CN117176480B - Method and system for tracing attack event - Google Patents
- Publication number: CN117176480B (application CN202311451712.0A)
- Authority: CN (China)
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The present invention relates to the field of network security, and in particular to a method and system for tracing an attack event. In the method, a pane search condition corresponding to each display pane is generated, according to the first tracing direction, from the source IP and destination IP of the query result of the initial search condition contained in the tracing request, and the data of each pane is queried according to its pane search condition. The data queried through the pane search conditions satisfies, for any two adjacent panes, that the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane. A user therefore only needs to input the initial search condition to obtain, automatically, data that carries an upstream-downstream association relation. This facilitates tracing, shortens the tracing period, improves tracing efficiency, and avoids discarding data that would otherwise distort the tracing result.
Description
Technical Field
The present invention relates to the field of network security, and in particular, to a method and system for tracing an attack event.
Background
Attack tracing (attack traceback) is a network security technology that aims to track and identify the source and origin of network attacks. It mainly analyzes attack traffic, log records and other relevant information to determine the true identity and location of the attacker.
At present, attack tracing mainly depends on tedious manual retrieval: complex retrieval conditions have to be constructed by hand from the attack data, multidimensional retrieval is carried out on that data to trace it, the processes involved in the attack are restored, and finally an attack chain view is formed. This view provides the basis for subsequent threat response and remediation, strengthens the ability to resist threats, and effectively reduces the loss of the attacked party.
Disclosure of Invention
In order to overcome the problems in the related art, the application provides a tracing method for attack events. The method includes: acquiring a tracing request input for the attack event, where the tracing request comprises an initial retrieval condition, a first tracing direction and a display style of panes, and a pane is used for displaying queried data; generating a pane retrieval condition corresponding to each pane according to the source IP and destination IP of the query result of the initial retrieval condition and the first tracing direction, and querying the data of each pane according to its pane retrieval condition, where the data queried by the pane retrieval conditions satisfies that, in any two adjacent panes, the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane; and displaying data in each pane according to the display style, so that tracing is carried out based on the data displayed in each pane.
In some embodiments, generating the pane retrieval condition corresponding to each pane according to the source IP and destination IP of the query result of the initial retrieval condition and the first tracing direction includes: acquiring initial data queried according to the initial retrieval condition, the initial data being displayed in an initial pane; when the first tracing direction is rightward, the initial pane is the most upstream pane, and pane retrieval conditions corresponding to a first preset number of downstream panes of the initial pane are generated according to the destination IP of the initial data, where in any two adjacent panes the source IP of the data in the downstream pane is generated from the destination IP of the data in the upstream pane; when the first tracing direction is leftward, the initial pane is the most downstream pane, and pane retrieval conditions corresponding to a second preset number of upstream panes of the initial pane are generated according to the source IP of the initial data, where in any two adjacent panes the destination IP of the data in the upstream pane is generated from the source IP of the data in the downstream pane; and when the first tracing direction is bidirectional, the initial pane is a midstream pane, pane retrieval conditions corresponding to a third preset number of upstream panes of the initial pane are generated according to the source IP of the initial data, and pane retrieval conditions corresponding to a fourth preset number of downstream panes of the initial pane are generated according to the destination IP of the initial data.
In some embodiments, each pane corresponds to at least one data queue, and the data queried based on a pane retrieval condition is stored in the data queue corresponding to that pane. Displaying data in each pane according to the display style then includes: reading data from the data queue with a set number of threads, and displaying the data in the pane corresponding to the data queue. The number of threads is set as follows: predicting the future data volume with a data volume prediction model, where the model is trained on data volume time series samples, each sample comprising the data volume over a period before a marking time and the marking value at that marking time; querying a history record for the number of threads that corresponds to the predicted future data volume, where the history record stores the correspondence between data volume and the number of threads that meets the processing capacity requirement; and completing the setting based on that historical number of threads.
In some embodiments, tracing based on the data displayed in each pane includes: acquiring at least one item of marked data selected in any first pane and a selected second tracing direction; generating, according to the source IP and destination IP of the marked data, an adjacent pane retrieval condition for the pane adjacent to the first pane in the second tracing direction, where the adjacent pane is the upstream pane of the first pane when the second tracing direction is leftward and the downstream pane of the first pane when the second tracing direction is rightward; and querying and displaying the data of the adjacent pane according to the adjacent pane retrieval condition in order to trace the source.
In some embodiments, querying and displaying the data of the adjacent pane in order to trace the source includes: in response to tracing out the most upstream attacker and the most downstream victim, generating an attack chain from the marked data in the panes between the first pane where the attacker is located and the second pane where the victim is located.
In some embodiments, after the data of each pane is queried, pane retrieval conditions corresponding to a fifth preset number of upstream panes of the current most upstream pane are generated and cached, and pane retrieval conditions corresponding to a sixth preset number of downstream panes of the current most downstream pane are generated and cached. Tracing based on the data displayed in each pane then includes: receiving a sliding tracing operation comprising a third tracing direction and a tracing count; in response to the sliding tracing operation, when the third tracing direction is rightward, fetching from the cache the pane retrieval conditions of the tracing count of downstream panes of the current most downstream pane and completing the data query and display; and when the third tracing direction is leftward, fetching from the cache the pane retrieval conditions of the tracing count of upstream panes of the current most upstream pane and completing the data query and display.
In some embodiments, each query according to a pane retrieval condition returns a preset number of pages of data. Tracing based on the data displayed in each pane then includes: in response to a page turning operation to a preset page for any first pane, querying the page turning data of that page according to the pane retrieval condition of the first pane and displaying it in the first pane; generating, according to the source IP and destination IP of the queried page turning data, associated pane retrieval conditions for the associated panes of the first pane, where the associated panes comprise the upstream pane and/or the downstream pane of the first pane; and either querying and displaying the data of the associated panes according to the associated pane retrieval conditions, or caching the associated pane retrieval conditions and, in response to a page turning operation for an associated pane, querying and displaying its data according to the cached condition.
In some embodiments, data display is performed by the front end and data query by the back end. Generating the pane retrieval condition corresponding to each pane according to the source IP and destination IP of the query result of the initial retrieval condition and the first tracing direction, and querying the data of each pane according to the pane retrieval conditions, then includes: the back end returns the query result to the front end for display; the front end generates the pane retrieval condition of each pane according to the first tracing direction, based on the source IP and destination IP of the query result returned by the back end, and sends the pane retrieval conditions to the back end; and the back end queries the data of each pane based on the pane retrieval conditions.
In some embodiments, tracing based on the data displayed in each pane includes one of the following. First: in response to receiving a search request for the data in any second pane, updating the data displayed in that second pane based on the target search condition included in the search request, and, in response to a marking operation on attack data in the second pane, updating the pane search conditions of the associated panes of the second pane and updating the data displayed in them. Second: in response to receiving a search request for the data in any second pane, when the pane search condition of that second pane does not match the target search condition included in the request, generating first prompt information that asks the user whether to return to the initial pane for searching; in response to the user choosing to return to the initial pane, searching the initial pane based on the target search condition to obtain a search result; and, in response to a marking operation on attack data in the search result, updating the pane search conditions of the associated panes of the initial pane and updating the data displayed in them. Third: in response to receiving a search request for the data in any second pane, when the pane search condition of that second pane does not match the target search condition included in the request, generating second prompt information that asks the user whether to create new panes for attack event tracing; and, in response to the user choosing to create new panes, creating them, using the target search condition as the initial search condition, generating the pane search condition of each new pane, querying the data and displaying it in the new panes.
The application also provides a tracing system for attack events. The system comprises: an acquisition unit, which acquires a tracing request input for the attack event, where the tracing request comprises an initial retrieval condition, a first tracing direction and a display style of panes, and a pane is used for displaying queried data; a query unit, which generates the pane retrieval condition corresponding to each pane according to the first tracing direction and the source IP and destination IP of the query result of the initial retrieval condition, and queries the data of each pane according to the pane retrieval conditions, where the data queried by the pane retrieval conditions satisfies that, in any two adjacent panes, the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane; and a display unit, which displays data in each pane according to the display style so that tracing is carried out based on the data displayed in each pane.
The technical scheme provided by the embodiments of the application can have the following beneficial effects. A pane search condition corresponding to each display pane is generated, according to the first tracing direction, from the source IP and destination IP of the query result of the initial search condition in the tracing request, and the data of each pane is queried according to its pane search condition. Because the queried data satisfies, for any two adjacent panes, that the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane, the user only needs to input the initial search condition to obtain data with an upstream-downstream association relation automatically. This facilitates tracing, shortens the tracing period, improves tracing efficiency, and avoids discarding data that would otherwise distort the tracing result.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a method flow diagram of a tracing method of an attack event shown in the present application.
Fig. 2 is a flow chart of a method for generating pane search conditions according to the present application.
Fig. 3 is a flow chart of a method for setting the number of threads according to the present application.
Fig. 4 is a flowchart of a method for assisting a user in tracing the source.
Fig. 5 is a schematic flow chart of a method for tracing a sliding window shown in the present application.
Fig. 6 is a flowchart of a tracing method for improving tracing efficiency.
Fig. 7 is a flow chart of a method for completing data query by front-end and back-end coordination.
Fig. 8 is a flowchart of an attack tracing method shown in the present application.
Fig. 9 is a schematic structural diagram of a tracing system for an attack event shown in the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items. It will also be appreciated that the term "if," as used herein, may be interpreted as "when," "upon," or "in response to determining," depending on the context.
Some attack tracing related technologies rely mainly on tedious manual retrieval. For example, when an alarm occurs, the user has to construct a search condition by hand from the alarm information to confirm the alarm data, then construct further search conditions from the alarm data to query its upstream and downstream data, complete those queries, and repeat the process with many more search conditions before the attacker can possibly be tracked. The related art therefore has at least the following drawbacks. First, the attacker can only be tracked by frequently replacing the search condition, which is cumbersome, inefficient and unfriendly to the user. Second, there is no association relation between the data retrieved under manually constructed conditions, yet such relations must be confirmed in order to build the attack chain, so the association and sorting must be done by hand, which is slow and error prone. Third, the volume of historical data queried manually is often very large, so in order to keep constructing search conditions conveniently the user tends to discard part of the queried data; attack data may be discarded with it, which distorts the tracing result and the attack chain view formed from it.
In view of this, the present application proposes a tracing method for attack events. In the method, a pane search condition corresponding to each display pane is generated, according to the first tracing direction, from the source IP and destination IP of the query result of the initial search condition in the tracing request, and the data of each pane is queried according to its pane search condition. The queried data satisfies, for any two adjacent panes, that the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane, so the user only needs to input the initial search condition to obtain data with an upstream-downstream association relation automatically. This facilitates tracing, shortens the search and tracing period, improves tracing efficiency, and avoids discarding data that would otherwise distort the tracing result.
The following description of the embodiments is made with reference to the accompanying drawings. Referring to fig. 1, fig. 1 is a method flow diagram of a tracing method for an attack event shown in the present application. As shown in FIG. 1, the method may include S102-S106.
S102, acquiring a tracing request input for the attack event; the trace-source request includes an initial search condition, a first trace-source direction and a display style of the pane.
In some cases an attack event occurs and produces an alarm. The alarm may carry information related to the attack event, such as the IP of the alarming device and the alarm level. The user may build the initial search condition from this alarm information; for example, the IP of the alarming device may be used as the destination IP in the initial search condition.
The tracing request may then be generated from the initial search condition in order to trace the data.
The first tracing direction indicates the tracing direction desired by the user; how it determines the pane search conditions generated in S104 is described under S104.
The pane is used to display the queried data.
The display style refers to the display style of the pane, and can be configured according to requirements. The presentation style may include the number of panes and the pane presentation content.
The number of panes refers to the number of panes displayed on the front-end page. If it is configured as 3, the front end displays 3 panes; if it is configured as 4, the front end displays 4 panes.
The pane presentation content refers to a setting of pane content. For example, thumbnail display or detail display, small font display or large font display may be configured, field information displayed in a pane may be configured, and the like. The front end can complete data display in the pane according to the display style.
S104, generating pane retrieval conditions corresponding to each pane according to the first tracing direction and the source IP and destination IP of the query result of the initial retrieval condition, and querying the data of each pane according to the pane retrieval conditions; the data queried by the pane retrieval conditions satisfies that, in any two adjacent panes, the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane.
Some data (i.e. the query result) is obtained through the initial retrieval condition, and the method generates the retrieval conditions (i.e. pane retrieval conditions) for querying the upstream and downstream data of that data from its data fields. This replaces the manual search rules and manually constructed retrieval conditions and thereby assists the user in tracing the source.
Upstream and downstream are relative concepts. The upstream data of a given piece of data is the data whose destination IP is the source IP of that piece of data, and its downstream data is the data whose source IP is the destination IP of that piece of data. The pane showing the upstream data is the upstream pane of the pane showing that data, and the pane showing the downstream data is its downstream pane. The present application does not limit the order and hierarchy of the upstream and downstream panes in the page. For example, the upstream pane may be displayed to the left or to the right of the downstream pane, and other panes may even be inserted between them. The level of the upstream pane may be lower or higher than that of the downstream pane. The level is a number recording the upstream-downstream relation of a pane; for example, the higher the number, the higher the level and the further downstream the pane. In some embodiments, the upstream pane is displayed to the left of the downstream pane, and the smaller the number, the lower the level and the further upstream the pane.
The pane search condition refers to a search condition for querying upstream and/or downstream data of the query result. The pane search criteria are generated based on the source IP and the destination IP of the query result. The generated pane retrieval condition is related to the first tracing direction. The tracing direction represents the direction the user wants to trace to.
For example, if the user needs to trace downstream, the first tracing direction can be set to rightward, so that the destination IP of the query result is used as the source IP when generating the pane retrieval condition; if the user needs to trace upstream, the first tracing direction can be set to leftward, so that the source IP of the query result is used as the destination IP when generating the pane retrieval condition. If the user needs bidirectional tracing, the first tracing direction can be set to bidirectional, so that pane retrieval conditions are generated separately with the destination IP of the query result as source IP and with the source IP of the query result as destination IP.
The number of pane search conditions generated is related to the number of panes to be displayed. For example, if 3 panes need to be displayed, the query result of the initial search condition can be placed in one pane, and the pane search conditions of the other two panes are generated from that query result.
It will be appreciated that in some embodiments a larger number of pane search conditions may be generated and cached, and the cached pane search conditions used to complete the data search and presentation when the user slides to the corresponding pane. For example, 3 panes may need to be displayed while pane search conditions for 6 panes are generated; the 3 surplus conditions are cached first and their searches completed when the user slides to the corresponding panes.
After obtaining the pane search condition, the data search can be completed and displayed. In some manners, a corresponding data queue may be configured for each pane, and the search conditions and/or the searched data corresponding to the panes may be stored in the data queue and waiting to be sent to the front end for presentation.
And S106, carrying out data display on each pane according to the display style so as to carry out the tracing based on the data displayed by each pane.
The step can call a thread, read data from a data queue, send the data to the front end and render the data according to the presentation style so as to present the data in each pane.
For example, the front end displays 3 panes, and then a thread can be called to acquire a certain amount of data (which may be all the retrieved data or part of the retrieved data (such as the first 3 pages)) from a data queue corresponding to the three panes, and send the data to the front end for displaying.
In some ways, only preset fields related to the data are displayed in the pane, and the details of the data can be expanded through expansion options. For example, the pane may only show the source IP, destination IP, session ID 3 tuple of the data, and after clicking on the expanded details, the details of the data may be shown. Thereby facilitating the user to interpret detailed attack information.
The user can also browse the data in the pane through the front end to determine attack data, and can track an attacker by sliding the pane. Because the search conditions corresponding to the pane are automatically generated, the user does not need to configure the search conditions in the process of sliding the pane, so that the user operation is simplified, and the tracking efficiency is improved.
For example, data is presented in 3 panes. The initial search condition is source IP = 1.1.1.1 and destination IP = 2.2.2.2, and the first tracing direction is rightward. Then S102-S106 generate the pane search condition source IP = 2.2.2.2. If the data retrieved with the pane search condition source IP = 2.2.2.2 has destination IP = 3.3.3.3, the pane search condition source IP = 3.3.3.3 is generated next and the data search completed. Assuming that the data retrieved with it has source IP = 3.3.3.3 and destination IP = 4.4.4.4, the three panes shown in Table 1 are obtained. The user can trace the data to the right or to the left by sliding the panes, can mark a particular piece of data in a particular pane as risk data, and can generate several new panes for data tracking.
Table 1:
Pane 1 (most upstream): source IP 1.1.1.1, destination IP 2.2.2.2
Pane 2: source IP 2.2.2.2, destination IP 3.3.3.3
Pane 3 (most downstream): source IP 3.3.3.3, destination IP 4.4.4.4
The scheme described in S102 to S106 has at least the following technical effects. First, the user only needs to input the initial search condition and slide the panes to complete attacker tracking, so the operation is simple, search and tracking efficiency is improved, and the method is user friendly. Second, because the search conditions are generated automatically and are related to one another, the queried data is related as well, so the association between data does not have to be confirmed by hand when the attack chain is reconstructed; this is efficient and not error prone. Third, because the search conditions are generated automatically, every subsequent search condition can be generated from all of the retrieved data, so no data and in particular no attack data is lost, which improves the tracing result and leaves the attack chain view unaffected.
In some embodiments, multiple tracing directions can be provided for the user, and the user can select the tracing directions when inputting the initial retrieval condition, so as to complete tracing meeting the user requirements, thereby improving the user satisfaction.
Referring to fig. 2, fig. 2 is a flow chart of a method for generating pane search conditions according to the present application. The method illustrated in fig. 2 elaborates S104 and may include S202-S208.
S202, acquiring initial data queried according to the initial retrieval conditions; the initial data is presented in an initial pane.
The initial pane is a preset pane in panes to be displayed, and the position and the hierarchy of the pane are related to the tracing direction selected by the user. The specific description is given in the subsequent steps.
The step can be based on the initial search condition to inquire initial data from a database and complete the presentation of the initial data.
S204, when the first tracing direction is rightward, the initial pane is the pane of the most upstream, and pane search conditions corresponding to a first preset number of downstream panes of the initial pane are generated according to the destination IP of the initial data.
Wherein in any two adjacent panes, a source IP of data in the downstream pane is generated based on a destination IP of data in the upstream pane.
The tracing direction selected by the user is rightward, which indicates that the user needs to trace downstream. The initial pane may be the lowest-level, most upstream pane among the panes that present data, and may be arranged at the leftmost edge of the page. For example, data of 3 panes needs to be presented, then the initial pane may be the leftmost pane.
Pane search conditions for a pane downstream of the initial pane may then be generated based on the destination IP for which the initial data was analyzed. The source IP of the pane search condition is the destination IP of the initial data.
The data retrieval and presentation may then be completed based on the pane retrieval conditions of the downstream pane of the initial pane, and the pane retrieval conditions of the next downstream pane may be generated from the retrieved data. And so on, until a first preset number of pane search conditions have been generated. The first preset number may be greater than or equal to the number of panes to be displayed minus 1. For example, if 3 panes need to be displayed, the first preset number may be 5: the data retrieval and display of the 3 panes is completed using the initial retrieval condition and the first 2 pane retrieval conditions, and the remaining 3 pane retrieval conditions are cached, their data being retrieved when the user slides to the corresponding pane.
For example, 3 panes of data are presented. The initial search condition is source IP = 1.1.1.1, destination IP = 2.2.2.2. The first tracing direction is rightward, and the first preset number is 2. Then a pane search condition source IP = 2.2.2.2 may be generated. If the data retrieved using the pane search condition source IP = 2.2.2.2 has destination IP = 3.3.3.3, the pane search condition source IP = 3.3.3.3 may also be generated, completing the data search. If the first preset number is greater than 2, pane search conditions can continue to be generated and cached.
S206, when the first tracing direction is leftward, the initial pane is the most downstream pane, and pane search conditions corresponding to a second preset number of upstream panes of the initial pane are generated according to the source IP of the initial data. Wherein, in any two adjacent panes, the destination IP of the data in the upstream pane is generated based on the source IP of the data of the downstream pane.
The tracing direction selected by the user is leftwards, which indicates that the user needs upstream tracing. The initial pane may be the highest-level downstream pane among the panes for presentation data and may be arranged at the far right of the page. For example, data of 3 panes needs to be presented, then the initial pane may be the rightmost pane.
Pane search conditions for a pane upstream of the initial pane may then be generated based on analyzing the source IP of the initial data. The destination IP of the pane retrieval condition is the source IP of the initial data.
The data retrieval and presentation may then be completed based on the pane retrieval conditions of the upstream pane of the initial pane, and pane retrieval conditions of the upstream pane of the initial pane may be generated from the retrieved data. And so on until a second predetermined number of pane search criteria are generated. The second preset number may be referred to as the first preset number, and will not be repeated here.
For example, 3 panes of data are presented. The initial search condition is source IP = 3.3.3.3, destination IP = 4.4.4.4. The first tracing direction is leftward, and the first preset number is 2. Then a pane search condition destination IP = 3.3.3.3 may be generated. If the data retrieved using the pane search condition destination IP = 3.3.3.3 has source IP = 2.2.2.2 and destination IP = 3.3.3.3, the pane search condition destination IP = 2.2.2.2 may also be generated, completing the data search. If the first preset number is greater than 2, pane search conditions can continue to be generated and cached.
S208, when the first tracing direction is bidirectional, the initial pane is a midstream pane, pane search conditions corresponding to a third preset number of upstream panes of the initial pane are generated according to the source IP of the initial data, and pane search conditions corresponding to a fourth preset number of downstream panes of the initial pane are generated according to the destination IP of the initial data.
The tracing direction selected by the user is bidirectional, which indicates that the user needs to trace back both upstream and downstream. The initial pane may be arranged in the middle of the page as a hierarchically centered midstream pane in the panes for presentation data. For example, data of 3 panes needs to be presented, the initial pane may be an intermediate pane.
Then, a pane search condition of a pane upstream of the initial pane, whose destination IP is the source IP of the initial data, can be generated based on analyzing the source IP of the initial data; and a pane search condition of a pane downstream of the initial pane, whose source IP is the destination IP of the initial data, may be generated based on analyzing the destination IP of the initial data.
The data retrieved according to the generated pane retrieval conditions continues to be expanded in both directions, generating pane retrieval conditions for a third preset number of upstream panes and pane retrieval conditions for a fourth preset number of downstream panes. The sum of the third preset number and the fourth preset number may be understood with reference to the first preset number, and the description is not repeated here.
For example, 3 panes of data are presented. The initial search condition is source IP = 2.2.2.2, destination IP = 3.3.3.3. The first tracing direction is bidirectional, and the first preset number is 2. Then a pane search condition destination IP = 2.2.2.2 and a pane search condition source IP = 3.3.3.3 may be generated to complete the data search. If the first preset number is greater than 2, pane search conditions can continue to be generated and cached.
Through the scheme recorded in S202-S208, various tracing directions can be provided for the user, who selects the tracing direction when inputting the initial search conditions, so that tracing meeting the user's requirements is completed and user satisfaction is improved. In addition, more pane search conditions than displayed panes can be generated and cached, which increases the speed of subsequent data queries while occupying only a small amount of storage space.
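The following is an added worked example of the condition generation in S202-S208; it is not part of the patent text. Records are (source IP, destination IP) pairs and a pane search condition maps "src" and/or "dst" to a set of IPs, so that a pane whose data has several destination IPs still chains correctly; the record format, the set-valued conditions and the sample records are all assumptions made for the example. Generation stops early when a query returns no data, so no condition is invented beyond the last hop present in the records.

```python
# Added example (not from the patent): generating pane search conditions for
# the rightward, leftward and bidirectional tracing directions of S202-S208.
from typing import Dict, FrozenSet, List, Optional, Tuple

Record = Tuple[str, str]                 # (source IP, destination IP)
Condition = Dict[str, FrozenSet[str]]    # {"src": {...}} and/or {"dst": {...}}

# Constructed sample flow records: 9.9.9.9 -> 1.1.1.1 -> 2.2.2.2 -> ... -> 5.5.5.5,
# with 2.2.2.2 also talking to an unrelated host 6.6.6.6.
RECORDS: List[Record] = [
    ("9.9.9.9", "1.1.1.1"),
    ("1.1.1.1", "2.2.2.2"),
    ("2.2.2.2", "3.3.3.3"),
    ("2.2.2.2", "6.6.6.6"),
    ("3.3.3.3", "4.4.4.4"),
    ("4.4.4.4", "5.5.5.5"),
]


def cond(src=None, dst=None) -> Condition:
    """Build a condition from single IPs or iterables of IPs."""
    c: Condition = {}
    if src is not None:
        c["src"] = frozenset([src]) if isinstance(src, str) else frozenset(src)
    if dst is not None:
        c["dst"] = frozenset([dst]) if isinstance(dst, str) else frozenset(dst)
    return c


def query(records: List[Record], c: Condition) -> List[Record]:
    """Stand-in for the database query: records matching every field of c."""
    return [r for r in records
            if ("src" not in c or r[0] in c["src"])
            and ("dst" not in c or r[1] in c["dst"])]


def downstream_condition(data: List[Record]) -> Optional[Condition]:
    """Source IP of the downstream pane = destination IPs of this pane's data."""
    dsts = frozenset(dst for _, dst in data)
    return cond(src=dsts) if dsts else None


def upstream_condition(data: List[Record]) -> Optional[Condition]:
    """Destination IP of the upstream pane = source IPs of this pane's data."""
    srcs = frozenset(src for src, _ in data)
    return cond(dst=srcs) if srcs else None


def expand(records, initial: Condition, preset: int, step) -> List[Condition]:
    """Generate up to `preset` conditions hop by hop away from `initial`.
    Stops early when a query returns no data (no further hop exists)."""
    conds: List[Condition] = []
    data = query(records, initial)
    for _ in range(preset):
        nxt = step(data)
        if nxt is None:
            break
        conds.append(nxt)
        data = query(records, nxt)
    return conds


def generate_pane_conditions(records, initial: Condition, direction: str,
                             preset_up: int = 0, preset_down: int = 0) -> List[Condition]:
    """Ordered pane conditions, most upstream pane first, initial pane included.
    right: initial is the most upstream pane (preset_down = first preset number)
    left:  initial is the most downstream pane (preset_up = second preset number)
    bidirectional: initial is midstream (third / fourth preset numbers)."""
    if direction == "right":
        return [initial] + expand(records, initial, preset_down, downstream_condition)
    if direction == "left":
        ups = expand(records, initial, preset_up, upstream_condition)
        return ups[::-1] + [initial]
    if direction == "bidirectional":
        ups = expand(records, initial, preset_up, upstream_condition)
        downs = expand(records, initial, preset_down, downstream_condition)
        return ups[::-1] + [initial] + downs
    raise ValueError(f"unknown tracing direction: {direction}")


if __name__ == "__main__":
    start = cond("1.1.1.1", "2.2.2.2")
    for c in generate_pane_conditions(RECORDS, start, "right", preset_down=5):
        print({k: sorted(v) for k, v in c.items()})
```

With the sample records, a rightward trace from source IP 1.1.1.1 / destination IP 2.2.2.2 with a first preset number of 5 yields only four further conditions, because 5.5.5.5 has no downstream data; the second of them carries both 3.3.3.3 and 6.6.6.6 as source IPs, which is how a fan-out in the traffic is kept in the chain rather than dropped.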
In some embodiments, the thread load (queue data amount) can be predicted according to the history record, and the thread number can be dynamically adjusted according to the predicted load so as to use a proper number of threads to read data from the queue and send the data to the front-end display, so that resources are not wasted, the data display efficiency is ensured, and further the user experience is improved.
In this example, each pane corresponds to at least one data queue, data queried based on pane search conditions is stored in the data queue corresponding to the pane, and then the data is read from the data queue according to threads of a set thread number and displayed in the pane corresponding to the data queue.
Referring to fig. 3, fig. 3 is a flow chart of a method for setting the number of threads according to the present application. The method may include S302-S306 as shown in fig. 3.
S302, predicting future data volume by using the data volume prediction model.
The data quantity prediction model is obtained by training based on a data quantity time sequence sample; the data volume time sequence sample comprises data volume data in a period before the marking time and a marking value of the marking time.
The data volume prediction model may be an artificial intelligence model. Such as a deep learning model.
The time sequence samples of the data volume can be obtained through labeling. For example, data may be obtained from historical data for a period of time. Then, the data at a certain time (called a labeling time) is masked, the data in a period before the time is taken as input, and then the data at the time is taken as a labeling value to construct a sample.
For example, the historical data includes the sum of the queue data amount for each day of the whole month of September. Assuming that the prediction model predicts the data amount of day 8 from the 7 preceding days of historical data, the data of September 8 may be used as the label value and the data of September 1 to September 7 as the input of one sample. In this way a number of training samples can be obtained from the historical data.
Training of the data volume prediction model may then be accomplished by means such as supervised training based on the samples. The trained data quantity prediction model has the capability of predicting the data quantity. For example, from the data volume of the previous 7 days, the future data volume can be predicted.
S304, inquiring the number of history threads corresponding to the future data quantity in the history record.
The history record stores the correspondence between the data amount and the number of threads meeting the processing capacity requirement. For example, the history record stores the correspondence between the sum of the queue data amounts and the number of threads that satisfied the second-level response (a response time on the order of seconds). The number of threads meeting the second-level response can be obtained by querying the history record.
S306, completing the setting based on the historical thread number.
Through the scheme recorded in S302-S306, future thread loads can be predicted through the training data quantity prediction model, so that the threads with proper quantity can be used for reading data from the queue and sending the data to the front-end display, resources are not wasted, the data display efficiency is ensured, and further user experience is improved.
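The following is an added worked example of S302-S306; it is not part of the patent text. It builds the time-series samples exactly as described above (mask one day as the labelling time, use the 7 preceding days as input), fits a predictor, and looks up the thread count that achieved the second-level response for the predicted load. The patent's model is a deep-learning model; the least-squares scale model used here is a stand-in so the example runs without an ML library, and the daily volumes and the thread history are constructed values.

```python
# Added example (not from the patent): sample construction, prediction and
# thread-count lookup for S302-S306. The scale model is a stand-in for the
# patent's deep-learning model (an assumption).
from typing import List, Sequence, Tuple

WINDOW = 7  # days of history used to predict the next day

# Constructed history: total queue data amount per day for a 30-day month.
DAILY_VOLUME: List[int] = [1000 + 100 * day for day in range(30)]

# Constructed history record: (data amount, thread count that achieved the
# second-level response at that amount).
THREAD_HISTORY: List[Tuple[int, int]] = [(1000, 2), (2000, 4), (4000, 8), (8000, 16)]


def build_samples(series: Sequence[int], window: int = WINDOW) -> List[Tuple[Sequence[int], int]]:
    """Mask each day in turn (the labelling time): the `window` days before it
    are the input and the masked day's value is the label."""
    return [(series[i - window:i], series[i]) for i in range(window, len(series))]


def train_scale_model(samples) -> float:
    """Supervised least-squares fit of label ~= k * mean(input); returns k."""
    means = [sum(x) / len(x) for x, _ in samples]
    num = sum(m * lbl for m, (_, lbl) in zip(means, samples))
    den = sum(m * m for m in means)
    return num / den


def predict(k: float, recent: Sequence[int]) -> float:
    """Predict the next day's data amount from the most recent window."""
    return k * sum(recent) / len(recent)


def lookup_threads(history: List[Tuple[int, int]], predicted: float) -> int:
    """Smallest recorded thread count whose recorded data amount covers the
    prediction; if the prediction exceeds every record, use the largest count
    rather than extrapolating (the history only proves what it has seen)."""
    for amount, threads in sorted(history):
        if amount >= predicted:
            return threads
    return max(threads for _, threads in history)


def set_thread_count(series: Sequence[int], history) -> Tuple[int, float]:
    """S302-S306 end to end: returns (thread count to set, predicted load)."""
    k = train_scale_model(build_samples(series))
    predicted = predict(k, series[-WINDOW:])
    return lookup_threads(history, predicted), predicted


if __name__ == "__main__":
    threads, load = set_thread_count(DAILY_VOLUME, THREAD_HISTORY)
    print(f"predicted load {load:.0f} -> {threads} threads")
```

On the constructed, steadily growing volumes the fitted factor is slightly above 1, the predicted load lands between 4100 and 4200, and the lookup returns the 16-thread entry, the smallest recorded configuration known to have met the second-level response at that load.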
In some embodiments, tracing may be based on user-selected data. Referring to fig. 4, fig. 4 is a flowchart illustrating a method for assisting a user in tracing. The step of fig. 4 is to describe the tracing of S106 based on the data presented in each of the panes. As shown in fig. 4, the method may include S402-S406.
S402, at least one item of label data selected in any first pane and a selected second tracing direction are obtained.
After presenting the data to the user through the pane, the user may mark the data in any pane. The marked data is referred to as target data. It is understood that the target data is data that the user wants to track the trace source (e.g., attack data that the user believes to be).
Two tracing modes are provided. In the first, the pane retrieval conditions of the original panes are adjusted according to the source IP and the destination IP of the target data, so that only data associated with the target data remains in the original panes, which makes tracing convenient for the user. In the second, new panes are generated, and their search conditions are generated from the source IP and the destination IP of the target data to complete the data search, so that the data in the original panes is not affected.
It will be appreciated that if the user removes the marking of the target data, the initial pane situation may be restored.
The second tracing direction is the direction the user wants to trace to the source at the moment, and the understanding of the second tracing direction can refer to the first tracing direction.
And S404, generating adjacent pane retrieval conditions corresponding to adjacent panes of the arbitrary first pane in the second tracing direction according to the source IP and the destination IP of the target data.
And the adjacent pane is an upstream pane of the arbitrary first pane when the second tracing direction is leftward, and is a downstream pane of the arbitrary first pane when the second tracing direction is rightward.
The adjacent pane may be a newly generated pane or an original pane. If it is an original pane, this corresponds to the first tracing mode; if it is a newly generated pane, this corresponds to the second tracing mode. The generation logic of the pane search condition in S404 may refer to S202 to S208.
S406, inquiring the data of the adjacent panes and displaying the data according to the adjacent pane retrieval conditions so as to trace the source.
Through the scheme recorded in S402-S406, convenient tracing can be provided for the user through two tracing modes, and user experience is improved.
In some embodiments, the attack chain may be generated from data marked by the user within each pane.
Specifically, in response to tracing out the most upstream attacker and the most downstream victim, an attack chain may be generated according to data marked in adjacent panes between a first pane in which the attacker is located and a second pane in which the victim is located.
The most upstream attacker is an attacker for whom no upstream data exists whose destination IP is the attacker's source IP. For example, when a certain attack chain is traced to an attacker whose source IP is IP1, and continued tracing finds no data with IP1 as the destination IP, that attacker is the most upstream attacker; if data with IP1 as the destination IP is found, tracing needs to continue.
The most downstream victim is a victim for whom no downstream data exists whose source IP is the victim's destination IP. For example, when a certain attack chain is traced to a victim whose destination IP is IP2, and continued tracing finds no data with IP2 as the source IP, that victim is the most downstream victim; if data with IP2 as the source IP is found, tracing needs to continue.
For example, the user marks data 1 in pane 1, and in an embodiment the pane search conditions for adjacent pane 2 may be generated from the marked data 1 and the data within adjacent pane 2 queried. The user may continue to mark attack data 2 within adjacent pane 2 and, in an embodiment, the pane search conditions for adjacent pane 3 may be generated from the marked data 2 and the data within adjacent pane 3 queried. The user may proceed with the data marking, and so on, until the user determines the most upstream attacker and the most downstream victim. An attack chain is then obtained from the user-marked data from the attacker to the victim.
Whereby the user can be assisted in generating an attack chain.
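The following is an added worked example of tracing from marked target data (S402-S406, second tracing mode) and of the attack chain generation described above; it is not part of the patent text. The user's marking of one record per adjacent pane is simulated by a `chooser` callback, the records are constructed, and the single-IP condition format is an assumption. Because the chain only ever grows by records it has not marked before, a loop in the traffic (two hosts each sending to the other) terminates the trace instead of running forever.

```python
# Added example (not from the patent): tracing from user-marked target data
# (S402-S406) and building the attacker -> victim chain once the most upstream
# attacker and the most downstream victim are found.
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]  # (source IP, destination IP)

# Constructed sample records: one chain plus an unrelated flow from 1.1.1.1.
RECORDS: List[Record] = [
    ("9.9.9.9", "1.1.1.1"),
    ("1.1.1.1", "2.2.2.2"),
    ("1.1.1.1", "7.7.7.7"),
    ("2.2.2.2", "3.3.3.3"),
    ("3.3.3.3", "4.4.4.4"),
]


def query(records: List[Record], c: Dict[str, str]) -> List[Record]:
    """Stand-in database query for single-IP conditions."""
    return [r for r in records
            if ("src" not in c or r[0] == c["src"])
            and ("dst" not in c or r[1] == c["dst"])]


def adjacent_condition(target: Record, direction: str) -> Dict[str, str]:
    """S404: the adjacent pane's condition from the target's source/destination IP.
    Rightward -> downstream pane, source IP = target's destination IP;
    leftward  -> upstream pane, destination IP = target's source IP."""
    src, dst = target
    return {"src": dst} if direction == "right" else {"dst": src}


def is_most_upstream_attacker(records: List[Record], ip: str) -> bool:
    """No data has this attacker's source IP as its destination IP."""
    return not any(dst == ip for _, dst in records)


def is_most_downstream_victim(records: List[Record], ip: str) -> bool:
    """No data has this victim's destination IP as its source IP."""
    return not any(src == ip for src, _ in records)


def trace_from_mark(records: List[Record], marked: Record,
                    chooser: Callable[[List[Record]], Record]) -> List[Record]:
    """Follow the user's marks downstream, then upstream, querying the adjacent
    pane at each hop, until no adjacent data exists. A record already on the
    chain is never marked again, so a loop in the data cannot trace forever."""
    chain = [marked]
    for direction in ("right", "left"):
        while True:
            edge = chain[-1] if direction == "right" else chain[0]
            data = query(records, adjacent_condition(edge, direction))
            if not data:
                break
            pick = chooser(data)
            if pick in chain:
                break
            if direction == "right":
                chain.append(pick)
            else:
                chain.insert(0, pick)
    return chain


def attack_chain(chain: List[Record]) -> List[str]:
    """Collapse the marked records into the attacker -> ... -> victim IP path."""
    return [chain[0][0]] + [dst for _, dst in chain]


if __name__ == "__main__":
    path = trace_from_mark(RECORDS, ("2.2.2.2", "3.3.3.3"), lambda data: data[0])
    print(" -> ".join(attack_chain(path)))
```

Starting from the marked record 2.2.2.2 -> 3.3.3.3, the trace reaches 4.4.4.4 (no data has it as a source IP, so it is the most downstream victim) and 9.9.9.9 (no data has it as a destination IP, so it is the most upstream attacker); the unrelated flow 1.1.1.1 -> 7.7.7.7 never enters the chain because the upstream condition for 2.2.2.2 only matches data whose destination IP is 2.2.2.2.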
In some embodiments, a method of sliding window tracing is provided for a user. Referring to fig. 5, fig. 5 is a schematic flow chart of a method for tracing a sliding window shown in the present application. The step of fig. 5 is to describe the tracing of S106 based on the data presented in each of the panes. As shown in fig. 5, the method may include S502-S506.
In this example, in order to improve the data query efficiency, after querying the data of each pane, pane search conditions corresponding to a fifth preset number of upstream panes of the current most upstream pane are generated and cached, and pane search conditions corresponding to a sixth preset number of downstream panes of the current most downstream pane are generated and cached.
The fifth preset number and the sixth preset number may be set according to requirements. By caching the pane search conditions, the data query efficiency is improved compared with generating pane search conditions on demand, while the number of cached conditions is bounded so that they do not occupy much storage space.
S502, a sliding tracing operation is received, wherein the sliding tracing operation comprises a third tracing direction and tracing quantity.
The third tracing direction refers to the sliding direction of the user, and can also indicate the direction in which the user wants to trace the source. The third tracing direction may be obtained by a user input or by a user operation. For example, the user operates the mouse to slide the window rightward, and the third tracing direction is right.
The tracing number refers to the number of panes that the user wants to trace back. The tracing number can be derived from the distance the user drags the mouse, or can be input by the user. For example, if a user sliding to the right drags the mouse pointer across two panes, the user traces back 2 panes to the right, and the tracing number is 2.
S504, responding to the sliding tracing operation, and under the condition that the third tracing direction is rightward, acquiring pane retrieval conditions corresponding to the downstream panes of the tracing number of the current downstream pane from the cache, and finishing data query and display.
In this step, when the user needs to trace to the right, the pane retrieval conditions of the tracing number of downstream panes after the current most downstream pane can be obtained from the cache, and the data query and display are completed.
For example, the trace-source number is 2, and the display pane number is 3. Two panes can be slid to the right by S504, showing the rightmost pane before sliding (leftmost pane after sliding), and two downstream panes of the rightmost pane.
S506, under the condition that the third tracing direction is leftward, acquiring pane retrieval conditions corresponding to upstream panes of the tracing number of the current most upstream pane from the cache, and finishing data query and display.
In the step, when the user needs to trace to the left, the pane retrieval conditions of the upstream panes of the tracing quantity before the current most upstream pane can be obtained from the cache, and the data query and the display are completed.
For example, the trace-source number is 2, and the display pane number is 3. Two panes can be slid to the left through S506, revealing the leftmost pane before sliding (the rightmost pane after sliding), and two upstream panes of the leftmost pane.
The attacker tracing mode of the sliding pane can be provided for the user through S502-S506, and user experience is improved.
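The following is an added worked example of the sliding-pane tracing in S502-S506 over a cache of pre-generated pane search conditions; it is not part of the patent text. The window keeps a fifth preset number of conditions cached upstream of the displayed panes and a sixth preset number downstream, and refills the cache after each slide; a slide is clamped to what the cache can supply, so sliding past the end of the data shows as many panes as exist. The record and condition formats and the sample chain of hosts are assumptions.

```python
# Added example (not from the patent): sliding-pane tracing over cached pane
# search conditions (S502-S506).
from typing import Dict, FrozenSet, List, Tuple

Record = Tuple[str, str]
Condition = Dict[str, FrozenSet[str]]

# Constructed sample records: a straight chain 10.0.0.0 -> 10.0.0.1 -> ... -> 10.0.0.7.
RECORDS: List[Record] = [(f"10.0.0.{i}", f"10.0.0.{i + 1}") for i in range(7)]


def query(records: List[Record], c: Condition) -> List[Record]:
    """Stand-in database query with set-valued src/dst conditions."""
    return [r for r in records
            if ("src" not in c or r[0] in c["src"])
            and ("dst" not in c or r[1] in c["dst"])]


def ip(*addrs: str) -> FrozenSet[str]:
    return frozenset(addrs)


class PaneWindow:
    def __init__(self, records: List[Record], conds: List[Condition], n_display: int,
                 cache_up: int = 2, cache_down: int = 2):
        self.records = records
        self.conds = list(conds)      # every known condition, most upstream first
        self.start = 0                # index of the leftmost displayed pane
        self.n_display = n_display
        self.cache_up = cache_up      # fifth preset number
        self.cache_down = cache_down  # sixth preset number
        self.refill()

    def displayed(self) -> List[Condition]:
        return self.conds[self.start:self.start + self.n_display]

    def _cached_up(self) -> int:
        return self.start

    def _cached_down(self) -> int:
        return len(self.conds) - (self.start + self.n_display)

    def refill(self) -> None:
        """Extend the cache on both sides one hop at a time until the preset
        numbers are reached or the data has no further hop."""
        while self._cached_up() < self.cache_up:
            srcs = frozenset(s for s, _ in query(self.records, self.conds[0]))
            if not srcs:
                break
            self.conds.insert(0, {"dst": srcs})
            self.start += 1
        while self._cached_down() < self.cache_down:
            dsts = frozenset(d for _, d in query(self.records, self.conds[-1]))
            if not dsts:
                break
            self.conds.append({"src": dsts})

    def slide(self, direction: str, count: int) -> List[List[Record]]:
        """S504/S506: move the window `count` panes right or left (clamped to
        what the cache holds), refill the cache, and return the data of the
        panes now displayed."""
        if direction == "right":
            self.start += min(count, self._cached_down())
        elif direction == "left":
            self.start -= min(count, self._cached_up())
        else:
            raise ValueError(direction)
        self.refill()
        return [query(self.records, c) for c in self.displayed()]


if __name__ == "__main__":
    initial = [{"src": ip("10.0.0.2"), "dst": ip("10.0.0.3")},
               {"src": ip("10.0.0.3")}, {"src": ip("10.0.0.4")}]
    window = PaneWindow(RECORDS, initial, n_display=3)
    for pane in window.slide("right", 2):
        print(pane)
```

With 3 displayed panes and a tracing number of 2, sliding right shows the pane that was rightmost before the slide as the new leftmost pane together with its two downstream panes, exactly the case described under S504, and the cache behind the new edge is topped up from the records before the next slide.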
In some embodiments, in order to improve the tracing efficiency, the data volume of the query is the data volume of the preset number of pages according to the pane retrieval condition every time, and the data volume is returned to the pane for display. The preset number of pages is set according to the requirement, for example, 3 or 6.
Referring to fig. 6, fig. 6 is a flowchart of a tracing method for improving tracing efficiency shown in the present application. The step of fig. 6 is an explanation of the tracing performed in S106 on the basis of the data presented in each of the panes. As shown in fig. 6, the method may include S602-S606.
S602, responding to page turning operation of a preset page of any first pane, inquiring page turning data of the preset page according to pane searching conditions corresponding to any first pane, and displaying the page turning data on any first pane.
The preset page is related to the preset page number. If the preset page number is 3, the preset pages are the multiples of 3, namely the 3rd, 6th, 9th page and so on; if the preset page number is 5, the preset pages are the multiples of 5, namely the 5th, 10th, 15th page and so on.
For example, if the preset page number is 3, the preset pages are pages 3, 6, 9 and so on. When the user turns to page 3 of any first pane, the data amount of a further 3 pages can be queried and displayed in the pane.
S604, generating an associated pane retrieval condition of an associated pane corresponding to the arbitrary first pane according to the source IP and the destination IP of the queried page turning data.
The related pane refers to all the original panes. The associated pane includes an upstream pane and/or a downstream pane of the arbitrary first pane.
Because the data in any first pane has been turned, the other associated panes also need to update the data they display in order to remain associated with the data of the first pane after the page turn, which facilitates tracing by the user; therefore, in this step the search conditions of the associated panes need to be updated according to the queried page-turning data.
In some implementations, the rules may be updated by an update thread that traverses page-turning identifiers in each queue that indicate whether page-turning operations are to be performed. If a page flip operation is detected, the associated pane retrieval conditions may be updated based on the page flip data.
S606, inquiring and displaying the data of the associated pane according to the associated pane retrieval condition, or caching the associated pane retrieval condition to respond to the page turning operation of the associated pane, inquiring and displaying the data of the associated pane according to the associated pane retrieval condition.
This step provides two schemes: the first updates and displays the data of the associated pane promptly after any first pane turns pages, which makes tracing convenient for the user; the second caches the updated associated pane retrieval conditions until the associated pane itself is turned, and only then queries and displays the data. Various tracing scenarios can thus be served, and the user experience is improved.
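The following is an added worked example of the page-turning behaviour in S602-S606; it is not part of the patent text. A pane's data is fetched a preset number of pages at a time; turning to a page that is already loaded costs no query, turning past the loaded pages fetches the next batch, and the rows fetched by that turn yield the updated search conditions for the associated upstream and downstream panes. The page size, the record format and the sample flows are constructed for the example.

```python
# Added example (not from the patent): batched page queries and the
# associated-pane condition update derived from page-turn data (S602-S606).
from typing import Dict, FrozenSet, List, Tuple

Record = Tuple[str, str]   # (source IP, destination IP)
PRESET_PAGES = 3           # pages queried per batch (the text's "3 or 6")
PAGE_SIZE = 2              # rows per page (constructed; real panes hold more)

# Constructed: ten flows from 2.2.2.2 to 3.3.3.1 .. 3.3.3.10, all matching the
# pane search condition source IP = 2.2.2.2.
PANE_MATCHES: List[Record] = [("2.2.2.2", f"3.3.3.{i}") for i in range(1, 11)]


class PagedPane:
    def __init__(self, matching: List[Record]):
        self.matching = matching            # what the database returns for the pane condition
        self.loaded: List[Record] = []      # rows fetched so far

    def fetch_next_batch(self) -> List[Record]:
        """Query the next PRESET_PAGES pages' worth of rows."""
        start = len(self.loaded)
        batch = self.matching[start:start + PRESET_PAGES * PAGE_SIZE]
        self.loaded.extend(batch)
        return batch

    def turn_to(self, page: int) -> Tuple[List[Record], List[Record]]:
        """S602: return (rows of `page`, rows newly fetched by this turn).
        Turning past the loaded pages fetches batches until the page is
        covered or the data is exhausted; a page beyond the data is empty."""
        new_rows: List[Record] = []
        while len(self.loaded) < page * PAGE_SIZE and len(self.loaded) < len(self.matching):
            new_rows += self.fetch_next_batch()
        rows = self.loaded[(page - 1) * PAGE_SIZE: page * PAGE_SIZE]
        return rows, new_rows


def associated_conditions(new_rows: List[Record]) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """S604: the upstream pane's destination IPs are the new rows' source IPs
    and the downstream pane's source IPs are their destination IPs. Empty when
    nothing new was fetched, in which case no associated pane needs updating."""
    if not new_rows:
        return {}
    return {"upstream": {"dst": frozenset(s for s, _ in new_rows)},
            "downstream": {"src": frozenset(d for _, d in new_rows)}}


if __name__ == "__main__":
    pane = PagedPane(PANE_MATCHES)
    for page in (1, 3, 4, 6):
        rows, new = pane.turn_to(page)
        print(page, rows, associated_conditions(new))
```

The first turn loads three pages (six rows) in one query; turning to page 3 is served from what is loaded and produces no associated-pane update; turning to page 4 fetches the remaining four rows and yields the condition update for the associated panes; turning to page 6 returns nothing because the data is exhausted.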
In some embodiments, the data presentation is performed on a front-end basis and the data query is performed on a back-end basis. The front end displays pane data, and the back end performs data query. In general, the computing pane search conditions will be performed at the back end, which will increase the computing pressure at the back end. In this example, the task of calculating the window search condition may be arranged at the front end, so that the front end resource may be utilized to release the back end resource.
Referring to fig. 7, fig. 7 is a flow chart of a method for completing data query by front-end and back-end coordination. Fig. 7 illustrates the step of generating a pane search condition corresponding to each pane according to the first tracing direction and the source IP and the destination IP of the query result of the initial search condition, and querying the description of the data of each pane according to the pane search condition for S104. As shown in fig. 7, the method may include S702-S706.
S702, the back end returns the query result to the front end for display.
The back end can acquire data from the data queues corresponding to the panes through threads and send the data to the front end, and the front end can complete rendering to display the pane data.
And S704, the front end generates pane retrieval conditions corresponding to each pane according to the first tracing direction based on the source IP and the destination IP of the query result returned by the back end, and returns the pane retrieval conditions to the back end.
The front end is preset with pane search condition generation logic, and after receiving the data returned by the back end, the front end can generate pane search conditions while completing rendering, and returns the pane search conditions to the back end.
S706, the backend queries the data of each pane based on the pane retrieval conditions.
After the back end receives the pane retrieval conditions, it can either cache them until the data is needed, or query the data immediately so that the data queues do not back up.
Through the scheme recorded in S702-S706, only the search condition is required to be maintained at the front end, and only the query task is required to be executed at the back end, so that the front end resource can be utilized, and the back end resource can be released.
In some embodiments, the user may be provided with continued data retrieval within the pane and pane linkage.
In a first scene, in response to receiving a search request for data in any second pane, updating presentation data in any second pane based on a target search condition included in the search request, and in response to a marking operation for attack data in any second pane, updating pane search conditions of an associated pane of the any second pane, and updating presentation data in the associated pane.
For example, the user can continue to input the target search condition in any second pane, and can search the data in any second pane again according to the target search condition input by the user, so that the data meeting the condition is reserved, and the user can conveniently view the data. The user can mark attack data in the rest data, can update the pane retrieval conditions of the associated pane of any second pane according to the source IP and the destination IP of the attack data, update the data, and can continue to trace the data in the associated pane. Thereby facilitating attack tracing by the user.
And in a second scene, in response to receiving a search request for data in any second pane, generating first prompt information when a pane search condition corresponding to any second pane is not matched with a target search condition included in the search request, wherein the first prompt information is used for prompting a user whether to return to an initial pane for searching, in response to the user selecting to return to the initial pane for searching, performing data searching on the initial pane based on the target search condition to obtain a search result, in response to a marking operation for attack data in the search result, updating the pane search condition of an associated pane of the initial pane, and updating display data in the associated pane.
For example, the user may continue to input the target search condition in any second pane, the target search condition may be matched against the pane search condition of that second pane, and if the target search condition is included in the pane search condition, the user's input may be ignored. If the target search condition is not included in the pane search condition, this may indicate that the initial search condition was not reasonably input by the user at first and that the user cannot find the attack data, so the first prompt information can be sent to ask the user whether to apply the newly input target search condition to the initial pane. If the user selects yes, the initial pane data may be updated based on the target search condition and the associated panes updated according to the search results. If the user selects no, the data of that second pane and its associated panes may be updated based on the target search condition.
And in a third scene, in response to receiving a search request for data in any second pane, generating second prompt information when pane search conditions corresponding to any second pane are not matched with target search conditions included in the search request, wherein the second prompt information is used for prompting a user whether to newly create a pane for attack event tracing, in response to selecting a newly created pane by the user, creating a new pane, taking the target search conditions as the initial search conditions, generating pane search conditions of each new pane, querying data and displaying the new pane.
For example, the user may continue to input the target search condition in any second pane, the target search condition may be matched against the pane search condition of that second pane, and if the target search condition is included in the pane search condition, the user's input may be ignored. If the target search condition is not included in the pane search condition, this may indicate that the user needs to set a condition for tracing; so as not to affect the data in the original panes, the second prompt information may be sent to ask the user whether to newly create panes for tracing the data. If the user selects yes, the search result of the target search condition can be used to generate the pane search conditions of the newly created panes and perform data query and presentation. If the user selects no, the original pane data is updated directly.
Therefore, three associated inquiry scenes can be provided, the attack tracing is assisted for the user, and the user experience is improved.
The following describes embodiments in connection with an attack tracing scenario. The system for realizing attack tracing needs to comprise a front end and a back end. The front end is responsible for interacting with the user, receiving input search conditions and displaying pane data. Suppose that 3 panes need to be displayed. The back end is used for expanding the search conditions input at the front end, querying the data according to them, and placing the queried data in the data queue corresponding to each pane for the front end to display. The front and back ends can be connected directly using WebSocket technology.
Referring to fig. 8, fig. 8 is a flowchart of an attack tracing method shown in the present application. As shown in fig. 8, the method may include S801-S807.
S801, a search request input by a user is received. The search request may include a search time and a search condition. The search criteria may include IP address, any field of data, etc.
S802, the front end transmits a search request to the back end.
S803, the back end, in response to receiving the search request, judges whether the search time is legal; if not, the attack tracing is ended, and if so, S804 is performed. If the search time is not legal, the front end may prompt the user.
S804, the back end generates pane search conditions corresponding to each queue according to the initial search conditions in the search request.
The relevant description may refer to S104, S202-S208, etc. This step may generate 6 pane search conditions (including the initial search condition entered by the user). 3 of them can be queried and displayed, and the other three are cached until the pane slides, at which point their data is queried and displayed.
S805, the back end calls the API provided by the database to perform the data query and puts the queried data into the corresponding data queue.
The data of 3 panes can be queried in this step. Each pane can query 3 pages of data first, and when the user is detected to turn to the 4th page, the data query is continued, which improves the data query efficiency and further the attack tracing efficiency. The queues also correspond to update threads, which are used for updating pane retrieval rules during the user's tracing. For example, during attack tracing the user marks attack data in pane 1 or performs a page turning operation; the update thread detects the action and can update the pane retrieval rules of the related panes.
S806, the back end reads the data in the data queue through the processing threads and returns it to the front end.
The number of processing threads can be set with reference to S302 to S306.
S807, the front end may render and display based on the received data.
When the data is displayed, the triple (source IP, destination IP, session ID) of each record can be shown; when the user clicks the details of a record, its details are displayed.
The user can complete attack tracing based on the displayed pane data based on the tracing method described in any embodiment.
Through the scheme recorded in S801-S807: first, the user only needs to input the initial search conditions and slide the panes to complete attacker tracking, so the operation is simple, search and tracking efficiency are improved, and the method is user-friendly. Second, because the search conditions are generated automatically and are related to one another, the queried data is related as well, so the relevance between records does not need to be confirmed manually while reconstructing the attack chain; this is efficient and less error-prone. Third, because subsequent search conditions are generated from all the retrieved data, no data and therefore no attack data is lost, the tracing result is improved, and the attack chain view is not affected. Fourth, the user can conveniently query detailed information, which makes attack tracing convenient.
The application also provides a tracing system for an attack event. Referring to fig. 9, fig. 9 is a schematic structural diagram of a tracing system for an attack event shown in the present application. As shown in fig. 9, the tracing system 900 for an attack event includes: an acquiring unit 910, configured to acquire a tracing request input for the attack event, the tracing request comprising initial retrieval conditions, a first tracing direction and a display style of a pane, where the pane is used for displaying the queried data; a query unit 920, configured to generate, according to the first tracing direction and the source IP and destination IP of the query result of the initial retrieval conditions, a pane retrieval condition corresponding to each pane, and to query the data of each pane according to the pane retrieval conditions, wherein the data queried by the pane retrieval conditions satisfies that, in any two adjacent panes, the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane; and a display unit 930, configured to display data in each pane according to the display style so as to trace the source based on the data displayed in each pane.
In some embodiments, the query unit 920 is further configured to: acquire the initial data queried according to the initial retrieval conditions, the initial data being displayed in an initial pane; when the first tracing direction is rightward, take the initial pane as the most upstream pane and generate, according to the destination IP of the initial data, the pane retrieval conditions corresponding to a first preset number of downstream panes of the initial pane, wherein, in any two adjacent panes, the source IP of the data in the downstream pane is generated based on the destination IP of the data in the upstream pane; when the first tracing direction is leftward, take the initial pane as the most downstream pane and generate, according to the source IP of the initial data, the pane retrieval conditions corresponding to a second preset number of upstream panes of the initial pane, wherein, in any two adjacent panes, the destination IP of the data in the upstream pane is generated based on the source IP of the data in the downstream pane; and when the first tracing direction is bidirectional, take the initial pane as a midstream pane, generate the pane retrieval conditions corresponding to a third preset number of upstream panes of the initial pane according to the source IP of the initial data, and generate the pane retrieval conditions corresponding to a fourth preset number of downstream panes of the initial pane according to the destination IP of the initial data.
In some embodiments, each pane corresponds to at least one data queue, and the data queried based on the pane retrieval conditions is stored in the data queue corresponding to the pane. The display unit 930 is further configured to read data from the data queue with threads of the set thread number and display the data in the pane corresponding to the data queue. The system 900 further comprises a thread setting unit configured to: predict the future data volume using a data volume prediction model, the model being trained on data volume time series samples, each sample comprising the data volume in a period before a marking time and the marked value at the marking time; query the history record for the number of history threads corresponding to the predicted future data volume, the history record storing the correspondence between data volume and the number of threads meeting the processing capacity requirement; and complete the setting based on that historical thread number.
In some embodiments, the display unit 930 is further configured to: acquire at least one item of marked data (the target data) selected in any first pane and a selected second tracing direction; generate, according to the source IP and the destination IP of the target data, the adjacent pane retrieval conditions corresponding to the adjacent pane of that first pane in the second tracing direction, wherein, when the second tracing direction is leftward, the adjacent pane is the upstream pane of that first pane, and when the second tracing direction is rightward, the adjacent pane is the downstream pane of that first pane; and query the data of the adjacent pane according to the adjacent pane retrieval conditions and display it for tracing.
In some embodiments, the display unit 930 is further configured to: in response to having traced the most upstream attacker and the most downstream victim, generate the attack chain from the marked data in the adjacent panes between the first pane where the attacker is located and the second pane where the victim is located.
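The condition-chaining, marking and attack-chain steps described in S804-S807 and in the embodiments above, written out as an added Python example; this is not code from the patent. The record store, field names, session IDs and the in-memory `query` (standing in for the database API of S805) are all constructed here.

```python
"""Added illustration of chained pane retrieval for attack tracing (constructed, not the patent's code)."""
from copy import deepcopy

# Constructed sample of session records (the triple of S807: source IP, destination IP,
# session ID). s1..s4 form a lateral-movement chain; s5 is an unrelated admin session.
RECORDS = [
    {"src": "203.0.113.9", "dst": "10.0.0.5",   "sid": "s1"},  # external host -> jump host
    {"src": "10.0.0.5",    "dst": "10.0.1.20",  "sid": "s2"},  # jump host -> db server
    {"src": "10.0.9.1",    "dst": "10.0.1.20",  "sid": "s5"},  # admin -> db server (benign)
    {"src": "10.0.1.20",   "dst": "10.0.2.7",   "sid": "s3"},  # db server -> file server
    {"src": "10.0.2.7",    "dst": "192.0.2.44", "sid": "s4"},  # file server -> external host
]


def query(cond):
    """Stand-in for the database API call of S805. A condition maps a field name to
    the set of values it may take; a record matches when every field is satisfied."""
    return [r for r in RECORDS if all(r[f] in vals for f, vals in cond.items())]


def pane_condition(data, direction):
    """Derive the neighbour pane's retrieval condition from the IPs of `data`.
    Rightward: the downstream source IP must be one of this pane's destination IPs.
    Leftward: the upstream destination IP must be one of this pane's source IPs."""
    if direction == "right":
        return {"src": {r["dst"] for r in data}}
    if direction == "left":
        return {"dst": {r["src"] for r in data}}
    raise ValueError(f"unknown tracing direction: {direction}")


def generate_panes(initial_cond, direction, n_up=0, n_down=0):
    """Build the pane list ordered most upstream -> most downstream (claim 2).
    'right': initial pane is most upstream and n_down panes follow it;
    'left': initial pane is most downstream and n_up panes precede it;
    'both': initial pane is midstream with n_up panes before and n_down after."""
    initial = {"cond": initial_cond, "data": query(initial_cond), "marked": []}
    panes = [initial]
    if direction in ("right", "both"):
        data = initial["data"]
        for _ in range(n_down):
            cond = pane_condition(data, "right")
            data = query(cond)
            panes.append({"cond": cond, "data": data, "marked": []})
    if direction in ("left", "both"):
        data = initial["data"]
        for _ in range(n_up):
            cond = pane_condition(data, "left")
            data = query(cond)
            panes.insert(0, {"cond": cond, "data": data, "marked": []})
    return panes


def mark(panes, idx, sids, direction):
    """Claim 4: the analyst marks attack records in pane `idx`; the adjacent pane in
    `direction` is re-queried from the marked records only, so benign sessions that
    merely share an IP stop widening the search. Returns a new pane list."""
    panes = deepcopy(panes)
    pane = panes[idx]
    pane["marked"] = [r for r in pane["data"] if r["sid"] in sids]
    adj = idx + 1 if direction == "right" else idx - 1
    if 0 <= adj < len(panes):
        cond = pane_condition(pane["marked"], direction)
        panes[adj] = {"cond": cond, "data": query(cond), "marked": []}
    return panes


def attack_chain(panes, attacker_idx, victim_idx):
    """Claim 5: assemble the chain from the marked records of the panes between the
    attacker pane and the victim pane, checking the claim-1 invariant on every hop
    (each marked record's source IP is a destination IP of the previous pane's marks)."""
    hops, prev_dsts = [], None
    for pane in panes[attacker_idx:victim_idx + 1]:
        if not pane["marked"]:
            raise ValueError("every pane on the chain needs at least one marked record")
        if prev_dsts is not None and any(r["src"] not in prev_dsts for r in pane["marked"]):
            raise ValueError("marked records are not linked to the upstream pane")
        hops.extend((r["src"], r["dst"], r["sid"]) for r in pane["marked"])
        prev_dsts = {r["dst"] for r in pane["marked"]}
    return hops


def trace_example():
    """Bidirectional trace with the db server's inbound sessions as the midstream pane."""
    panes = generate_panes({"dst": {"10.0.1.20"}}, "both", n_up=1, n_down=2)
    # The initial pane (index 1) holds s2 and the benign s5, so the upstream pane was
    # queried for dst in {10.0.0.5, 10.0.9.1}. Marking only s2 narrows it to 10.0.0.5.
    panes = mark(panes, 1, {"s2"}, "left")
    panes = mark(panes, 0, {"s1"}, "left")    # attacker pane: nothing further upstream
    panes = mark(panes, 2, {"s3"}, "right")
    panes = mark(panes, 3, {"s4"}, "right")   # victim pane: nothing further downstream
    return panes, attack_chain(panes, 0, 3)
```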
In some embodiments, after the data of each pane has been queried, the pane retrieval conditions corresponding to a fifth preset number of upstream panes of the current most upstream pane are generated and cached, and the pane retrieval conditions corresponding to a sixth preset number of downstream panes of the current most downstream pane are generated and cached. The display unit 930 is further configured to: receive a sliding tracing operation comprising a third tracing direction and a tracing number; in response to the sliding tracing operation, when the third tracing direction is rightward, fetch from the cache the pane retrieval conditions corresponding to the tracing number of downstream panes of the current most downstream pane and complete the data query and display; and when the third tracing direction is leftward, fetch from the cache the pane retrieval conditions corresponding to the tracing number of upstream panes of the current most upstream pane and complete the data query and display.
In some embodiments, each query according to a pane retrieval condition returns the data of a preset number of pages. The display unit 930 is further configured to: in response to a page turning operation to a preset page in any first pane, query the page turning data of that page according to the pane retrieval condition corresponding to that first pane and display it in that first pane; generate, according to the source IP and the destination IP of the queried page turning data, the associated pane retrieval conditions of the associated panes of that first pane, the associated panes comprising the upstream pane and/or the downstream pane of that first pane; and either query and display the data of the associated panes according to the associated pane retrieval conditions, or cache the associated pane retrieval conditions and, in response to a page turning operation in an associated pane, query and display the data of that associated pane according to them.
In some embodiments, the data presentation is performed by the front end and the data query by the back end. The query unit 920 is further configured so that: the back end returns the query result to the front end for display; the front end generates the pane retrieval conditions corresponding to each pane according to the first tracing direction and the source IP and destination IP of the query result returned by the back end, and returns the pane retrieval conditions to the back end; and the back end queries the data of each pane based on the pane retrieval conditions.
In some embodiments, the display unit 930 is further configured to do one of the following. In response to receiving a search request for the data in any second pane, update the presentation data in that second pane based on the target search conditions included in the search request, and, in response to a marking operation on attack data in that second pane, update the pane search conditions of the associated pane of that second pane and update the presentation data in the associated pane. Alternatively, in response to receiving a search request for the data in any second pane, when the pane search condition corresponding to that second pane does not match the target search condition included in the search request, generate first prompt information asking the user whether to return to the initial pane for searching; in response to the user choosing to return to the initial pane, perform the data search on the initial pane based on the target search condition to obtain a search result, and, in response to a marking operation on attack data in the search result, update the pane search conditions of the associated pane of the initial pane and update the display data in the associated pane. Alternatively, in response to receiving a search request for the data in any second pane, when the pane search condition corresponding to that second pane does not match the target search condition included in the search request, generate second prompt information asking the user whether to create a new pane for attack event tracing; in response to the user choosing to create a new pane, create the new pane, use the target search condition as the initial search condition, generate the pane search condition of each new pane, query the data and display it in the new panes.
One skilled in the relevant art will recognize that one or more embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of the present application may take the form of a computer program product on one or more computer-usable storage media (which may include, but are not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
"and/or" in this application means having at least one of the two. All embodiments in the application are described in a progressive manner, and identical and similar parts of all embodiments are mutually referred, so that each embodiment mainly describes differences from other embodiments. In particular, for data processing apparatus embodiments, the description is relatively simple, as it is substantially similar to method embodiments, with reference to the description of method embodiments in part.
Although this application contains many specific implementation details, these should not be construed as limiting the scope of any disclosure or the scope of what is claimed, but rather as describing features of certain disclosed embodiments. Certain features that are described in this application in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment can also be implemented separately in multiple embodiments or in any suitable subcombination. Furthermore, although features may be described as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or a variation of a subcombination.
Similarly, although operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
The foregoing description of the preferred embodiment(s) of the present application is merely intended to illustrate the embodiment(s) of the present application and is not intended to limit the embodiment(s) of the present application, since any and all modifications, equivalents, improvements, etc. that fall within the spirit and principles of the embodiment(s) of the present application are intended to be included within the scope of the present application.
Claims (10)
1. A method for tracing an attack event, the method comprising:
acquiring a tracing request input for the attack event; the tracing request comprises initial retrieval conditions, a first tracing direction and a display style of a pane; the pane is used for displaying the queried data;
generating pane retrieval conditions corresponding to each pane according to the source IP and the destination IP of the query result of the initial retrieval conditions and the first tracing direction, and querying data of each pane according to the pane retrieval conditions; wherein the data queried by the pane retrieval conditions satisfies that, in any two adjacent panes, the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane;
and carrying out data display on each pane according to the display style so as to determine the most upstream attacker for tracing based on the data displayed by each pane.
2. The method for tracing an attack event according to claim 1, wherein generating a pane search condition corresponding to each pane according to the first tracing direction by using the source IP and the destination IP of the query result of the initial search condition includes:
acquiring initial data queried according to the initial retrieval conditions; the initial data is displayed in an initial pane;
under the condition that the first tracing direction is rightward, the initial pane is the most upstream pane, and pane retrieval conditions respectively corresponding to a first preset number of downstream panes of the initial pane are generated according to the destination IP of the initial data; wherein, in any two adjacent panes, the source IP of the data in the downstream pane is generated based on the destination IP of the data in the upstream pane;
under the condition that the first tracing direction is leftward, the initial pane is the most downstream pane, and pane retrieval conditions respectively corresponding to a second preset number of upstream panes of the initial pane are generated according to the source IP of the initial data; wherein, in any two adjacent panes, the destination IP of the data in the upstream pane is generated based on the source IP of the data in the downstream pane;
and under the condition that the first tracing direction is bidirectional, the initial pane is a midstream pane, pane retrieval conditions corresponding to a third preset number of upstream panes of the initial pane are generated according to the source IP of the initial data, and pane retrieval conditions corresponding to a fourth preset number of downstream panes of the initial pane are generated according to the destination IP of the initial data.
3. The method for tracing an attack event according to claim 1, wherein each pane corresponds to at least one data queue, and data queried based on pane retrieval conditions is stored in the data queue corresponding to the pane;
the data display is carried out on each pane according to the display style, and the method comprises the following steps:
reading data from the data queue according to threads of the set thread number, and displaying the data in a pane corresponding to the data queue;
The method for setting the number of threads comprises the following steps:
predicting future data volume by using a data volume prediction model; the data quantity prediction model is obtained by training based on a data quantity time sequence sample; the data quantity time sequence sample comprises data quantity data in a period before a marking time and a marking value of the marking time;
querying the number of history threads corresponding to the future data volume in the history record; the history record stores the corresponding relation between the data quantity and the number of threads meeting the processing capacity requirement;
and completing the setting based on the historical thread number.
4. The method for tracing an attack event according to claim 1, wherein said determining the most upstream attacker for said tracing based on the data presented in each of said panes comprises:
acquiring at least one item of marked data (the target data) selected in any first pane and a selected second tracing direction;
generating adjacent pane retrieval conditions corresponding to adjacent panes of the arbitrary first pane in the second tracing direction according to the source IP and the destination IP of the target data; wherein, in the case that the second tracing direction is leftward, the adjacent pane is an upstream pane of the arbitrary first pane, and in the case that the second tracing direction is rightward, the adjacent pane is a downstream pane of the arbitrary first pane;
and querying the data of the adjacent panes according to the adjacent pane retrieval conditions, displaying the data, and determining the most upstream attacker for tracing.
5. The method for tracing an attack event according to claim 4, wherein said querying the data of the adjacent panes, displaying the data, and determining the most upstream attacker for tracing comprises:
and in response to tracing out the most upstream attacker and the most downstream victim, generating an attack chain according to the marked data in the adjacent panes between the first pane where the attacker is positioned and the second pane where the victim is positioned.
6. The method for tracing an attack event according to claim 1, wherein after querying the data of each pane, generating pane search conditions corresponding to a fifth preset number of upstream panes of a current most upstream pane and caching, and generating pane search conditions corresponding to a sixth preset number of downstream panes of a current most downstream pane and caching;
the determining the most upstream attacker for the tracing based on the data presented by each pane comprises:
receiving a sliding tracing operation, wherein the sliding tracing operation comprises a third tracing direction and tracing quantity;
responding to the sliding tracing operation: under the condition that the third tracing direction is rightward, acquiring from the cache the pane retrieval conditions corresponding to the tracing number of downstream panes of the current most downstream pane, and finishing data query and display;
and under the condition that the third tracing direction is leftward, acquiring pane retrieval conditions corresponding to the upstream panes of the tracing number of the current most upstream pane from the cache, and finishing data query and display.
7. The method for tracing an attack event according to claim 1, wherein the amount of data to be queried is an amount of data of a preset number of pages each time according to the pane retrieval condition;
the determining the most upstream attacker for the tracing based on the data presented by each pane comprises:
responding to page turning operation of a preset page for any first pane, inquiring page turning data of the preset page according to a pane retrieval condition corresponding to the any first pane, and displaying the page turning data on the any first pane;
generating associated pane retrieval conditions of associated panes corresponding to any first pane according to the source IP and the destination IP of the queried page turning data; the associated pane comprises an upstream pane and/or a downstream pane of the arbitrary first pane;
and querying and displaying the data of the associated pane according to the associated pane retrieval conditions, or caching the associated pane retrieval conditions so as to respond to a page turning operation aimed at the associated pane by querying and displaying the data of the associated pane according to the associated pane retrieval conditions.
8. The method for tracing an attack event according to claim 1, wherein the data presentation is performed based on a front end, and the data query is performed based on a back end;
generating a pane retrieval condition corresponding to each pane according to the source IP and the destination IP of the query result of the initial retrieval condition and the first tracing direction, and querying data of each pane according to the pane retrieval condition, wherein the method comprises the following steps:
the back end returns the query result to the front end for display;
the front end generates pane retrieval conditions corresponding to each pane according to the first tracing direction based on the source IP and the destination IP of the query result returned by the back end, and returns the pane retrieval conditions to the back end;
the backend queries the data of each pane based on the pane retrieval conditions.
9. The method for tracing an attack event according to claim 1, wherein said determining the most upstream attacker for said tracing based on the data presented in each of said panes comprises:
updating presentation data in any second pane based on target search conditions included in a search request in response to receiving the search request for the data in the any second pane, and updating pane search conditions of an associated pane of the any second pane and updating presentation data in the associated pane in response to a marking operation for attack data in the any second pane;
or,
generating first prompt information for prompting a user whether to return to an initial pane for searching or not under the condition that a pane searching condition corresponding to any second pane is not matched with a target searching condition included in the searching request in response to receiving a searching request for data in any second pane, carrying out data searching in the initial pane based on the target searching condition in response to the user selecting to return to the initial pane for searching to obtain a searching result, updating the pane searching condition of an associated pane of the initial pane in response to a marking operation for attack data in the searching result, and updating display data in the associated pane;
Or,
and generating second prompt information for prompting a user whether to newly establish a pane for attack event tracing under the condition that a pane retrieval condition corresponding to any second pane is not matched with a target retrieval condition included in the retrieval request in response to receiving the retrieval request for data in any second pane, establishing a new pane in response to the user selecting the new pane, generating a pane retrieval condition of each new pane by taking the target retrieval condition as the initial retrieval condition, querying data and displaying the data in the corresponding new pane.
10. A system for tracing an attack event, the system comprising:
the acquisition unit acquires a tracing request input for the attack event; the tracing request comprises initial retrieval conditions, a first tracing direction and a display style of a pane; the pane is used for displaying the queried data;
the query unit generates pane retrieval conditions corresponding to each pane according to the first tracing direction and the source IP and the destination IP of the query result of the initial retrieval conditions, and queries the data of each pane according to the pane retrieval conditions; wherein the data queried by the pane retrieval conditions satisfies that, in any two adjacent panes, the source IP of the data in the downstream pane is the destination IP of the data in the upstream pane;
and the display unit displays data in each pane according to the display style so as to determine the most upstream attacker for tracing based on the data displayed in each pane.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311451712.0A CN117176480B (en) | 2023-11-03 | 2023-11-03 | Method and system for tracing attack event |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117176480A CN117176480A (en) | 2023-12-05 |
CN117176480B true CN117176480B (en) | 2024-01-09 |
Family
ID=88947300
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117176480B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7302705B1 (en) * | 2000-08-30 | 2007-11-27 | International Business Machines Corporation | Method and apparatus for tracing a denial-of-service attack back to its source |
CN109067815A (en) * | 2018-11-06 | 2018-12-21 | 深信服科技股份有限公司 | Attack Source Tracing method, system, user equipment and storage medium |
CN110557382A (en) * | 2019-08-08 | 2019-12-10 | 中国科学院信息工程研究所 | Malicious domain name detection method and system by utilizing domain name co-occurrence relation |
CN111585799A (en) * | 2020-04-29 | 2020-08-25 | 杭州迪普科技股份有限公司 | Network fault prediction model establishing method and device |
CN112491913A (en) * | 2020-12-03 | 2021-03-12 | 重庆洞见信息技术有限公司 | Hacker attack tracing analysis system |
CN112800290A (en) * | 2021-03-17 | 2021-05-14 | 深圳赛动生物自动化有限公司 | Tracing data acquisition method, device and equipment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8260909B2 (en) * | 2006-09-19 | 2012-09-04 | Oracle America, Inc. | Method and apparatus for monitoring a data stream |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||