WO2021253899A1 - Targeted attack detection method and apparatus, and computer-readable storage medium - Google Patents

Targeted attack detection method and apparatus, and computer-readable storage medium

Info

Publication number: WO2021253899A1
Authority: WO (WIPO (PCT))
Application number: PCT/CN2021/081482
Other languages: French (fr), Chinese (zh)
Prior art keywords: attack, address, parameter, source, targeted
Inventors: 刘伯仲, 王远
Original assignee: 深信服科技股份有限公司
Application filed by 深信服科技股份有限公司
Publication of WO2021253899A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
        • H04L45/00 Routing or path finding of packets in data switching networks > H04L45/24 Multipath > H04L45/245 Link aggregation, e.g. trunking
        • H04L63/00 Network architectures or network communication protocols for network security > H04L63/12 Applying verification of the received information > H04L63/126 Applying verification of the source of the received data
        • H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • the present invention relates to the field of network security, in particular to a targeted attack detection method and device and computer readable storage medium.
  • SIEM: Security Information and Event Management
  • the main purpose of the present invention is to provide a targeted attack detection method and device and a computer-readable storage medium, which aim to solve the problem that the network security of a device is poorly guaranteed.
  • the present invention provides a targeted attack detection method, which includes the following steps:
  • a target source IP address for a targeted attack on the device is determined.
  • the step of determining a target source IP address for a targeted attack on the device in each of the source IP addresses according to the first attack parameter and the reference parameter includes:
  • the reference parameter includes a second attack parameter
  • the second attack parameter is determined according to each attacked information of the device
  • the source IP address corresponding to the ratio greater than the preset ratio is determined as the target source IP address of the targeted attack on the device.
  • the step of determining a target source IP address for a targeted attack on the device in each of the source IP addresses according to the first attack parameter and the reference parameter includes:
  • the source IP address corresponding to the first attack parameter that is greater than or equal to the preset parameter is determined as the target source IP address of the targeted attack on the device.
  • the method further includes:
  • the step of generating description information of a targeted attack according to the attacked information corresponding to the target source IP address includes:
  • the first attack parameter includes the number of attacks on the device by the source IP address or the cumulative attack duration of the attack on the device by the source IP address.
  • the present invention also provides a targeted attack detection device, the targeted attack detection device includes:
  • a determining module configured to determine the first attack parameter corresponding to the attacked information with the same source IP address
  • the determining module is further configured to determine a target source IP address for a targeted attack on the device in each of the source IP addresses according to the first attack parameter and the reference parameter.
  • the present invention also provides a targeted attack detection device, which includes a memory, a processor, and a targeted attack detection program stored in the memory and runnable on the processor. When the targeted attack detection program is executed by the processor, each step of the above-mentioned targeted attack detection method is realized.
  • the present invention also provides a computer-readable storage medium that stores a targeted attack detection program; when the targeted attack detection program is executed by a processor, the individual steps of the targeted attack detection method described above are realized.
  • the targeted attack detection device obtains the attacked information corresponding to the device, determines the first attack parameter corresponding to the attacked information with the same source IP address, and determines, among the source IP addresses, the target source IP address of the targeted attack on the device according to the first attack parameter and the reference parameter. Since the targeted attack detection device collects the attacked information of the device and determines the attack parameters of the attacked information of each source IP address, the source IP address of the targeted attack on the device is accurately determined according to the attack parameters, so that the device can adopt corresponding protective measures against the source IP address of the targeted attack and its network security is ensured.
  • FIG. 1 is a schematic diagram of the hardware of a targeted attack detection device involved in a solution of an embodiment of the present invention
  • FIG. 2 is a schematic flowchart of the first embodiment of the targeted attack detection method of the present invention.
  • FIG. 3 is a schematic diagram of the detailed process of step S30 in the second embodiment of the targeted attack detection method of the present invention.
  • FIG. 4 is a schematic diagram of the detailed flow of step S30 in the third embodiment of the targeted attack detection method of the present invention.
  • FIG. 5 is a schematic flowchart of a fourth embodiment of the targeted attack detection method of the present invention.
  • FIG. 6 is a detailed flowchart of step S40 in the fifth embodiment of the targeted attack detection method of the present invention.
  • FIG. 7 is a detailed flowchart of step S40 in the sixth embodiment of the targeted attack detection method of the present invention.
  • FIG. 8 is a schematic diagram of functional modules of the targeted attack detection device of the present invention.
  • the main solution of the embodiment of the present invention is: obtain the attacked information corresponding to the device; determine the first attack parameter corresponding to the attacked information with the same source IP address; and determine, among the source IP addresses, a target source IP address for a targeted attack on the device according to the first attack parameter and the reference parameter.
  • the present invention provides a solution. Since the targeted attack detection device collects the attacked information of the device and determines the attack parameters of the attacked information of each source IP address, the source IP address of the targeted attack on the device is accurately determined according to the attack parameters, which enables the device to adopt corresponding protective measures against that source IP address and ensures the network security of the device.
  • the targeted attack detection device may be as shown in FIG. 1.
  • FIG. 1 is a targeted attack detection device involved in a solution of an embodiment of the present invention.
  • the targeted attack detection device may include a processor 1001, such as a CPU, a memory 1002, and a communication bus 1003.
  • the communication bus 1003 is used to realize the connection and communication between these components.
  • the memory 1003 may be a high-speed RAM memory, or a non-volatile memory such as a magnetic disk memory.
  • the memory 1002 may also be a storage device independent of the aforementioned processor 1001.
  • the memory 1002 may include a targeted attack detection program.
  • the processor 1001 may be used to call a targeted attack detection program stored in the memory 1002, and perform the following operations:
  • a target source IP address for a targeted attack on the device is determined.
  • the processor 1001 may call a targeted attack detection program stored in the memory 1005, and also perform the following operations:
  • the reference parameter includes a second attack parameter
  • the second attack parameter is determined according to each attacked information of the device
  • the source IP address corresponding to the ratio greater than the preset ratio is determined as the target source IP address of the targeted attack on the device.
  • the processor 1001 may call a targeted attack detection program stored in the memory 1005, and also perform the following operations:
  • the source IP address corresponding to the first attack parameter that is greater than or equal to the preset parameter is determined as the target source IP address of the targeted attack on the device.
  • the processor 1001 may call a targeted attack detection program stored in the memory 1005, and also perform the following operations:
  • the processor 1001 may call a targeted attack detection program stored in the memory 1005, and also perform the following operations:
  • the step of generating description information of a targeted attack according to the attacked information corresponding to the target source IP address includes:
  • the first attack parameter includes the number of attacks on the device by the source IP address or the cumulative attack duration of the attack on the device by the source IP address.
  • the targeted attack detection device obtains the attacked information corresponding to the device, determines the first attack parameter corresponding to the attacked information with the same source IP address, and determines, among the source IP addresses, the target source IP address of the targeted attack on the device according to the first attack parameter and the reference parameter. Since the targeted attack detection device collects the attacked information of the device and determines the attack parameters of the attacked information of each source IP address, the source IP address of the targeted attack on the device is accurately determined according to the attack parameters, so that the device can adopt corresponding protective measures against that source IP address and its network security is ensured.
  • Fig. 2 is a first embodiment of a method for detecting a targeted attack according to the present invention.
  • the method for detecting a targeted attack includes:
  • Step S10 obtain the attacked information corresponding to the device
  • the execution subject is a targeted attack detection device.
  • the targeted attack detection device communicates with the cloud, or the targeted attack detection device is the cloud.
  • the device is equipped with multiple security software, which can be applications such as firewall, Internet behavior management, terminal security, and database security.
  • the device can be registered on the cloud, so that the security software in the device can upload the security data to the cloud, and classify each security data as the security data corresponding to the device.
  • when the security software detects that the device is under attack, it generates security data and sends the security data to the cloud.
  • the cloud receives the security data, determines the device where the security software that sends the security data is located, and stores the security data in association with the device.
  • the security data also includes the log data of key security events generated by the operating system of the device.
  • the log data records the time when the attack is detected, the type of the event, and the actors associated with the event, and some logs also contain the risk level of the alarm.
  • the device used below refers to the targeted attack detection device.
  • the device itself can be used as a targeted attack detection device, that is, the targeted attack detection device collects security data about itself under attack.
  • the targeted attack detection device can perform targeted attack detection on the device periodically, or in response to a targeted attack detection request sent by the device. In either case it obtains the attacked information corresponding to the device, of which there are multiple items. It should be noted that the targeted attack detection device first obtains the security data corresponding to the device from the cloud; the security data may be the security data of the most recent time period, for example the most recent week. The targeted attack detection device then cleans the security data, that is, it filters out the data that does not meet the requirements, removes redundant or erroneous data, and retains only valid data.
  • the data to be cleaned generally takes the following forms: 1) log records with an incorrect format, such as a log length that does not meet the requirements; 2) logs with incorrect content, such as an IP address, port number or other field outside the normal range; 3) parsed information that does not meet the requirements of the detection logic, for example a parsing result showing that the log records communication between intranet hosts.
  • feature extraction is then performed on the cleaned security data; the features are features of the network attack, and the result is attacked information that contains the feature data.
  • the feature data can be information such as the source IP, destination IP, alarm type and alarm generation time in the firewall or terminal security data.
  • Step S20 Determine the first attack parameter corresponding to the attacked information with the same source IP address
  • the device is equipped with detection rules for targeted attacks, and the detection rules can include one or more, which can be set according to the actual situation.
  • the targeted attack detection device needs to obtain the first attack parameter corresponding to the attacked information with the same source IP address, and judge whether the first attack parameter meets the detection rule. If it does, it can be determined that the source IP address corresponding to the first attack parameter has carried out a targeted attack on the device.
  • the first attack parameter includes the number of attacks on the device by the source IP address or the cumulative attack duration of the attack on the device by the source IP address.
  • after obtaining the attacked information corresponding to the device, the targeted attack detection device determines the items of attacked information that have the same source IP address. Specifically, each item of attacked information includes the source IP address, and the device traverses the attacked information to find the items with the same source IP address, counting the first attack parameter as it goes; once the traversal is complete, the first attack parameter of each source IP address is obtained from these statistics. Alternatively, the device can classify the attacked information so that all items in one class share the same source IP address, and determine the first attack parameter for each class.
  • Step S30 Determine a target source IP address for a targeted attack on the device in each of the source IP addresses according to the first attack parameter and the reference parameter.
  • the detection rules can be set by reference parameters. That is, the device judges whether the first attack parameter matches the reference parameter, and if they match, it can be determined that the source IP address corresponding to the first attack parameter has carried out a targeted attack on the device, and the source IP address is the target source IP address.
  • the reference parameter includes a preset parameter or a second attack parameter, and the type of the reference parameter is the same as the type of the first attack parameter. For example, if the first attack parameter is the number of attacks, the preset parameter may be the preset number of attacks; if the first attack parameter is the cumulative attack duration, the preset parameter may be the preset attack duration.
  • the second attack parameter is determined by all the attacked information of the device, and the second attack parameter includes the total number of attacks for which the device is attacked or the cumulative total attack duration for which the device is attacked.
  • after obtaining the first attack parameter corresponding to each source IP address, the targeted attack detection device determines whether each first attack parameter matches the reference parameter. For example, if the first attack parameter is the number of attacks and the reference parameter is the preset number of attacks, the first attack parameter matches the reference parameter when it is greater than or equal to the preset number of attacks. Each source IP address whose first attack parameter matches the reference parameter is determined as a target source IP address, that is, a source IP address that initiated a targeted attack on the device.
  • the targeted attack detection device obtains the attacked information corresponding to the device, determines the first attack parameter corresponding to the attacked information with the same source IP address, and compares the first attack parameter with the reference parameter to determine the target source IP address of the targeted attack on the device. Since the targeted attack detection device collects the attacked information of the device and determines the attack parameters of the attacked information of each source IP address, the source IP address of the targeted attack on the device is accurately determined according to the attack parameters, so that the device can adopt corresponding protective measures against that source IP address and its network security is ensured.
  • Fig. 3 is a second embodiment of the targeted attack detection method of the present invention. Based on the first embodiment, the step S30 includes:
  • Step S31 Determine a ratio between the first attack parameter and the second attack parameter, the reference parameter includes a second attack parameter, and the second attack parameter is determined according to each attacked information of the device;
  • Step S32 Determine the source IP address corresponding to the ratio that is greater than the preset ratio as the target source IP address for a targeted attack on the device.
  • the reference parameter includes the second attack parameter
  • the second attack parameter includes the total number of attacks in which the device is attacked or the cumulative total attack time period in which the device is attacked.
  • the targeted attack detection device acquires the first attack parameter and the second attack parameter, and then calculates the ratio between them.
  • the time windows corresponding to the first attack parameter and the second attack parameter are the same.
  • for example, if the first attack parameter is the number of attacks and the second attack parameter is the total number of attacks, the number of attacks is determined from the attacked information in the first set within the target time window, and the total number of attacks is determined from all attacked information of the device within the same target time window.
  • the device judges whether the ratio is greater than the preset ratio. If it is, the source IP address of the first attack parameter corresponding to the ratio is determined to be the target source IP address, that is, the target source IP address has carried out a targeted attack on the device.
  • the first attack parameter includes the number of attacks or the cumulative attack duration, so the ratio is either the ratio between the number of attacks and the total number of attacks, or the ratio between the cumulative attack duration and the cumulative total attack duration.
  • the two kinds of ratio correspond to different preset ratios.
  • the device selects the preset ratio that corresponds to the kind of ratio being used in order to determine the target source IP address.
  • the device determines the ratio between the first attack parameter and the second attack parameter and judges whether the ratio is greater than the preset ratio; if it is, the source IP address corresponding to the first attack parameter is taken as the target source IP address, so that the source IP address of the targeted attack on the device is accurately determined.
  • Figure 4 is a third embodiment of the targeted attack detection method of the present invention. Based on the first embodiment, the step S30 includes:
  • Step S33 Compare the first attack parameter with the preset parameter, where the reference parameter includes the preset parameter;
  • Step S34 Determine the source IP address corresponding to the first attack parameter that is greater than or equal to the preset parameter as the target source IP address for the targeted attack on the device.
  • the reference parameters include preset parameters.
  • the preset parameters are of the same type as the first attack parameter.
  • the preset parameter is the preset number of attacks; when the first attack parameter is the cumulative duration of the attack, the preset parameter is the preset attack duration.
  • the device compares the first attack parameter with the preset parameter, and if the first attack parameter is greater than or equal to the preset parameter, the source IP address corresponding to the first attack parameter is determined as the target source IP address for the targeted attack on the device. For example, if the first attack parameter is 50 attacks and the preset number of attacks is 30, the source IP address corresponding to the first attack parameter is determined to be the target source IP address.
  • the device compares the first attack parameter with the preset parameter, and if the first attack parameter is greater than the preset parameter, the source IP address corresponding to the first attack parameter is used as the target source IP address, so that the source IP address of the targeted attack on the device can be accurately determined.
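The procedure of steps S10 to S34 (cleaning the security data, counting a first attack parameter per source IP address, and comparing it either with a preset parameter or, as a ratio, with the device-wide second attack parameter), carried through on constructed records as an added example. This is illustration code written for this page, not the patent's or the assignee's implementation. The record layout, the intranet ranges used by the cleaning step, the one-week window, the thresholds, and all addresses and timestamps are assumptions; the addresses are taken from documentation ranges.

```python
"""Added example (not from the patent): per-source-IP targeted-attack detection over
constructed security records, following steps S10 to S34 of the description.
The record layout, the intranet definition, the time window and all thresholds
and sample values are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Assumed intranet ranges; an alert whose source and destination are both inside
# them is "communication between intranet hosts" and is dropped during cleaning.
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class AttackedInfo:
    src_ip: str
    dst_ip: str
    alarm_type: str
    ts: datetime
    duration_s: int  # how long the alarmed activity lasted


# Constructed raw security records for one protected device (10.0.0.5):
# (source IP, destination IP, alarm type, alarm time, duration in seconds).
# The last two rows are deliberately invalid to exercise the cleaning step.
RAW_RECORDS = [
    ("203.0.113.7",  "10.0.0.5", "vuln_scan",   "2021-03-01T08:00:00",  60),
    ("203.0.113.7",  "10.0.0.5", "vuln_scan",   "2021-03-01T08:05:00",  60),
    ("203.0.113.7",  "10.0.0.5", "brute_force", "2021-03-01T09:00:00", 600),
    ("203.0.113.7",  "10.0.0.5", "brute_force", "2021-03-02T09:00:00", 600),
    ("198.51.100.9", "10.0.0.5", "brute_force", "2021-03-03T10:00:00", 900),
    ("192.0.2.44",   "10.0.0.5", "vuln_scan",   "2021-03-04T11:00:00",  30),
    ("not-an-ip",    "10.0.0.5", "vuln_scan",   "2021-03-04T11:00:00",  30),  # bad format
    ("10.0.0.9",     "10.0.0.5", "vuln_scan",   "2021-03-04T12:00:00",  30),  # intranet only
]


def is_intranet(ip):
    return any(ip in net for net in INTRANET)


def clean(raw, window_start, window_end):
    """S10: keep well-formed records inside the window that are not intranet-to-intranet."""
    kept = []
    for src, dst, alarm, ts, dur in raw:
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue                      # malformed record
        if is_intranet(s) and is_intranet(d):
            continue                      # does not meet the detection logic
        if not window_start <= when < window_end:
            continue
        kept.append(AttackedInfo(src, dst, alarm, when, dur))
    return kept


def first_attack_params(infos):
    """S20: per-source-IP number of attacks and cumulative attack duration."""
    counts, durations = defaultdict(int), defaultdict(int)
    for i in infos:
        counts[i.src_ip] += 1
        durations[i.src_ip] += i.duration_s
    return dict(counts), dict(durations)


def targets_by_preset(params, preset):
    """S33/S34: source IPs whose first attack parameter is >= the preset parameter."""
    return sorted(ip for ip, v in params.items() if v >= preset)


def targets_by_ratio(params, preset_ratio):
    """S31/S32: source IPs whose share of the device-wide total exceeds the preset ratio."""
    total = sum(params.values())        # the second attack parameter
    return sorted(ip for ip, v in params.items() if total and v / total > preset_ratio)


def detect(raw, window_end, days=7, preset_count=3, preset_ratio=0.3):
    infos = clean(raw, window_end - timedelta(days=days), window_end)
    counts, durations = first_attack_params(infos)
    return {
        "cleaned_records": len(infos),
        "by_count": targets_by_preset(counts, preset_count),
        "by_count_ratio": targets_by_ratio(counts, preset_ratio),
        "by_duration_ratio": targets_by_ratio(durations, preset_ratio),
    }


def run_example():
    """Run the detection on the constructed records with a window ending 2021-03-08."""
    return detect(RAW_RECORDS, datetime(2021, 3, 8))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

With these values only 203.0.113.7 passes the preset count, but the duration ratio also flags 198.51.100.9, whose single long alert accounts for 40 % of the device's cumulative attack duration; that is the case in which keeping both kinds of first attack parameter, as the description does, makes a difference.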
  • Fig. 5 is a fourth embodiment of the targeted attack detection method of the present invention. Based on any one of the first to third embodiments, after the step S30, the method further includes:
  • Step S40 generating description information of a targeted attack according to the attacked information corresponding to the target source IP address;
  • Step S50 output the description information.
  • after determining the target source IP address, the targeted attack detection device obtains each item of attacked information corresponding to the target source IP address and analyzes it, thereby generating the description information of the targeted attack.
  • the description information can include the attack behavior parameters of the target source IP address on the device.
  • the attack behavior parameters include the identity ID of the attacker, the identity ID of the victim, the attack type, attack time, etc.
  • the attacker ID can be its IP address, and the attack type can be vulnerability scanning, password brute-forcing, etc. That is, the device extracts the attack behavior parameters from each item of attacked information to obtain the description information of the targeted attack.
  • the targeted attack detection device outputs the description information. If the targeted attack detection device is the device itself, the description information is displayed; if the targeted attack detection device is the cloud, the description information is output to the device, so that the device can adopt corresponding protective measures based on the description information.
  • the device can generate the prompt information according to the description information, and output the prompt information and the description information at the same time.
  • the prompt information can be, for example: the source IP address has carried out a targeted attack on the device, and it is recommended to isolate the source IP address; the actual source IP address is written directly into the prompt information.
  • the device determines the attacked information corresponding to the target source IP address in order to determine the description information of the targeted attack by the target source IP address on the device, and then outputs the description information so that the device can adopt corresponding protective measures based on it and be protected.
  • Fig. 6 is a fifth embodiment of the targeted attack detection method of the present invention. Based on the fourth embodiment, the step S40 includes:
  • Step S41 Determine the attacked network segment of the device according to the attacked information corresponding to each target source IP address;
  • Step S42 Aggregate each of the attacked network segments to obtain the attacked aggregate network segment, where the description information includes the attacked aggregate network segment.
  • the description information includes the attacked aggregate network segment of the device.
  • a network segment refers to the part of a computer network in which hosts can communicate directly over the same physical-layer equipment.
  • the attacked aggregate network segment refers to the attacked part of the network where the device is located.
  • the device determines the attacked network segment of the device according to the attacked information corresponding to each target source IP address. There are multiple attacked network segments.
  • the device aggregates the attacked network segments to obtain the attacked aggregate network segment.
  • the attacked aggregate network segment can be the attacked network segment with the most attacks, or the set composed of all attacked network segments, in which no two attacked network segments overlap.
  • the device determines the attacked network segments of the device according to the attacked information of each target source IP address, and then aggregates them to obtain the attacked aggregate network segment, so that the device knows which of its network segments were attacked and can adopt corresponding protective measures according to the attacked aggregate network segment.
  • Fig. 7 is a sixth embodiment of a targeted attack detection method of the present invention. Based on the fourth or fifth embodiment, the step S40 includes:
  • Step S43 According to the attacked information corresponding to each target source IP address, determine the attack characteristics of each target source IP address for a targeted attack on the device;
  • Step S44 Determine the attack network segment corresponding to each target source IP address corresponding to the same attack feature
  • Step S45 Aggregate each of the attacked network segments to obtain an attacked aggregated network segment, wherein the description information includes the attacked aggregated network segment.
  • the attacker can use multiple source IP addresses to perform targeted attacks on the device, that is, the attacker uses multiple network segments to attack the device. Therefore, the description information may include the aggregated network segment where the attacker performs a targeted attack on the device, and the aggregated network segment is the attack aggregated network segment.
  • after determining multiple target source IP addresses, the targeted attack detection device needs to judge each target source IP address to determine which target source IP addresses belong to the same attacker. Specifically, the device first determines the attack feature corresponding to each target source IP address; the attack feature can be determined from the attacked information corresponding to that target source IP address.
  • the attack feature is the attack behavior parameter of the target source IP address on the device. For the attack behavior parameter, refer to the above description, which will not be repeated here.
  • after determining the attack characteristics corresponding to each target source IP address, the targeted attack detection device judges the similarity of the attack characteristics and puts similar attack characteristics into one category. The target source IP addresses corresponding to one category of attack characteristics constitute a second set; that is, the target source IP addresses in a second set correspond to the same attacker.
  • each attack feature consists of multiple features, for example, attack type and attack frequency. If the attack type is the same and the attack frequency is in the same range, it can be determined that the two attack characteristics are similar.
  • the device can determine the attack network segment used by each target source IP address in the second set to perform a targeted attack on the device, and the attack network segment is determined by the attacked information corresponding to the target source IP address. Therefore, each attack network segment used by the attacker corresponding to the second set can be determined, and the device aggregates each attack network segment to attack the aggregate network segment.
  • the attack aggregate network segment can be the attacker targeting the device.
  • the network segment with the most frequent sexual attacks can also be a collection composed of various attack network segments, and the attack network segments in the collection do not overlap.
  • the device can directly traverse the attack characteristics of each target source IP address to determine each target source IP address of the same attack characteristic, and when traversing to the target source IP address of the same attack characteristic, determine the target source IP address corresponding Attack the network segment. After the device traverses each attack feature, it can determine the attack network segment corresponding to each target source IP address corresponding to the same attack feature, and finally aggregate each attack network to obtain the attack aggregation network segment.
  • the device determines the attack characteristics of each target source IP address for a targeted attack on the device according to the attacked information corresponding to each target source IP address, so as to determine each of the attackers belonging to the same attacker according to the attack characteristics.
  • the target source IP address is used to determine the attack network segments used by the attacker to target the device.
  • the attack network segments are aggregated to obtain the attack aggregate network segment, so that the device adopts corresponding protection measures according to the attack aggregate network segment.
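The grouping and aggregation described in this embodiment, as an added example in Python that is not part of the patent or of the applicant's product. It assumes the attacked information has already been reduced to the target source IPs, each with an attack type and a per-day attack frequency; it treats the /24 containing a source IP as that IP's attack network segment; and it fixes the frequency ranges used for the similarity judgment. All three are assumptions, and the sample records are constructed. Both outputs the text allows are shown: the non-overlapping collection of segments per attacker, and the single segment with the most attack activity.

```python
"""Added example (not the patent's code): group target source IPs by attack
characteristic (attack type + frequency range) and aggregate the attack
network segments of each group into a non-overlapping set of CIDRs."""
from collections import Counter, defaultdict
from ipaddress import collapse_addresses, ip_network
from typing import Dict, List, Tuple

# Constructed sample: target source IPs already judged to perform a targeted
# attack, each with the attack type and per-day attack frequency taken from
# its attacked information.
TARGET_SOURCES = [
    {"src_ip": "203.0.113.5",   "attack_type": "web_scan",  "freq_per_day": 48},
    {"src_ip": "203.0.113.9",   "attack_type": "web_scan",  "freq_per_day": 52},
    {"src_ip": "203.0.113.200", "attack_type": "web_scan",  "freq_per_day": 45},
    {"src_ip": "198.51.100.7",  "attack_type": "ssh_brute", "freq_per_day": 400},
    {"src_ip": "198.51.100.8",  "attack_type": "web_scan",  "freq_per_day": 9},
]

# Frequency ranges for the "same range" test; the boundaries are an assumption,
# the patent does not fix them.
FREQ_RANGES = ((0, 10), (10, 100), (100, float("inf")))

Characteristic = Tuple[str, int]   # (attack type, index of the frequency range)


def freq_range(freq: float) -> int:
    """Index of the frequency range that `freq` falls into."""
    for i, (lo, hi) in enumerate(FREQ_RANGES):
        if lo <= freq < hi:
            return i
    raise ValueError(f"frequency out of range: {freq}")


def attack_characteristic(record: dict) -> Characteristic:
    """Two characteristics are 'similar' exactly when these tuples are equal."""
    return (record["attack_type"], freq_range(record["freq_per_day"]))


def attack_segment(src_ip: str, prefix: int = 24):
    """Attack network segment of one source IP (assumed to be its /24)."""
    return ip_network(f"{src_ip}/{prefix}", strict=False)


def second_sets(records) -> Dict[Characteristic, List[str]]:
    """Target source IPs sharing one characteristic are treated as one attacker."""
    sets: Dict[Characteristic, List[str]] = defaultdict(list)
    for r in records:
        sets[attack_characteristic(r)].append(r["src_ip"])
    return dict(sets)


def aggregate_segments(ips: List[str], prefix: int = 24) -> List[str]:
    """Non-overlapping collection: duplicate segments dropped, adjacent ones merged."""
    segments = [attack_segment(ip, prefix) for ip in ips]
    return [str(n) for n in collapse_addresses(segments)]


def busiest_segment(records, prefix: int = 24) -> str:
    """Alternative output: the single segment with the most attack activity."""
    totals: Counter = Counter()
    for r in records:
        totals[str(attack_segment(r["src_ip"], prefix))] += r["freq_per_day"]
    return totals.most_common(1)[0][0]


def attack_aggregate_segments(records, prefix: int = 24) -> Dict[Characteristic, List[str]]:
    """Per attacker (second set): its attack aggregate network segment(s)."""
    return {c: aggregate_segments(ips, prefix) for c, ips in second_sets(records).items()}


if __name__ == "__main__":
    for characteristic, segments in attack_aggregate_segments(TARGET_SOURCES).items():
        print(characteristic, segments)
    print("busiest segment:", busiest_segment(TARGET_SOURCES))
```

`collapse_addresses` from the standard library does the aggregation: it discards duplicate segments and merges adjacent, aligned ones into a supernet, so the result is the non-overlapping collection the text describes. Note that two target IPs in the same /24 but with different attack types land in different second sets, and therefore in different aggregate segments, which is the behaviour the characteristic-based grouping intends.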
The present invention also provides a targeted attack detection apparatus. Referring to FIG. 8, FIG. 8 is a schematic diagram of the functional modules of the targeted attack detection apparatus of the present invention. The targeted attack detection apparatus 100 includes:

an obtaining module 110, configured to obtain the attacked information corresponding to the device;

a determining module 120, configured to determine the first attack parameter corresponding to the attacked information having the same source IP address;

the determining module 120 is further configured to determine, according to the first attack parameter and the reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device.

The targeted attack detection apparatus 100 is also used to implement the embodiments of the targeted attack detection method; for details, refer to the embodiments above, which are not repeated here.

The present invention also provides a targeted attack detection apparatus that includes a memory, a processor, and a targeted attack detection program stored in the memory and runnable on the processor. When the targeted attack detection program is executed by the processor, each step of the targeted attack detection method described in the above embodiments is implemented.

The present invention also provides a computer-readable storage medium that stores a targeted attack detection program. When the targeted attack detection program is executed by a processor, each step of the targeted attack detection method described in the above embodiments is implemented.

The technical solution of the present invention, in essence or in the part that contributes over the existing technology, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disk) and includes several instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the method described in each embodiment of the present invention.

Abstract

A targeted attack detection method, comprising the following steps: obtaining attacked information corresponding to a device; determining a first attack parameter corresponding to the attacked information having the same source IP address; and determining, according to the first attack parameter and a reference parameter, from among the source IP addresses, a target source IP address from which a targeted attack is performed on the device. A targeted attack detection apparatus and a computer-readable storage medium are also provided. By means of the present invention, the network security of the device is ensured.

Description

Targeted attack detection method and apparatus, and computer-readable storage medium
This application claims priority to Chinese patent application No. 202010556949.5, filed with the Chinese Patent Office on June 16, 2020 and entitled "Targeted attack detection method and apparatus, and computer-readable storage medium", the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to the field of network security, and in particular to a targeted attack detection method and apparatus, and a computer-readable storage medium.
Background
With the development of Internet Plus and informatization, network attacks have become more and more common, and the threats they pose more and more serious. To reduce losses, enterprises have begun to attach importance to security construction and to invest heavily in it. According to their different needs, enterprises purchase a variety of security software with different functions, such as firewalls, Internet behavior management, endpoint security and database security. This software faces a serious problem: a large number of alarm logs are generated locally, security operations staff find it difficult to handle them one by one, and over time the alarms are simply left unattended.
Some security software, such as SIEM (Security Information and Event Management), reduces the alarm volume to a certain extent by collecting and managing logs in a unified way. However, because such software is deployed locally, it can only see the local part of an attack and cannot accurately detect targeted attacks on a device, so the network security guarantee of the device is low.
The above content is only used to assist understanding of the technical solution of the present invention and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide a targeted attack detection method and apparatus, and a computer-readable storage medium, aimed at solving the problem that the network security guarantee of a device is low.
To achieve the above purpose, the present invention provides a targeted attack detection method, which includes the following steps:
obtaining attacked information corresponding to a device;
determining a first attack parameter corresponding to the attacked information having the same source IP address;
determining, according to the first attack parameter and a reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device.
In an embodiment, the step of determining, according to the first attack parameter and the reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device includes:
determining a ratio between the first attack parameter and a second attack parameter, where the reference parameter includes the second attack parameter and the second attack parameter is determined according to all the attacked information of the device;
determining the source IP address corresponding to a ratio greater than a preset ratio as the target source IP address that performs a targeted attack on the device.
In an embodiment, the step of determining, according to the first attack parameter and the reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device includes:
comparing the first attack parameter with a preset parameter, where the reference parameter includes the preset parameter;
determining the source IP address corresponding to a first attack parameter greater than or equal to the preset parameter as the target source IP address that performs a targeted attack on the device.
In an embodiment, after the step of determining, according to the first attack parameter and the reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device, the method further includes:
generating description information of the targeted attack according to the attacked information corresponding to the target source IP address;
outputting the description information.
In an embodiment, the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address includes:
determining the attacked network segments of the device according to the attacked information corresponding to each target source IP address;
aggregating the attacked network segments to obtain an attacked aggregate network segment, where the description information includes the attacked aggregate network segment.
In an embodiment, the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address includes:
determining, according to the attacked information corresponding to each target source IP address, the attack characteristic of the targeted attack that each target source IP address performs on the device;
determining the attack network segment corresponding to each target source IP address that corresponds to the same attack characteristic;
aggregating the attack network segments to obtain an attack aggregate network segment, where the description information includes the attack aggregate network segment.
In an embodiment, the first attack parameter includes the number of attacks performed on the device by the source IP address or the cumulative duration of the attacks performed on the device by the source IP address.
To achieve the above purpose, the present invention also provides a targeted attack detection apparatus, which includes:
an obtaining module, configured to obtain attacked information corresponding to a device;
a determining module, configured to determine a first attack parameter corresponding to the attacked information having the same source IP address;
the determining module is further configured to determine, according to the first attack parameter and a reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device.
To achieve the above purpose, the present invention also provides a targeted attack detection apparatus, which includes a memory, a processor, and a targeted attack detection program stored in the memory and runnable on the processor. When the targeted attack detection program is executed by the processor, each step of the targeted attack detection method described above is implemented.
To achieve the above purpose, the present invention also provides a computer-readable storage medium that stores a targeted attack detection program. When the targeted attack detection program is executed by a processor, each step of the targeted attack detection method described above is implemented.
In the targeted attack detection method and apparatus and the computer-readable storage medium proposed in the embodiments of the present invention, the targeted attack detection apparatus obtains the attacked information corresponding to the device, determines the first attack parameter corresponding to the attacked information having the same source IP address, and determines, according to the first attack parameter and the reference parameter, the target source IP address performing a targeted attack on the device from among the source IP addresses. Because the targeted attack detection apparatus collects the attacked information of the device and determines the attack parameter of the attacked information sharing each source IP address, the source IP address of a targeted attack on the device is accurately determined from the attack parameter, and the device can adopt corresponding protective measures against that source IP address, ensuring the network security of the device.
Brief description of the drawings
FIG. 1 is a schematic diagram of the hardware of the targeted attack detection apparatus involved in the embodiments of the present invention;
FIG. 2 is a schematic flowchart of the first embodiment of the targeted attack detection method of the present invention;
FIG. 3 is a detailed flowchart of step S30 in the second embodiment of the targeted attack detection method of the present invention;
FIG. 4 is a detailed flowchart of step S30 in the third embodiment of the targeted attack detection method of the present invention;
FIG. 5 is a schematic flowchart of the fourth embodiment of the targeted attack detection method of the present invention;
FIG. 6 is a detailed flowchart of step S40 in the fifth embodiment of the targeted attack detection method of the present invention;
FIG. 7 is a detailed flowchart of step S40 in the sixth embodiment of the targeted attack detection method of the present invention;
FIG. 8 is a schematic diagram of the functional modules of the targeted attack detection apparatus of the present invention.
Detailed description
It should be understood that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
The main solution of the embodiments of the present invention is: obtaining attacked information corresponding to a device; determining a first attack parameter corresponding to the attacked information having the same source IP address; and determining, according to the first attack parameter and a reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device.
The present invention provides a solution in which the targeted attack detection apparatus collects the attacked information of the device and determines the attack parameter of the attacked information sharing each source IP address, so that the source IP address of a targeted attack on the device is accurately determined from the attack parameter and the device can adopt corresponding protective measures against that source IP address, ensuring the network security of the device.
As one implementation, the targeted attack detection apparatus may be as shown in FIG. 1.
Referring to FIG. 1, FIG. 1 shows the targeted attack detection apparatus involved in an embodiment of the present invention. The targeted attack detection apparatus may include a processor 1001 (for example a CPU), a memory 1002 and a communication bus 1003. The communication bus 1003 is used to implement connection and communication between these components. The memory 1002 may be a high-speed RAM memory or a stable non-volatile memory such as a magnetic disk memory. Optionally, the memory 1002 may also be a storage device independent of the aforementioned processor 1001. As a computer storage medium, the memory 1002 may include a targeted attack detection program. The processor 1001 may be used to call the targeted attack detection program stored in the memory 1002 and perform the following operations:
obtaining attacked information corresponding to a device;
determining a first attack parameter corresponding to the attacked information having the same source IP address;
determining, according to the first attack parameter and a reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
determining a ratio between the first attack parameter and a second attack parameter, where the reference parameter includes the second attack parameter and the second attack parameter is determined according to all the attacked information of the device;
determining the source IP address corresponding to a ratio greater than a preset ratio as the target source IP address that performs a targeted attack on the device.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
comparing the first attack parameter with a preset parameter, where the reference parameter includes the preset parameter;
determining the source IP address corresponding to a first attack parameter greater than or equal to the preset parameter as the target source IP address that performs a targeted attack on the device.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
generating description information of the targeted attack according to the attacked information corresponding to the target source IP address;
outputting the description information.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
determining the attacked network segments of the device according to the attacked information corresponding to each target source IP address;
aggregating the attacked network segments to obtain an attacked aggregate network segment, where the description information includes the attacked aggregate network segment.
In an embodiment, the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address includes:
determining, according to the attacked information corresponding to each target source IP address, the attack characteristic of the targeted attack that each target source IP address performs on the device;
determining the attack network segment corresponding to each target source IP address that corresponds to the same attack characteristic;
aggregating the attack network segments to obtain an attack aggregate network segment, where the description information includes the attack aggregate network segment.
In an embodiment, the first attack parameter includes the number of attacks performed on the device by the source IP address or the cumulative duration of the attacks performed on the device by the source IP address.
According to the above solution, in this embodiment the targeted attack detection apparatus obtains the attacked information corresponding to the device, determines the first attack parameter corresponding to the attacked information having the same source IP address, and determines, according to the first attack parameter and the reference parameter, the target source IP address performing a targeted attack on the device from among the source IP addresses. Because the targeted attack detection apparatus collects the attacked information of the device and determines the attack parameter of the attacked information sharing each source IP address, the source IP address of a targeted attack on the device is accurately determined from the attack parameter, and the device can adopt corresponding protective measures against that source IP address, ensuring the network security of the device.
Based on the hardware architecture of the targeted attack detection apparatus described above, the embodiments of the targeted attack detection method of the present invention are proposed.
Referring to FIG. 2, FIG. 2 shows the first embodiment of the targeted attack detection method of the present invention. The targeted attack detection method includes:
Step S10, obtaining attacked information corresponding to a device;
In this embodiment, the execution subject is the targeted attack detection apparatus. The targeted attack detection apparatus is communicatively connected to a cloud, or the targeted attack detection apparatus itself is the cloud. The device is equipped with multiple pieces of security software, which may be applications such as a firewall, Internet behavior management, endpoint security or database security. The device can be registered with the cloud, so that the security software on the device can upload security data to the cloud and the cloud attributes each item of security data to the device it belongs to. Specifically, when the security software detects that the device is under attack, it generates security data and sends the security data to the cloud. The cloud receives the security data, determines the device on which the security software that sent the data is located, and stores the security data in association with that device. The security data also includes the log data of key security events generated by the operating system of the device; the log data records the time at which an attack was detected, the type of the event and the actor associated with the event, and some logs also contain the risk level of the alarm. For ease of description, "apparatus" is used below to refer to the targeted attack detection apparatus. Of course, the device itself may serve as the targeted attack detection apparatus, that is, the targeted attack detection apparatus collects the security data about attacks on itself.
The apparatus may detect targeted attacks on the device periodically, or may perform the detection based on a targeted attack detection request sent by the device. At this point the apparatus obtains the attacked information corresponding to the device; there are multiple items of attacked information. It should be noted that the apparatus first obtains the security data corresponding to the device from the cloud; the security data may be the security data of the most recent time period, for example the most recent week. The apparatus first cleans the security data, that is, it filters out the data in the security data that does not meet the requirements, removing redundant or erroneous data and keeping only valid data. The data cleaned out generally takes the following forms: 1) log records parsed as having an incorrect format, such as a log length that does not meet the requirements; 2) logs parsed as having incorrect content, such as an IP address or port number outside the normal range; 3) parsed information that does not meet the needs of the detection logic, for example a parsing result showing that the log records communication between intranet hosts.
After the security data has been cleaned, feature extraction is performed on the cleaned security data. The features are features of the network attack, and the result is attacked information containing feature data. The feature data may be information such as the source IP, destination IP, alarm type and alarm generation time in the firewall or endpoint data.
Step S20, determining a first attack parameter corresponding to the attacked information having the same source IP address;
The apparatus is provided with detection rules for targeted attacks; there may be one or more detection rules, set according to the actual situation. The apparatus needs to obtain the first attack parameter corresponding to the attacked information sharing the same source IP address in order to judge whether the first attack parameter satisfies a detection rule; if it does, the source IP address corresponding to the first attack parameter can be judged to have performed a targeted attack on the device. The first attack parameter includes the number of attacks performed on the device by the source IP address or the cumulative duration of the attacks performed on the device by the source IP address.
After obtaining the items of attacked information corresponding to the device, the apparatus determines the items of attacked information that share the same source IP address. Specifically, each item of attacked information includes a source IP address, and the apparatus traverses the items of attacked information to find those with the same source IP address. While traversing the attacked information, the apparatus counts the first attack parameter, and once the traversal is complete the first attack parameter has been obtained. Alternatively, the apparatus may first classify the attacked information so that the items in each class share the same source IP address, and then determine the first attack parameter for each classified source IP address.
Step S30, determining, according to the first attack parameter and a reference parameter, among the source IP addresses, a target source IP address that performs a targeted attack on the device.
The detection rule can be set by the reference parameter. That is, the apparatus judges whether the first attack parameter matches the reference parameter; if so, the source IP address corresponding to the first attack parameter is judged to have performed a targeted attack on the device, and that source IP address is the target source IP address. The reference parameter includes a preset parameter or a second attack parameter, and the type of the reference parameter is the same as the type of the first attack parameter. For example, if the first attack parameter is the number of attacks, the preset parameter may be a preset number of attacks; if the first attack parameter is the cumulative attack duration, the preset parameter may be a preset attack duration. The second attack parameter is determined from all the attacked information of the device and includes the total number of attacks suffered by the device or the cumulative total duration of the attacks suffered by the device.
After obtaining the first attack parameter corresponding to each source IP address, the apparatus determines whether each first attack parameter matches the reference parameter. For example, if the first attack parameter is the number of attacks and the reference parameter is a preset number of attacks, the first attack parameter matches the reference parameter when it is greater than or equal to the preset number of attacks. The apparatus takes each source IP address that matches the reference parameter as a target source IP address, that is, a source IP address that has launched a targeted attack on the device.
In the technical solution provided in this embodiment, the targeted attack detection apparatus obtains the attacked information corresponding to the device, determines the first attack parameter corresponding to the attacked information having the same source IP address, and determines, according to the first attack parameter and the reference parameter, the target source IP address performing a targeted attack on the device from among the source IP addresses. Because the targeted attack detection apparatus collects the attacked information of the device and determines the attack parameter of the attacked information sharing each source IP address, the source IP address of a targeted attack on the device is accurately determined from the attack parameter, and the device can adopt corresponding protective measures against that source IP address, ensuring the network security of the device.
Referring to Fig. 3, Fig. 3 shows a second embodiment of the targeted attack detection method of the present invention. Based on the first embodiment, step S30 includes:
Step S31: determining a ratio between the first attack parameter and a second attack parameter, where the reference parameter includes the second attack parameter and the second attack parameter is determined from all attacked information of the device;
Step S32: determining the source IP address corresponding to a ratio greater than a preset ratio as the target source IP address that is conducting a targeted attack on the device.
In this embodiment, the reference parameter includes a second attack parameter, which is either the total number of attacks suffered by the device or the cumulative total attack duration suffered by the device. After obtaining the first attack parameter, the apparatus obtains the second attack parameter and then computes the ratio between the two. Note that the first attack parameter and the second attack parameter must correspond to the same time window. For example, if the first attack parameter is the attack count and the second attack parameter is the total attack count, the attack count is determined from the attacked information of the first set (the records sharing one source IP address) that falls within the target time window, and the total attack count is determined from all of the device's attacked information that falls within the same target time window.
After determining the ratio, the apparatus checks whether it is greater than the preset ratio. If it is, the source IP address of the first attack parameter behind that ratio is judged to be a target source IP address, i.e. that source IP address has conducted a targeted attack on the device. Since the first attack parameter is either the attack count or the cumulative attack duration, the ratio is either the attack count divided by the total attack count or the cumulative attack duration divided by the cumulative total attack duration, and the two ratios have different preset ratios. The apparatus selects the preset ratio that corresponds to the ratio actually being computed when judging the target source IP address.
In the technical solution of this embodiment, the apparatus determines the ratio between the first attack parameter and the second attack parameter, checks whether the ratio is greater than the preset ratio and, if it is, takes the source IP address corresponding to the first attack parameter as the target source IP address, thereby accurately identifying the source IP address conducting a targeted attack on the device.
Referring to Fig. 4, Fig. 4 shows a third embodiment of the targeted attack detection method of the present invention. Based on the first embodiment, step S30 includes:
Step S33: comparing the first attack parameter with a preset parameter, where the reference parameter includes the preset parameter;
Step S34: determining the source IP address corresponding to a first attack parameter greater than or equal to the preset parameter as the target source IP address that is conducting a targeted attack on the device.
In this embodiment, the reference parameter includes a preset parameter of the same type as the first attack parameter: when the first attack parameter is the attack count, the preset parameter is a preset attack count; when the first attack parameter is the cumulative attack duration, the preset parameter is a preset attack duration.
The apparatus compares the first attack parameter with the preset parameter; if the first attack parameter is greater than or equal to the preset parameter, the corresponding source IP address is determined to be the target source IP address conducting a targeted attack on the device. For example, if the attack count for a source IP address is 50 and the preset attack count is 30, that source IP address is judged to be a target source IP address.
In the technical solution of this embodiment, the apparatus compares the first attack parameter with the preset parameter and, if the first attack parameter is greater than or equal to the preset parameter, takes the source IP address corresponding to the first attack parameter as the target source IP address, thereby accurately identifying the source IP address conducting a targeted attack on the device.
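As an added illustration (not code from the patent or from 深信服科技股份有限公司), the following Python computes the first attack parameters per source IP address inside one target time window, derives the second attack parameters as device-wide totals over the same window, and applies both tests described above: the ratio test of the second embodiment and the preset-threshold test of the third. The record layout, the sample records, the window boundaries and every threshold value are assumptions chosen for the example.

```python
"""Added example, not the patent's own code: first/second attack parameters per
source IP inside a target time window, plus the ratio test (second embodiment)
and the preset-threshold test (third embodiment)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of "attacked information": one record per detected attack
# as (source IP, attack start time, attack duration in seconds). The field set
# is an assumption; the patent only requires a source IP plus a count or duration.
RECORDS = [
    ("203.0.113.7",   "2020-06-16T08:01:00", 30),
    ("203.0.113.7",   "2020-06-16T08:05:00", 30),
    ("203.0.113.7",   "2020-06-16T08:12:00", 30),
    ("203.0.113.7",   "2020-06-16T08:20:00", 30),
    ("203.0.113.7",   "2020-06-16T08:33:00", 30),
    ("203.0.113.7",   "2020-06-16T08:47:00", 30),
    ("198.51.100.9",  "2020-06-16T08:10:00", 10),
    ("198.51.100.9",  "2020-06-16T08:40:00", 10),
    ("192.0.2.33",    "2020-06-16T07:30:00", 600),  # outside the window: ignored
    ("192.0.2.33",    "2020-06-16T08:15:00", 15),
    ("198.51.100.10", "2020-06-16T08:50:00", 5),
]
# Assumed target time window (half-open).
WINDOW_START = datetime(2020, 6, 16, 8, 0)
WINDOW_END = datetime(2020, 6, 16, 9, 0)


def first_attack_parameters(records, start, end):
    """Per source IP, restricted to the window: attack count and cumulative
    attack duration in seconds. Returns (count_by_ip, duration_by_ip)."""
    count = defaultdict(int)
    duration = defaultdict(int)
    for src, ts, secs in records:
        t = datetime.fromisoformat(ts)
        if start <= t < end:  # the same window is used for every parameter
            count[src] += 1
            duration[src] += secs
    return dict(count), dict(duration)


def second_attack_parameters(count, duration):
    """Device-wide totals over the same window: (total count, total duration)."""
    return sum(count.values()), sum(duration.values())


def _select(records, start, end, parameter):
    count, duration = first_attack_parameters(records, start, end)
    if parameter == "count":
        return count
    if parameter == "duration":
        return duration
    raise ValueError("parameter must be 'count' or 'duration'")


def targets_by_ratio(records, start, end, parameter, preset_ratio):
    """Second embodiment: a source IP is a target when its share of the device's
    total (for the chosen parameter) is strictly greater than the preset ratio.
    Each parameter type is meant to carry its own preset ratio."""
    first = _select(records, start, end, parameter)
    total = sum(first.values())
    if total == 0:
        return set()
    return {src for src, value in first.items() if value / total > preset_ratio}


def targets_by_threshold(records, start, end, parameter, preset):
    """Third embodiment: a source IP is a target when its first attack parameter
    is greater than or equal to the preset parameter of the same type."""
    first = _select(records, start, end, parameter)
    return {src for src, value in first.items() if value >= preset}


if __name__ == "__main__":
    print(targets_by_ratio(RECORDS, WINDOW_START, WINDOW_END, "count", 0.5))
    print(targets_by_threshold(RECORDS, WINDOW_START, WINDOW_END, "duration", 100))
```

The window filter matters in practice: a long attack that started before the window (the 600-second record above) must not inflate either the per-source duration or the device-wide total, otherwise the ratio test compares parameters taken over different periods, which the description explicitly rules out.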
Referring to Fig. 5, Fig. 5 shows a fourth embodiment of the targeted attack detection method of the present invention. Based on any one of the first to third embodiments, after step S30 the method further includes:
Step S40: generating description information of the targeted attack according to the attacked information corresponding to the target source IP address;
Step S50: outputting the description information.
After determining the target source IP address, the apparatus retrieves every item of attacked information corresponding to that address and analyses it to generate description information for the targeted attack. The description information may include attack behaviour parameters of the target source IP address against the device, such as the attacker's identity ID, the victim's identity ID, the attack type and the attack time; the attacker ID may be its IP address, and the attack type may be vulnerability scanning, password brute-forcing, and so on. In other words, the apparatus extracts attack behaviour parameters from each item of attacked information to obtain the description information, and then outputs it. If the apparatus is the device itself, it displays the description information; if the apparatus is in the cloud, it sends the description information to the device, so that the device can adopt corresponding protective measures based on it.
Note that after generating the description information, the apparatus may also generate prompt information from it and output the prompt information together with the description information. The prompt may state, for instance, that the source IP address has conducted a targeted attack on the device and that isolating that source IP address is recommended; the actual source IP address must be written out explicitly in the prompt.
In the technical solution of this embodiment, the apparatus determines the attacked information corresponding to the target source IP address in order to determine description information of the targeted attack conducted by that address on the device, and then outputs the description information, so that the device can adopt corresponding protective measures according to the description information.
Referring to Fig. 6, Fig. 6 shows a fifth embodiment of the targeted attack detection method of the present invention. Based on the fourth embodiment, step S40 includes:
Step S41: determining attacked network segments of the device according to the attacked information corresponding to each target source IP address;
Step S42: aggregating the attacked network segments to obtain an attacked aggregate network segment, where the description information includes the attacked aggregate network segment.
In this embodiment, the description information includes the attacked aggregate network segment of the device. A network segment is the part of a computer network in which hosts can communicate directly over the same physical-layer equipment; the attacked aggregate network segment is the part of the network in which the device is located that has been attacked.
The apparatus determines the attacked network segments of the device from the attacked information corresponding to each target source IP address. There may be several attacked network segments; the apparatus aggregates them into an attacked aggregate network segment, which may be either the network segment that suffered the most attacks or the set formed by all attacked network segments, with no two segments in that set overlapping.
In the technical solution of this embodiment, the apparatus determines the attacked network segments of the device from the attacked information of each target source IP address and then aggregates them into an attacked aggregate network segment, so that the device learns which of its network segments are under attack and can adopt corresponding protective measures for the attacked aggregate network segment.
Referring to Fig. 7, Fig. 7 shows a sixth embodiment of the targeted attack detection method of the present invention. Based on the fourth or fifth embodiment, step S40 includes:
Step S43: determining, according to the attacked information corresponding to each target source IP address, an attack feature of the targeted attack conducted by each target source IP address on the device;
Step S44: determining the attack network segment corresponding to each target source IP address having the same attack feature;
Step S45: aggregating the attack network segments to obtain an attack aggregate network segment, where the description information includes the attack aggregate network segment.
In this embodiment, an attacker may use multiple source IP addresses, i.e. multiple network segments, to conduct a targeted attack on the device. The description information may therefore include the aggregate network segment from which the attacker conducts the targeted attack, referred to as the attack aggregate network segment.
To this end, after determining multiple target source IP addresses, the apparatus must assess each of them to identify which belong to the same attacker. Specifically, the apparatus first determines the attack feature of each target source IP address, which can be derived from the attacked information corresponding to that address; the attack feature consists of the attack behaviour parameters of the target source IP address against the device, as described above and not repeated here. After determining the attack feature of every target source IP address, the apparatus judges which attack features are similar and groups similar attack features into one class; the target source IP addresses corresponding to that class form a second set, i.e. all target source IP addresses in the second set belong to the same attacker. Note that each attack feature is composed of several features, for example attack type and attack frequency: if two target source IP addresses have the same attack type and their attack frequencies fall within the same interval, their attack features are judged to be similar.
Having obtained the second set, the apparatus determines the attack network segment used by each target source IP address in the second set to conduct the targeted attack; the attack network segment is determined from the attacked information corresponding to that target source IP address. The attack network segments used by the attacker corresponding to the second set are thus identified, and the apparatus aggregates them into an attack aggregate network segment. The attack aggregate network segment may be the network segment from which the attacker attacks the device most frequently, or the set formed by all attack network segments, in which no two attack network segments overlap.
Alternatively, the apparatus can directly traverse the attack features of the target source IP addresses to find those with the same attack feature and, on reaching a target source IP address with the same attack feature, determine the attack network segment corresponding to that address. After traversing all attack features, the apparatus has determined the attack network segment of every target source IP address sharing the same attack feature, and finally aggregates these attack network segments into the attack aggregate network segment.
In the technical solution of this embodiment, the apparatus determines, from the attacked information corresponding to each target source IP address, the attack feature of the targeted attack conducted by each target source IP address on the device; uses the attack features to identify the target source IP addresses belonging to the same attacker; determines the attack network segments that attacker uses to conduct the targeted attack; and finally aggregates those attack network segments into an attack aggregate network segment, so that the device can adopt corresponding protective measures for the attack aggregate network segment.
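The grouping and aggregation of the fifth and sixth embodiments, together with the description and prompt information of the fourth, as an added Python example that is not the patent's own code. It assumes that a network segment is a /24, that attack frequency is bucketed into three fixed ranges to decide whether two frequencies lie in the same interval, that each record carries the device-side address that was hit, and it uses the standard library's ipaddress.collapse_addresses to merge adjacent or overlapping segments; the sample records are constructed for the example.

```python
"""Added example, not the patent's own code: description information for a set
of already-confirmed target source IPs, covering the attacked aggregate segment
(fifth embodiment), attacker grouping by attack feature and the attack aggregate
segment (sixth embodiment), and the description/prompt output (fourth)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: (target source IP, attacked device-side IP, attack type,
# number of attacks in the detection window). Field layout is an assumption.
TARGET_HITS = [
    ("203.0.112.40",  "10.0.1.5", "vuln_scan",          6),
    ("203.0.113.7",   "10.0.1.6", "vuln_scan",          8),
    ("203.0.113.9",   "10.0.2.7", "vuln_scan",          5),
    ("198.51.100.9",  "10.0.1.5", "password_bruteforce", 40),
    ("198.51.100.77", "10.0.1.5", "password_bruteforce", 12),
    ("192.0.2.33",    "10.0.3.9", "vuln_scan",          60),
]
SEGMENT_PREFIX = 24  # assumption: a "network segment" is a /24


def segment(ip, prefix=SEGMENT_PREFIX):
    """Network segment containing ip."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def frequency_bucket(count):
    """Assumed intervals for 'attack frequencies in the same range'."""
    if count < 10:
        return "low"
    if count < 50:
        return "mid"
    return "high"


def attack_feature(attack_type, count):
    """Attack feature = attack type plus frequency interval (as in the text)."""
    return (attack_type, frequency_bucket(count))


def aggregate(weighted_segments):
    """Both aggregation outputs the description allows: the non-overlapping
    set of segments (adjacent siblings collapsed into their supernet) and the
    single segment carrying the most attacks."""
    weight = Counter()
    for seg, n in weighted_segments:
        weight[seg] += n
    collapsed = [str(net) for net in ipaddress.collapse_addresses(list(weight))]
    busiest = str(max(weight, key=weight.get))
    return {"segments": collapsed, "busiest": busiest}


def attacked_aggregate_segment(hits):
    """Fifth embodiment: aggregate the device-side segments that were hit."""
    return aggregate((segment(dst), n) for _, dst, _, n in hits)


def attack_aggregate_segments(hits):
    """Sixth embodiment: target IPs with identical attack features are treated
    as one attacker; each attacker's source segments are aggregated."""
    groups = defaultdict(list)
    for src, _, atype, n in hits:
        groups[attack_feature(atype, n)].append((segment(src), n))
    return {feature: aggregate(segs) for feature, segs in groups.items()}


def describe(hits):
    """Fourth embodiment: description information plus prompt text."""
    attackers = sorted({src for src, _, _, _ in hits}, key=ipaddress.ip_address)
    return {
        "attackers": attackers,
        "behaviour": [
            {"attacker_id": src, "victim_id": dst, "attack_type": atype, "attack_count": n}
            for src, dst, atype, n in hits
        ],
        "attacked_aggregate_segment": attacked_aggregate_segment(hits),
        "attack_aggregate_segments": attack_aggregate_segments(hits),
        "prompt": [
            f"Source IP {ip} carried out a targeted attack on the device; "
            f"isolating it is recommended." for ip in attackers
        ],
    }


if __name__ == "__main__":
    for key, value in describe(TARGET_HITS).items():
        print(key, value)
```

Note that collapsing only merges aligned sibling blocks (203.0.112.0/24 and 203.0.113.0/24 become 203.0.112.0/23), so the aggregate never widens to cover address space the attacker did not use; a blocking rule built from it therefore stays as narrow as the evidence.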
The present invention further provides a targeted attack detection apparatus.
Referring to Fig. 8, Fig. 8 is a schematic diagram of the functional modules of the targeted attack detection apparatus of the present invention. The targeted attack detection apparatus 100 includes:
an acquisition module 110, configured to obtain the attacked information corresponding to the device;
a determination module 120, configured to determine the first attack parameter corresponding to the attacked information sharing the same source IP address;
the determination module 120 being further configured to determine, from among the source IP addresses and according to the first attack parameter and the reference parameter, the target source IP address conducting a targeted attack on the device.
The targeted attack detection apparatus 100 is further configured to implement each embodiment of the targeted attack detection method; refer to the embodiments above, which are not repeated here.
The present invention further provides a targeted attack detection apparatus including a memory, a processor and a targeted attack detection program stored in the memory and executable on the processor, where the targeted attack detection program, when executed by the processor, implements the steps of the targeted attack detection method of the embodiments above.
The present invention further provides a computer-readable storage medium storing a targeted attack detection program which, when executed by a processor, implements the steps of the targeted attack detection method of the embodiments above.
It should be noted that, herein, the terms "comprise", "include" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Absent further limitation, an element defined by the phrase "including a ..." does not exclude the presence of further identical elements in the process, method, article or system that includes it.
The serial numbers of the embodiments of the present invention above are for description only and do not indicate the relative merits of the embodiments.
From the description of the implementations above, those skilled in the art will clearly understand that the methods of the embodiments above can be implemented by software together with a necessary general-purpose hardware platform; they can of course also be implemented in hardware, but in many cases the former is the better implementation. On that basis, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied as a software product stored on a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) that includes instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to perform the methods described in the embodiments of the present invention.
The above are merely preferred embodiments of the present invention and do not thereby limit its patent scope. Any equivalent structural or process transformation made using the content of the description and drawings of the present invention, whether applied directly or indirectly in other related technical fields, likewise falls within the scope of patent protection of the present invention.

Claims (10)

  1. A targeted attack detection method, characterized in that the targeted attack detection method includes the following steps:
    obtaining attacked information corresponding to a device;
    determining a first attack parameter corresponding to the attacked information sharing the same source IP address;
    determining, from among the source IP addresses and according to the first attack parameter and a reference parameter, a target source IP address conducting a targeted attack on the device.
  2. The targeted attack detection method of claim 1, characterized in that the step of determining, from among the source IP addresses and according to the first attack parameter and the reference parameter, the target source IP address conducting a targeted attack on the device includes:
    determining a ratio between the first attack parameter and a second attack parameter, where the reference parameter includes the second attack parameter and the second attack parameter is determined from all attacked information of the device;
    determining the source IP address corresponding to a ratio greater than a preset ratio as the target source IP address conducting a targeted attack on the device.
  3. The targeted attack detection method of claim 1, characterized in that the step of determining, from among the source IP addresses and according to the first attack parameter and the reference parameter, the target source IP address conducting a targeted attack on the device includes:
    comparing the first attack parameter with a preset parameter, where the reference parameter includes the preset parameter;
    determining the source IP address corresponding to a first attack parameter greater than or equal to the preset parameter as the target source IP address conducting a targeted attack on the device.
  4. The targeted attack detection method of claim 1, characterized in that, after the step of determining, from among the source IP addresses and according to the first attack parameter and the reference parameter, the target source IP address conducting a targeted attack on the device, the method further includes:
    generating description information of the targeted attack according to the attacked information corresponding to the target source IP address;
    outputting the description information.
  5. The targeted attack detection method of claim 4, characterized in that the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address includes:
    determining attacked network segments of the device according to the attacked information corresponding to each target source IP address;
    aggregating the attacked network segments to obtain an attacked aggregate network segment, where the description information includes the attacked aggregate network segment.
  6. The targeted attack detection method of claim 4, characterized in that the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address includes:
    determining, according to the attacked information corresponding to each target source IP address, an attack feature of the targeted attack conducted by each target source IP address on the device;
    determining the attack network segment corresponding to each target source IP address having the same attack feature;
    aggregating the attack network segments to obtain an attack aggregate network segment, where the description information includes the attack aggregate network segment.
  7. The targeted attack detection method of any one of claims 1 to 6, characterized in that the first attack parameter includes the number of attacks conducted on the device by a source IP address or the cumulative duration of attacks conducted on the device by a source IP address.
  8. A targeted attack detection apparatus, characterized in that the targeted attack detection apparatus includes:
    an acquisition module, configured to obtain attacked information corresponding to a device;
    a determination module, configured to determine a first attack parameter corresponding to the attacked information sharing the same source IP address;
    the determination module being further configured to determine, from among the source IP addresses and according to the first attack parameter and a reference parameter, a target source IP address conducting a targeted attack on the device.
  9. A targeted attack detection apparatus, characterized in that the targeted attack detection apparatus includes a memory, a processor and a targeted attack detection program stored in the memory and executable on the processor, where the targeted attack detection program, when executed by the processor, implements the steps of the targeted attack detection method of any one of claims 1 to 7.
  10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a targeted attack detection program which, when executed by a processor, implements the steps of the targeted attack detection method of any one of claims 1 to 7.
PCT/CN2021/081482 2020-06-16 2021-03-18 Targeted attack detection method and apparatus, and computer-readable storage medium WO2021253899A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010556949.5 2020-06-16
CN202010556949.5A CN111756720B (en) 2020-06-16 2020-06-16 Targeted attack detection method, apparatus thereof and computer-readable storage medium

Publications (1)

Publication Number Publication Date
WO2021253899A1 2021-12-23

Family

ID=72676215

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/081482 WO2021253899A1 (en) 2020-06-16 2021-03-18 Targeted attack detection method and apparatus, and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN111756720B (en)
WO (1) WO2021253899A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242502A (en) * 2022-07-21 2022-10-25 广东电网有限责任公司 Power system network security risk evaluation method, device, equipment and medium
CN115242502B (en) * 2022-07-21 2024-03-08 广东电网有限责任公司 Method, device, equipment and medium for evaluating network security risk of power system

Families Citing this family (4)

Publication number Priority date Publication date Assignee Title
CN111756720B (en) * 2020-06-16 2023-03-24 深信服科技股份有限公司 Targeted attack detection method, apparatus thereof and computer-readable storage medium
CN113315785B (en) * 2021-06-23 2023-05-12 深信服科技股份有限公司 Alarm reduction method, device, equipment and computer readable storage medium
CN113923039B (en) * 2021-10-20 2023-11-28 北京知道创宇信息技术股份有限公司 Attack equipment identification method and device, electronic equipment and readable storage medium
CN114124540B (en) * 2021-11-25 2023-12-29 中国工商银行股份有限公司 IPS (in-plane switching) blocking method and device

Citations (5)

Publication number Priority date Publication date Assignee Title
CN105991628A (en) * 2015-03-24 2016-10-05 杭州迪普科技有限公司 Network attack identification method and network attack identification device
CN106375331A (en) * 2016-09-23 2017-02-01 北京网康科技有限公司 Mining method and device of attacking organization
US20190098050A1 (en) * 2017-09-22 2019-03-28 Nec Laboratories America, Inc. Network gateway spoofing detection and mitigation
CN109660557A (en) * 2019-01-16 2019-04-19 光通天下网络科技股份有限公司 Attack IP portrait generation method, attack IP portrait generating means and electronic equipment
CN111756720A (en) * 2020-06-16 2020-10-09 深信服科技股份有限公司 Targeted attack detection method, apparatus thereof and computer-readable storage medium

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US6513122B1 (en) * 2001-06-29 2003-01-28 Networks Associates Technology, Inc. Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities
CN107733725B (en) * 2017-11-27 2021-01-19 深信服科技股份有限公司 Safety early warning method, device, equipment and storage medium
CN109005181B (en) * 2018-08-10 2021-07-02 深信服科技股份有限公司 Detection method, system and related components for DNS amplification attack
CN110912861B (en) * 2018-09-18 2022-02-15 北京数安鑫云信息技术有限公司 AI detection method and device for deeply tracking group attack behavior
CN110809010B (en) * 2020-01-08 2020-05-08 浙江乾冠信息安全研究院有限公司 Threat information processing method, device, electronic equipment and medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242502A (en) * 2022-07-21 2022-10-25 广东电网有限责任公司 Power system network security risk evaluation method, device, equipment and medium
CN115242502B (en) * 2022-07-21 2024-03-08 广东电网有限责任公司 Method, device, equipment and medium for evaluating network security risk of power system

Also Published As

Publication number Publication date
CN111756720B (en) 2023-03-24
CN111756720A (en) 2020-10-09

Similar Documents

Publication Publication Date Title
WO2021253899A1 (en) Targeted attack detection method and apparatus, and computer-readable storage medium
JP6894003B2 (en) Defense against APT attacks
US7735141B1 (en) Intrusion event correlator
JP5248612B2 (en) Intrusion detection method and system
US9401924B2 (en) Monitoring operational activities in networks and detecting potential network intrusions and misuses
US9438616B2 (en) Network asset information management
CN110213226B (en) Network attack scene reconstruction method and system based on risk full-factor identification association
US20060037077A1 (en) Network intrusion detection system having application inspection and anomaly detection characteristics
US11888882B2 (en) Network traffic correlation engine
Zhang et al. User intention-based traffic dependence analysis for anomaly detection
Avritzer et al. Monitoring for security intrusion using performance signatures
CN112787992A (en) Method, device, equipment and medium for detecting and protecting sensitive data
CN111327601A (en) Abnormal data response method, system, device, computer equipment and storage medium
Hubballi et al. Network specific false alarm reduction in intrusion detection system
Beigh et al. Intrusion detection and prevention system: issues and challenges
CN116827690A (en) DDoS attack and cloud WAF defense method based on distribution type
Kumar et al. Statistical based intrusion detection framework using six sigma technique
CN113055362B (en) Method, device, equipment and storage medium for preventing abnormal behaviors
CN110750795B (en) Information security risk processing method and device
Xue et al. Research of worm intrusion detection algorithm based on statistical classification technology
Zhuang et al. Applying data fusion in collaborative alerts correlation
Zhang et al. Analysis of payload based application level network anomaly detection
US11792209B2 (en) Robust learning of web traffic
CN113660291B (en) Method and device for preventing malicious tampering of intelligent large-screen display information
CN117294517A (en) Network security protection method and system for solving abnormal traffic

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21825677; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21825677; Country of ref document: EP; Kind code of ref document: A1)