CN116996306A - Invasion attack path tracing method, invasion attack path tracing device, electronic equipment and medium - Google Patents


Info

Publication number: CN116996306A
Application number: CN202311027818.8A
Authority: CN (China)
Prior art keywords: attack, address, asset, event, events
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王佳音, 蒋晓晶
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN202311027818.8A; published as CN116996306A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic


Abstract

The disclosure provides an intrusion attack path tracing method in the technical field of information security. The method comprises the following steps: acquiring an alarm log of an intrusion prevention device and a set of asset IP addresses, where the alarm log comprises n pieces of alarm information and n is an integer greater than 1; generating an attack event from each piece of alarm information and determining, for each attack event, its attack stage and the time stamp at which the intrusion occurred, where the attack stage is one of the several attack stages of an intrusion attack chain; and, for each asset IP address in the set, when the asset IP address is determined to have m attack events, tracing the attack path by which the asset IP address was attacked on the basis of those attack events. The disclosure also provides an intrusion attack path tracing device, an electronic device, a storage medium and a program product.

Description

Invasion attack path tracing method, invasion attack path tracing device, electronic equipment and medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to the field of intrusion prevention, and more particularly, to an intrusion attack path tracing method, apparatus, electronic device, medium, and program product.
Background
The global network security situation is growing more severe, and large-scale network attack incidents occur without end. In May 2018 the WannaCry ransomware swept the world, affecting 150 countries and regions and industries including education, enterprise, healthcare and transportation. In August 2018 the personal information of guests of the Huazhu hotel chain was publicly sold on the dark net, leaking 140 GB of user data including names, mobile phone numbers, e-mail addresses and identity card numbers. In October 2018 the IT systems of three transport organizations in Sweden came under DDoS attack, paralysing their official online services and severely disrupting public transport. The domestic network attack situation is also more severe, and the number of attacks on critical information infrastructure has increased.
The continuously evolving network threat environment brings more complex attack scenarios: an attacker in cyberspace no longer relies on a single attack behaviour as in the past, but combines multiple complex attacks that cooperate with one another over a long period in order to obtain illicit gains. Traditional network defence systems mainly resist attacks by installing security detection tools such as firewalls, intrusion detection systems, antivirus software and security assessment systems. A common problem with such device-based detection is that only known threats can be detected, and that an attack alarm reflects only a single point at a single moment, so complex, long-duration advanced persistent threat (APT) attacks cannot be perceived.
Disclosure of Invention
In view of the above, the present disclosure provides an intrusion attack path tracing method, apparatus, electronic device, medium and program product.
According to a first aspect of the present disclosure, an intrusion attack path tracing method is provided, including: acquiring an alarm log of an intrusion prevention device and a set of asset IP addresses, where the alarm log comprises n pieces of alarm information and n is an integer greater than 1; generating an attack event from each piece of alarm information and determining the attack stage of each attack event and the time stamp at which the intrusion occurred, where the attack stage is one of the several attack stages of an intrusion attack chain; and, for each asset IP address in the set of asset IP addresses, performing the following: when the asset IP address has m attack events, determining the attack role and the compromise attribute of the asset IP address in each of the m attack events, where m is a positive integer smaller than n, the attack role is either attacker or victim, and the compromise attribute is either compromised or not compromised; merging the m attack events into p attack events according to a preset event merging rule, where p is a positive integer less than or equal to m; combining the attack stages, time stamps, attack roles and compromise attributes of the p attack events to generate an attack time sequence diagram of the asset IP address; and processing the attack time sequence diagram on the basis of the intrusion attack chain to trace the attack path by which the asset IP address was attacked.
According to an embodiment of the disclosure, the attack stages of the intrusion attack chain are, in order from low to high: target detection, weaponization, delivery, exploitation, installation of tools, command and control, and malicious activity.
According to an embodiment of the present disclosure, determining the attack role and the compromise attribute of the asset IP address for each of the m attack events includes: determining, from each piece of alarm information, the address category of the asset IP address in the corresponding attack event, where the address category is either source IP address or target IP address; and determining the attack role of the asset IP address in the corresponding attack event according to the address category.
According to an embodiment of the present disclosure, determining the attack role of the asset IP address in the corresponding attack event according to the address category includes: when the address category of the asset IP address is source IP address, determining the attack role as victim; and when the address category of the asset IP address is target IP address, determining the attack role as attacker.
According to an embodiment of the disclosure, determining the attack role and the compromise attribute of the asset IP address for each of the m attack events further includes, for each of the m attack events: when the attack stage of the attack event is any one of target detection, weaponization, delivery and exploitation, determining the compromise attribute of the asset IP address in that attack event as not compromised; and when the attack stage of the attack event is any one of installation of tools, command and control and malicious activity, determining the compromise attribute of the asset IP address in that attack event as compromised.
According to an embodiment of the present disclosure, the event merging rule includes: when several attack events occur at the same moment and belong to different attack stages, only the attack event in the highest attack stage is retained; and when several attack events occur within the same preset time period and belong to the same attack stage, only the first attack event is retained.
According to an embodiment of the present disclosure, processing the attack time sequence diagram on the basis of the intrusion attack chain and tracing the attack path by which the asset IP address was attacked includes: on the attack time sequence diagram, sorting the p attack events in ascending order by time stamp and attack stage to generate an attack tree topology of nodes and links, in which the p attack events serve as p nodes, the p nodes form at least one link from a parent node to a child node according to the sort order, and the parent node is in a lower attack stage than the child node; and tracing the attack path by which the asset IP address was attacked according to the attack tree topology.
According to an embodiment of the present disclosure, tracing the attack path by which the asset IP address was attacked according to the attack tree topology further includes: updating the nodes and links of the attack tree topology as time passes; and tracing the attack path by which the asset IP address was attacked on the basis of the updated attack tree topology.
A second aspect of the present disclosure provides an intrusion attack path tracing apparatus, including: a data acquisition module for acquiring an alarm log of an intrusion prevention device and a set of asset IP addresses, where the alarm log comprises n pieces of alarm information and n is an integer greater than 1; an attack event generation module for generating an attack event from each piece of alarm information and determining the attack stage of each attack event and the time stamp at which the intrusion occurred, where the attack stage is one of the several attack stages of an intrusion attack chain; and an asset attack path tracing module for performing the following for each asset IP address in the set of asset IP addresses: when the asset IP address has m attack events, determining the attack role and the compromise attribute of the asset IP address in each of the m attack events, where m is a positive integer smaller than n, the attack role is either attacker or victim, and the compromise attribute is either compromised or not compromised; merging the m attack events into p attack events according to a preset event merging rule, where p is a positive integer less than or equal to m; combining the attack stages, time stamps, attack roles and compromise attributes of the p attack events to generate an attack time sequence diagram of the asset IP address; and processing the attack time sequence diagram on the basis of the intrusion attack chain to trace the attack path by which the asset IP address was attacked.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the intrusion attack path tracing method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the intrusion attack path tracing method described above.
A fifth aspect of the present disclosure also provides a computer program product, including a computer program, which when executed by a processor implements the intrusion attack path tracing method described above.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates a system architecture suitable for the intrusion attack path tracing method and apparatus according to embodiments of the present disclosure;
FIG. 2A schematically illustrates a flowchart of an intrusion attack path tracing method according to an embodiment of the present disclosure;
FIG. 2B schematically illustrates a schematic diagram of an intrusion attack path tracing method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a schematic diagram of the attack stages of an intrusion attack chain according to an embodiment of the present disclosure;
FIG. 4A schematically illustrates a flowchart of determining the attack role of each asset IP address in each attack event according to an embodiment of the present disclosure;
FIG. 4B schematically illustrates a schematic diagram of determining the attack role of each asset IP address in each attack event according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flowchart of determining the compromise attribute of each asset IP address in each attack event according to an embodiment of the present disclosure;
FIG. 6A schematically illustrates an attack time sequence diagram of an asset IP address before event merging according to an embodiment of the present disclosure;
FIG. 6B schematically illustrates an attack time sequence diagram of an asset IP address after event merging according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flowchart of tracing the attack path of an asset IP address according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a flowchart of tracing the attack path of an asset IP address according to the attack tree topology, according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of an intrusion attack path tracing device according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates a block diagram of an electronic device adapted to implement an intrusion attack path tracing method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, they should generally be interpreted as commonly understood by those skilled in the art (e.g. "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Some of the block diagrams and/or flowchart illustrations are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, when executed by the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). Additionally, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon, the computer program product being for use by or in connection with an instruction execution system.
In the technical solution of the invention, the user information involved (including but not limited to personal information, image information and device information such as location) and the data involved (including but not limited to data used for analysis, stored data and displayed data) are information and data authorized by the user or fully authorized by all parties; their collection, storage, use, processing, transmission, provision, disclosure and application comply with the relevant laws, regulations and standards of the countries and regions concerned; necessary security measures are taken; the public interest is not harmed; and corresponding operation entries are provided for the user to grant or refuse authorization.
Before describing in detail specific embodiments of the present disclosure, technical terms are first explained in order to facilitate a better understanding of the present disclosure.
Intrusion attack chain (Intrusion Kill Chain): a technical framework for protecting the security of computers and networks, proposed in 2011 and since widely applied in the field of information security. The intrusion attack chain regards the intrusion behaviour of an attacker as an ordered set of means and paths taken over time to penetrate an information system and attack a target, and is an analysis and model of the intruder's behaviour and expected effects. The intrusion attack chain contains 7 stages (target detection, weaponization, delivery, exploitation, installation of tools, command and control, malicious activity), which typical intrusion attacks follow when planning and executing.
To resist increasingly severe network attacks, most enterprises and organizations deploy intrusion detection devices in their networks; however, these devices produce highly redundant alarms and many false alarms, can only identify single-point, single-moment alarms, and cannot perceive complex APT attacks.
On this basis, embodiments of the disclosure provide an intrusion attack path tracing method, an intrusion attack path tracing device, an electronic device, a storage medium and a program product, which relate to the technical field of cloud computing. The method comprises the following steps: acquiring an alarm log of an intrusion prevention device and a set of asset IP addresses, where the alarm log comprises n pieces of alarm information and n is an integer greater than 1; generating an attack event from each piece of alarm information and determining the attack stage of each attack event and the time stamp at which the intrusion occurred, where the attack stage is one of the several attack stages of an intrusion attack chain; and, for each asset IP address in the set of asset IP addresses, performing the following: when the asset IP address has m attack events, determining the attack role and the compromise attribute of the asset IP address in each of the m attack events, where m is a positive integer smaller than n, the attack role is either attacker or victim, and the compromise attribute is either compromised or not compromised; merging the m attack events into p attack events according to a preset event merging rule, where p is a positive integer less than or equal to m; combining the attack stages, time stamps, attack roles and compromise attributes of the p attack events to generate an attack time sequence diagram of the asset IP address; and processing the attack time sequence diagram on the basis of the intrusion attack chain to trace the attack path by which the asset IP address was attacked.
Fig. 1 schematically illustrates a system architecture suitable for intrusion attack path tracing methods and apparatus according to embodiments of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, but does not mean that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.
As shown in fig. 1, a system architecture 100 according to this embodiment may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages and the like. Various communication client applications, such as shopping applications, web browser applications, search applications, instant messaging tools, e-mail clients and social platform software (by way of example only), may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the intrusion attack path tracing method provided by the embodiments of the present disclosure may be generally executed by the server 105. Accordingly, the intrusion attack path tracing device provided by the embodiments of the present disclosure may be generally disposed in the server 105. The intrusion attack path tracing method provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the intrusion attack path tracing apparatus provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The intrusion attack path tracing method according to the embodiments of the present disclosure will be described in detail below with reference to fig. 2A to 8 based on the system architecture described in fig. 1.
Fig. 2A schematically illustrates a flowchart of an intrusion attack path tracing method according to an embodiment of the present disclosure. Fig. 2B schematically illustrates a schematic diagram of an intrusion attack path tracing method according to an embodiment of the present disclosure.
As shown in fig. 2A and 2B, the intrusion attack path tracing method of this embodiment may include operations S210 to S230, and the intrusion attack path tracing method may be performed by the server 105.
In operation S210, an alarm log of an intrusion prevention device (IPS, Intrusion Prevention System), containing n pieces of alarm information, and a set of asset IP addresses are acquired, n being an integer greater than 1.
For example, the set of asset IP addresses may be an enterprise asset IP address list containing the asset IP addresses of a particular target enterprise.
In operation S220, an attack event is generated from each piece of alarm information, and the attack stage of each attack event and the time stamp at which the intrusion occurred are determined, where the attack stage is one of the several attack stages of an intrusion attack chain.
In operation S230, the following operations S2301 to S2304 are performed for each asset IP address in the set of asset IP addresses.
In operation S2301, when it is determined that m attack events have occurred to the asset IP address, the attack role and the compromise attribute of the asset IP address in each of the m attack events are determined, where m is a positive integer smaller than n, the attack role is either attacker or victim, and the compromise attribute is either compromised or not compromised.
In operation S2302, the m attack events are merged into p attack events according to a preset event merging rule, where p is a positive integer less than or equal to m.
In operation S2303, the attack stages, time stamps, attack roles and compromise attributes of the p attack events are combined to generate an attack time sequence diagram of the asset IP address.
In operation S2304, the attack time sequence diagram is processed on the basis of the intrusion attack chain, and the attack path by which the asset IP address was attacked is traced.
According to the embodiment of the disclosure, the alarm log of the intrusion prevention device and the set of asset IP addresses are taken as the basic input. Each piece of alarm information is first assigned to a distinct attack event, the attack events are generated, and the attack stage and time stamp of each attack event are determined. Then, for each asset IP address that has been intruded, the attack role and compromise attribute of that asset IP address in each corresponding attack event are determined. After event merging, the attack stages, time stamps, attack roles and compromise attributes of all remaining attack events are combined to generate an attack time sequence diagram for each asset IP address, and finally the attack path by which each asset IP address was attacked is traced on the basis of that diagram. In this way, against the conceptual background of the intrusion attack chain, the attack path is effectively reconstructed, the intrusion attack is traced to its source, and the capability to perceive and give early warning of network security threats is improved. The method and device therefore address the problems that intrusion prevention devices produce highly redundant, high-false-alarm, discrete alarms that cannot be operated on, that most of what they discover are single-moment alarms, and that complex, advanced and persistent attacks cannot be perceived.
The intrusion attack path tracing method provided by the embodiment of the disclosure is a multidimensional intrusion attack path reasoning algorithm that takes into account the threat degree mark of each attack event, the importance level of each asset, the time at which each alarm occurred and the attack stage in which each alarm lies.
Fig. 3 schematically illustrates a schematic diagram of a plurality of attack phases of an intrusion attack chain according to an embodiment of the present disclosure.
As shown in fig. 3, in the embodiment of the present disclosure, the attack stages of the intrusion attack chain are, in order from low to high: target detection, weaponization, delivery, exploitation, tool installation, command and control, malicious activity.
For example, the target detection stage mainly covers identifying, selecting, analysing and verifying the target; in the weaponization stage, a remote access Trojan and an exploit are bound into a deliverable malicious file, the so-called network weapon; the delivery stage mainly delivers the malicious file into the target environment; in the exploitation stage, the attacker's malicious file is triggered on the target system; in the tool installation stage, a backdoor is installed and persistence is maintained; in the command and control stage, the controlling server issues commands to and controls the malware on the controlled and compromised nodes; and the malicious activity stage mainly covers data exfiltration, propagation through the network and disruption of systems.
The intrusion attack chain model indicates that an intrusion proceeds in stages and that the attack can be interrupted by establishing an effective defence mechanism at each stage. There are 7 attack stages, ordered by how deep the attack has progressed: target detection, weaponization, delivery, exploitation, tool installation, command and control, malicious activity.
Thus, the 7-step intrusion chain model of the prior art contains 7 stages, which typical intrusion attacks follow when they are planned and executed.
In operation S220 described above, attack events are generated from the input alarm log; this step is independent of the asset IP address set, which is not considered here. Each attack event is assigned one of the 7 attack stages of the intrusion attack chain and carries the timestamp at which the intrusion occurred, so the generated attack events look, for example, like those in table 1 below:
TABLE 1
It can be seen that the embodiment of the present disclosure maps the alarm log of the intrusion prevention device onto multi-stage attack events.
After the attack events have been generated (independently of the asset IP address set), the intrusion events of the assets themselves have to be processed, that is, the method proceeds to operation S230: for each asset IP address in the asset IP address set, when it is determined that m attack events have occurred for that asset IP address, the attack path by which the asset IP address was attacked is traced on the basis of those attack events, which may specifically include operations S2301 to S2304.
Fig. 4A schematically illustrates a flow chart of determining the attack roles of asset IP addresses in each attack event according to an embodiment of the present disclosure.
As shown in fig. 4A, in the embodiment of the present disclosure, determining the attack role and the compromise attribute of the asset IP address for each of the m attack events in operation S2301 above may include operations S401 to S402.
In operation S401, the address class of the asset IP address in the corresponding attack event is determined from the corresponding alarm message, where the address class is either source IP address or target IP address.
In operation S402, the attack role of the asset IP address in the corresponding attack event is determined from that address class.
For example, for each asset IP address in the asset IP address set, when it is determined that m attack events have occurred for the asset IP address, that is, at least one attack event has occurred for it, the attack role and the compromise attribute of the asset IP address in each of the m attack events must be determined.
According to the embodiment of the disclosure, whether each asset IP address appears as the source IP address or the target IP address of the attack event that has occurred can be read from the corresponding alarm message, and the attack role of the asset IP address in that attack event is then determined from this address class.
Fig. 4B schematically illustrates a schematic diagram of determining an attack role for each asset IP address in each attack event, according to an embodiment of the present disclosure.
Further, as shown in fig. 4B, in the embodiment of the present disclosure, determining the attack role of the asset IP address in the corresponding attack event from the address class includes: when the address class of the asset IP address is source IP address, the attack role is determined to be victim; and when the address class of the asset IP address is target IP address, the attack role is determined to be attacker.
For example, if the address class of an asset IP address in an attack event that has occurred is source IP address, this indicates that the asset IP address has in fact already been taken over by a hacker, so it belongs to the victims.
For another example, in table 1, one alarm message in the alarm log shows that an intrusion event occurred on the asset IP address 2.2.2.2, that the corresponding stage of the intrusion attack chain is the target detection stage, and that the address class of the asset IP address 2.2.2.2 in this event is target IP address; it can therefore be determined that the attack role of the asset IP address 2.2.2.2 in this target detection stage attack event is attacker.
Fig. 5 schematically illustrates a flow chart of determining the compromise attribute of each asset IP address in each attack event, according to an embodiment of the present disclosure.
As shown in fig. 5, in the embodiment of the present disclosure, determining the attack role and the compromise attribute of the asset IP address for each of the m attack events in operation S2301 above further includes executing the following operations S501 to S502 for each of the m attack events.
In operation S501, when the attack stage of the attack event is any one of target detection, weaponization, delivery and exploitation, the compromise attribute of the asset IP address in that attack event is determined to be not compromised.
In operation S502, when the attack stage of the attack event is any one of tool installation, command and control, and malicious activity, the compromise attribute of the asset IP address in that attack event is determined to be compromised.
According to the embodiment of the disclosure, the compromise attribute of each asset IP address in a given attack event can thus be determined from the attack stage of that event. When the attack stage is relatively high (tool installation, command and control, malicious activity), the asset IP address is determined to be compromised; when the attack stage is relatively low (target detection, weaponization, delivery, exploitation), the asset IP address is determined to be not compromised, i.e. still in the process of being attacked.
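The mapping of alarm messages to attack events (operation S220) together with the attack role rule of fig. 4B and the compromise attribute rule of operations S501 to S502 can be written down compactly. The following is an added example, not code from the patent or its applicant. It assumes a constructed comma-separated alarm record format (timestamp, source IP, target IP, signature name), a hypothetical table mapping signature names to the 7 attack stages, and constructed sample alarms; the role rule is applied exactly as the description states it (source IP address gives victim, target IP address gives attacker).

```python
"""Alarm log -> attack events, attack role and compromise attribute.

Added illustration; the record format, the SIGNATURE_STAGE table and the
sample alarms are all constructed assumptions, not from the patent.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The seven stages of the intrusion attack chain, ordered low (1) to high (7).
STAGES = ["target detection", "weaponization", "delivery", "exploitation",
          "tool installation", "command and control", "malicious activity"]

# Hypothetical mapping from an IPS signature family to an attack stage number.
SIGNATURE_STAGE = {
    "PORT_SCAN": 1, "MALWARE_BUILDER": 2, "PHISHING_ATTACHMENT": 3,
    "EXPLOIT_ATTEMPT": 4, "BACKDOOR_INSTALL": 5, "C2_BEACON": 6,
    "DATA_EXFIL": 7,
}


@dataclass
class AttackEvent:
    timestamp: int      # constructed: seconds since epoch
    stage: int          # 1..7, index into STAGES (1-based)
    src_ip: str
    dst_ip: str
    signature: str


def parse_alarm(line: str) -> AttackEvent:
    """One alarm message becomes one attack event (operation S220)."""
    ts, src, dst, sig = line.strip().split(",")
    return AttackEvent(int(ts), SIGNATURE_STAGE[sig], src, dst, sig)


def address_class(event: AttackEvent, asset_ip: str) -> Optional[str]:
    """Operation S401: is the asset the source or the target of the alarm?"""
    if asset_ip == event.src_ip:
        return "source"
    if asset_ip == event.dst_ip:
        return "target"
    return None  # the alarm does not involve this asset at all


def attack_role(event: AttackEvent, asset_ip: str) -> Optional[str]:
    """Operation S402, rule of fig. 4B as stated in the description:
    source IP address -> victim (asset already taken over and now originating
    traffic), target IP address -> attacker."""
    cls = address_class(event, asset_ip)
    if cls == "source":
        return "victim"
    if cls == "target":
        return "attacker"
    return None


def compromise_attribute(event: AttackEvent) -> str:
    """Operations S501/S502: stages 1..4 -> not compromised, 5..7 -> compromised."""
    return "compromised" if event.stage >= 5 else "not compromised"


def events_for_asset(lines: List[str], asset_ip: str) -> List[AttackEvent]:
    """The m attack events in which the asset appears (m <= n alarms)."""
    return [e for e in map(parse_alarm, lines) if address_class(e, asset_ip)]


def annotate(lines: List[str], asset_ip: str) -> List[Tuple[int, int, str, str]]:
    """(timestamp, stage, attack role, compromise attribute) per event."""
    return [(e.timestamp, e.stage, attack_role(e, asset_ip), compromise_attribute(e))
            for e in events_for_asset(lines, asset_ip)]


# Constructed sample alarm log (n = 4); the asset under review is 2.2.2.2.
SAMPLE_ALARMS = [
    "1700000000,10.0.0.5,2.2.2.2,PORT_SCAN",          # stage 1, asset is target
    "1700000060,10.0.0.5,2.2.2.2,EXPLOIT_ATTEMPT",    # stage 4, asset is target
    "1700000120,2.2.2.2,203.0.113.9,C2_BEACON",       # stage 6, asset is source
    "1700000130,10.0.0.7,10.0.0.8,PORT_SCAN",         # does not involve the asset
]

if __name__ == "__main__":
    for row in annotate(SAMPLE_ALARMS, "2.2.2.2"):
        print(row)
```

Only alarms whose source or target is the asset contribute to that asset's m events; the fourth constructed alarm is dropped for 2.2.2.2, and the C2 beacon alarm, being a stage 6 event, is the first one that marks the asset as compromised.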
Next, once the attack roles and compromise attributes of the asset IP addresses in their attack events have been determined, there are n attack events, as many as there are alarm messages, because each alarm message produced one attack event. Since alarms are generated at a granularity of seconds or milliseconds and alarms of different stages can arise at the same instant, event merging is performed on the n attack events in order to cut down the large amount of low-value alarm information.
In the embodiment of the present disclosure, the event merging rule in operation S2302 described above includes:
under the condition that a plurality of attack events occur at the same moment and are in different attack phases, only the attack event with the highest attack phase is reserved;
and under the condition that a plurality of attack events occur in the same preset time period and are in the same attack stage, only the first attack event is reserved.
By merging the attack events, whose number equals that of the alarm messages, the embodiment of the disclosure reduces a large amount of low-value alarm information, lowers the complexity of tracing the attack path and improves its accuracy.
To illustrate the effect of the event merging rules set out above, fig. 6A schematically illustrates the attack time sequence diagram of an asset IP address before event merging according to an embodiment of the present disclosure, and fig. 6B schematically illustrates the attack time sequence diagram of the same asset IP address after event merging.
As shown in fig. 6A, each square represents one attack event before event merging; s is the attack stage, whose values 1 to 7 correspond to the 7 stages of the intrusion attack chain; the abscissa t is time; and each graph holds all attack events that occurred for one asset IP address. Here n = 17, i.e. 17 attack events occurred in total. The attack event occurring at time t0 is denoted (t0, s2), where s2 indicates that this event at time t0 is in stage 2, the weaponization stage.
Similarly, an attack event (t1, s7) occurs at time t1; an attack event (t2, s5) at time t2; an attack event (t3, s7) at time t3; an attack event (t4, s4) at time t4; at time t5, 4 attack events occur, labelled (t5, s1), (t5, s4), (t5, s5) and (t5, s7); an attack event (t6, s2) occurs at time t6; an attack event (t7, s4) at time t7; at time t8, 3 attack events occur, labelled (t8, s2), (t8, s3) and (t8, s6); at time t9, 2 attack events occur, labelled (t9, s5) and (t9, s7); and an attack event (t10, s2) occurs at time t10.
Therefore, if the events are not merged, a large amount of low-value alarm information accumulates as alarms keep being generated, which hinders tracing the attack path of the asset IP address.
Based on the preset event merging rule, on the one hand, when several attack events occur at the same instant and are in different attack stages, only the attack event with the highest attack stage is retained. Thus, as shown in fig. 6A, of the 4 attack events at time t5 only the highest stage (t5, s7) is retained; of the 3 attack events at time t8 only the highest stage (t8, s6) is retained; and of the 2 attack events at time t9 only the highest stage (t9, s7) is retained.
On the other hand, when several attack events occur within the same preset time period and are in the same attack stage, only the first attack event is retained. For example, the preset time period may have a duration of 5 units. As shown in fig. 6A, within the 5-unit period containing the instants t1, t3 and t5, the 3 attack events (t1, s7), (t3, s7) and (t5, s7) are all in the same attack stage, so only the first, (t1, s7), is retained; similarly, within the 5-unit period from t6 to t10, the 2 attack events (t6, s2) and (t10, s2) are in the same attack stage, so only the first, (t6, s2), is retained.
After this event merging, the attack time sequence diagram shown in fig. 6B is obtained.
As shown in fig. 6B, the m attack events are merged into p attack events according to the preset event merging rule. After merging, p = 8: the original 17 attack events are reduced to 8. The proliferation of attack events caused by the growth of alarm information is thereby markedly reduced, a large amount of low-value alarm information is eliminated, the complexity of tracing the attack path is lowered and the accuracy of the tracing is improved.
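The two merging rules of operation S2302 applied to the 17 events of fig. 6A, as an added example that is not the patent's own code. The 17 (t, s) pairs are taken from the description of fig. 6A; the only assumption is how the 5-unit periods are aligned: the description treats t1 to t5 and t6 to t10 as the periods, so the windows are anchored at t1 via the `origin` parameter.

```python
"""Event merging rule of operation S2302, reproduced on the fig. 6A data.

Added illustration, not the patent's code. Window alignment (origin) is an
assumption chosen to match the periods t1..t5 and t6..t10 in the description.
"""
from typing import Dict, List, Set, Tuple

Event = Tuple[int, int]  # (timestamp t, attack stage s), s in 1..7


def merge_events(events: List[Event], window: int, origin: int = 0) -> List[Event]:
    """Apply the preset event merging rule and return the p surviving events.

    Rule 1: several events at the same instant in different stages -> keep
            only the one with the highest stage.
    Rule 2: several events in the same fixed-width period and the same stage
            -> keep only the first one.
    """
    # Rule 1: highest stage per instant.
    highest: Dict[int, int] = {}
    for t, s in events:
        if t not in highest or s > highest[t]:
            highest[t] = s
    per_instant = sorted(highest.items())  # ascending by time

    # Rule 2: first event per (period, stage). Periods are fixed buckets of
    # `window` units starting at `origin` (assumption; see lead-in).
    seen: Set[Tuple[int, int]] = set()
    kept: List[Event] = []
    for t, s in per_instant:
        key = ((t - origin) // window, s)
        if key in seen:
            continue
        seen.add(key)
        kept.append((t, s))
    return kept


# The 17 attack events of fig. 6A as listed in the description (t0..t10).
FIG_6A_EVENTS: List[Event] = [
    (0, 2), (1, 7), (2, 5), (3, 7), (4, 4),
    (5, 1), (5, 4), (5, 5), (5, 7),
    (6, 2), (7, 4),
    (8, 2), (8, 3), (8, 6),
    (9, 5), (9, 7),
    (10, 2),
]


def fig_6b_events() -> List[Event]:
    """The p = 8 events of fig. 6B: 5-unit periods anchored at t1."""
    return merge_events(FIG_6A_EVENTS, window=5, origin=1)


if __name__ == "__main__":
    print(len(FIG_6A_EVENTS), "->", len(fig_6b_events()), fig_6b_events())
```

Rule 1 alone brings the 17 events down to 11 (one per instant); rule 2 then drops (t3, s7) and (t5, s7) in favour of (t1, s7) and drops (t10, s2) in favour of (t6, s2), leaving the 8 events of fig. 6B. Note that (t9, s7) survives because it falls in the second period, not the one containing t1.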
It can be understood that, according to the intrusion attack chain model, an attacker escalates to higher-level attack behaviour over time, through, in order: target detection, weaponization, delivery, exploitation, tool installation, command and control, malicious activity.
Attack activities in the lower stages generally take place earlier, so the course of the attack can be traced on the attack time sequence diagram by moving from "lower left" to "upper right".
Fig. 7 schematically illustrates a flow chart of an attack path tracing an IP address of a source asset according to an embodiment of the present disclosure.
As shown in fig. 7, in the embodiment of the disclosure, operation S2304 above, which processes the attack time sequence diagram on the basis of the intrusion attack chain and traces the attack path of the attacked asset IP address, may include operations S701 to S702.
In operation S701, the p attack events on the attack time sequence diagram are sorted in ascending order of timestamp and attack stage, and an attack tree topology of nodes and links is generated: the p attack events form the p nodes, and according to the sort order the p nodes form at least one link from a parent node to a child node, where the parent node is in a lower attack stage than the child node.
For example, as shown in fig. 6B, going from the node (t0, s2) at time t0 to the node (t1, s7) at time t1 follows ascending order of timestamp and attack stage, which yields the link denoted (t0, s2) → (t1, s7). Similarly, the node (t2, s5) can only point to a child node that is higher than itself in attack stage and later than itself in time, namely the node (t8, s6), which yields the link (t2, s5) → (t8, s6). Proceeding in the same way in ascending order of timestamp and attack stage, the 6 links shown by arrows in the figure are obtained.
In operation S702, an attack path in which the asset IP address is attacked is traced according to the attack tree topology.
On the attack time sequence diagram the abscissa is time and the ordinate is attack stage, and both increase along their axes, so the course of the attack is traced by moving from lower left to upper right: the p attack events are sorted in ascending order of timestamp and attack stage, and an attack tree topology of nodes and links is generated from them.
For example, on the attack time sequence diagram, for each newly generated node (an attack event, drawn as a square in the figure and called a node below), its attack stage and time are compared with those of every other node, the appropriate child node is found, and the corresponding link is updated to point at the current node.
According to the embodiment of the disclosure, on the attack time sequence diagram and against the conceptual background of the intrusion attack chain, the course of the attack is traced from lower left to upper right, an attack tree topology of nodes and links is generated from the attack events of every asset, the attack path of every attacked asset IP address is traced from that attack tree topology, the historical trace of the intrusion into the system is effectively reconstructed, and network security threat sensing and early warning capability is improved. This addresses the problem that an APT attack cannot be perceived from a single alarm.
Fig. 8 schematically illustrates a flow chart of an attack path tracing an asset IP address according to an attack tree topology according to an embodiment of the present disclosure.
As shown in fig. 8, in the embodiment of the present disclosure, tracing the attack path of the attacked asset IP address from the attack tree topology in operation S702 may further include operations S801 to S802.
In operation S801, the nodes and links of the attack tree topology are updated as time passes.
In operation S802, the attack path of the attacked asset IP address is traced from the updated attack tree topology.
According to the embodiment of the disclosure, because the alarm log is generated continuously, the attack event generation of the intrusion attack path tracing and the attack tree topology can be updated in real time, so that the historical trace of the intrusion into the system is reconstructed in real time and network security threat sensing and early warning capability is improved.
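Operations S701, S702 and S801 on the 8 merged events of fig. 6B, as an added example that is not the patent's own code. The 8 (t, s) pairs come from the description of figs. 6A and 6B. The linking rule is my reading of the description: each node links forward to the earliest later node with a strictly higher attack stage, which is the reading under which (t0, s2) → (t1, s7), (t2, s5) → (t8, s6) and exactly 6 links arise, as the description states. Nodes are inserted one at a time in time order, so the same routine serves the real-time update of operation S801; treating every root-to-leaf chain as a candidate attack path and the longest chain as the most complete reconstruction is my choice, not the patent's wording.

```python
"""Attack tree topology (S701), path tracing (S702) and incremental update (S801).

Added illustration, not the patent's code. Linking rule (earliest later node
with a higher stage) is an assumption that reproduces the 6 links of fig. 6B.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[int, int]  # (timestamp t, attack stage s)


@dataclass
class Node:
    t: int
    s: int
    child: Optional["Node"] = None                    # link parent -> child
    parents: List["Node"] = field(default_factory=list)

    def key(self) -> Event:
        return (self.t, self.s)


class AttackTree:
    """Attack tree topology for one asset IP address, built incrementally."""

    def __init__(self) -> None:
        self.nodes: List[Node] = []

    def add_event(self, t: int, s: int) -> Node:
        """Insert one merged attack event (S801: update as time passes).

        Events must arrive in ascending time order, as alarms do. The new node
        is the latest, so every earlier node in a strictly lower stage that
        has no child yet links to it: parent (lower stage) -> child (higher).
        """
        if self.nodes and t < self.nodes[-1].t:
            raise ValueError("attack events must be added in time order")
        node = Node(t, s)
        for other in self.nodes:
            if other.s < s and other.t < t and other.child is None:
                other.child = node
                node.parents.append(other)
        self.nodes.append(node)
        return node

    def links(self) -> List[Tuple[Event, Event]]:
        """All parent -> child links of the topology."""
        return [(n.key(), n.child.key()) for n in self.nodes if n.child]

    def paths(self) -> List[List[Event]]:
        """S702: one attack path per root node, followed child by child."""
        out: List[List[Event]] = []
        for root in (n for n in self.nodes if not n.parents):
            chain, cur = [], root
            while cur is not None:
                chain.append(cur.key())
                cur = cur.child
            out.append(chain)
        return out

    def longest_path(self) -> List[Event]:
        """The chain covering the most stages, i.e. the fullest reconstruction."""
        return max(self.paths(), key=len) if self.nodes else []


def build_tree(events: List[Event]) -> AttackTree:
    """S701: sort ascending by (timestamp, stage) and link the p nodes."""
    tree = AttackTree()
    for t, s in sorted(events):
        tree.add_event(t, s)
    return tree


# The p = 8 events of fig. 6B (after merging), from the description.
FIG_6B_EVENTS: List[Event] = [(0, 2), (1, 7), (2, 5), (4, 4),
                              (6, 2), (7, 4), (8, 6), (9, 7)]

if __name__ == "__main__":
    tree = build_tree(FIG_6B_EVENTS)
    for a, b in tree.links():
        print(f"{a} -> {b}")
    print("attack path:", " -> ".join(map(str, tree.longest_path())))
```

On the fig. 6B data the topology has the 6 links (t0, s2) → (t1, s7), (t2, s5) → (t8, s6), (t4, s4) → (t8, s6), (t6, s2) → (t7, s4), (t7, s4) → (t8, s6) and (t8, s6) → (t9, s7); the longest chain runs (t6, s2) → (t7, s4) → (t8, s6) → (t9, s7), i.e. weaponization, exploitation, command and control, malicious activity. When a new merged event arrives it is simply passed to `add_event`, and only links from nodes that had no child so far change.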
In summary, the intrusion attack path tracing method provided by the embodiment of the present disclosure takes the alarm log of the intrusion protection device and the asset IP address set as basic inputs; each alarm message is first mapped to its own attack event, and the attack stage and timestamp of each attack event are determined; then, for each asset IP address that has been intruded, the attack role and compromise attribute of that asset IP address in each corresponding attack event are determined; after event merging, the attack stage, timestamp, attack role and compromise attribute of all attack events are combined to generate an attack time sequence diagram for each asset IP address; and finally the attack path of each attacked asset IP address is traced on the basis of that diagram. In this way, against the conceptual background of the intrusion attack chain, the attack path is effectively reconstructed, the intrusion is traced, and network security threat sensing and early warning capability is improved. The method and device therefore address the problems that intrusion prevention equipment produces highly redundant, discrete alarms with a high false alarm rate that cannot be acted upon operationally, that most detections are single-moment alarms, and that complex, advanced and persistent attacks cannot be perceived.
Moreover, handling a security event traditionally requires a security administrator to manually sift through the alarms of the intrusion detection device and painstakingly piece together the overall picture of the intrusion; this demands a high level of professional security skill from the administrator, costs a great deal of time, and often yields poor results. The method provides an attack path reconstruction algorithm based on the intrusion attack chain that reconstructs the whole course of the intrusion from the perspective of the asset, greatly reduces the volume of logs a security administrator has to examine, improves the administrator's operation and maintenance efficiency and lowers the operation and maintenance difficulty.
It should be noted that the method has been successfully applied to an enterprise situation awareness platform, where it achieved good detection results. Practice has shown that the method can trace the attack path of each attacked asset IP address by means of the attack tree topology, effectively reconstruct the historical trace of the intrusion into the system, and improve network security threat sensing and early warning capability.
The disclosure also provides an intrusion attack path tracing device. The device will be described in detail below in connection with fig. 9.
Fig. 9 schematically illustrates a block diagram of an intrusion attack path tracing device according to an embodiment of the present disclosure.
As shown in fig. 9, the intrusion attack path tracing apparatus 900 of this embodiment includes a data acquisition module 910, an attack event generation module 920, and an asset attack path tracing module 930.
The data acquisition module 910 is configured to acquire the alarm log of the intrusion prevention device and the asset IP address set, where the alarm log comprises n alarm messages and n is an integer greater than 1. In an embodiment, the data acquisition module 910 may be configured to perform operation S210 described above, which is not repeated here.
The attack event generation module 920 is configured to generate an attack event from each alarm message and to determine the attack stage of each attack event and the timestamp at which the intrusion occurred, where the attack stage is one of the several attack stages of the intrusion attack chain. In an embodiment, the attack event generation module 920 may be configured to perform operation S220 described above, which is not repeated here.
The asset attack path tracing module 930 is configured to perform the following for each asset IP address in the asset IP address set: when it is determined that m attack events have occurred for the asset IP address, determine the attack role and the compromise attribute of the asset IP address in each of the m attack events, where m is a positive integer smaller than n, the attack role is either attacker or victim, and the compromise attribute is either compromised or not compromised; merge the m attack events into p attack events according to the preset event merging rule, where p is a positive integer less than or equal to m; combine the attack stages, timestamps, attack roles and compromise attributes of the p attack events to generate the attack time sequence diagram of the asset IP address; and process the attack time sequence diagram on the basis of the intrusion attack chain to trace the attack path of the attacked asset IP address. In an embodiment, the asset attack path tracing module 930 may be configured to perform operation S230 described above, which is not repeated here.
According to embodiments of the present disclosure, any of the data acquisition module 910, the attack event generation module 920 and the asset attack path tracing module 930 may be combined into one module for implementation, or any of them may be split into several modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the data acquisition module 910, the attack event generation module 920 and the asset attack path tracing module 930 may be implemented, at least in part, as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system in a package or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware by any other reasonable way of integrating or packaging circuitry, or in any one of, or a suitable combination of, software, hardware and firmware. Alternatively, at least one of the data acquisition module 910, the attack event generation module 920 and the asset attack path tracing module 930 may be at least partially implemented as a computer program module that performs the corresponding functions when executed.
Fig. 10 schematically illustrates a block diagram of an electronic device adapted to implement an intrusion attack path tracing method according to an embodiment of the present disclosure.
As shown in fig. 10, an electronic device 1000 according to an embodiment of the present disclosure includes a processor 1001 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1002 or a program loaded from a storage section 1008 into a Random Access Memory (RAM) 1003. The processor 1001 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1001 may also include on-board memory for caching purposes. The processor 1001 may include a single processing unit or multiple processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 1003, various programs and data necessary for the operation of the electronic apparatus 1000 are stored. The processor 1001, the ROM 1002, and the RAM 1003 are connected to each other by a bus 1004. The processor 1001 performs various operations of the method flow according to the embodiment of the present disclosure by executing programs in the ROM 1002 and/or the RAM 1003. Note that the program may be stored in one or more memories other than the ROM 1002 and the RAM 1003. The processor 1001 may also perform various operations of the method flow according to the embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1000 may also include an input/output (I/O) interface 1005, which is likewise connected to the bus 1004. The electronic device 1000 may also include one or more of the following components connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse and the like; an output section 1007 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD) or the like and a speaker or the like; a storage section 1008 including a hard disk or the like; and a communication section 1009 including a network interface card such as a LAN card or a modem. The communication section 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the I/O interface 1005 as needed. A removable medium 1011, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted in the drive 1010 as needed, so that a computer program read from it can be installed into the storage section 1008 as needed.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs that, when executed, implement an intrusion attack path tracing method according to an embodiment of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 1002 and/or RAM 1003 and/or one or more memories other than ROM 1002 and RAM 1003 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. When the computer program product runs in a computer system, the program code is used for enabling the computer system to realize the intrusion attack path tracing method provided by the embodiment of the disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1001. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of signals on a network medium, distributed, and downloaded and installed via the communication section 1009, and/or installed from the removable medium 1011. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 1009, and/or installed from the removable medium 1011. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1001. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, the program code of the computer programs provided by the embodiments may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages and/or assembly or machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, it may be connected to the user's computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (for example via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined with one another in a variety of ways, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined in various ways without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (12)

1. An intrusion attack path tracing method, comprising:
acquiring an alarm log and an asset IP address set of an intrusion prevention device, wherein the alarm log comprises n alarm entries, and n is an integer greater than 1;
generating an attack event from each alarm entry, and determining an attack stage of each attack event and a timestamp at which the intrusion occurred, wherein the attack stage is one of a plurality of attack stages of an intrusion attack chain;
for each asset IP address in the asset IP address set, performing the following:
under the condition that the asset IP address is determined to have generated m attack events, determining an attack role and a compromise attribute of the asset IP address in each of the m attack events, wherein m is a positive integer smaller than n, the attack role is either attacker or victim, and the compromise attribute is either compromised or not compromised;
merging the m attack events into p attack events according to a preset event merging rule, wherein p is a positive integer less than or equal to m;
combining the attack stages, the timestamps, the attack roles and the compromise attributes of the p attack events to generate an attack time sequence diagram of the asset IP address;
and processing the attack time sequence diagram based on the intrusion attack chain, and tracing the attack path along which the asset IP address was attacked.
2. The method of claim 1, wherein the plurality of attack stages of the intrusion attack chain are, in order from low to high: target detection, weaponization, delivery, vulnerability exploitation, tool installation, command and control, and malicious activity.
3. The method of claim 1, wherein said determining the attack role and the compromise attribute of the asset IP address in each of the m attack events comprises:
determining, from each alarm entry, the address category of the asset IP address in the corresponding attack event, wherein the address category is either source IP address or target IP address;
and determining the attack role of the asset IP address in the corresponding attack event according to the address category.
4. The method of claim 3, wherein said determining the attack role of the asset IP address in the corresponding attack event according to the address category comprises:
when the address category of the asset IP address is source IP address, determining the attack role as victim;
and when the address category of the asset IP address is target IP address, determining the attack role as attacker.
5. The method of claim 2, wherein said determining the attack role and the compromise attribute of the asset IP address in each of the m attack events further comprises, for each of the m attack events:
under the condition that the attack stage of the attack event is any one of target detection, weaponization, delivery and vulnerability exploitation, determining the compromise attribute of the asset IP address in the attack event as not compromised;
and under the condition that the attack stage of the attack event is any one of tool installation, command and control, and malicious activity, determining the compromise attribute of the asset IP address in the attack event as compromised.
6. The method of claim 1, wherein the event merging rule comprises:
under the condition that a plurality of attack events occur at the same instant and are in different attack stages, retaining only the attack event in the highest attack stage;
and under the condition that a plurality of attack events occur within the same preset time period and are in the same attack stage, retaining only the first attack event.
7. The method of claim 1, wherein said processing the attack time sequence diagram based on the intrusion attack chain and tracing the attack path along which the asset IP address was attacked comprises:
in the attack time sequence diagram, sorting the p attack events in ascending order by timestamp and attack stage, and generating an attack tree topology comprising nodes and links, wherein the p attack events serve as p nodes, the p nodes form at least one parent-to-child link according to the sorting, and each parent node is in a lower attack stage than its child node;
and tracing the attack path along which the asset IP address was attacked according to the attack tree topology.
8. The method of claim 7, wherein said tracing the attack path along which the asset IP address was attacked according to the attack tree topology further comprises:
updating the nodes and links in the attack tree topology as time elapses;
and tracing the attack path along which the asset IP address was attacked based on the updated attack tree topology.
9. An intrusion attack path tracing device, comprising:
a data acquisition module, configured to acquire an alarm log and an asset IP address set of an intrusion prevention device, wherein the alarm log comprises n alarm entries, and n is an integer greater than 1;
an attack event generation module, configured to generate an attack event from each alarm entry, and to determine an attack stage of each attack event and a timestamp at which the intrusion occurred, wherein the attack stage is one of a plurality of attack stages of an intrusion attack chain;
an asset attack path tracing module, configured to perform the following for each asset IP address in the asset IP address set:
under the condition that the asset IP address is determined to have generated m attack events, determining an attack role and a compromise attribute of the asset IP address in each of the m attack events, wherein m is a positive integer smaller than n, the attack role is either attacker or victim, and the compromise attribute is either compromised or not compromised;
merging the m attack events into p attack events according to a preset event merging rule, wherein p is a positive integer less than or equal to m;
combining the attack stages, the timestamps, the attack roles and the compromise attributes of the p attack events to generate an attack time sequence diagram of the asset IP address;
and processing the attack time sequence diagram based on the intrusion attack chain, and tracing the attack path along which the asset IP address was attacked.
10. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-8.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-8.
12. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 8.
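The method of claims 1 to 7 in working code, as an added example that is not the patent's own implementation: alerts become attack events, the claim 6 merging rule collapses them, and the survivors are ordered into parent-to-child links of the attack chain. The 60-second merge window, the alert field names and the sample alerts are assumptions; the role mapping is kept exactly as claim 4 states it.

```python
# Attack stages of the intrusion attack chain, lowest to highest (claim 2).
PHASES = ["target detection", "weaponization", "delivery", "exploit",
          "tool installation", "command and control", "malicious activity"]
COMPROMISED_FROM = PHASES.index("tool installation")  # claim 5: this stage and above
MERGE_WINDOW = 60  # seconds; the claims' "preset time period" is unspecified, assumed here

def to_event(alert, asset_ip):
    """One attack event (ts, stage index, role, compromised) for this asset."""
    phase = PHASES.index(alert["phase"])
    # Role mapping exactly as claim 4 states it: asset is source IP -> victim,
    # asset is target IP -> attacker.
    role = "victim" if alert["src"] == asset_ip else "attacker"
    return (alert["ts"], phase, role, phase >= COMPROMISED_FROM)

def merge_events(events):
    """Claim 6: same instant, different stages -> keep the highest stage only;
    same window, same stage -> keep the first only."""
    highest_at = {}
    for e in sorted(events, key=lambda e: (e[0], e[1])):
        highest_at[e[0]] = e          # later (higher-stage) event replaces earlier
    merged, first_seen = [], {}
    for e in highest_at.values():     # ascending timestamp order
        ts, phase = e[0], e[1]
        if phase in first_seen and ts - first_seen[phase] < MERGE_WINDOW:
            continue
        first_seen[phase] = ts
        merged.append(e)
    return merged

def trace_path(alerts, asset_ip):
    """Claims 1 and 7: collect the asset's events, merge them, and order them into
    parent -> child links where each child sits in a higher stage than its parent."""
    events = [to_event(a, asset_ip) for a in alerts if asset_ip in (a["src"], a["dst"])]
    path = []
    for e in merge_events(events):
        if not path or e[1] > path[-1][1]:
            path.append(e)
    return [(ts, PHASES[ph], role, comp) for ts, ph, role, comp in path]

# Constructed sample alerts (not real data): 10.0.0.5 is probed, exploited, then beacons out.
ALERTS = [
    {"ts": 100, "src": "203.0.113.9", "dst": "10.0.0.5", "phase": "target detection"},
    {"ts": 100, "src": "203.0.113.9", "dst": "10.0.0.5", "phase": "delivery"},  # same instant
    {"ts": 130, "src": "203.0.113.9", "dst": "10.0.0.5", "phase": "delivery"},  # inside window
    {"ts": 300, "src": "203.0.113.9", "dst": "10.0.0.5", "phase": "exploit"},
    {"ts": 900, "src": "10.0.0.5", "dst": "198.51.100.7", "phase": "command and control"},
]

if __name__ == "__main__":
    for step in trace_path(ALERTS, "10.0.0.5"):
        print(step)
```

The five alerts collapse to three events (p = 3 for m = 5), and the final step is the first one flagged as compromised.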
Application CN202311027818.8A, priority date 2023-08-15, filing date 2023-08-15: Invasion attack path tracing method, invasion attack path tracing device, electronic equipment and medium. Status: Pending. Publication CN116996306A (en).


Publications (1)

Publication Number Publication Date
CN116996306A true CN116996306A (en) 2023-11-03



Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination