CN117896186A - Vulnerability scanning method, system and storage medium based on log analysis - Google Patents
Vulnerability scanning method, system and storage medium based on log analysis Download PDFInfo
- Publication number
- CN117896186A CN117896186A CN202410292286.9A CN202410292286A CN117896186A CN 117896186 A CN117896186 A CN 117896186A CN 202410292286 A CN202410292286 A CN 202410292286A CN 117896186 A CN117896186 A CN 117896186A
- Authority
- CN
- China
- Prior art keywords
- data
- concerned
- node
- log
- flow chart
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 238000004458 analytical method Methods 0.000 title claims abstract description 38
- 238000012545 processing Methods 0.000 claims abstract description 13
- 238000010586 diagram Methods 0.000 claims description 32
- 238000012216 screening Methods 0.000 claims description 21
- 238000012546 transfer Methods 0.000 claims description 8
- 238000004891 communication Methods 0.000 claims description 7
- 238000004088 simulation Methods 0.000 claims description 6
- 238000012986 modification Methods 0.000 claims description 4
- 230000004048 modification Effects 0.000 claims description 4
- 238000010276 construction Methods 0.000 claims description 3
- 238000007405 data analysis Methods 0.000 claims description 3
- 230000009191 jumping Effects 0.000 description 4
- 230000001360 synchronised effect Effects 0.000 description 2
- 206010033799 Paralysis Diseases 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000001771 impaired effect Effects 0.000 description 1
- 230000001939 inductive effect Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A vulnerability scanning method, system and storage medium based on log analysis belong to the technical field of data processing, and comprise the following steps: acquiring a data stream comprising access paths among all system devices; calculating the suspicious degree of the data flow, if the suspicious degree of the data is larger than or equal to a first threshold value, defining the request data as concerned data, and predicting future access targets of the concerned data; establishing a backup container, and admitting and processing the concerned data if the concerned data flows to a future access target; acquiring high-risk nodes, and executing concerned data by a backup container in the same mode of accessing the target in the future; when the node is running to a high-risk node, judging whether the node is attack data or not based on a comparison result; if the comparison result cannot be judged, the use state value of the specific resource can be compared to judge, and if the concerned data is attack data, the concerned data is isolated to generate an analysis report. The method solves the problem that the attack vulnerability target cannot be predicted in advance to cause the risk of data damage.
Description
Technical Field
The invention belongs to the technical field of data processing, and particularly relates to a vulnerability scanning method, a vulnerability scanning system and a vulnerability scanning storage medium based on log analysis.
Background
With the development of computer technology, network attacks are increasingly flooding, which can lead to significant economic losses for businesses and individuals. For example, a luxury software attack may require payment of redemption to unlock data, while data disclosure may lead to impaired corporate reputation and customer churn, and attacks on critical infrastructure may lead to extensive social confusion and functional paralysis.
In order to protect the security of a computer system, the prior art proposes a method for preventing network attack, for example, a method and a system for alarming network attack are disclosed in the Chinese patent document CN108471429B, and the method detects whether a target host is under network attack and determines the attack type of the network attack; if the target host is under the network attack, detecting whether the network attack is successful or not and determining the attack action of the successful network attack; if the network attack is successful, generating first alarm information comprising the attack type of the network attack and the attack action of the network attack, otherwise, generating second alarm information comprising the attack type of the network attack. The invention can screen out successful network attacks, thereby improving the operation and maintenance efficiency and finding out real loopholes.
However, the above method is based on the recognition after the network attack has occurred, and although the network attack can be prevented, a certain risk of data loss may still occur because countermeasures are taken after the attack is recognized.
Disclosure of Invention
In order to solve the problems, the invention provides a vulnerability scanning method, a vulnerability scanning system and a vulnerability scanning storage medium based on log analysis, so as to better protect the security of system data when an attack enters the system.
In order to achieve the above object, the present invention provides a vulnerability scanning method based on log analysis, including:
analyzing the communication log to obtain a data stream including access paths for the requested data in the respective system devices;
calculating the suspicious degree of the data flow based on the access path, if the suspicious degree is greater than or equal to a first threshold value, defining the request data as concerned data, and predicting a future access target of the concerned data based on the access path;
establishing a backup container, wherein the backup container and the future access target have the same network address and identifier, and if the concerned data flows to the future access target according to a prediction result, the backup container replaces the future access target to accommodate the concerned data;
analyzing the running process of the future access target, acquiring high-risk nodes in the running process, and executing the concerned data by the backup container in the same way as the future access target;
when the backup container runs to the high-risk node, the backup container synthesizes the current system log, analyzes the system log in a comparison database, judges whether the concerned data is attack data or not based on a comparison result, isolates the concerned data if yes, and inputs the concerned data to the future access target if no;
if the data of interest cannot be judged to be attack data based on the comparison result, acquiring a use state value of the specific resource, if the use state value is larger than a second threshold value, isolating the data of interest, and generating an analysis report of the data of interest at the same time so as to remind the future access target of potential loopholes.
Further, predicting a future access target for the data of interest based on the access path comprises the steps of:
numbering each system device, wherein the access path comprises a system name of each system device, the system name is defined as a node, the node has the same number as the system device, the corresponding node is connected by using a flow direction line based on the access path of the concerned data so as to generate a first flow chart corresponding to the access path, and the first flow chart is processed into a second flow chart;
a first template diagram and a corresponding second template diagram are recorded in advance in a database, the first template diagram is generated based on a historical access path, and the historical access path is an access path which is judged to be attacked;
obtaining the existence number of the nodes in the second flow chart, and searching in the database once to screen the second template chart containing the existence number which is more than or equal to the second flow chart, wherein the second template chart is defined as a first screening result;
screening again in the first screening result based on the node numbers included in the second flow chart to obtain a second screening result containing the same node number;
obtaining the first template diagram corresponding to each second screening result, and calculating the matching value of the first flow diagram and each first template diagram based on a first formulaThe first formula is: />Wherein->For the total number of nodes in the first flow chart and the first modular layout, which are numbered identically,/for all nodes in the first flow chart and the first modular layout>For the number of said flow lines connecting the same said nodes in said first flow diagram and said first modular layout +.>、/>The setting can be carried out according to the actual situation;
and defining the first template diagram with the largest matching value as a target template, acquiring an end point node of the target template, and taking the end point node as a future access target of the concerned data.
Further, processing the first flowchart into the second flowchart includes the steps of:
the nodes included in the first flow chart are obtained, the nodes with repeated numbers are located to be target nodes, the target nodes are combined to form one node, meanwhile, based on the positions of the nodes after modification, the flow direction lines are adjusted to modify the first flow chart into a transfer flow chart, the flow direction lines which are directed to the nodes with the same number in the transfer flow chart are simplified, so that each node is connected by only two flow direction lines, and the simplified transfer flow chart is defined as the second flow chart.
Further, calculating the access path suspicion degree includes the following steps:
presetting a first rule, a second rule and a third rule, wherein the first rule, the second rule and the third rule correspond to a first score, a second score and a third score, adding the corresponding scores based on the number of rules satisfied by the access path to obtain a total score, and defining the total score as the suspicious degree of the access path.
Further, analyzing the system log to obtain the access path includes the steps of:
extracting a running log of system equipment, acquiring a department to which the system equipment belongs, acquiring load-bearing software of the request data based on the running log, and continuously tracing a source address of the request data based on the source address to acquire the running log of the request data at the source address, continuously acquiring a system name, the load-bearing software and the department based on the running log, repeating the steps until the acquired running log does not have the source address any more, and generating the access path based on the acquired system name, the load-bearing software and the department to which the request data belongs.
The invention also provides a vulnerability scanning system based on log analysis, which is used for realizing the vulnerability scanning method based on log analysis, and comprises the following steps:
the system comprises an acquisition module, a data acquisition module and a data processing module, wherein the acquisition module analyzes a communication log to acquire a data stream, and the data stream comprises access paths of request data in each system device;
the data analysis module is used for calculating the suspicious degree of the data flow based on the access path, if the suspicious degree is larger than or equal to a first threshold value, defining the request data as concerned data, and predicting a future access target of the concerned data based on the access path;
the simulation construction module is used for establishing a backup container, wherein the backup container and the future access target have the same network address and identifier, and if the concerned data flows to the future access target according to a prediction result, the backup container replaces the future access target to accommodate the concerned data;
the simulation processing module analyzes the running process of the future access target, acquires high-risk nodes in the running process, and the backup container executes the concerned data in the same mode of the future access target;
the first judging module is used for integrating the current system log when the backup container runs to the high-risk node, analyzing the system log in the comparison database, judging whether the concerned data is attack data or not based on the comparison result, isolating the concerned data if yes, and inputting the concerned data to the future access target if no;
and the second judging module is used for acquiring a use state value of the specific resource if the concerned data cannot be judged to be attack data based on the comparison result, isolating the concerned data and generating an analysis report of the concerned data to remind the future access target of potential loopholes if the use state value is larger than a second threshold value.
The invention also provides a computer storage medium which stores program instructions, wherein the program instructions control equipment where the computer storage medium is located to execute the vulnerability scanning method based on log analysis when running.
Compared with the prior art, the invention has the following beneficial effects:
the invention obtains the corresponding access path by analyzing the data flow of the request data, calculates the suspicious degree of the request data through the access path, and further judges the request data with larger suspicious degree only, thereby reducing the analysis pressure of the data; after the request data is determined to be highly suspicious, equipment which is likely to be accessed by the request data in the future is predicted, a backup container which is the same as the equipment to be accessed is established, and the request data is induced to run in the backup container, so that even if the received data is attack data, the data is run in the backup container which is set in advance, the damage to the original system is avoided, and the risk of data damage is reduced.
The attack data generally tend to attack at the high-risk nodes, so that whether the request data is attack data can be determined by carrying out log analysis on the front of the high-risk nodes, and therefore, the invention synthesizes the system log analysis of the request data in front of the high-risk nodes, thereby reducing the workload required by the analysis of related personnel.
Drawings
FIG. 1 is a flow chart of steps of a vulnerability scanning method based on log analysis;
FIG. 2 is a first flow chart of the present invention;
FIG. 3 is a second flowchart of the present invention;
FIG. 4 is a first template diagram of the present invention;
FIG. 5 is a transfer flow chart of the present invention;
fig. 6 is a schematic structural diagram of a vulnerability scanning system based on log analysis.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It will be understood that the terms "first," "second," and the like, as used herein, may be used to describe various elements, but these elements are not limited by these terms unless otherwise specified. These terms are only used to distinguish one element from another element. For example, a first xx script may be referred to as a second xx script, and similarly, a second xx script may be referred to as a first xx script, without departing from the scope of the present application.
As shown in FIG. 1, the invention provides a vulnerability scanning method based on log analysis, which comprises the following steps of;
step S1: the communication log is analyzed to obtain a data stream including access paths for the requested data in the respective system devices.
Specifically, analyzing the system log to obtain the data stream includes the steps of:
extracting a running log of the system equipment, acquiring a department belonging to the system equipment, acquiring load software of the request data based on the running log, and continuously tracing back the source address based on the source address to acquire the running log of the request data at the source address, continuously acquiring a system name, the load software and the department belonging to the request data based on the running log, repeating the steps until the acquired running log does not have the source address any more, and generating an access path based on the acquired system name, the load software and the department belonging to the request data.
The operation log of the system equipment comprises the operation process of each software in the system and the occupancy rate of various resources of system hardware, such as CPU occupancy rate, disk occupancy rate and the like; in addition, the running log also includes the flow direction of the request data, such as which IP address the request data originates from, what equipment the source IP address belongs to, which region, and which department, and then the system log is read from the equipment the source IP address to determine which software (i.e. the bearing software) the request data originates from, so that the access path of the request data can be obtained by tracing forward.
Step S2: and calculating the suspicious degree of the data flow based on the access path, defining the data flow as the data of interest if the suspicious degree is larger than a first threshold value, and predicting the future access target of the data of interest based on the access path.
Further, calculating the access path suspicion includes the steps of:
the method comprises the steps of presetting a first rule, a second rule and a third rule, wherein the first rule, the second rule and the third rule correspond to the preset first score, the preset second score and the preset third score, adding the corresponding scores based on the number of the rules met by the access path to obtain a total score, and defining the total score as the suspicious degree of the access path.
Specifically, the preset first rule is that the concerned data repeatedly jump and visit among nodes, such as jumping from node 1 to node 2, jumping from node 2 to node 4, and jumping from node 4 to node 1, wherein the jumping may be that attack data want to generate a large amount of logs to interfere with analysis of related personnel; the second rule is that access paths which should not occur according to transmission attributes among system devices, like type data is generally accessed according to paths of nodes 1-2-3, and the data is directly jumped to the node 3 from the node 1; the third rule is false access, if no action is performed after reaching the node 3, the next node is continuously accessed; according to the preset first score, second score and third score and the access quantity conforming to various rule conditions, the total score can be calculated, for example, the first score, the second score and the third score are respectively 3 scores, 2 scores and 1 score, and if the access path of the request data meets the first rule and the second rule, the suspicious degree is 3+2=5 scores.
According to the calculated suspicious degree, the data flow which is larger than the first threshold value is concerned data, and according to the access path prediction, future access targets of concerned data can be further determined.
The first threshold is set to 3 points, and since the suspicion of the request data is 5 points, the request data is determined to be data of interest. In addition, specific steps for predicting future access targets based on the current access path will be described in detail later.
Step S3: and establishing a backup container, wherein the backup container has the same network address and identifier as the future access target, and if the concerned data flows to the future access target according to the predicted result, the backup container replaces the future access target to accommodate the concerned data.
Specifically, when the system detects that a data request exists, a storage space with the same network address and identifier as those of a future access target is established as a backup container, and when the data is concerned to access the future access target according to a prediction result, the data concerned is led to the backup container to run.
Step S4: and analyzing the running process of the future access target, acquiring high-risk nodes in the running process, and executing the concerned data by the backup container in the same way as the future access target.
The backup container runs the data of interest in the same way as the future access targets, such as by performing the same data encryption or obfuscation approach to the data of interest.
Step S5: when the system is operated to the high-risk node, the backup container synthesizes the current system log, analyzes the system log in the database, judges whether the concerned data is attack data or not based on the comparison result, isolates the concerned data if yes, and inputs the concerned data to a future access target if no.
Specifically, the data flow analyzes the access process of the access target through different system devices, and obtains the process which is easy to be attacked in the operation process, namely the high-risk node, for example, the software B of the device A is required to be accessed by the request data through analysis, and the software B can be known to be easy to be attacked when the software B is operated to any row of codes or easy to be injected into malicious codes when the software B is operated to any row of codes through analysis in advance; therefore, by inducing the request data into false software to test, so as to judge whether the data is attack data, in this embodiment, an attack standard library is established, the attack standard library stores attack judging standards, such as the size of the attack data, specific codes with identification attack characteristics, and the like, when the concerned data runs to a high-risk node, the current system log data is compared with the attack standard in the attack standard, and if the attack standard condition is met, for example, when the current data log exceeds the attack data size threshold or contains the specific codes with attack characteristics, the concerned data has aggressivity, and the backup container isolates the concerned data; through the steps, even if the data initiates an attack, the data cannot be lost because the data runs in false software.
Step S6: if the comparison result cannot be used for judging whether the concerned data is attack data or not, acquiring a use state value of the specific resource, if the use state value is larger than a second threshold value, isolating the concerned data, and generating an analysis report of the concerned data so as to remind a future access target of potential loopholes.
Specifically, if the judgment standard in the attack standard library is inaccurate or incomplete, when judgment omission occurs, a specific resource use state value when the current data of interest runs, such as the number of allowed communication sessions, the number of openable files and the like, is obtained, compared with a preset state threshold value of each resource, when one of the use state values is larger than a preset second threshold value, the data of interest has aggressivity, the data of interest is isolated, and when the previous data of interest runs to a high-risk node, the data characteristics of the system log data are updated into the attack standard library, and meanwhile, an analysis report of the data of interest is generated, and is output to an operation management terminal through an output unit, so that potential vulnerabilities of future access targets are reminded to be needed to take corresponding measures for avoidance processing; if the data has no aggressiveness, the concerned data is input according to the original access path, and the future access target is continuously accessed, so that the normal operation of the request data is realized.
Further, predicting future access targets for the data of interest based on the access path includes the steps of:
each system device is numbered, the access path includes a system name of each system device, the system name is defined as a node, the node has the same number as the system device, the corresponding node is connected by using a flow line based on the access path of the data of interest, so as to generate a first flow chart corresponding to the access path, and the first flow chart is processed as a second flow chart.
Specifically, as shown in fig. 2, which is an example of a first flowchart of the present invention, numbers 1, 2, 3, and 4 represent system device 1, system device 2, system device 3, and system device 4, respectively, and attention data is first accessed by system device 1 to system device 2 via flow line a, then by system device 2 to system device 3 via flow line b, flow line c is accessed by system device 3 to system device 4, flow line d is accessed by system device 4 to system device 2, and flow line e is accessed by system device 2 to system device 1; the present example also processes the first flowchart to obtain a second flowchart, and as fig. 3 shows the second flowchart obtained after the processing, the second flowchart is a simplification of the first flowchart, in the second flowchart, the data of interest is accessed by the system device 1 to the system device 2 via the flow line a, is accessed by the system device 2 to the system device 3 via the flow line b, and is accessed by the system device 3 to the system device 4 via the flow line 3.
The database is recorded with a first template diagram and a corresponding second template diagram in advance, the first template diagram is generated based on a historical access path, and the historical access path is an access path which is judged to be attacked.
And obtaining the existence number of the nodes in the second flow chart, and performing one-time screening in the database to screen a second template chart containing the existence number which is greater than or equal to that of the second flow chart, wherein the second template chart is defined as a first screening result.
The generating methods of the first template diagram and the second template diagram are the same as the generating methods of the first flow diagram and the second flow diagram, and are not repeated here; referring again to fig. 3, the second flowchart includes 4 nodes, namely node 1, node 2, node 3 and node 4, so that a second template map with the same number of nodes as 4 is screened in the database, and the result obtained by screening is taken as a first screening result.
And screening again in the first screening result based on the node numbers included in the second flow chart to obtain a second screening result containing the same node number.
And (3) screening the second template diagram at least comprising the node numbers 1, 2, 3 and 4 in the first screening result again, namely the second screening result, because the node numbers 1, 2, 3 and 4 are included in the first flow diagram.
Acquiring first template diagrams corresponding to the second screening results, and calculating matching values of the first flow diagrams and the first template diagrams based on a first formulaThe first formula is: />Wherein->For the total number of identically numbered nodes in the first flow diagram and the first modular layout, +.>For the number of flow lines connecting the same node in the first flow diagram and the first modular layout, +.>、/>The setting can be performed according to actual conditions.
To continue the comparison in more detail, the first template corresponding to each second template is filtered, then, the similarity between the first flowchart and each first template is calculated based on the first formula, and if the filtered first template is shown in fig. 4, the first flowchart includes 2 nodes 1 and 2,1 node 3 and 4, and the first template corresponding to the second template includes 2 nodes 1 and 2,1 node 3 and 4, then, if the number of 4 types of nodes is the same, thenIn the first flow chart, the flow line a connects the node 1 and the node 2, the flow line b connects the node 2 and the node 3, the flow line c connects the node 3 and the node 4, the flow line d connects the node 4 and the node 2, the flow line e connects the node 2 and the node 1, and the first template chart is the same, and if the nodes connected by 6 flow lines are the same, the node is the same->。
And defining the first template graph with the largest matching value as a target template, acquiring an end point node of the target template, and taking the end point node as a future access target of the concerned data.
Since the next to be accessed by node 1 in the first template is node 5, the device corresponding to node 5 should be the target of future access.
Further, the processing of the first flowchart into a second flowchart includes the steps of: the method comprises the steps of obtaining nodes included in a first flow chart, locating nodes with repeated numbers as target nodes, merging the target nodes into one node, adjusting flow lines based on the positions of the changed nodes to modify the first flow chart into a transit flow chart, simplifying the flow lines which are directed to the same numbered node in the transit flow chart, enabling each node to be connected by only two flow lines, and defining the simplified transit flow chart as a second flow chart.
Referring to fig. 2, since the node 1 and the node 2 appear twice, the node 1 and the node 2 are set as target nodes, the two nodes 1 and 2 are combined, and the two nodes 2 are combined and correspond to the combined flow lines, then the combined transfer flow chart is shown in fig. 5, and then the flow lines pointing to the same numbered node are reduced, so that the second flow chart shown in fig. 2 is obtained; the flow direction of the request data is converted into the flow chart, so that the request data can be displayed to the analyst on the basis of ensuring the realization of the technical scheme, the analyst is helped to know the flow direction of the data, and the analyst can analyze more in detail.
The invention also provides a vulnerability scanning system based on log analysis, as shown in fig. 6, the system is used for realizing the vulnerability scanning method based on log analysis, and the system mainly comprises the following steps:
and the acquisition module analyzes the communication log to acquire a data stream, wherein the data stream comprises access paths of the request data in each system device.
And the data analysis module is used for calculating the suspicious degree of the data flow based on the access path, defining the request data as the concerned data and predicting the future access target of the concerned data based on the access path if the suspicious degree is larger than or equal to a first threshold value.
The simulation construction module is used for establishing a backup container, wherein the backup container and the future access target have the same network address and identifier, and if the concerned data flows to the future access target according to the prediction result, the backup container replaces the future access target to accommodate the concerned data.
And the simulation processing module analyzes the running process of the future access target, acquires high-risk nodes in the running process, and executes the concerned data in the same mode of the future access target by the backup container.
And the first judging module is used for integrating the current system log by the backup container when the backup container runs to the high-risk node, analyzing the system log in the comparison database, judging whether the concerned data is attack data or not based on the comparison result, isolating the concerned data if yes, and inputting the concerned data to a future access target if no.
And the second judging module is used for acquiring the use state value of the specific resource if the data of interest cannot be judged to be attack data based on the comparison result, isolating the data of interest and generating an analysis report of the data of interest to remind a future access target of potential loopholes if the use state value is larger than a second threshold value.
The invention also provides a computer storage medium which stores program instructions, wherein the device where the computer storage medium is located is controlled to execute the vulnerability scanning method based on log analysis when the program instructions run.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, nor do the order in which the sub-steps or stages are performed necessarily performed in sequence, but may be performed alternately or alternately with at least a portion of the sub-steps or stages of other steps or other steps.
Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of computer programs, which may be stored on a non-transitory computer readable storage medium, and which, when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the foregoing embodiments may be arbitrarily combined, and for brevity, all of the possible combinations of the technical features of the foregoing embodiments are not described, however, they should be considered as the scope of the disclosure as long as there is no contradiction between the combinations of the technical features.
The foregoing examples illustrate only a few embodiments of the invention and are described in detail herein without thereby limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.
Claims (7)
1. The vulnerability scanning method based on log analysis is characterized by comprising the following steps of:
analyzing the communication log to obtain a data stream including access paths for the requested data in the respective system devices;
calculating the suspicious degree of the data flow based on the access path, if the suspicious degree is greater than or equal to a first threshold value, defining the request data as concerned data, and predicting a future access target of the concerned data based on the access path;
establishing a backup container, wherein the backup container and the future access target have the same network address and identifier, and if the concerned data flows to the future access target according to a prediction result, the backup container replaces the future access target to accommodate the concerned data;
analyzing the running process of the future access target, acquiring high-risk nodes in the running process, and executing the concerned data by the backup container in the same way as the future access target;
when the backup container runs to the high-risk node, the backup container synthesizes the current system log, analyzes the system log in a comparison database, judges whether the concerned data is attack data or not based on a comparison result, isolates the concerned data if yes, and inputs the concerned data to the future access target if no;
if the data of interest cannot be judged to be attack data based on the comparison result, acquiring a use state value of the specific resource, if the use state value is larger than a second threshold value, isolating the data of interest, and generating an analysis report of the data of interest at the same time so as to remind the future access target of potential loopholes.
2. The vulnerability scanning method based on log analysis of claim 1, wherein predicting future access targets of the data of interest based on the access path comprises the steps of:
numbering each system device, wherein the access path comprises a system name of each system device, the system name is defined as a node, the node has the same number as the system device, the corresponding node is connected by using a flow direction line based on the access path of the concerned data so as to generate a first flow chart corresponding to the access path, and the first flow chart is processed into a second flow chart;
a first template diagram and a corresponding second template diagram are recorded in advance in a database, the first template diagram is generated based on a historical access path, and the historical access path is an access path which is judged to be attacked;
obtaining the existence number of the nodes in the second flow chart, and searching in the database once to screen the second template chart containing the existence number which is more than or equal to the second flow chart, wherein the second template chart is defined as a first screening result;
screening again in the first screening result based on the node numbers included in the second flow chart to obtain a second screening result containing the same node number;
obtaining the first template diagram corresponding to each second screening result, and calculating the matching value of the first flow diagram and each first template diagram based on a first formulaThe first formula is: />Wherein->For the total number of nodes in the first flow chart and the first modular layout, which are numbered identically,/for all nodes in the first flow chart and the first modular layout>For the number of said flow lines connecting the same said nodes in said first flow diagram and said first modular layout +.>、/>Can be set according to actual conditions;
And defining the first template diagram with the largest matching value as a target template, acquiring an end point node of the target template, and taking the end point node as a future access target of the concerned data.
3. The vulnerability scanning method based on log analysis of claim 2, wherein processing the first flow chart into the second flow chart comprises the steps of:
the nodes included in the first flow chart are obtained, the nodes with repeated numbers are located to be target nodes, the target nodes are combined to form one node, meanwhile, based on the positions of the nodes after modification, the flow direction lines are adjusted to modify the first flow chart into a transfer flow chart, the flow direction lines which are directed to the nodes with the same number in the transfer flow chart are simplified, so that each node is connected by only two flow direction lines, and the simplified transfer flow chart is defined as the second flow chart.
4. The vulnerability scanning method based on log analysis of claim 1, wherein calculating the access path suspicion comprises the steps of:
presetting a first rule, a second rule and a third rule, wherein the first rule, the second rule and the third rule correspond to a first score, a second score and a third score, adding the corresponding scores based on the number of rules satisfied by the access path to obtain a total score, and defining the total score as the suspicious degree of the access path.
5. The vulnerability scanning method based on log analysis of claim 1, wherein analyzing the system log to obtain the access path comprises the steps of:
extracting a running log of system equipment, acquiring a department to which the system equipment belongs, acquiring load-bearing software of the request data based on the running log, and continuously tracing a source address of the request data based on the source address to acquire the running log of the request data at the source address, continuously acquiring a system name, the load-bearing software and the department based on the running log, repeating the steps until the acquired running log does not have the source address any more, and generating the access path based on the acquired system name, the load-bearing software and the department to which the request data belongs.
6. A vulnerability scanning system based on log analysis for implementing a vulnerability scanning method based on log analysis as claimed in any one of claims 1-5, comprising:
the system comprises an acquisition module, a data acquisition module and a data processing module, wherein the acquisition module analyzes a communication log to acquire a data stream, and the data stream comprises access paths of request data in each system device;
the data analysis module is used for calculating the suspicious degree of the data flow based on the access path, if the suspicious degree is larger than or equal to a first threshold value, defining the request data as concerned data, and predicting a future access target of the concerned data based on the access path;
the simulation construction module is used for establishing a backup container, wherein the backup container and the future access target have the same network address and identifier, and if the concerned data flows to the future access target according to a prediction result, the backup container replaces the future access target to accommodate the concerned data;
the simulation processing module analyzes the running process of the future access target, acquires high-risk nodes in the running process, and the backup container executes the concerned data in the same mode of the future access target;
the first judging module is used for integrating the current system log when the backup container runs to the high-risk node, analyzing the system log in the comparison database, judging whether the concerned data is attack data or not based on the comparison result, isolating the concerned data if yes, and inputting the concerned data to the future access target if no;
and the second judging module is used for acquiring a use state value of the specific resource if the concerned data cannot be judged to be attack data based on the comparison result, isolating the concerned data and generating an analysis report of the concerned data to remind the future access target of potential loopholes if the use state value is larger than a second threshold value.
7. A computer storage medium, wherein the computer storage medium stores program instructions, and wherein the program instructions, when executed, control a device in which the computer storage medium is located to perform a vulnerability scanning method based on log analysis as claimed in any one of claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410292286.9A CN117896186B (en) | 2024-03-14 | Vulnerability scanning method, system and storage medium based on log analysis |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410292286.9A CN117896186B (en) | 2024-03-14 | Vulnerability scanning method, system and storage medium based on log analysis |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117896186A true CN117896186A (en) | 2024-04-16 |
| CN117896186B CN117896186B (en) | 2024-05-31 |
Family
ID=
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150332104A1 (en) * | 2014-05-14 | 2015-11-19 | Mobileye Vision Technologies Ltd. | Systems and methods for detecting traffic signs |
| US20160234238A1 (en) * | 2015-02-11 | 2016-08-11 | Qualys, Inc. | System and method for web-based log analysis |
| US20190215330A1 (en) * | 2018-01-07 | 2019-07-11 | Microsoft Technology Licensing, Llc | Detecting attacks on web applications using server logs |
| WO2021008028A1 (en) * | 2019-07-18 | 2021-01-21 | 平安科技(深圳)有限公司 | Network attack source tracing and protection method, electronic device and computer storage medium |
| WO2021068178A1 (en) * | 2019-10-11 | 2021-04-15 | Beijing Didi Infinity Technology And Development Co., Ltd. | Systems and methods for image quality detection |
| CN115695043A (en) * | 2022-11-18 | 2023-02-03 | 奇安信网神信息技术(北京)股份有限公司 | Vulnerability scanning attack detection method, model training method and device |
| CN117560189A (en) * | 2023-11-13 | 2024-02-13 | 贵州电网有限责任公司信息中心 | Power system access safety protection method and device and power system platform |
| US20240054227A1 (en) * | 2022-08-10 | 2024-02-15 | Microsoft Technology Licensing, Llc | Identification of a resource attack path by connecting code, configuration, and telemetry |
| CN117614734A (en) * | 2023-12-15 | 2024-02-27 | 北京安信天行科技有限公司 | Cloud primary container boundary authority identification method and device |
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20150332104A1 (en) * | 2014-05-14 | 2015-11-19 | Mobileye Vision Technologies Ltd. | Systems and methods for detecting traffic signs |
| US20160234238A1 (en) * | 2015-02-11 | 2016-08-11 | Qualys, Inc. | System and method for web-based log analysis |
| US20190215330A1 (en) * | 2018-01-07 | 2019-07-11 | Microsoft Technology Licensing, Llc | Detecting attacks on web applications using server logs |
| WO2021008028A1 (en) * | 2019-07-18 | 2021-01-21 | 平安科技(深圳)有限公司 | Network attack source tracing and protection method, electronic device and computer storage medium |
| WO2021068178A1 (en) * | 2019-10-11 | 2021-04-15 | Beijing Didi Infinity Technology And Development Co., Ltd. | Systems and methods for image quality detection |
| US20240054227A1 (en) * | 2022-08-10 | 2024-02-15 | Microsoft Technology Licensing, Llc | Identification of a resource attack path by connecting code, configuration, and telemetry |
| CN115695043A (en) * | 2022-11-18 | 2023-02-03 | 奇安信网神信息技术(北京)股份有限公司 | Vulnerability scanning attack detection method, model training method and device |
| CN117560189A (en) * | 2023-11-13 | 2024-02-13 | 贵州电网有限责任公司信息中心 | Power system access safety protection method and device and power system platform |
| CN117614734A (en) * | 2023-12-15 | 2024-02-27 | 北京安信天行科技有限公司 | Cloud primary container boundary authority identification method and device |
Non-Patent Citations (6)
| Title |
|---|
| ARDIAN OKTADIKA 等: ""Hunting Cyber Threats in the Enterprise Using Network Defense Log"", 《2021 9TH INTERNATIONAL CONFERENCE ON INFORMATION AND COMMUNICATION TECHNOLOGY (ICOICT)》, 6 September 2021 (2021-09-06) * |
| SUHASINI SODAGUDI 等: ""Novel Approaches to Identify and Prevent Cyber Attacks in Web"", 《2019 3RD INTERNATIONAL CONFERENCE ON COMPUTING METHODOLOGIES AND COMMUNICATION (ICCMC)》, 29 August 2019 (2019-08-29) * |
| 沈艳: ""基于事务日志的智能合约漏洞检测"", 《万方数据库》, 22 January 2024 (2024-01-22) * |
| 王君: ""网络安全合规测试评审评估技术研究"", 《电子元器件与信息技术》, 20 December 2023 (2023-12-20) * |
| 金京犬: ""网络安全应急响应日志分析服务技术研究"", 《萍乡学院学报》, 15 June 2022 (2022-06-15) * |
| 魏璐露 等: ""基于SVM-DT-MLP模型的Web日志异常流量检测研究"", 《万方数据库》, 5 March 2024 (2024-03-05) * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112003870B (en) | Network encryption traffic identification method and device based on deep learning | |
| CN108932426B (en) | Unauthorized vulnerability detection method and device | |
| WO2019144549A1 (en) | Vulnerability testing method and device, computer equipment, and storage medium | |
| CN108256322B (en) | Security testing method and device, computer equipment and storage medium | |
| CN112560045A (en) | Application program vulnerability detection method and device, computer equipment and storage medium | |
| CN105009132A (en) | Event correlation based on confidence factor | |
| US20170155683A1 (en) | Remedial action for release of threat data | |
| CN113472803A (en) | Vulnerability attack state detection method and device, computer equipment and storage medium | |
| CN112367338A (en) | Malicious request detection method and device | |
| CN117896186B (en) | Vulnerability scanning method, system and storage medium based on log analysis | |
| CN115314268B (en) | Malicious encryption traffic detection method and system based on traffic fingerprint and behavior | |
| Laptiev et al. | Algorithm for Recognition of Network Traffic Anomalies Based on Artificial Intelligence | |
| CN117896186A (en) | Vulnerability scanning method, system and storage medium based on log analysis | |
| Thomas et al. | Comparative analysis of dimensionality reduction techniques on datasets for zero-day attack vulnerability | |
| CN115827379A (en) | Abnormal process detection method, device, equipment and medium | |
| CN116015861A (en) | Data detection method and device, electronic equipment and storage medium | |
| US20220374524A1 (en) | Method and system for anamoly detection in the banking system with graph neural networks (gnns) | |
| CN115776397A (en) | Method and system for opening computer network firewall | |
| CN111191235B (en) | Suspicious file analysis method, suspicious file analysis device and computer readable storage medium | |
| Rashid et al. | Enhanced website phishing detection based on the cyber kill chain and cloud computing | |
| Al-Saedi et al. | Research Proposal: an Intrusion Detection System Alert Reduction and Assessment Framework based on Data Mining. | |
| Brindavathi et al. | An Analysis of AI-based SQL Injection (SQLi) Attack Detection | |
| CN117134999B (en) | Safety protection method of edge computing gateway, storage medium and gateway | |
| Arul et al. | Malware detection using higher order statistical parameters | |
| CN114257415B (en) | Network attack defending method, device, computer equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant |