all protection policies is denoted POLICY; subject is the execution subject of the protection policy, and the set of all execution subjects is denoted SUBJECT; target is the object (there may be several objects) the policy acts on, and the set of all objects is denoted TARGET; condition is the trigger condition of the protection policy, and the set of all trigger conditions is denoted CONDITION; action is the execution action of the protection policy, which may be a business-logic action or a security protection action, and the set of all actions is denoted ACTION; flag gives the type of the policy and takes the value true or false, where true means that the policy's subject performs action on the object target under condition, and false means that execution of the policy is prohibited; and TTL is the time, in seconds, for which the policy's action remains active.
It should be further noted that, the policy conflict effect existing between the protection policy and the stored protection policy further includes cross conflict between policies, that is, a large number of cross policies exist in the target policy library, and the attack feature or the associated data may need to be matched for multiple times to find the final execution action. The above conflict greatly reduces the efficiency of executing actions by the policies, so that to merge such crossed policies, policies with continuity are merged to reduce the number of policies and improve the working efficiency of the security device. The common abnormality detection methods are: rule conflict detection based on a decision tree, rule conflict detection algorithm based on generalization, anomaly detection algorithm based on a firewall decision table, anomaly detection algorithm based on a bit vector, and the like.
The effect of policy conflict between a protection policy and a stored protection policy also includes modal conflicts, meaning inconsistencies in the description of the policy that occur when two or more policies of opposite sign act on the same subject, object, and execution action. Modality conflicts can be divided into 3 types: (1) authorization policy conflict: authorization policy conflicts occur when the affirmative authorization policy and the refusal authorization policy have the same subject, object, and measure. (2) responsibility policy conflict: a responsibility policy conflict occurs when one forward responsibility policy requires the principal to perform a particular action, while the other reverse responsibility policy (also called a throttling policy) prohibits the principal from performing the action. (3) responsibilities and authorization policy conflict: responsibility and authorization policy conflicts occur when a responsibility policy requires a principal to perform a particular action, but one of the refusal to authorization policies prohibits the principal's ability to perform the action. Most modal conflicts can be detected by a static method of enumerating conflicting feature attributes, and if there is an intersection of conflicting feature attributes for two or more policies in the target policy repository, then there is a modal conflict between them.
The effect of the policy conflict between the protection policy and the stored protection policy also comprises application conflict, which generally means that the external constraint among the policies is in conflict, that is, the content of the policies is in conflict with the situation that the external constraint definitely prescribes that the external constraint is not allowed to occur. The application-related conflict according to the difference of the external constraint targets can be classified into the following 5 kinds: (1) subject association conflict: meaning that the subjects of both authorization policies are the same, conflicts resulting from executing the measures on different sets of objects. (2) object association conflict: meaning that different subjects perform different actions on the same object may result in conflicting actions. (3) measure association conflict: meaning that different subjects perform the same actions on the same object may result in conflicting actions. (4) a master guest association conflict: when the guests and principals of two forward authorization policies overlap, some actions may be defined as conflicts by the administrator application. (5) host-guest self-association conflict: external constraints may make special demands on the subject, object of the policy, so-called self-management problems, for example requiring that the manager cannot perform operations to manage himself. Most application-related conflicts cannot be found through static method inspection, and it can be found from the description of the type of the application-related conflict that the key to generating the application-related conflict is that the same associated objects exist between policies, so that the application-related conflict can be detected through a dynamic method of attaching attribute tags to the associated objects of the policies.
Full life cycle management of a protection policy covers the whole flow from creation through submission, auditing, release, updating and deletion. When a protection policy is generated, the extraction of attack features, the triggering of defensive actions and the mapping between attack features and defensive actions must be considered. Factors that cause a protection policy to be updated include threat types, security defense measures, changes in network topology and optimization or merging among protection policies; updates must be timely and coordinated. Deletion of protection policies covers policies absorbed when policies are merged during optimization and policies that no longer fit because of changes in threats or security measures.
In some embodiments, prior to detecting the protection policy, the method includes: parsing the original data to obtain a plurality of fields corresponding to the original data, where the fields include at least a generation time field, an event identification number field, an event type field, a source IP address field and a destination IP address field of the original data; searching and computing over the original data with a particle swarm algorithm, based on the fields and the attack feature, to obtain a plurality of sets, where each set comprises at least one of the plurality of fields and/or the attack feature; and, for each of the plurality of fields, calculating a support corresponding to the field based on the plurality of sets, calculating a confidence corresponding to the field based on the plurality of sets in response to determining that the support is greater than a preset support, and determining the field to be associated data of the attack feature in response to determining that the confidence is greater than a preset confidence.
In this embodiment, the attack feature does not stand alone in the original data but often appears together with other data, so association analysis is performed on the attack feature and the associated data is determined within the original data set in order to find the association between the original data and the attack feature. The other data may be fields that reflect basic information about the original data; the data related to the attack feature, that is, the associated data, needs to be found so that the attack feature can be detected in network data whenever the associated data is present in that data. This widens the range over which network attacks are recognized and accelerates the response of the protection policy. The associated data of the attack feature may be determined by combining a particle swarm algorithm with an association rule algorithm. First, the other data that often appears together with the attack feature must be identified in the original data: a plurality of sets is found by searching according to the competition and cooperation relations among individuals in the population, where each set comprises at least one of the plurality of fields and/or the attack feature. By way of example, the sets may be (event type field, attack feature), (event identification number field, event type field, attack feature) and (event type field). The particle swarm algorithm improves the efficiency of obtaining the sets. The support is the frequency with which the attack feature and a field appear in the same set; a field whose support is greater than the preset support is taken to be a field that often appears with the attack feature, where the preset support can be determined from historical experience.
However, a support greater than the preset support alone does not accurately establish the relationship between the field and the attack feature, because the field itself may simply occur frequently in the original data. To verify that the association of the field with the attack feature is reliable, a confidence check is performed on the field: it is confirmed that the field is not merely frequent data in the original data, that is, that the confidence corresponding to the field is greater than a preset confidence, and only then is the field determined to be data associated with the attack feature, where the preset confidence can be determined from historical experience. In this way the associated data of the attack feature is determined quickly and accurately.
In some embodiments, calculating the support corresponding to the field based on the plurality of sets includes: Support(A→B) = N(A∪B)/N(I), where Support(A→B) is the support, N(A∪B) is the number of sets that include both the field and the attack feature, N(I) is the total number of sets, A represents the field, and B represents the attack feature; and calculating the confidence corresponding to the field based on the plurality of sets includes: Confidence(A→B) = P(A∪B)/P(A), where Confidence(A→B) is the confidence, P(A∪B)/P(A) represents the probability that the attack feature occurs given that the field occurs, A represents the field, and B represents the attack feature.
In this embodiment, the support indicates the frequency with which the field and the attack feature appear together in one set, where several fields may also be present in the same set. Therefore the number of sets in which the field and the attack feature coexist is determined first and then divided by the total number of sets, which gives the support corresponding to the field. A relatively high support means the field and the attack feature frequently appear together; a relatively low support means they rarely do. To verify that the association of the field with the attack feature is reliable, the confidence corresponding to the field is calculated; it represents the probability that the attack feature also appears given that the field appears. Illustratively, a confidence of 100% means that the attack feature always appears when the field appears. The specific formulas further describe how the associated data of the attack feature is determined, making the process more intuitive and accurate.
In some embodiments, storing the corrected protection policy includes storing the attack feature, the associated data and the corrected protection policy in association with one another in the policy library set.
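The two-stage screening described above, as an added example that is not code from the patent: support is computed as N(A∪B)/N(I) and confidence as P(A∪B)/P(A) over candidate sets, and a field is kept as associated data only if both exceed their thresholds. The candidate sets are constructed by hand here (the patent obtains them with a particle swarm search, which is not reproduced), the field names follow the five the text lists, and the thresholds are assumed values.

```python
"""Support / confidence screening of parsed fields against an attack feature.

Added example, not code from the patent. SAMPLE_SETS stands in for the sets the
particle swarm search would produce; MIN_SUPPORT and MIN_CONFIDENCE are assumed
preset thresholds. Fractions are used so comparisons are exact.
"""
from fractions import Fraction

ATTACK_FEATURE = "attack_feature"
FIELDS = ["gen_time", "event_id", "event_type", "src_ip", "dst_ip"]

# Constructed candidate sets (not from the patent). Each holds at least one
# field and/or the attack feature. gen_time is deliberately frequent on its own,
# so it passes the support check but fails the confidence check.
SAMPLE_SETS = [
    {"event_type", ATTACK_FEATURE},
    {"event_id", "event_type", ATTACK_FEATURE},
    {"event_type"},
    {"src_ip", "gen_time", ATTACK_FEATURE},
    {"src_ip", "dst_ip", "gen_time", ATTACK_FEATURE},
    {"gen_time", "src_ip"},
    {"gen_time"},
    {"gen_time", "dst_ip"},
    {"gen_time", "event_id"},
    {"dst_ip"},
]

MIN_SUPPORT = Fraction(3, 20)    # assumed preset support (0.15)
MIN_CONFIDENCE = Fraction(1, 2)  # assumed preset confidence (0.5)


def support(sets, field, feature=ATTACK_FEATURE) -> Fraction:
    """Support(A->B) = N(A u B) / N(I): share of all sets holding both the field and the feature."""
    n_both = sum(1 for s in sets if field in s and feature in s)
    return Fraction(n_both, len(sets))


def confidence(sets, field, feature=ATTACK_FEATURE) -> Fraction:
    """Confidence(A->B) = P(A u B) / P(A): probability the feature occurs given the field occurs.
    The common denominator N(I) cancels, leaving N(A u B) / N(A)."""
    n_field = sum(1 for s in sets if field in s)
    if n_field == 0:
        return Fraction(0)
    n_both = sum(1 for s in sets if field in s and feature in s)
    return Fraction(n_both, n_field)


def associated_fields(sets, fields, min_support, min_confidence, feature=ATTACK_FEATURE):
    """Two-stage screening. Returns ({field: (support, confidence)} for fields
    accepted as associated data, [fields rejected only at the confidence stage])."""
    associated = {}
    rejected_by_confidence = []
    for f in fields:
        sup = support(sets, f, feature)
        if sup <= min_support:          # stage 1: must exceed preset support
            continue
        conf = confidence(sets, f, feature)
        if conf > min_confidence:       # stage 2: must exceed preset confidence
            associated[f] = (sup, conf)
        else:
            rejected_by_confidence.append(f)
    return associated, rejected_by_confidence


def screen_sample():
    """Run the screening on the constructed sets with the assumed thresholds."""
    return associated_fields(SAMPLE_SETS, FIELDS, MIN_SUPPORT, MIN_CONFIDENCE)


if __name__ == "__main__":
    accepted, rejected = screen_sample()
    for f, (sup, conf) in accepted.items():
        print(f"{f}: support={sup} confidence={conf} -> associated data")
    for f in rejected:
        print(f"{f}: frequent on its own, rejected at confidence stage")
```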
In this embodiment, the attack feature, the associated data and the modified protection policy are stored in the target policy repository in the policy repository set, so that the protection policy in the target policy repository can more comprehensively resist the attack of the network security event. The attack characteristic and the associated data are often generated in the original data, so that the associated data are stored together with the attack characteristic and the protection strategy, and the network data can be considered to have the attack characteristic under the condition that the associated data are detected when the network data are detected, so that the protection of the network data is started, and network attack events can be timely and effectively resisted.
It should be noted that, the method of the embodiment of the present application may be performed by a single device, for example, a computer or a server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the method of an embodiment of the present application, the devices interacting with each other to accomplish the method.
It should be noted that the foregoing describes some embodiments of the present application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, the application also provides a protection strategy determining device for network attack event, corresponding to the method of any embodiment.
Referring to fig. 2, the protection policy determining device for network attack event includes:
an acquisition module 10 configured to acquire original data corresponding to a network attack event;
the extracting module 20 is configured to perform feature extraction on the original data so as to obtain attack features corresponding to the original data;
a generating module 30, configured to generate a protection policy corresponding to the attack feature based on the attack feature in response to determining that the attack feature does not exist in the pre-constructed policy library set;
a correction module 40 configured to detect the protection policy, correct the protection policy in response to detecting that a policy conflict effect exists between the protection policy and a stored protection policy in the policy repository set, and store the corrected protection policy.
Acquiring original data corresponding to a network attack event through the device; and extracting the characteristics of the original data to obtain attack characteristics corresponding to the original data, so that the corresponding protection strategy can be accurately determined based on the attack characteristics. And responding to the fact that the attack features do not exist in the pre-constructed strategy library set, and generating protection strategies corresponding to the attack features based on the attack features, so that the aim of targeted attack resistance is achieved. Detecting the protection strategy, correcting the protection strategy in response to detecting the strategy conflict effect of the protection strategy and the stored protection strategy in the strategy library set, and storing the corrected protection strategy so that the protection strategy in the strategy library set can be timely invoked to resist attack when the same network attack event occurs again, and network security is protected.
In some embodiments, the device further comprises an operation module configured to perform a parsing operation, a redundancy removal operation, a reduction operation and a merging operation on the original data before feature extraction is performed on the original data.
In some embodiments, the generating module 30 is further configured to determine, based on the attack feature, a category to which the original data corresponds; determining a target strategy library corresponding to the category in the strategy library set based on the category; in response to determining that the attack signature is not found in the target policy repository, determining that the attack signature is not present in the set of policy repositories.
In some embodiments, the protection policy includes at least one set of trigger conditions and execution actions corresponding to them, and the correction module 40 is further configured to determine that a policy conflict effect exists between the protection policy and a stored protection policy in response to determining that at least one trigger condition of the protection policy is the same as a trigger condition of the stored protection policy while the execution actions corresponding to that trigger condition differ.
In some embodiments, the device further includes a determining module configured to, before the protection policy is detected, parse the original data to obtain a plurality of fields corresponding to the original data, where the fields include at least a generation time field, an event identification number field, an event type field, a source IP address field and a destination IP address field of the original data; search and compute over the original data with a particle swarm algorithm, based on the fields and the attack feature, to obtain a plurality of sets, where each set comprises at least one of the plurality of fields and/or the attack feature; and, for each of the plurality of fields, calculate a support corresponding to the field based on the plurality of sets, calculate a confidence corresponding to the field based on the plurality of sets in response to determining that the support is greater than a preset support, and determine the field to be associated data of the attack feature in response to determining that the confidence is greater than a preset confidence.
In some embodiments, the determining module is further configured to calculate the support corresponding to the field based on the plurality of sets as Support(A→B) = N(A∪B)/N(I), where Support(A→B) is the support, N(A∪B) is the number of sets that include both the field and the attack feature, N(I) is the total number of sets, A represents the field, and B represents the attack feature; and to calculate the confidence corresponding to the field based on the plurality of sets as Confidence(A→B) = P(A∪B)/P(A), where Confidence(A→B) is the confidence, P(A∪B)/P(A) represents the probability that the attack feature occurs given that the field occurs, A represents the field, and B represents the attack feature.
In some embodiments, the determining module is further configured to store the attack feature, the associated data and the corrected protection policy in association with one another in the policy repository set.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
The device of the foregoing embodiment is configured to implement the protection policy determining method of the corresponding network attack event in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, the application also provides an electronic device corresponding to the method of any embodiment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the method for determining the protection strategy of the network attack event according to any embodiment when executing the program.
Fig. 3 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an application specific integrated circuit (ASIC), or one or more integrated circuits, etc., for executing the relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs; when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown in the figure) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The electronic device in the foregoing embodiment is configured to implement the protection policy determining method for the corresponding network attack event in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Based on the same inventive concept, the present application also provides a non-transitory computer readable storage medium corresponding to the method of any embodiment, wherein the non-transitory computer readable storage medium stores computer instructions for causing the computer to execute the method for determining the protection policy of the network attack event according to any embodiment.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
The computer instructions stored in the storage medium of the foregoing embodiments are used to make the computer execute the method for determining the protection policy of the network attack event according to any one of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which are not described herein.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the application (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the application, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the application as described above, which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present application. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present application, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the embodiments of the present application are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The present embodiments are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent substitutions, improvements, and the like, which are within the spirit and principles of the embodiments of the application, are intended to be included within the scope of the application.

Claims (10)

1. A method for determining a protection policy for a network attack event, comprising:
acquiring original data corresponding to a network attack event;
extracting features of the original data to obtain attack features corresponding to the original data;
generating a protection strategy corresponding to the attack characteristic based on the attack characteristic in response to determining that the attack characteristic does not exist in a pre-constructed strategy library set;
detecting the protection strategy, correcting the protection strategy in response to detecting that the protection strategy has a strategy conflict effect with the stored protection strategies in the strategy library set, and storing the corrected protection strategy.
2. The method of claim 1, wherein prior to feature extraction of the raw data, the method comprises:
performing a parsing operation, a redundancy elimination operation, a reduction operation and a merging operation on the original data.
3. The method of claim 1, wherein determining that the attack signature is not present in the pre-constructed set of policy libraries comprises:
determining a category corresponding to the original data based on the attack characteristic;
determining a target strategy library corresponding to the category in the strategy library set based on the category;
in response to determining that the attack signature is not found in the target policy repository, determining that the attack signature is not present in the set of policy repositories.
4. The method of claim 1, wherein the protection policy includes at least one set of trigger conditions and execution actions corresponding thereto;
the protection policy has a policy conflict effect with stored protection policies in the policy repository set, including:
in response to determining that at least one trigger condition of the protection policy is the same as a trigger condition of the stored protection policy, and that execution actions corresponding to the same trigger condition are different.
5. The method of claim 1, wherein prior to detecting the protection policy, the method comprises:
Analyzing the original data to obtain a plurality of fields corresponding to the original data, wherein the fields at least comprise a generation time field, an event identification number field, an event type field, a source IP address field and a destination IP address field of the original data;
searching and calculating the original data through a particle swarm algorithm based on the fields and the attack characteristics to obtain a plurality of sets, wherein each set in the plurality of sets comprises at least one field and/or the attack characteristics in the plurality of fields;
for each of the plurality of fields, calculating a support corresponding to the field based on the plurality of sets, calculating a confidence corresponding to the field based on the plurality of sets in response to determining that the support corresponding to the field is greater than a preset support, and determining the field as associated data associated with the attack feature in response to determining that the confidence is greater than a preset confidence.
6. The method according to claim 5, comprising:
the calculating the support degree corresponding to the field based on the multiple sets includes:
Support(A→B) = N(A∪B)/N(I),
wherein Support(A→B) is the support, N(A∪B) is the number of sets including both the field and the attack feature, N(I) is the total number of sets, A represents the field, and B represents the attack feature;
the calculating the confidence corresponding to the field based on the plurality of sets includes:
Confidence(A→B) = P(A∪B)/P(A),
wherein Confidence(A→B) is the confidence, P(A∪B)/P(A) represents the probability that the attack feature occurs given that the field occurs, A represents the field, and B represents the attack feature.
7. The method of claim 5, wherein storing the modified protection policy comprises:
storing the attack feature, the associated data and the corrected protection policy in association with one another in the policy library set.
8. A protection policy determining device for a network attack event, comprising:
the acquisition module is configured to acquire the original data corresponding to the network attack event;
the extraction module is configured to perform feature extraction on the original data so as to obtain attack features corresponding to the original data;
the generation module is configured to respond to the fact that the attack features do not exist in a pre-constructed policy library set, and based on the attack features, generate protection policies corresponding to the attack features;
a correction module configured to detect the protection policy, correct the protection policy in response to detecting that the protection policy has a policy conflict effect with a stored protection policy in the policy library set, and store the corrected protection policy.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 7 when the program is executed by the processor.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310871558.6A CN116896468A (en) 2023-07-14 2023-07-14 Protection strategy determining method for network attack event and related equipment
Publications (1)

Publication Number Publication Date
CN116896468A true CN116896468A (en) 2023-10-17

Family

ID=88310439
Country Status (1)

Country Link
CN (1) CN116896468A (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination