CN117061216A - Automatic blocking method, device, equipment and storage medium for network attack - Google Patents

Info

Publication number: CN117061216A
Authority: CN (China)
Prior art keywords: alarm, attack, target, log, score
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202311153638.4A
Other languages: Chinese (zh)
Inventor: 张大伟
Current assignee: Beijing Youtejie Information Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Youtejie Information Technology Co ltd
Priority: CN202311153638.4A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses an automatic blocking method, device and equipment for network attacks and a storage medium. The method comprises the following steps: collecting attack alarm logs for a target demand party from a plurality of network devices, and acquiring all target attack alarm logs related to a target network attack event according to the alarm time of each attack alarm log; extracting the key parameters of each log from each target attack alarm log, and calculating alarm scores in multiple dimensions according to those key parameters and a multi-dimensional alarm score model preset by the target demand party; calculating a threat score matched with the target network attack event according to the multi-dimensional alarm scores and a preset threat score calculation formula; and when the threat score exceeds a preset score threshold, automatically blocking each source IP address matched with each target attack alarm log. Through this scheme, scoring the network attack enables accurate perception and automatic blocking of high-risk attack sources.

Description

Automatic blocking method, device, equipment and storage medium for network attack
Technical Field
The present invention relates to the field of network security, and in particular, to a method, an apparatus, a device, and a storage medium for automatically blocking a network attack.
Background
With the rapid development of information technology, network security threats are rising and directly affect the security of network facilities. For information technology companies the network is a critical piece of basic infrastructure with extremely high security requirements, so when a network attack occurs the network security facilities must promptly detect the attack source and promptly block the dangerous source address.
However, traditional methods of assessing the threat of a network attack focus on evaluating the degree of damage the threat does to the target system, and the result is relatively coarse, such as simply classifying the threat level as low, medium or high.
Traditional threat assessment methods therefore cannot accurately assess today's rapidly changing network attacks: the assessment result has low accuracy, the IP address of the attack must be blocked manually, the efficiency of handling the attack is low, and a great deal of manpower and material resources is wasted.
Disclosure of Invention
The invention provides an automatic blocking method, device, equipment and storage medium for network attack, which are used for providing a more accurate network attack threat assessment mode and improving the network attack treatment efficiency.
In a first aspect, an embodiment of the present invention provides an automatic blocking method for a network attack, including:
collecting attack alarm logs aiming at target demand parties in a plurality of network devices, and acquiring all target attack alarm logs related to target network attack events according to the alarm time of each attack alarm log;
extracting key parameters of each log from each target attack alarm log, and calculating alarm scores of multiple dimensions according to the key parameters of each log and a multi-dimensional alarm score model preset by a target demand party;
calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula;
and when the threat score exceeds a preset score threshold, automatically blocking each source IP address matched with each target attack alarm log.
In a second aspect, an embodiment of the present invention provides an automatic blocking device for network attack, including:
an alarm score calculation module for: extracting key parameters of each log from each target attack alarm log, and calculating alarm scores of multiple dimensions according to the key parameters of each log and a multi-dimensional alarm score model preset by a target demand party;
a threat score calculation module for: calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula;
an automatic blocking module for: when the threat score exceeds a preset score threshold, automatically blocking each source IP address matched with each target attack alarm log.
In a third aspect, an embodiment of the present invention further provides an automatic blocking device for network attack, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor, and the computer program is executed by the at least one processor to enable the at least one processor to perform the method for automatically blocking a network attack according to any one of the embodiments of the present invention.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium, including:
the computer readable storage medium stores computer instructions for causing a processor to implement the method for automatically blocking a network attack according to any one of the embodiments of the present invention when executed.
The embodiment of the invention provides an automatic blocking method, device, equipment and storage medium for network attack, which acquire the alarm logs of network devices for a target demand party, obtain the required target attack alarm logs from the time information of those logs, bring the key parameters in the target attack alarm logs into a multi-dimensional alarm score model, and calculate a threat score matched with the target network attack event. Acquiring key parameters and calculating a threat score in this way helps to understand the network attack quickly and to determine its threat more accurately. Further, when the threat score exceeds a preset score threshold, the source IP addresses corresponding to the network attack are blocked automatically, which improves the efficiency of handling the attack and saves a large amount of manpower and material resources.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of an automatic blocking method for network attack according to a first embodiment of the present invention;
fig. 2 is a flowchart of an automatic blocking method for network attack according to a second embodiment of the present invention;
fig. 3 is a flowchart of an automatic blocking method for network attack according to a third embodiment of the present invention;
fig. 4 is a flowchart of an automatic blocking method for network attack according to a fourth embodiment of the present invention;
fig. 5 is a flowchart of an automatic blocking method for network attack according to a fifth embodiment of the present invention;
fig. 6 is a schematic structural diagram of an automatic blocking device for network attack according to a sixth embodiment of the present invention;
fig. 7 is a schematic structural diagram of an electronic device embodying an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of an automatic blocking method for network attacks according to an embodiment of the present invention, where the embodiment may be used in a case where a network facility handles multiple types of network attacks. The method can be executed by an automatic blocking device/facility of the network attack, the automatic blocking device of the network attack can be realized in a form of hardware and/or software, and meanwhile, the automatic blocking facility of the network attack can be configured in a network security platform, a server, network equipment or a computer terminal, and the embodiment of the invention is not limited to the above.
As shown in fig. 1, the method includes:
step 110, collecting the attack alarm logs aiming at the target demand side in a plurality of network devices, and acquiring all target attack alarm logs related to the target network attack event according to the alarm time of each attack alarm log.
It can be appreciated that in a single network attack, multiple network devices may be attacked simultaneously, each with its corresponding attack alarm log generated.
The target demand party can be understood as a client party under network attack, the attack alarm log is a system log generated by network equipment receiving the network attack, wherein key information of the network attack, such as alarm time of the network attack, attack address of the network attack, attack mode or attacked system, etc., are recorded; the target network attack event is a network attack event which needs to be specifically treated at this time; the target attack alarm log is a corresponding alarm log generated by the target network attack event, and the content of the target attack alarm log comprises key information of the target network attack event.
Specifically, each of the plurality of devices holds a large number of attack alarm logs, and a single attack alarm log may contain specific information about multiple network attacks, so the target network attack event has to be screened out from the multiple attacks that may appear in the logs. Because logs generated at the same time as the network attack can be regarded as its target attack alarm logs, all target attack alarm logs associated with the target network attack event can be determined from the alarm time of each attack alarm log; that is, the attack alarm logs generated at that alarm time belong to the target network attack event.
Step 120, respectively extracting key parameters of each log from each target attack alarm log, and calculating alarm scores of multiple dimensions according to the key parameters of each log and a multi-dimensional alarm score model preset by a target demander.
The log key parameters are the parameters required for calculation in the multi-dimensional alarm score model and are obtained from the corresponding key information in the target attack alarm logs. The multi-dimensional alarm score model is preset by the demand party according to its actual situation and maps log key parameters one-to-one onto multi-dimensional alarm scores; the dimensions of the model are determined by target key parameters viewed from several different angles. An alarm score is the score of the corresponding log key parameter in one dimension of the model, and the larger the alarm score in a dimension, the more importance the target demand party attaches to attacks in that dimension.
For example, after each target attack alarm log is obtained, log key parameters can be extracted through the target attack alarm log, and after the target key parameters are introduced into a multi-dimensional alarm score model preset by a target demand party, multi-dimensional alarm scores required by the target demand party can be obtained.
Step 130, calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula.
The threat score calculation formula is formed by combining log key parameters and is used for calculating a threat score of the target network attack event, specifically, the threat score represents the hazard degree of the target network attack event, and the higher the threat score is, the greater the hazard degree of the target network attack event is.
Specifically, after the alarm scores of the multiple dimensions are obtained, they are brought into the preset threat score calculation formula, which yields the threat score matched with the target network attack event; the larger the calculated threat score, the greater the hazard of the target network attack event.
Step 140, when the threat score exceeds a preset score threshold, automatically blocking each source IP address matched with each target attack alarm log.
Because of the diversity of network attacks, an attacker hides the original address of the attack and may attack from multiple real or virtual IP addresses; that is, a target network attack may come from multiple source IP addresses at the same time and strike devices at multiple destination IP addresses. When the threat score exceeds the preset score threshold, all source IP addresses matched with the target attack alarm logs are blocked automatically.
The score threshold is preset by the target demand side and decides whether the target network attack is blocked automatically: when the threat score exceeds the preset score threshold, each source IP address matched with each target attack alarm log is blocked automatically.
According to the technical scheme of this embodiment, attack alarm logs for the target demand party are collected from a plurality of network devices, and all target attack alarm logs related to the target network attack event are obtained from the alarm time of each attack alarm log. Because the target attack alarm logs carry the key information of the target network attack, this way of collecting key information helps staff obtain it quickly and speeds up understanding of the attack. Further, log key parameters are extracted from the target attack alarm logs and brought into a multi-dimensional alarm score model to obtain the multi-dimensional alarm scores of the target network attack, and those alarm scores are brought into the threat score calculation formula to obtain the threat score matched with the target network attack event; this scoring approach improves the accuracy of threat judgement on the network attack. Finally, the threat score is compared with the preset score threshold, and when it is larger, each source IP address matched with each target attack alarm log is blocked automatically, which improves the blocking efficiency for target network attack events and saves manpower and material resources.
Example two
Fig. 2 is a flowchart of an automatic blocking method for network attack according to a second embodiment of the present invention, where the method for obtaining all target attack alarm logs associated with a target network attack event is further defined based on the method of the foregoing embodiment, and may be applied to the foregoing embodiments, and specifically as shown in fig. 2, the method includes:
step 210, collecting attack alarm logs aiming at target demand side in a plurality of network devices, extracting time information in each attack alarm log, and converting each alarm time into an alarm time under a uniform time format.
The extraction may include a parsing and classifying process, that is, parsing the target attack alarm logs and classifying those that contain the same time information into one class; the time information is the specific time at which the log content was generated.
Specifically, after each attack alarm log is obtained, the network protocols of the devices differ, so the content form and time form of the alarm logs differ, and the log content may be encoded in octal or hexadecimal; the attack alarm logs therefore need to be parsed, and the parsed alarm time information is converted into a uniform time format and classified into one class.
For example, the time information may be converted into a uniform time format such as "timestamp": "2011-09-12T13:00:42.000Z". This format records the year, month, day, hour, minute and second at which the alarm log content was generated together with the time zone, the trailing Z denoting the zero (UTC) time zone.
Step 220, clustering the attack alarm logs according to the alarm time to obtain at least one cluster, and taking each cluster as all attack alarm logs associated with a single network attack event.
It can be appreciated that, since each attack alarm log may include multiple different network attacks, it is necessary to perform clustering processing on the attack alarm logs to determine all attack alarm logs associated with different network attack events.
Attack alarm logs generated at the same time are considered to come from the same network attack. Clustering integrates and classifies all the associated attack alarm logs of one network attack, and the classified logs of that attack form one cluster; the full set of attack alarm logs may therefore yield several clusters.
Step 230, acquiring the target cluster from the clusters, and taking the target cluster as all target attack alarm logs associated with the target network attack event.
The target cluster is a collection cluster of all attack alarm logs associated with the target network attack event.
Specifically, all target attack alarm logs associated with the target network attack event can be obtained through the target cluster.
Step 240, classifying each attack alarm log according to the device type of the network device collecting each attack alarm log.
Because of the diversity of current network attacks, a single attack may strike several network devices at the same time, and because those devices use different physical or network protocols their alarm logs differ in content form. Before extracting content, therefore, the logs generated by the different network devices are classified according to the device type of the network device that produced each target attack alarm log, which facilitates content extraction.
The network devices may include WAF (Web Application Firewall) devices, firewall devices, IPS (Intrusion Prevention System) devices, and so on.
By way of example, the various logs of different device types such as WAF, firewall and IPS can be collected by agent devices (agents) over the syslog protocol and categorised according to device type.
Step 250, parsing each target attack alarm log according to the parsing mode matched with the category it belongs to, and obtaining the log key parameters corresponding to each target attack alarm log.
Because the network devices differ in physical or network protocol, their logs require different parsing modes, so each log is parsed according to the category it belongs to in order to obtain its corresponding key parameters.
Optionally, after the corresponding key parameters of each log are acquired, the key parameters are summarized into a unified file format.
Illustratively, the attack name, target name, attack type and attacked system may be extracted according to ETL parsing rules that determine the separator between a field and its value and the separator between fields, extract the key fields, and establish a unified field_name: field_value format.
Step 260, extracting key parameters of each log from each target attack alarm log, and calculating alarm scores of multiple dimensions according to the key parameters of each log and a multi-dimensional alarm score model preset by a target demander.
Step 270, calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula.
Step 280, when the threat score exceeds a preset score threshold, automatically blocking each source IP address matched with each target attack alarm log.
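As an added illustration of steps 210 to 250 (example code written for this page, not taken from the patent), the following Python normalises constructed alarm lines from three device categories into the uniform timestamp and field_name: field_value form, then clusters them by alarm time. The device log layouts, field names and sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample attack alarm logs from three device categories (WAF, firewall, IPS).
# They are invented for this example; each device has its own layout and time format,
# which is why the patent normalises time first (step 210) and parses per category (step 250).
SAMPLE_LOGS = [
    ("waf", 'time="2023-09-12 13:00:42" src=203.0.113.7 dst=10.0.0.5 attack="SQL Injection" target="order-api" sys="Linux"'),
    ("firewall", "Sep 12 2023 13:00:42 UTC deny src_ip=203.0.113.7 dst_ip=10.0.0.8 sig=Port_Scan"),
    ("ips", "1694523642|198.51.100.23|10.0.0.5|Web Shell Upload|Exploitation|Linux"),
    ("waf", 'time="2023-09-12 13:05:10" src=192.0.2.44 dst=10.0.0.5 attack="Path Traversal" target="order-api" sys="Linux"'),
]

UNIFORM_TIME_FMT = "%Y-%m-%dT%H:%M:%S.000Z"  # the "2011-09-12T13:00:42.000Z" form from the description


def to_uniform_time(dt: datetime) -> str:
    """Render a datetime as UTC in the uniform timestamp format (naive input is taken as UTC)."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime(UNIFORM_TIME_FMT)


def _kv_pairs(text: str) -> dict:
    """Split 'key=value key="quoted value"' text into a dict (the ETL separator step)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}


def parse_waf(line: str) -> dict:
    f = _kv_pairs(line)
    dt = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
    return {"timestamp": to_uniform_time(dt), "src_ip": f["src"], "dst_ip": f["dst"],
            "attack_name": f["attack"], "target_name": f["target"], "attacked_system": f["sys"]}


def parse_firewall(line: str) -> dict:
    m = re.match(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) UTC (\w+) (.*)$", line)
    if not m:
        raise ValueError(f"unrecognised firewall line: {line!r}")
    dt = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    f = _kv_pairs(m.group(3))
    # The assumed firewall layout carries no target name or OS; fall back to the destination.
    return {"timestamp": to_uniform_time(dt), "src_ip": f["src_ip"], "dst_ip": f["dst_ip"],
            "attack_name": f["sig"].replace("_", " "), "target_name": f["dst_ip"],
            "attacked_system": "unknown", "action": m.group(2)}


def parse_ips(line: str) -> dict:
    epoch, src, dst, name, stage, system = line.split("|")
    dt = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"timestamp": to_uniform_time(dt), "src_ip": src, "dst_ip": dst,
            "attack_name": name, "target_name": dst, "attacked_system": system, "threat_stage": stage}


# Step 240: the device category selects the parser; step 250: the parser yields unified fields.
PARSERS = {"waf": parse_waf, "firewall": parse_firewall, "ips": parse_ips}


def parse_alarm_log(device_type: str, line: str) -> dict:
    record = PARSERS[device_type](line)
    record["device_type"] = device_type
    return record


def cluster_by_alarm_time(records: list) -> dict:
    """Step 220: logs whose uniform alarm time is identical are treated as one attack event."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["timestamp"]].append(r)
    return dict(clusters)


def target_event_logs(clusters: dict, alarm_time: str) -> list:
    """Step 230: pick the cluster of the event being handled (empty list if there is none)."""
    return clusters.get(alarm_time, [])


def source_ips(records: list) -> set:
    """The distinct source IPs matched with the target attack alarm logs (the candidates for step 280)."""
    return {r["src_ip"] for r in records}


if __name__ == "__main__":
    parsed = [parse_alarm_log(dev, line) for dev, line in SAMPLE_LOGS]
    clusters = cluster_by_alarm_time(parsed)
    event = target_event_logs(clusters, "2023-09-12T13:00:42.000Z")
    print(f"{len(clusters)} clusters; target event has {len(event)} logs from {sorted(source_ips(event))}")
```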
According to the technical scheme of the embodiment, all target attack alarm logs are determined according to the alarm time of each attack alarm log, meanwhile, the attack alarm logs are classified according to different network equipment, analysis and extraction of log information are facilitated, and the classified extraction mode is beneficial to automatically classifying huge log data and improving the information collection efficiency; further, by extracting key parameters of each log, calculating alarm scores of multiple dimensions according to the key parameters of each log and a multi-dimensional alarm score model preset by a target demand party, and calculating threat scores matched with target network attack events, the threat score calculation mode can determine threat scores matched with the target network attack events from network attack information of the multiple dimensions, thereby being beneficial to improving accuracy and efficiency of network attack evaluation, and finally, when the threat scores exceed a preset score threshold, carrying out automatic blocking processing on each source IP address matched with each target attack alarm log, thereby being beneficial to reducing manpower and material resources required by blocking, improving efficiency of blocking processes and saving time.
Example III
Fig. 3 is a flowchart of an automatic blocking method for network attack according to a third embodiment of the present invention. The embodiment further optimizes a specific mode of calculating the alarm score of multiple dimensions according to the key parameters of each log and the multi-dimensional alarm score model preset by the target demand party based on the above embodiments, and can be combined with the above embodiments.
As shown in fig. 3, the method specifically may include:
step 310, collecting attack alarm logs aiming at target demand side in a plurality of network devices, and acquiring all target attack alarm logs related to target network attack events according to the alarm time of each attack alarm log.
Step 320, extracting key parameters of each log from each target attack alarm log.
Step 330, calculating to obtain the actual value of at least one common dimension parameter corresponding to all the target attack alarm logs and the actual value of at least one characteristic dimension parameter corresponding to each target attack alarm log according to the key parameters of each log.
The common dimensions are network attack dimension parameters shared by all network attacks, and the characteristic dimensions are attack dimension parameters specific to a single network attack. It can be understood that, because target demand parties evaluate the security of their network facilities differently, they attach different importance to each log key parameter: for example, target demand party A may pay close attention to log key parameter A but not to log key parameter B, so whether some log key parameters need to be calculated is decided by the target demand party according to its own situation.
Optionally, the common dimension parameters include: access relationships, threat phases, threat alert levels, and threat alert states;
the characteristic dimension parameters include: source address geographical location, source address history, destination address geographical location, and destination address history;
the access relation value comprises an external network to an internal network, an internal network to an internal network and an internal network to an external network;
the value of the threat stage comprises information detection, malicious release, vulnerability exploitation, command and control, lateral expansion and attack implementation;
the threat alert level comprises a low level, a medium level and a high level;
the value of the threat alarm state comprises false alarm, unsuccessful, to-be-analyzed and successful;
the value of the source address geographic position comprises a non-foreign address and a foreign address;
the value of the source address history comprises more than 15 occurrences in 30 days, more than 1 and at most 15 occurrences in 30 days, and one occurrence in 30 days;
the destination address geographic location includes a non-foreign address and a foreign address;
the historical destination address condition values include a number of occurrences greater than 15 times in 30 days, a number of occurrences greater than 1 time in 30 days and 15 times or less, and a number of occurrences once in 30 days.
In a specific example, if it is determined that the source IP in all the target attack alarm logs is an intranet IP and the destination IP is an extranet IP, the actual value of the common dimension parameter access relationship corresponding to all the target attack alarm logs is determined to be "intranet-to-extranet". For another example, if the destination IP address in target attack alarm log A is a domestic address, the actual value of the characteristic dimension parameter destination address geographic location corresponding to target attack alarm log A is determined to be "non-foreign address".
Step 340, determining alarm scores of the common dimension parameters corresponding to all the target attack alarm logs and alarm scores of the characteristic dimension parameters corresponding to each target attack alarm log according to the scores corresponding to the different values of the common dimension parameters and the characteristic dimension parameters preset by the target demand side.
The corresponding score may be understood as a corresponding score represented by different values of different dimension parameters set up by the target demander according to the actual situation of the target demander.
Specifically, by determining the alarm scores of all the common dimension and characteristic dimension parameters in all the target attack alarm logs, the corresponding hazard degrees of different key information of the target network attack event are determined.
It may be understood that, once the target value of each common dimension parameter hit by the actual value corresponding to all the target attack alarm logs has been obtained, the score corresponding to that hit target value is taken as the alarm score of that common dimension parameter for all the target attack alarm logs. In the same way, the target value of each characteristic dimension parameter hit by the actual value corresponding to an individual target attack alarm log is obtained, and the score corresponding to that hit value is taken as the alarm score of that characteristic dimension parameter for that log.
And 350, calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula.
Optionally, the alarm scores of the multiple dimensions are substituted into the following formula to calculate the threat score matched with the target network attack event:
threat score = access relationship score × (Σ(source address geographic location score × source address history score) / m + Σ(destination address geographic location score × destination address history score) / n) × (threat stage score × threat alert level score / first setting value) × (threat alert state score / second setting value);
where m is the number of occurrences of the source address history, n is the number of occurrences of the destination address history, and the first setting value and the second setting value are weighted average parameters, through which the threat stage score, the threat alert level score and the threat alert state score are weighted and averaged.
Specifically, the first setting value and the second setting value may be determined according to the threat stage score, the threat alert level score, and the specific score of the threat alert state score set by the target demand side, which are not limited herein.
Specifically, a threat score of the target network attack event can be obtained through a threat score calculation formula, and the threat score reflects the hazard degree of the target network attack event.
And 360, when the threat score exceeds a preset score threshold, automatically blocking each source IP address matched with each target attack alarm log.
According to the embodiment of the invention, the common dimension parameters and the specific dimension parameters in all the target attack alarm logs are calculated according to the key parameters of each log, the alarm score corresponding to each dimension parameter can be determined, the alarm score is brought into a threat score calculation formula, the threat score of the target network attack event can be obtained, and the score determination mode is beneficial to accurately evaluating the target network attack harmfulness and improving the efficiency and accuracy of the network attack harmfulness evaluation; furthermore, when the threat score exceeds a preset score threshold, automatic blocking processing is performed on each source IP address matched with each target attack alarm log, and the automatic processing mode is beneficial to improving the treatment efficiency of dangerous source IP addresses and saving time.
Example IV
Fig. 4 is a flowchart of an automatic blocking method for network attack according to a fourth embodiment of the present invention, where the method in this embodiment makes further optimization restrictions based on the method in each embodiment, specifically defines a method for automatically blocking each source IP address matched with each target attack alarm log, and may be combined with each embodiment.
As shown in fig. 4, the method specifically may include:
step 410, collecting the attack alarm logs aiming at the target demand side in a plurality of network devices, and acquiring all target attack alarm logs associated with the target network attack event according to the alarm time of each attack alarm log.
Step 420, extracting key parameters of each log from each target attack alarm log, and calculating alarm scores of multiple dimensions according to the key parameters of each log and a multi-dimensional alarm score model preset by a target demander.
Step 430, calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula.
Step 440, determining whether the threat score exceeds a preset score threshold.
Specifically, when the threat score exceeds the preset score threshold, step 450 is performed; otherwise, step 480 is executed, ending.
Step 450, extracting the source IP addresses matched with all the target attack alarm logs as the candidate IP addresses, and executing step 460.
The source IP addresses are the IP addresses of all the attackers associated with the target network attack event, and a candidate IP address may be understood as a backup copy of a source IP address, identical in content to the source IP address.
Step 460, comparing each candidate IP address with the abnormal IP information base, filtering out those candidate IP addresses that do not exist in the abnormal IP information base, and executing step 470.
The abnormal IP information base is an address repository that contains all known harmful (abnormal) IP addresses.
Step 470, comparing the remaining candidate IP addresses with the white list address base, filtering out those candidate IP addresses that exist in the white list address base, performing blocking processing on all the remaining candidate IP addresses, and executing step 480.
The white list address base contains the network IP addresses that the target demand side considers safe; every address in the white list address base is a safe access address.
Specifically, if the threat score exceeds the preset score threshold, each candidate IP address is compared with the addresses in the abnormal IP information base and the white list address base; if a candidate IP address exists in the abnormal IP information base and does not exist in the white list address base, the source IP address corresponding to that candidate IP address is automatically blocked.
Optionally, after the automatic blocking process, unblocking of any mistakenly blocked IP addresses is also included.
Step 480, end.
According to the embodiment of the invention, the attack alarm logs for the target demand side are collected from a plurality of network devices, and all the target attack alarm logs associated with the target network attack event are obtained according to the alarm time of each attack alarm log; the target attack alarm logs contain the key information of the target network attack, and this way of acquiring the key information helps staff quickly obtain the key information of the corresponding network attack and speeds up understanding of it. Further, after the target attack alarm logs are obtained, log key parameters can be extracted from them; once the log key parameters are fed into the multi-dimensional alarm score model, the multi-dimensional alarm scores corresponding to the target network attack are obtained, and the threat score matched with the target network attack event is calculated by bringing those alarm scores into the threat score calculation formula. This way of calculating the score helps improve the accuracy of threat judgment on the network attack. The threat score is then compared with the preset score threshold, and when the threat score is larger than the preset score threshold and the source IP address belongs to the abnormal IP information base but not to the white list address base, the source IP address is automatically blocked.
Example five
Fig. 5 is a flowchart of an automatic blocking method for network attack according to a fifth embodiment of the present invention, and optimization is performed on the automatic blocking method according to the foregoing embodiments, specifically as shown in fig. 5.
As shown in fig. 5, includes:
step 510, collecting the attack alarm logs aiming at the target demand side in a plurality of network devices, and acquiring all target attack alarm logs associated with the target network attack event according to the alarm time of each attack alarm log.
Specifically, the various logs of WAF, firewall, IPS and other types of devices can be collected by an agent over the syslog protocol and classified, so as to obtain all the target attack alarm logs associated with the target network attack event; then, according to ETL parsing rules that specify the separator between a field and its value and the separator between fields, the attack name, target name, attack type and attacked system are extracted from each target attack alarm log, and the key fields are written in a unified field_name: field_value format.
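The collection and parsing step just described, as an added example that is not the patent's own code: constructed syslog-style alarm lines from three assumed device types (WAF, firewall, IPS) are classified by their program tag, parsed with a per-device-type ETL rule (field separator and field/value separator are assumptions for the sample), reduced to the key parameters in a unified field_name: field_value dict, and finally grouped by alarm time into candidate events. The sample lines, device tags, separator rules and the five-minute clustering gap are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Per-device-type ETL rule: (separator between fields, separator between a
# field name and its value). These formats are assumed for the sample below.
ETL_RULES = {
    "waf": (";", "="),
    "firewall": ("|", "="),
    "ips": (", ", ":"),
}
# Maps the syslog program tag to a device classification (assumed tags).
DEVICE_TAGS = {"WAF": "waf", "FW": "firewall", "IPS": "ips"}
# Log key parameters named in the text: attack name, target name, attack type,
# attacked system (called "victim" here), plus source/destination IP.
KEY_FIELDS = {"attack_name", "target_name", "attack_type", "victim", "src", "dst"}

HEADER_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>\w+): (?P<body>.*)$"
)

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LINES = [
    "<134>Jan 05 10:00:01 waf01 WAF: attack_name=SQL Injection;target_name=portal;attack_type=web;victim=web-01;src=203.0.113.7;dst=10.0.0.5",
    "<134>Jan 05 10:00:04 fw01 FW: attack_name=Port Scan|target_name=portal|attack_type=recon|victim=web-01|src=203.0.113.7|dst=10.0.0.5",
    "<134>Jan 05 10:00:09 ips01 IPS: attack_name:Exploit Attempt, target_name:portal, attack_type:exploit, victim:web-01, src:203.0.113.7, dst:10.0.0.5",
    "<134>Jan 05 12:30:00 fw01 FW: attack_name=Brute Force|target_name=vpn|attack_type=auth|victim=vpn-01|src=198.51.100.9|dst=10.0.0.9",
    "<134>Jan 05 12:31:00 nas01 NAS: something unrelated",  # unknown device type: dropped
]


def parse_alarm(line, year=2024):
    """Classify one syslog line by device type and extract the key fields into a
    unified field_name: field_value dict; returns None if it cannot be parsed."""
    m = HEADER_RE.match(line)
    if not m or m["tag"] not in DEVICE_TAGS:
        return None
    device_type = DEVICE_TAGS[m["tag"]]
    field_sep, kv_sep = ETL_RULES[device_type]
    record = {"device_type": device_type, "host": m["host"]}
    for chunk in m["body"].split(field_sep):
        name, sep, value = chunk.partition(kv_sep)
        if sep and name.strip() in KEY_FIELDS:
            record[name.strip()] = value.strip()
    if not KEY_FIELDS <= record.keys():
        return None  # incomplete record: a key parameter is missing
    # syslog timestamps carry no year; unify them into one datetime (year assumed)
    record["alarm_time"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return record


def parse_all(lines):
    """Parse every line, silently skipping the ones no ETL rule can handle."""
    return [rec for rec in (parse_alarm(l) for l in lines) if rec is not None]


def group_by_alarm_time(records, max_gap=timedelta(minutes=5)):
    """Cluster alarms on the time axis: a new cluster starts whenever the gap
    to the previous alarm exceeds max_gap. Each cluster is one candidate event."""
    clusters = []
    for rec in sorted(records, key=lambda r: r["alarm_time"]):
        if clusters and rec["alarm_time"] - clusters[-1][-1]["alarm_time"] <= max_gap:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return clusters


if __name__ == "__main__":
    for i, cluster in enumerate(group_by_alarm_time(parse_all(SAMPLE_LINES)), 1):
        print(f"event {i}: {len(cluster)} alarm(s), targets {sorted({r['target_name'] for r in cluster})}")
```

With the sample input the first three alarms (all within eight seconds against the same target) form one event and the later brute-force alarm forms a second; lines from a device with no ETL rule, or lacking a key parameter, are dropped rather than passed downstream half-parsed.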
Step 520, extracting each log key parameter from each target attack alarm log, and calculating alarm scores of multiple dimensions according to each log key parameter and a multi-dimensional alarm score model preset by a target demander.
As described above, after obtaining the actual value of at least one common dimension parameter corresponding to all the target attack alarm logs and the actual value of at least one characteristic dimension parameter corresponding to each target attack alarm log, determining the alarm score of each common dimension parameter corresponding to all the target attack alarm logs and the alarm score of each characteristic dimension parameter corresponding to each target attack alarm log according to the score corresponding to each common dimension parameter and different value of each characteristic dimension parameter preset by the target demand side.
Illustratively, the scores of the different values of the access relationship are as follows: access relationship ∈ { [extranet -> intranet], [intranet -> extranet] }, score ∈ A = {1, 3, 5};
the scores of the different values of the source address geographic location are as follows: source address ∈ { [non-foreign address], [foreign address] }, score ∈ B = {1, 5};
the scores of the different values of the source address history occurrence are as follows: source address history occurrence ∈ { [more than 15 times in 30 days], [1 < n <= 15 times in 30 days], [1 time in 30 days] }, score ∈ C = {1, 3, 5};
the scores of the different values of the destination address geographic location are as follows: destination address ∈ { [non-foreign address], [foreign address] }, score ∈ D = {1, 5};
the scores of the different values of the destination address history occurrence are as follows: destination address history occurrence ∈ { [more than 15 times in 30 days], [1 < n <= 15 times in 30 days], [1 time in 30 days] }, score ∈ E = {1, 3, 5};
the scores of the different values of the threat stage are as follows: threat stage ∈ { [information probe], [malicious delivery], [vulnerability exploitation], [command and control], [lateral expansion], [attack implementation] }, score ∈ F = {1, 2, 3, 4, 5, 6};
the scores of the different values of the threat alert level are as follows: threat alert level ∈ { [low], [medium], [high] }, score ∈ G = {2, 4, 6};
the scores of the different values of the threat alert state are as follows: threat alert state ∈ { [false alarm], [unsuccessful], [to be analyzed], [successful] }, score ∈ H = {0, 1, 2, 3};
in a specific example, if the actual value of the common dimension parameter of the access relationship corresponding to all the target attack alarm logs is [ extranet- > intranet ], the alarm score of the common dimension parameter of the access relationship corresponding to all the target attack alarm logs may be determined to be 1.
And 530, calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula.
By way of example, the risk condition of the alert may be scored by compiling SPL statements to automatically count the threat alert generated, the type of equipment involved in the alert, the alert stage, and the threat alert level. The threat score is based on alarm score weighted summation of multiple dimensions, and the calculation formula is specifically as follows:
threat score = access relationship score × (Σ(source address geographic location score × source address history score) / m + Σ(destination address geographic location score × destination address history score) / n) × (threat stage score × threat alert level score / first setting value) × (threat alert state score / second setting value);
wherein m is the historical occurrence times of the source address, and n is the historical occurrence times of the destination address.
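The multi-dimensional alarm score model of step 520 and the threat score formula of steps 350 and 530, as one added worked example that is not the patent's own code. The score tables are transcribed from the illustrative values above; the scores for the two access-relationship values not shown in the example ("intranet -> intranet", "intranet -> extranet") are assumed, as are the first and second setting values (2 and 1), and m and n are taken to be the number of alarm logs summed over on the source and destination side respectively (the example's reading of "number of occurrences"). The event data is constructed.

```python
# Score tables for the common and characteristic dimensions. Values follow the
# illustrative tables in the text; the two access-relationship entries that the
# text does not pin down are an assumption of this example.
SCORE_TABLES = {
    "access_relationship": {"extranet->intranet": 1, "intranet->intranet": 3, "intranet->extranet": 5},
    "threat_stage": {"information_probe": 1, "malicious_delivery": 2, "exploit": 3,
                     "command_and_control": 4, "lateral_expansion": 5, "attack_implementation": 6},
    "threat_alert_level": {"low": 2, "medium": 4, "high": 6},
    "threat_alert_state": {"false_alarm": 0, "unsuccessful": 1, "to_be_analyzed": 2, "successful": 3},
    "src_geo": {"non_foreign": 1, "foreign": 5},
    "src_history": {"more_than_15_in_30d": 1, "2_to_15_in_30d": 3, "once_in_30d": 5},
    "dst_geo": {"non_foreign": 1, "foreign": 5},
    "dst_history": {"more_than_15_in_30d": 1, "2_to_15_in_30d": 3, "once_in_30d": 5},
}
COMMON_DIMS = ("access_relationship", "threat_stage", "threat_alert_level", "threat_alert_state")
FEATURE_DIMS = ("src_geo", "src_history", "dst_geo", "dst_history")


def score_dimension(dim, actual_value):
    """Map the actual value of one dimension to its preset score; an unconfigured
    value is an error rather than a silent zero, so gaps in the model surface."""
    table = SCORE_TABLES[dim]
    if actual_value not in table:
        raise ValueError(f"{dim}: no score configured for value {actual_value!r}")
    return table[actual_value]


def alarm_scores(common, logs):
    """Common dimensions are scored once for the whole event; characteristic
    dimensions are scored per target attack alarm log."""
    common_scores = {d: score_dimension(d, common[d]) for d in COMMON_DIMS}
    per_log = [{d: score_dimension(d, log[d]) for d in FEATURE_DIMS} for log in logs]
    return common_scores, per_log


def threat_score(common_scores, per_log, first_setting=2.0, second_setting=1.0):
    """The threat score formula from the text, with m and n taken as the number
    of logs summed over (assumption) and assumed weighted-average settings."""
    if not per_log:
        raise ValueError("an event needs at least one target attack alarm log")
    m = n = len(per_log)
    src_term = sum(s["src_geo"] * s["src_history"] for s in per_log) / m
    dst_term = sum(s["dst_geo"] * s["dst_history"] for s in per_log) / n
    stage_term = common_scores["threat_stage"] * common_scores["threat_alert_level"] / first_setting
    state_term = common_scores["threat_alert_state"] / second_setting
    return common_scores["access_relationship"] * (src_term + dst_term) * stage_term * state_term


def evaluate_event(common, logs, threshold=100.0, **settings):
    """Return (threat score, whether it exceeds the preset threshold)."""
    common_scores, per_log = alarm_scores(common, logs)
    score = threat_score(common_scores, per_log, **settings)
    return score, score > threshold


# Constructed event: three alarm logs from one first-seen foreign source against
# a frequently seen internal destination; only the common dimensions differ.
EVENT_LOGS = [
    {"src_geo": "foreign", "src_history": "once_in_30d",
     "dst_geo": "non_foreign", "dst_history": "more_than_15_in_30d"},
] * 3
HIGH_EVENT_COMMON = {"access_relationship": "extranet->intranet", "threat_stage": "exploit",
                     "threat_alert_level": "high", "threat_alert_state": "successful"}
LOW_EVENT_COMMON = {"access_relationship": "extranet->intranet", "threat_stage": "information_probe",
                    "threat_alert_level": "low", "threat_alert_state": "unsuccessful"}

if __name__ == "__main__":
    for name, common in (("high", HIGH_EVENT_COMMON), ("low", LOW_EVENT_COMMON)):
        score, exceeds = evaluate_event(common, EVENT_LOGS)
        print(f"{name}: threat score {score:.1f}, exceeds 100: {exceeds}")
```

Working the numbers: each log contributes 5 × 5 = 25 on the source side and 1 × 1 = 1 on the destination side, so the bracket is 25 + 1 = 26; a successful high-level exploit multiplies that by (3 × 6 / 2) × (3 / 1) = 27, giving 702, while an unsuccessful low-level probe multiplies it by (1 × 2 / 2) × (1 / 1) = 1, giving 26. A threat alert state of "false alarm" scores 0 and therefore zeroes the whole product, which is the formula's built-in suppression of confirmed false positives.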
Step 540, judging whether the threat score exceeds 100 points or not.
Illustratively, the preset score threshold is set to 100 points.
Specifically, if the threat score exceeds 100 points, step 550 is executed, otherwise step 590 is executed, and the process ends.
Step 550, judging whether the source IP address exists in the abnormal IP information base.
Specifically, if the source IP address exists in the abnormal IP information base, step 560 is executed, otherwise step 590 is executed, and the process ends.
Specifically, since there may be multiple source IP addresses, determining whether a source IP address exists in the abnormal IP information base may be performed by taking one source IP address at a time and looping over all the source IP addresses; that is, step 550 may include a traversal query over the multiple source IP addresses.
Step 560, judging whether the source IP address exists in the white list address library.
Specifically, if the source IP address exists in the white list address library, step 590 is executed, and if not, step 570 is executed.
Step 570, permanently blocking the source IP address, and executing step 580.
Illustratively, interception blocking is performed automatically on the attack source IP address; for example, a source IP address whose information hits a foreign address is permanently blocked.
Step 580, unblocking any mistakenly blocked IP address, and executing step 590.
And after the source IP addresses are permanently blocked, the blocked source IP addresses can be sent to the manual verification platform, and the manual verification platform performs unsealing of the mistakenly-sealed IP addresses.
Step 590, end.
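The blocking decision of steps 450 to 470 and steps 540 to 580, as an added example that is not the patent's own code: once the threat score exceeds the threshold, the candidate source IPs are kept only if they appear in the abnormal IP information base and do not appear in the white list address base, every dropped candidate is recorded with its reason, and a block list with an audit trail provides the manual-verification unblock path. The address bases, the sample source IPs and the use of CIDR ranges in the bases are assumptions of this example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed bases (RFC 5737 / RFC 1918 ranges), not a real threat feed or whitelist.
ABNORMAL_IP_BASE = ["203.0.113.0/24", "198.51.100.9"]
WHITELIST_BASE = ["198.51.100.9", "10.0.0.0/8"]
# Constructed source IPs extracted from the target attack alarm logs (with a
# duplicate and an unparseable entry to show how they are handled).
SAMPLE_SOURCES = ["203.0.113.7", "198.51.100.9", "192.0.2.44", "10.0.0.5", "not-an-ip", "203.0.113.7"]


def _to_networks(entries):
    """Accept both single addresses and CIDR ranges in an address base."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def select_block_candidates(source_ips, abnormal_ip_base, whitelist_base):
    """Steps 450-470: return (to_block, dropped) where dropped maps each
    rejected candidate to the reason it was filtered out."""
    abnormal = _to_networks(abnormal_ip_base)
    allowed = _to_networks(whitelist_base)
    to_block, dropped = [], {}
    for raw in dict.fromkeys(source_ips):  # de-duplicate, keep first-seen order
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            dropped[raw] = "unparseable"
            continue
        if not _in_any(addr, abnormal):
            dropped[raw] = "not in abnormal IP base"
        elif _in_any(addr, allowed):
            dropped[raw] = "whitelisted"
        else:
            to_block.append(str(addr))
    return to_block, dropped


class BlockList:
    """Block list with an audit trail and the manual-verification unblock path."""

    def __init__(self):
        self._blocked = {}  # ip -> reason
        self.audit = []     # (timestamp, action, ip, detail)

    def block(self, ip, reason):
        self._blocked[ip] = reason
        self.audit.append((datetime.now(timezone.utc), "block", ip, reason))

    def unblock(self, ip, reviewer):
        """Step 580: called by the manual verification platform for a mistaken block."""
        if ip not in self._blocked:
            return False
        del self._blocked[ip]
        self.audit.append((datetime.now(timezone.utc), "unblock", ip, f"reviewed by {reviewer}"))
        return True

    def is_blocked(self, ip):
        return ip in self._blocked


def auto_block(threat_score, threshold, source_ips, abnormal_ip_base, whitelist_base, blocklist):
    """Steps 440-470: block nothing unless the score exceeds the threshold; otherwise
    block the filtered candidates and return (blocked, dropped) for the audit record."""
    if threat_score <= threshold:
        return [], {}
    to_block, dropped = select_block_candidates(source_ips, abnormal_ip_base, whitelist_base)
    for ip in to_block:
        blocklist.block(ip, f"threat score {threat_score:.1f} exceeds threshold {threshold:.0f}")
    return to_block, dropped


if __name__ == "__main__":
    bl = BlockList()
    blocked, dropped = auto_block(702.0, 100.0, SAMPLE_SOURCES, ABNORMAL_IP_BASE, WHITELIST_BASE, bl)
    print("blocked:", blocked)
    print("dropped:", dropped)
    bl.unblock("203.0.113.7", reviewer="analyst-1")  # manual verification reversed it
    for entry in bl.audit:
        print(entry)
```

The two filters are applied in the order the text gives them, so an address that is in neither base is reported as "not in abnormal IP base" rather than "whitelisted"; the reason map is what an analyst needs when reviewing why an alarm produced no block, and the audit trail is what makes the later unblocking step reviewable.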
According to the embodiment of the invention, the attack alarm logs for the target demand side are collected from a plurality of network devices, and all the target attack alarm logs associated with the target network attack event are obtained according to the alarm time of each attack alarm log; the target attack alarm logs contain the key information of the target network attack, and this way of acquiring the key information helps staff quickly obtain the key information of the corresponding network attack and speeds up understanding of it. Further, after the target attack alarm logs are obtained, log key parameters can be extracted from them; once the log key parameters are fed into the multi-dimensional alarm score model, the multi-dimensional alarm scores corresponding to the target network attack are obtained, and the threat score matched with the target network attack event is calculated by bringing those alarm scores into the threat score calculation formula. This way of calculating the score helps improve the accuracy of threat judgment on the network attack. The threat score is then compared with the preset score threshold, and when the threat score is larger than the preset score threshold and the source IP address belongs to the abnormal IP information base but not to the white list address base, the source IP address is automatically blocked; this automatic blocking can improve the efficiency of blocking the target network attack event and save manpower and material resources.
Example six
Fig. 6 is a schematic structural diagram of an automatic blocking device for network attack according to a sixth embodiment of the present invention. As shown in fig. 6, the device includes: the alarm log acquisition module 610, the alarm score calculation module 620, the threat score calculation module 630 and the automatic blocking module 640.
The alarm log obtaining module 610 is configured to collect attack alarm logs for target requesters in a plurality of network devices, and obtain all target attack alarm logs associated with a target network attack event according to alarm time of each attack alarm log.
The alarm score calculation module 620 is configured to extract key parameters of each log from each target attack alarm log, and calculate alarm scores of multiple dimensions according to the key parameters of each log and a multidimensional alarm score model preset by a target demander;
the threat score calculation module 630 is configured to calculate a threat score matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula;
and the automatic blocking module 640 is configured to perform automatic blocking processing on each source IP address matched with each target attack alarm log when the threat score exceeds a preset score threshold.
The embodiment of the invention provides an automatic blocking method, device, equipment and storage medium for network attack, which acquire the alarm logs of network devices for a target demand side, obtain the required target attack alarm logs according to the time information of the alarm logs, bring the key parameters in the target attack alarm logs into a multi-dimensional alarm score model, and calculate the threat score matched with the target network attack event; this way of acquiring the key parameters and calculating the threat score helps to quickly understand the network attack information and to determine the threat of the network attack more accurately. Further, when the threat score exceeds a preset score threshold, the source IP address of the corresponding network attack is automatically blocked, so that the efficiency of handling the network attack is improved and a large amount of manpower and material resources is saved.
Based on the above embodiments, the alarm log obtaining module 610 may include:
the time format unifying unit is used for extracting time information in each attack alarm log and converting each alarm time into alarm time under the unified time format;
the clustering processing unit is used for carrying out clustering processing on each attack alarm log according to each alarm time to obtain at least one cluster, and taking each cluster as all attack alarm logs associated with a single network attack event;
And the target attack alarm log acquisition unit is used for acquiring target cluster clusters from the cluster clusters and taking the target cluster clusters as all target attack alarm logs associated with the target network attack event.
On the basis of the above embodiments, the device may further include a log classification module configured to: after the attack alarm logs for the target demand side are collected from a plurality of network devices, classify each attack alarm log according to the device type of the network device from which it was collected;
accordingly, the alert score calculation module 620 may be specifically configured to:
and according to the analysis mode matched with the classification to which each target attack alarm log belongs, carrying out data analysis on each target attack alarm log to obtain each log key parameter corresponding to each target attack alarm log.
Based on the above embodiments, the alert score calculating module 620 may further include:
the actual value calculation unit is used for calculating the actual value of at least one common dimension parameter corresponding to all the target attack alarm logs and the actual value of at least one characteristic dimension parameter corresponding to each target attack alarm log according to the key parameters of each log;
The alarm score determining unit is used for determining alarm scores of the common dimension parameters corresponding to all target attack alarm logs and alarm scores of the characteristic dimension parameters corresponding to each target attack alarm log according to the scores which are preset by the target demand side and correspond to different values of the common dimension parameters and the characteristic dimension parameters respectively.
On the basis of the above embodiments, the common dimension parameters include: access relationships, threat phases, threat alert levels, and threat alert states;
the characteristic dimension parameters comprise a source address geographic position, a source address historical condition, a destination address geographic position and a destination address historical condition;
the access relation value comprises an external network to an internal network, an internal network to an internal network and an internal network to an external network;
the value of the threat stage comprises information detection, malicious release, vulnerability exploitation, command and control, lateral expansion and attack implementation;
the threat alert level comprises a low level, a medium level and a high level;
the value of the threat alarm state comprises false alarm, unsuccessful, to-be-analyzed and successful;
the value of the source address geographic position comprises a non-foreign address and a foreign address;
the source address history condition values include more than 15 occurrences in 30 days, more than 1 and at most 15 occurrences in 30 days, and a single occurrence in 30 days;
the destination address geographic location includes a non-foreign address and a foreign address;
the destination address history condition values include more than 15 occurrences in 30 days, more than 1 and at most 15 occurrences in 30 days, and a single occurrence in 30 days.
Based on the above embodiments, the threat score calculation module 630 may be specifically configured to:
substituting the alarm scores of the multiple dimensions into the following formula, and calculating to obtain threat scores matched with the target network attack;
threat score = access relationship score × (Σ(source address geographic location score × source address history score) / m + Σ(destination address geographic location score × destination address history score) / n) × (threat stage score × threat alert level score / first setting value) × (threat alert state score / second setting value);
wherein m is the historical occurrence times of the source address, and n is the historical occurrence times of the destination address.
Based on the above embodiments, the automatic blocking module 640 may include:
the IP address backup unit is used for extracting source IP addresses matched with all target attack alarm logs as alternative IP addresses;
The first comparison unit is used for comparing each alternative IP address with the abnormal IP information library and filtering the IP addresses which are not in the abnormal IP information library in the alternative IP addresses;
and the second comparison unit is used for comparing the rest candidate IP addresses with the white list address library, filtering the IP addresses existing in the white list address library in the candidate IP addresses, and then performing all blocking processing on the rest candidate IP addresses.
Optionally, the automatic blocking module 640 may further include an unblocking unit configured to unblock any mistakenly blocked IP address.
The automatic blocking device for network attack provided by the embodiment of the invention can execute any automatic blocking method for network attack in any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the executing method.
Example seven
Fig. 7 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic equipment may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 7, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as an automatic blocking method for network attacks.
In some embodiments, a method of automatically blocking network attacks may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the automatic blocking method for network attack described above may be performed. Alternatively, in other embodiments, processor 11 may be configured in any other suitable manner (e.g., by means of firmware) to perform the automatic blocking method for network attack.
Various implementations of the systems and techniques described here above can be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. An automatic blocking method for network attack, which is characterized by comprising the following steps:
collecting attack alarm logs aiming at target demand parties in a plurality of network devices, and acquiring all target attack alarm logs related to target network attack events according to the alarm time of each attack alarm log;
extracting key parameters of each log from each target attack alarm log, and calculating alarm scores of multiple dimensions according to the key parameters of each log and a multi-dimensional alarm score model preset by a target demand party;
calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula;
and automatically blocking and disabling each source IP address matched with each target attack alarm log.
2. The method of claim 1, wherein obtaining all target attack alarm logs associated with the target network attack event based on the alarm time of each attack alarm log comprises:
extracting time information in each attack alarm log, and converting each alarm time into alarm time in a unified time format;
clustering the attack alarm logs according to the alarm time to obtain at least one cluster, and taking each cluster as all attack alarm logs associated with a single network attack event;
and acquiring a target cluster from each cluster as all target attack alarm logs associated with the target network attack event.
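The time-normalisation and clustering steps of claim 2, shown as an added example that is not part of the patent. The device types, field names, timestamp formats and the sample alarm logs are constructed for illustration, and gap-based clustering with a fixed window (one cluster is closed when the next alarm is more than `window_seconds` after the previous one) is one possible reading of "clustering according to the alarm time"; the patent does not specify the clustering method or how the target cluster is chosen (here the largest cluster is taken).

```python
from datetime import datetime, timezone

# Constructed sample attack alarm logs from three device types. The field
# names and the per-device time formats are assumptions for this example,
# not the patent's own log format.
SAMPLE_LOGS = [
    {"device": "firewall", "time": "2023-09-07T02:00:05+08:00", "src": "203.0.113.10", "dst": "10.0.0.5"},
    {"device": "ids",      "time": "1694023220",                 "src": "203.0.113.10", "dst": "10.0.0.5"},
    {"device": "waf",      "time": "07/Sep/2023:02:00:50 +0800", "src": "198.51.100.7", "dst": "10.0.0.5"},
    {"device": "firewall", "time": "2023-09-07T04:10:00+08:00", "src": "192.0.2.44",   "dst": "10.0.0.9"},
    {"device": "ids",      "time": "1694031030",                 "src": "192.0.2.44",   "dst": "10.0.0.9"},
]


def to_epoch(value: str) -> int:
    """Convert an alarm time in any supported device format to POSIX seconds (UTC).

    Supported inputs: epoch seconds as digits, ISO 8601 with offset, and the
    Apache-style "%d/%b/%Y:%H:%M:%S %z" format. Naive timestamps are taken as
    UTC (assumption).
    """
    if value.isdigit():
        return int(value)
    try:
        parsed = datetime.fromisoformat(value)
    except ValueError:
        parsed = datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z")
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def cluster_by_time(logs, window_seconds: int = 300):
    """Group alarms into events: consecutive alarms closer than the window share a cluster."""
    ordered = sorted(logs, key=lambda log: to_epoch(log["time"]))
    clusters = []
    for log in ordered:
        if clusters and to_epoch(log["time"]) - to_epoch(clusters[-1][-1]["time"]) <= window_seconds:
            clusters[-1].append(log)
        else:
            clusters.append([log])
    return clusters


def select_target_cluster(clusters):
    """Pick the cluster to treat as the target network attack event (largest cluster, assumption)."""
    return max(clusters, key=len)


if __name__ == "__main__":
    for i, cluster in enumerate(cluster_by_time(SAMPLE_LOGS)):
        print(f"event {i}: {len(cluster)} alarms, sources {sorted({log['src'] for log in cluster})}")
```

With the constructed logs the first three alarms fall within 45 seconds of each other and form one event, while the two alarms about two hours later form a second one; the same normalisation lets alarms from devices that report in local time, UTC or epoch seconds be compared directly.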
3. The method of claim 1, further comprising, after collecting attack alert logs for the target demander in the plurality of network devices:
classifying each attack alarm log according to the equipment type of the network equipment for collecting each attack alarm log;
extracting the key parameters of each log from each target attack alarm log comprises:
and according to the analysis mode matched with the classification to which each target attack alarm log belongs, carrying out data analysis on each target attack alarm log to obtain each log key parameter corresponding to each target attack alarm log.
4. A method according to any one of claims 1-3, wherein calculating a multi-dimensional alert score based on each log key parameter and a multi-dimensional alert score model preset by the target demander comprises:
according to the key parameters of each log, calculating to obtain the actual value of at least one common dimension parameter corresponding to all target attack alarm logs and the actual value of at least one characteristic dimension parameter corresponding to each target attack alarm log respectively;
and determining alarm scores of the common dimension parameters corresponding to all target attack alarm logs and alarm scores of the characteristic dimension parameters corresponding to each target attack alarm log according to scores which are preset by a target demand party and respectively correspond to different values of the common dimension parameters and the characteristic dimension parameters.
5. The method of claim 4, wherein the common dimension parameter comprises: access relationships, threat phases, threat alert levels, and threat alert states;
the characteristic dimension parameters comprise a source address geographic position, a source address historical condition, a destination address geographic position and a destination address historical condition;
the access relation value comprises an external network to an internal network, an internal network to an internal network and an internal network to an external network;
the value of the threat stage comprises information detection, malicious release, vulnerability exploitation, command and control, lateral expansion and attack implementation;
the threat alert level comprises a low level, a medium level and a high level;
the value of the threat alarm state comprises false alarm, unsuccessful, to-be-analyzed and successful;
the value of the source address geographic position comprises a non-foreign address and a foreign address;
the source address history condition values include a number of occurrences greater than 15 times in 30 days, a number of occurrences greater than 1 time in 30 days and 15 times or less, and a number of occurrences once in 30 days;
the destination address geographic location includes a non-foreign address and a foreign address;
the historical destination address condition values include a number of occurrences greater than 15 times in 30 days, a number of occurrences greater than 1 time in 30 days and 15 times or less, and a number of occurrences once in 30 days.
6. The method of claim 5, wherein calculating a threat score matching the target network attack event based on the alarm scores of the plurality of dimensions and a preset threat score calculation formula comprises:
substituting the alarm scores of the multiple dimensions into the following formula, and calculating to obtain the threat score matched with the target network attack event;
threat score = access relationship score × (Σ(source address geographic location score × source address history score)/m + Σ(destination address geographic location score × destination address history score)/n) × (threat stage score × threat alert level score / first setting value) × threat alert status score / second setting value;
wherein m is the historical occurrence times of the source address, and n is the historical occurrence times of the destination address.
7. The method of claim 1, wherein automatically disabling each source IP address that matches each target attack alert log comprises:
extracting the source IP addresses matched with all target attack alarm logs as candidate IP addresses;
comparing each candidate IP address with the abnormal IP information library, and filtering out the candidate IP addresses which are not in the abnormal IP information library;
and comparing the remaining candidate IP addresses with the white list address library, filtering out the candidate IP addresses present in the white list address library, and blocking all remaining candidate IP addresses.
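The scoring formula of claim 6 over the dimension values of claim 5, followed by the candidate filtering of claim 7 gated on the score threshold of claim 8, as an added example that is not part of the patent. The per-value scores, the two setting values and the threshold are left to the "target demander" by the claims, so the numbers here are assumptions; `m` and `n` are read as the number of source and destination address entries summed over, which makes each Σ/m and Σ/n term a mean (also an assumption). The event, the abnormal IP information library and the white list are constructed.

```python
from dataclasses import dataclass

# Per-value alarm scores. The claims leave the numbers to the target demander;
# these values are assumptions chosen for this example.
ACCESS_RELATION_SCORE = {"external to internal": 1.0, "internal to internal": 1.5, "internal to external": 1.2}
THREAT_STAGE_SCORE = {"information detection": 1, "malicious release": 2, "vulnerability exploitation": 3,
                      "command and control": 4, "lateral expansion": 5, "attack implementation": 6}
ALERT_LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}
ALERT_STATUS_SCORE = {"false alarm": 0, "unsuccessful": 1, "to be analyzed": 2, "successful": 4}
GEO_SCORE = {"non-foreign": 1, "foreign": 2}
HISTORY_SCORE = {">15 in 30 days": 3, "2-15 in 30 days": 2, "1 in 30 days": 1}
FIRST_SETTING = 18    # max stage score * max level score, so that factor is <= 1 (assumption)
SECOND_SETTING = 4    # max status score (assumption)
SCORE_THRESHOLD = 3.0  # blocking threshold of claim 8 (assumption)


@dataclass(frozen=True)
class AlarmLog:
    """Characteristic-dimension values of one target attack alarm log (claim 5)."""
    src_ip: str
    src_geo: str
    src_history: str
    dst_ip: str
    dst_geo: str
    dst_history: str


@dataclass(frozen=True)
class AttackEvent:
    """Common-dimension values shared by all logs of one target network attack event (claim 5)."""
    access_relation: str
    threat_stage: str
    alert_level: str
    alert_status: str
    logs: tuple


def threat_score(event: AttackEvent) -> float:
    """Claim 6 formula; m and n are the number of source/destination entries summed over (assumption)."""
    src_terms = [GEO_SCORE[log.src_geo] * HISTORY_SCORE[log.src_history] for log in event.logs]
    dst_terms = [GEO_SCORE[log.dst_geo] * HISTORY_SCORE[log.dst_history] for log in event.logs]
    m, n = len(src_terms), len(dst_terms)
    address_factor = sum(src_terms) / m + sum(dst_terms) / n
    stage_factor = THREAT_STAGE_SCORE[event.threat_stage] * ALERT_LEVEL_SCORE[event.alert_level] / FIRST_SETTING
    status_factor = ALERT_STATUS_SCORE[event.alert_status] / SECOND_SETTING
    return ACCESS_RELATION_SCORE[event.access_relation] * address_factor * stage_factor * status_factor


def addresses_to_block(event: AttackEvent, abnormal_ip_library, whitelist, threshold=SCORE_THRESHOLD):
    """Claims 7 and 8: block only when the score exceeds the threshold, keep only
    candidates present in the abnormal IP library, and drop whitelisted addresses."""
    if threat_score(event) <= threshold:
        return set()
    candidates = {log.src_ip for log in event.logs}
    candidates &= set(abnormal_ip_library)
    candidates -= set(whitelist)
    return candidates


# Constructed sample event: three alarms of one exploitation attempt against 10.0.0.5.
SAMPLE_LOGS = (
    AlarmLog("203.0.113.10", "foreign", ">15 in 30 days", "10.0.0.5", "non-foreign", ">15 in 30 days"),
    AlarmLog("203.0.113.10", "foreign", ">15 in 30 days", "10.0.0.5", "non-foreign", ">15 in 30 days"),
    AlarmLog("198.51.100.7", "non-foreign", "1 in 30 days", "10.0.0.5", "non-foreign", ">15 in 30 days"),
)
SAMPLE_EVENT = AttackEvent("external to internal", "vulnerability exploitation", "high", "successful", SAMPLE_LOGS)
FALSE_ALARM_EVENT = AttackEvent("external to internal", "vulnerability exploitation", "high", "false alarm", SAMPLE_LOGS)
ABNORMAL_IP_LIBRARY = {"203.0.113.10", "198.51.100.7", "192.0.2.44"}   # constructed
WHITELIST = {"198.51.100.7"}                                           # constructed, e.g. an authorised scanner

if __name__ == "__main__":
    print(f"threat score: {threat_score(SAMPLE_EVENT):.3f}")
    print(f"block: {sorted(addresses_to_block(SAMPLE_EVENT, ABNORMAL_IP_LIBRARY, WHITELIST))}")
```

A "false alarm" status zeroes the whole product, so a confirmed false positive never reaches the blocking step regardless of the other dimensions; the whitelist check runs last so that an authorised address that also appears in the abnormal IP library is still never blocked.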
8. An automatic blocking device for network attack, comprising:
the alarm log acquisition module is used for collecting the attack alarm logs aiming at the target demand side in a plurality of network devices and acquiring all target attack alarm logs related to the target network attack event according to the alarm time of each attack alarm log;
the alarm score calculation module is used for respectively extracting key parameters of each log from each target attack alarm log and calculating alarm scores of multiple dimensions according to the key parameters of each log and a multi-dimensional alarm score model preset by a target demand party;
the threat score calculation module is used for calculating threat scores matched with the target network attack event according to the alarm scores of the multiple dimensions and a preset threat score calculation formula;
and the automatic blocking module is used for automatically blocking each source IP address matched with each target attack alarm log when the threat score exceeds a preset score threshold value.
9. An automatic blocking device for network attack, characterized in that the automatic blocking device for network attack comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of automatically blocking a network attack according to any of claims 1-7.
10. A computer readable storage medium storing computer instructions for causing a processor to implement the method for automatically blocking a network attack according to any of claims 1-7 when executed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311153638.4A CN117061216A (en) 2023-09-07 2023-09-07 Automatic blocking method, device, equipment and storage medium for network attack

Publications (1)

Publication Number Publication Date
CN117061216A true CN117061216A (en) 2023-11-14

Family

ID=88666330

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination