CN110311890B - Visualized attack and defense graph generation method and device, computer equipment and storage medium (Google Patents)

Info

Publication number: CN110311890B
Authority: CN (China)
Prior art keywords: attack, longitude, defense, latitude, point
Legal status: Active
Application number: CN201910430525.1A
Other languages: Chinese (zh)
Other versions: CN110311890A
Inventors: 张栋, 唐炳武, 袁志超
Current assignee: Ping An Property and Casualty Insurance Company of China Ltd
Original assignee: Ping An Property and Casualty Insurance Company of China Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention belongs to the field of security monitoring and discloses a visualized attack and defense graph generation method, a visualized attack and defense graph generation device, computer equipment and a storage medium. The method comprises the following steps: acquiring an attack and defense graph generation request, and acquiring each access record of the service system according to the request; determining the access records meeting preset conditions as abnormal access records; acquiring the corresponding attack source IP and attacked point IP based on each abnormal access record; acquiring the longitude and latitude corresponding to the attack source IP and to the attacked point IP; and sending the longitude and latitude of the attack source IP and of the attacked point IP to a business-level data chart, which displays the attack source IP and attacked point IP of each abnormal access record to obtain the attack and defense graph. By locating the attack source and the attacked point and automatically displaying them through the chart, the visual effect of the network attack and defense graph and the efficiency of network security management are improved.

Description

Visualized attack and defense graph generation method and device, computer equipment and storage medium
Technical Field
The invention belongs to the field of security monitoring, and particularly relates to a visualized attack and defense graph generation method, a visualized attack and defense graph generation device, computer equipment and a storage medium.
Background
Network attack and defense mainly refers to the anti-virus technology of computers on one side and the technology for producing destructive viruses on the other. Concretely, attack and defense can be understood as a pair: on one side the hacker, on the other the antivirus software; or on one side the techniques for breaking into a computer system, on the other the techniques for protecting a computer from intrusion.
With the advent of the big-data era, networks have evolved towards intelligence and collaboration, and multi-step combined penetration attacks have become a major form of threat to network security, which poses great difficulties for network security administrators. In recent years in particular, network security problems have become increasingly prominent. To evaluate network security, research and analysis of attack and defense graphs has become one of the main means: performing security analysis of the network with attack and defense graphs improves the ability of a network system to handle emergencies and thereby improves network security.
However, current attack and defense graphs are all produced by hand, so the efficiency is low, the degree of visualization is low, and the current situation and requirements of network attack and defense cannot be met.
Disclosure of Invention
The embodiment of the invention provides a visualized attack and defense graph generation method, a visualized attack and defense graph generation device, computer equipment and a storage medium, which are used for solving the problem that the generation efficiency of the current attack and defense graph is low.
A visualized attack and defense graph generation method comprises the following steps:
acquiring an attack and defense graph generation request, and acquiring each access record of a service system according to the attack and defense graph generation request;
determining the access records meeting preset conditions as abnormal access records;
acquiring a corresponding attack source IP and attacked point IP based on each abnormal access record;
acquiring the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP;
sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph.
A visualized attack and defense graph generating device comprises:
a record acquisition module for acquiring an attack and defense graph generation request and acquiring each access record of the service system according to the request;
an abnormality determining module for determining the access records meeting the preset conditions as abnormal access records;
an attack and defense positioning module for acquiring the corresponding attack source IP and attacked point IP based on each abnormal access record;
a longitude and latitude acquisition module for acquiring the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP;
a chart display module for sending the longitude and latitude of the attack source IP and of the attacked point IP to a business-level data chart, and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph.
A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the above-described visual attack and defense graph generation method when executing the computer program.
A computer readable storage medium storing a computer program which, when executed by a processor, implements the above-described visual attack and defense graph generation method.
In the visualized attack and defense graph generation method, device, computer equipment and storage medium, an attack and defense graph generation request is acquired, each access record of the service system is acquired according to that request, and the access records meeting the preset conditions are determined to be abnormal access records. Then, based on each abnormal access record, the corresponding attack source IP and attacked point IP are acquired, together with the longitude and latitude of each. Finally, the longitude and latitude of the attack source IP and of the attacked point IP are sent to a business-level data chart, which displays the attack source IP and attacked point IP of each abnormal record, yielding the attack and defense graph. Because the attack source and the attacked point are located from the abnormal access records and displayed on a map through the chart tool, the visual effect of the network attack and defense graph is enhanced, defense strategies can be formulated more intuitively from the network attack situation, and both the visual effect of the graph and the efficiency of network security management are improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of the application environment of the visualized attack and defense graph generation method according to an embodiment of the present invention;
FIG. 2 is a flow chart of the visualized attack and defense graph generation method in an embodiment of the present invention;
FIG. 3 is another flow chart of the visualized attack and defense graph generation method in an embodiment of the present invention;
FIG. 4 is another flow chart of the visualized attack and defense graph generation method in an embodiment of the present invention;
FIG. 5 is an example diagram of the arrows in the visualized attack and defense graph generation method in an embodiment of the present invention;
FIG. 6 is another flow chart of the visualized attack and defense graph generation method in an embodiment of the present invention;
FIG. 7 is another flow chart of the visualized attack and defense graph generation method in an embodiment of the present invention;
FIG. 8 is a schematic block diagram of the visualized attack and defense graph generating device according to an embodiment of the present invention;
FIG. 9 is a schematic block diagram of the attack and defense positioning module in the visualized attack and defense graph generating device according to an embodiment of the present invention;
FIG. 10 is a schematic block diagram of the chart display module in the visualized attack and defense graph generating device according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of the computer device according to an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The visualized attack and defense graph generation method provided by the application can be applied in the environment shown in fig. 1, where a client communicates with a server through a network. The server obtains an attack and defense graph generation request through the client and obtains each access record of the service system according to the request; it determines the access records meeting the preset conditions as abnormal access records; then, based on each abnormal access record, it obtains the corresponding attack source IP and attacked point IP, and acquires the longitude and latitude corresponding to each; finally, the longitude and latitude of the attack source IP and of the attacked point IP are sent to a business-level data chart, and the attack source IP and attacked point IP of each abnormal access record are displayed on the client through the chart, yielding the attack and defense graph. The client may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer or portable wearable device. The server may be implemented by a stand-alone server or by a cluster of several servers.
In an embodiment, as shown in fig. 2, a method for generating a visual attack and defense graph is provided, and the method is applied to the server in fig. 1 for illustration, and includes the following steps:
S10: Acquire an attack and defense graph generation request, and acquire each access record of the service system according to the request.
The attack and defense graph is a graph generated according to the network environment of the service system that displays the attack and defense situation of the network. The attack and defense graph generation request is the trigger request for generating that graph for the service system, and can be sent to the server by the client. The service system is a system that executes a specific business, such as a banking system, a certificate-handling system or a shopping system.
When the server receives the request, it obtains each access record of the service system from the database. Optionally, each access record of the service system is stored in the server's database in the form of an access log. When a service system spans a wide range, for example business systems in locations around the world, the access records may be stored in the form of a log cloud (big data).
S20: Determine the access records meeting the preset conditions as abnormal access records.
An abnormal access record is a record of an abnormal login or abnormal access by a user to the service system server. The preset conditions may be an excessively high access frequency, access outside working hours, abnormal IP access and the like; they are set according to actual needs and are not limited here. For example, the access frequency may be compared with a preset frequency threshold, and if it reaches the threshold the server determines that the access record is abnormal; if the access time falls outside working hours, the server determines that the access record is abnormal; if the number of accesses from an abnormal IP exceeds a preset count threshold, or the time taken to transmit the data packets exceeds a preset time threshold, the server determines that the access record is abnormal. It will be appreciated that when the preset condition is some other condition, a corresponding judgment rule may be set, so that access records conforming to the rule are judged abnormal.
Specifically, the server may first parse the data related to the access record, for example parse the access log into its individual fields (such as the source IP address and the destination IP address), then judge whether the parsed fields meet the preset conditions; if an access record meets the preset conditions, it is determined to be an abnormal access record. The server traverses all access records and determines all those meeting the preset conditions as abnormal access records.
Optionally, the server may store the abnormal access records in a preset database so that they can later be sent to the client and displayed through the client's chart tool. The preset database may be a PostgreSQL database or another type of database, which is not limited here.
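The following is an added example (not code from the patent) of step S20: it parses constructed access-log lines into fields and applies the three preset conditions named above as separate rules, each with an assumed threshold value.

```python
"""Flag abnormal access records from a service-system access log (step S20).

Added example, not from the patent. The log lines and every threshold are
constructed; the three preset conditions named in the text (excessive
frequency, off-hours access, abnormal-IP access) are separate rules so each
can be tuned or replaced without touching the others.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: timestamp, source IP, destination IP, transfer ms.
SAMPLE_LOG = """\
2019-05-20T09:00:01 203.0.113.7 10.0.0.5 40
2019-05-20T09:00:02 203.0.113.7 10.0.0.5 38
2019-05-20T09:00:03 203.0.113.7 10.0.0.5 41
2019-05-20T09:00:04 203.0.113.7 10.0.0.5 39
2019-05-20T10:15:00 198.51.100.2 10.0.0.5 50
2019-05-20T02:30:00 198.51.100.9 10.0.0.6 45
2019-05-20T02:31:00 198.51.100.9 10.0.0.6 47
2019-05-20T11:00:00 192.0.2.44 10.0.0.5 12000
"""

# Assumed thresholds; the patent leaves their values to "actual needs".
FREQ_THRESHOLD = 3             # requests from one source within one minute
WORK_HOURS = (time(8, 0), time(20, 0))
ABNORMAL_IP_COUNT = 1          # accesses from a known-abnormal IP beyond this
TRANSFER_MS_THRESHOLD = 5000   # packet transfer time beyond this
KNOWN_ABNORMAL_IPS = {"198.51.100.9"}   # assumed list of abnormal IPs


def parse_log(text):
    """Split each raw line into the fields the later steps use."""
    records = []
    for line in text.splitlines():
        ts, src, dst, ms = line.split()
        records.append({"time": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "transfer_ms": int(ms)})
    return records


def minute_key(record):
    """Bucket key for the per-minute frequency count of one source IP."""
    return record["src"], record["time"].replace(second=0, microsecond=0)


def classify(records):
    """Return the records meeting at least one preset condition, each tagged
    with the reasons it was flagged: the server-side traversal of step S20."""
    per_minute = defaultdict(int)
    abnormal_ip_hits = defaultdict(int)
    for r in records:
        per_minute[minute_key(r)] += 1
        if r["src"] in KNOWN_ABNORMAL_IPS:
            abnormal_ip_hits[r["src"]] += 1

    flagged = []
    for r in records:
        reasons = []
        if per_minute[minute_key(r)] >= FREQ_THRESHOLD:
            reasons.append("high_frequency")
        if not WORK_HOURS[0] <= r["time"].time() < WORK_HOURS[1]:
            reasons.append("off_hours")
        if (abnormal_ip_hits[r["src"]] > ABNORMAL_IP_COUNT
                or r["transfer_ms"] > TRANSFER_MS_THRESHOLD):
            reasons.append("abnormal_ip")
        if reasons:
            flagged.append({**r, "reasons": reasons})
    return flagged


def abnormal_records(text=SAMPLE_LOG):
    """Parse and classify in one call; returns the abnormal access records."""
    return classify(parse_log(text))


if __name__ == "__main__":
    for r in abnormal_records():
        print(r["time"].isoformat(), r["src"], "->", r["dst"], r["reasons"])
```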
S30: Acquire the corresponding attack source IP and attacked point IP based on each abnormal access record.
IP refers to an Internet Protocol address; the attack source IP is the IP from which the service system is attacked, and the attacked point IP is the IP of the service system that is specifically attacked.
If the server determines that an access record is abnormal, it obtains the access log corresponding to that record and extracts the attack source IP and the attacked point IP from the field contents of the log. For example, if the server reads the "source IP address" and "destination IP address" fields of the access log, it obtains the attack source IP and the attacked point IP corresponding to the abnormal access record.
S40: Acquire the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP.
Optionally, after the server obtains the attack source IP and the attacked point IP, it may query a map database, locally or over the internet, to obtain the longitude and latitude corresponding to each.
Specifically, this can be realized through the IP-to-longitude-and-latitude conversion API provided by Baidu: the server submits the attack source IP and the attacked point IP to the API and receives the longitude and latitude corresponding to each. Alternatively, the conversion of IP addresses into longitude and latitude can be provided by Logstash itself or by the GeoIP service provided by MaxMind; both are used in the same way as the Baidu API. Optionally, a database mapping IPs to longitude and latitude may be preset on the server, and the server then looks up the longitude and latitude of the attack source IP and of the attacked point IP in that database.
S50: Send the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and display the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph.
The business-level data chart (Enterprise Charts, ECharts for short) is a pure JavaScript chart library that provides intuitive, vivid, interactive and highly customizable data visualization charts. In a specific embodiment, the attack source IP and the attacked point IP may also be displayed by other tools capable of displaying charts, and the invention is not limited in this respect.
In this embodiment the ECharts chart is displayed on the client. Specifically, the server sends the longitude and latitude of the attack source IP and of the attacked point IP to the ECharts chart of the client; the chart locates the positions corresponding to those coordinates on the map and displays them with a certain shape (for example a point, circle, triangle or square) and color (for example yellow, red or orange), which yields the attack and defense graph. Optionally, the client may be a front end, meaning the foreground part of a website: the web page displayed to the user for browsing when run in a browser on a PC, mobile device or the like. The network security administrator can log in at the front end to view the attack and defense graph generated through the ECharts chart. The display may be on a map of the world or, according to actual needs, on a map of an appropriate area, for example a map of a certain country or region, which is not limited here.
In a specific embodiment, the attack and defense graph generated through the ECharts chart can also be displayed on a monitoring terminal connected to the server, so that a network manager can view the graph through the monitoring terminal to check the state of network attacks.
In the embodiment corresponding to fig. 2, an attack and defense graph generation request is acquired, each access record of the service system is acquired according to that request, and the access records meeting the preset conditions are determined to be abnormal access records. Then, based on each abnormal access record, the corresponding attack source IP and attacked point IP are acquired, together with the longitude and latitude of each. Finally, the longitude and latitude of the attack source IP and of the attacked point IP are sent to a business-level data chart, which displays the attack source IP and attacked point IP of each abnormal record, yielding the attack and defense graph. Because the attack source and the attacked point are located from the abnormal access records and displayed on a map through the chart tool, the visual effect of the network attack and defense graph is enhanced, defense strategies can be formulated more intuitively from the network attack situation, and both the visual effect of the graph and the efficiency of network security management are improved.
In an embodiment, as shown in fig. 3, in step S30, the longitude and latitude corresponding to each attack source IP and attacked point IP are obtained by the following steps:
S31: Convert each attack source IP and attacked point IP into an integer value.
An IP is a logical address in a uniform format that the IP protocol assigns to each host and each network on the internet, typically written in dotted decimal notation, for example 123.125.0.236. Specifically, the process of converting an IP address into an integer value is:
(1) Split the IP address at the dots into four small integers; for example, 123.125.0.236 becomes 123, 125, 0 and 236.
(2) Convert each small integer to binary; for example, 123, 125, 0 and 236 become:
the first segment: 123 converts to binary 01111011;
the second segment: 125 converts to binary 01111101;
the third segment: 0 converts to binary 00000000;
the fourth segment: 236 converts to binary 11101100.
(3) Concatenate the binary values of the four segments in the original order of the IP; for example, the binary values of 123.125.0.236 concatenate to 01111011011111010000000011101100, a thirty-two-bit value.
(4) Convert the resulting thirty-two-bit value to an integer; for example, 01111011011111010000000011101100 converts to the integer 2071789804.
S32: Match the attack source IP and attacked point IP converted into integer values against a preset IP address database to obtain the longitude and latitude of each attack source IP and attacked point IP.
Optionally, the preset IP address database is a database covering the IP addresses of countries around the world, including the IP network segments allocated to each country and their corresponding longitudes and latitudes, for example: latitude, longitude, starting IP address, ending IP address, the integer value corresponding to the starting IP address, and so on. The IP addresses of the countries of the world may be collected manually and stored in the server's database as the IP address database. Storing the world's IP addresses in the server's database may mean storing them in a Hive table.
Specifically, the server matches the integer value of each converted IP against the preset IP address database and obtains the longitude and latitude of each attack source IP and attacked point IP from the matching result.
In the embodiment corresponding to fig. 3, the longitude and latitude of each attack source IP and attacked point IP are obtained by converting each IP into an integer value and then matching the integer values against a preset IP address database. Converting IP addresses into integers makes the IP address database easier to manage uniformly, so the longitude and latitude of an attack source IP and of an attacked point IP can be looked up conveniently; this provides the data support for generating the visualized attack and defense graph and improves the efficiency of its generation.
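An added example (not the patent's code) of steps S31 and S32: the four-step dotted-decimal-to-integer conversion above, its inverse, and a range lookup against a small constructed IP-range table sorted by starting integer, which stands in for the server-side database.

```python
"""Convert dotted-decimal IPv4 addresses to integers (S31) and look them up
in an IP-range table holding latitude/longitude (S32).

Added example, not from the patent. The range table is constructed for
illustration; a real deployment would load it from the server's database.
"""
import bisect


def ip_to_int(ip):
    """Steps (1)-(4) of the text: split on dots, convert each octet to an
    8-bit binary string, concatenate to 32 bits, and read as an integer."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip!r}")
    bits = ""
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        bits += format(n, "08b")          # e.g. 123 -> '01111011'
    return int(bits, 2)


def int_to_ip(n):
    """Inverse conversion, useful when reading ranges back out of the table."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


# Constructed range table: (start_ip, end_ip, latitude, longitude, label).
# Ranges must not overlap; GeoTable sorts them by starting integer.
RANGE_TABLE = [
    ("123.125.0.0", "123.125.255.255", 39.9042, 116.4074, "Beijing (constructed)"),
    ("203.0.113.0", "203.0.113.255", 40.7128, -74.0060, "New York (constructed)"),
    ("198.51.100.0", "198.51.100.255", -23.5505, -46.6333, "Brazil (constructed)"),
]


class GeoTable:
    """IP-range table indexed by start integer; each lookup is a binary search."""

    def __init__(self, rows):
        rows = sorted(((ip_to_int(s), ip_to_int(e), lat, lon, label)
                       for s, e, lat, lon, label in rows), key=lambda r: r[0])
        self.starts = [r[0] for r in rows]
        self.rows = rows

    def lookup(self, ip):
        """Return (latitude, longitude) for ip, or None if no range covers it."""
        n = ip_to_int(ip)
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2], self.rows[i][3]
        return None


def locate_pair(table, attack_src, attacked_pt):
    """Step S32 for one abnormal record: coordinates of both endpoints."""
    return table.lookup(attack_src), table.lookup(attacked_pt)


if __name__ == "__main__":
    table = GeoTable(RANGE_TABLE)
    print(ip_to_int("123.125.0.236"))
    print(locate_pair(table, "198.51.100.9", "123.125.0.236"))
```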
In an embodiment, as shown in fig. 4, step S50 (sending the longitude and latitude of the attack source IP and of the attacked point IP to the business-level data chart, and displaying the attack source IP and attacked point IP of each abnormal access record through the chart to obtain the attack and defense graph) specifically includes the following steps:
S51: Display the attack source IP and attacked point IP of each abnormal access record through preset shape symbols.
The preset shape symbol may be a dot, circle, triangle, square or the like, which is not limited here.
Alternatively, the server may assign the attack source IP and the attacked point IP the same preset shape symbol, for example both as dots. Alternatively, to distinguish the attack source IP from the attacked point IP, the server may assign them different shape symbols when the world map is displayed, for example a dot for the attack source IP and a triangle for the attacked point.
Optionally, when the server displays the longitude and latitude of the attack source IP and of the attacked point IP through the ECharts chart, they may be displayed on a map of the world or, according to actual needs, on a map of a country or region, which is not limited here.
S52: Display the attack source IP and attacked point IP of each abnormal access record through preset colors.
The preset color may be red, green, blue, orange, purple or the like.
Alternatively, the server may assign the attack source IP and the attacked point IP the same preset color, for example both blue. To further distinguish them, the server may assign different preset colors when displaying the world map, for example blue for the attack source IP and green for the attacked point. Preferably, to match people's visual habits, the attack source IP is set to red, an attacked point is displayed in yellow to indicate that it is under attack, and a normal point (one not under attack) is displayed in green.
Further, if there are two or more attack source IPs, they may be set to the same preset color, indicating that a certain attacked point is being attacked by all the attack source IPs of that color.
S53: Point the attack source IP to the attacked point IP.
Optionally, the server draws an arrow from the attack source IP to the attacked point IP to display the attack route. For example, if the attack source IP is in the United States and the attacked point IP is in Shenzhen, the arrow points from the United States to Shenzhen, meaning that an IP in the United States is attacking the service system server in Shenzhen.
It will be understood that if the attack and defense graph contains many attack source IPs and many attacked point IPs, drawing a full arrow for each makes the arrows cross each other and hard to read. Therefore, as shown in fig. 5, short arrows may be displayed around each attacked point IP, with the position of each attack source IP indicated alongside, which shows where the attack on that IP is coming from. Fig. 5 shows the attacked point Shenzhen with three attack source IPs, in New York, Japan and Brazil respectively, where extending the far end of each arrow would meet the location of the corresponding attack source IP.
In the embodiment corresponding to fig. 4, the attack source IP and attacked point IP of each abnormal access record are displayed through a preset shape symbol and a preset color, and the attack source IP is pointed to the attacked point. Displaying the attack source and the attacked point on the map with preset shape symbols and colors raises the degree of visualization of the attack and defense graph, so that security-management countermeasures can be carried out more effectively.
In an embodiment, as shown in fig. 6, step S50 (sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph) may further include the following steps:
S51': judging whether the number of attacks of the attack source IP reaches a preset count threshold.
Optionally, the number of attacks of an attack source IP may be counted by a preset unit time interval: activity within one unit of time counts as one attack, and activity that extends beyond the unit counts as the next attack. For example, with a unit of 10 min, an attack lasting up to 10 min counts as one attack, and if the attack from one source lasts longer than 10 min, for example 18 min, that source is counted as 2 attacks. Optionally, different types of abnormal access may each be counted as one attack, for example the high-frequency access and the IP exception access of the attack source IP each count as one attack, so that the number of attacks reflects several abnormal states of the attack source IP.
The preset count threshold may be set according to the actual situation, for example 10, 50 or 100, and is not limited here.
Specifically, the server obtains the number of attacks of the attack source IP, compares it with the preset count threshold, and judges whether the number of attacks reaches the threshold.
S52': if the number of attacks of the attack source IP reaches the preset count threshold, highlighting the preset shape symbol of the attack source IP.
Optionally, highlighting the preset shape symbol of the attack source IP may include at least one form of highlighting such as thickening, enlarging or changing the color of the symbol. For example, if the preset shape symbol of the attack source IP is a circle, the circle may be drawn with a thicker line, enlarged by a certain proportion, animated growing from small to large, or have its original preset color replaced by another color or a darker shade; this indicates that the number of attacks of the attack source IP has reached the preset count threshold and attention is needed. Optionally, besides highlighting the preset shape symbol, the server may send corresponding warning information to the client so that the network manager can respond to the attack source IP, for example "the number of attacks from Japan on Shenzhen is too large; immediate handling is requested".
Optionally, an attack source that has reached the preset count may be marked with another shape symbol, for example an additional red circle drawn around it, as the highlighted form.
Specifically, if the judgment result is that the number of attacks of the attack source IP reaches the preset count, the server sends a corresponding chart display instruction to the ECharts chart so that the preset shape symbol of the attack source IP is highlighted on the map. Alternatively, a highlight rule may be configured in the ECharts chart in advance; when the number of attacks of the attack source IP reaches the preset count, the server triggers the highlight rule in the ECharts chart so that the attack source IP is highlighted on the map.
In the embodiment corresponding to fig. 6, it is judged whether the number of attacks of the attack source IP reaches the preset count threshold, and if so the preset shape symbol of the attack source IP is highlighted. Highlighting the attack source IPs with the most attacks effectively reminds the network security manager to handle those attack source IPs specifically, improving the visual effect of the attack and defense graph and the efficiency of network security work.
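The counting rule of S51' and the highlight decision of S52', carried through as an added Python example (not code from the patent): abnormal access records are grouped into attacks by the 10 min unit interval, counted per attack source IP, compared with a count threshold, and turned into enlarged and recolored symbol settings plus a warning message. The record format, the threshold of 3, the symbol sizes and colors and the sample records are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

UNIT = timedelta(minutes=10)   # preset unit time interval from the page's example
THRESHOLD = 3                  # preset count threshold; an assumption for this example


class AbnormalAccess(NamedTuple):
    """One abnormal access record (constructed format, not the patent's schema)."""
    timestamp: datetime
    source_ip: str
    target_ip: str


def count_attacks(times: List[datetime], unit: timedelta) -> int:
    """Group a source's abnormal access times into attacks: a record within
    `unit` of the current attack's first record belongs to that attack; a
    record further away starts the next one. Activity spanning 18 min with a
    10 min unit therefore counts as 2 attacks, as in the page's example."""
    count = 0
    attack_start = None
    for t in sorted(times):
        if attack_start is None or t - attack_start > unit:
            count += 1
            attack_start = t
    return count


def attack_counts(records: List[AbnormalAccess], unit: timedelta = UNIT) -> Dict[str, int]:
    """Number of attacks per attack source IP."""
    per_source: Dict[str, List[datetime]] = defaultdict(list)
    for rec in records:
        per_source[rec.source_ip].append(rec.timestamp)
    return {ip: count_attacks(ts, unit) for ip, ts in per_source.items()}


def highlight_instructions(records, unit=UNIT, threshold=THRESHOLD, base_size=8):
    """Per-source display settings for the preset shape symbol: a source whose
    count reaches the threshold is enlarged and recolored (two of the highlight
    forms named in S52') and gets warning text for the client."""
    targets = {}
    for rec in records:
        targets.setdefault(rec.source_ip, rec.target_ip)
    out = {}
    for ip, n in attack_counts(records, unit).items():
        hit = n >= threshold
        out[ip] = {
            "attacks": n,
            "highlight": hit,
            "symbolSize": base_size * 2 if hit else base_size,   # enlarge
            "color": "darkred" if hit else "red",                # darken
            "warning": (f"the number of attacks from {ip} on {targets[ip]} is too large; "
                        "immediate handling is requested") if hit else None,
        }
    return out


def _t(hh_mm: str) -> datetime:
    return datetime.strptime(f"2020-01-01 {hh_mm}", "%Y-%m-%d %H:%M")


# Constructed sample records: one source active for 18 min (2 attacks) and one
# that returns every 11 min, which gives four separate attacks.
SAMPLE_RECORDS = [
    AbnormalAccess(_t("09:00"), "198.51.100.5", "203.0.113.10"),
    AbnormalAccess(_t("09:04"), "198.51.100.5", "203.0.113.10"),
    AbnormalAccess(_t("09:18"), "198.51.100.5", "203.0.113.10"),
    AbnormalAccess(_t("09:00"), "192.0.2.77", "203.0.113.10"),
    AbnormalAccess(_t("09:11"), "192.0.2.77", "203.0.113.10"),
    AbnormalAccess(_t("09:22"), "192.0.2.77", "203.0.113.10"),
    AbnormalAccess(_t("09:33"), "192.0.2.77", "203.0.113.10"),
]

if __name__ == "__main__":
    for ip, info in highlight_instructions(SAMPLE_RECORDS).items():
        print(ip, info)
```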
In an embodiment, as shown in fig. 7, after step S50 (sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to the business-level data chart, displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart, and obtaining the attack and defense graph), the visualized attack and defense graph generation method provided in this embodiment further includes the following steps:
S61: acquiring a new attack source IP and a new attacked point IP based on a preset time interval.
The preset time interval may be set according to actual needs, for example 10 min, 20 min or 30 min, and is not limited here.
Specifically, at each preset time interval the server acquires from the database the abnormal access records that occurred within that interval, and obtains the new attack source IP and the new attacked point IP from those records. Optionally, because the abnormal access records are stored in the preset database, the server may instead configure a push rule, that is, the abnormal access records are pushed from the preset database to the server at the preset time interval, and the server then obtains the new attack source IP and the new attacked point IP from the pushed records.
S62: acquiring the longitude and latitude of the new attack source IP and the longitude and latitude of the new attacked point IP.
Specifically, the server matches the acquired new attack source IP and new attacked point IP against the IP address database to obtain their longitude and latitude.
S63: sending the longitude and latitude of the new attack source IP and the longitude and latitude of the new attacked point IP to the business-level data chart, and displaying the new attack source IP and the new attacked point IP through the business-level data chart to obtain an updated attack and defense graph.
It should be understood that when the longitude and latitude of the new attack source IP and the new attacked point IP are sent to the ECharts chart, the server may overwrite the longitude and latitude information of the original attack source IP and original attacked point IP with that of the new attack source IP and new attacked point IP, that is, only the new attack source IP and new attacked point IP are displayed on the ECharts chart, giving the updated attack and defense graph.
Optionally, if the new attacked point IP is the same as the original attacked point IP but the attack source IP has changed, the server may keep displaying the original attack source IP on the world map in the updated attack and defense graph and change its color to another color, for example gray. Optionally, the original attack source IP and the new attack source IP may be connected by an arrow so that the change of attack source IP is reflected more intuitively. For example, if the original attack source IP is in New York and the new attack source IP is in Los Angeles, the arrow points from New York to Los Angeles, indicating that the attack source IP has changed from New York to Los Angeles. Alternatively, when one attacked point IP corresponds to two or more attack source IPs and the attack source IPs change, the direction of the arrow may be determined by country or by proximity. Continuing the example above, because New York and Los Angeles both belong to the United States, it can be determined that the arrow should point from New York to Los Angeles. The shape, line thickness and color of these arrows may differ from those of the arrows pointing from an attack source to an attacked point, so that the two kinds can be told apart.
In the embodiment corresponding to fig. 7, a new attack source IP and a new attacked point IP are acquired based on the preset time interval, their longitude and latitude are acquired and sent to the business-level data chart, and the new attack source IP and new attacked point IP are displayed through the business-level data chart to obtain the updated attack and defense graph. Acquiring and displaying the new attack source and the new attacked point at the preset time interval lets the attack and defense graph reflect changes of attack source and attacked point more intuitively, shows the real-time attack and defense state, and improves the visualization effect of the attack and defense graph and the efficiency of network security management.
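The update rules of S61 to S63 together with the optional gray-out and change-arrow handling above, as an added Python example that is not the patent's own code: only the new source/target pairs are displayed; for an attacked point present in both snapshots, an original source that disappeared is kept in gray and linked by a change arrow to a new source, preferring one in the same country. The country attribute, the styles and the sample points are assumptions constructed for this example.

```python
from typing import Dict, List, NamedTuple, Tuple


class Located(NamedTuple):
    """A geolocated IP; `country` is an assumption used only for arrow direction."""
    ip: str
    longitude: float
    latitude: float
    country: str


class Edge(NamedTuple):
    """One displayed attack: attack source IP -> attacked point IP."""
    source: Located
    target: Located


def update_graph(previous: List[Edge], current: List[Edge]) -> dict:
    """Build the updated attack and defense graph from the previous and the
    newly acquired edges. Only `current` edges are drawn as attack arrows (S63);
    for a target seen in both snapshots, each original source that is no longer
    attacking it is grayed out and joined to a new source by a change arrow."""
    prev_by_target: Dict[str, List[Located]] = {}
    for e in previous:
        prev_by_target.setdefault(e.target.ip, []).append(e.source)
    cur_by_target: Dict[str, List[Located]] = {}
    for e in current:
        cur_by_target.setdefault(e.target.ip, []).append(e.source)

    grayed: List[str] = []
    change_arrows: List[Tuple[str, str]] = []
    for target_ip, new_sources in cur_by_target.items():
        old_sources = prev_by_target.get(target_ip, [])
        old_ips = {s.ip for s in old_sources}
        new_ips = {s.ip for s in new_sources}
        # sources that appeared in this update are the candidates an old
        # source may have "moved" to
        arrived = [s for s in new_sources if s.ip not in old_ips]
        for old in old_sources:
            if old.ip in new_ips:
                continue                     # still attacking; nothing to mark
            grayed.append(old.ip)
            # direction old -> new; with several candidates prefer the same
            # country (the page's New York -> Los Angeles rule)
            same_country = [s for s in arrived if s.country == old.country]
            pick = same_country or arrived
            if pick:
                change_arrows.append((old.ip, pick[0].ip))
    return {
        "attack_arrows": [(e.source.ip, e.target.ip) for e in current],
        "grayed_sources": grayed,
        "change_arrows": change_arrows,
        # distinct style for the change arrows so the two kinds are told apart
        "styles": {"attack_arrow": {"color": "red", "width": 2, "type": "solid"},
                   "change_arrow": {"color": "gray", "width": 1, "type": "dashed"}},
    }


# Constructed sample points (documentation address ranges, illustrative coordinates)
NEW_YORK = Located("198.51.100.5", -74.01, 40.71, "US")
LOS_ANGELES = Located("198.51.100.9", -118.24, 34.05, "US")
TOKYO = Located("192.0.2.20", 139.69, 35.69, "JP")
SHENZHEN = Located("203.0.113.10", 114.06, 22.54, "CN")

SAMPLE_PREVIOUS = [Edge(NEW_YORK, SHENZHEN), Edge(TOKYO, SHENZHEN)]
SAMPLE_CURRENT = [Edge(LOS_ANGELES, SHENZHEN), Edge(TOKYO, SHENZHEN)]

if __name__ == "__main__":
    print(update_graph(SAMPLE_PREVIOUS, SAMPLE_CURRENT))
```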
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the order in which each process is executed should be determined by its function and internal logic, and does not limit the implementation of the embodiments of the present invention.
In an embodiment, a visualized attack and defense graph generating device is provided, which corresponds one-to-one to the visualized attack and defense graph generation method of the above embodiments. As shown in fig. 8, the visualized attack and defense graph generating device includes a record acquisition module 10, an anomaly determination module 20, an attack and defense positioning module 30, a longitude and latitude acquisition module 40 and a graph display module 50. The functional modules are described in detail as follows:
the record acquisition module 10, configured to acquire an attack and defense graph generation request and acquire each access record of the service system according to the attack and defense graph generation request;
the anomaly determination module 20, configured to determine the access records meeting a preset condition as abnormal access records;
the attack and defense positioning module 30, configured to obtain the corresponding attack source IP and attacked point IP based on each abnormal access record;
the longitude and latitude acquisition module 40, configured to obtain the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP;
the graph display module 50, configured to send the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and display the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph.
Further, as shown in fig. 9, the attack and defense positioning module 30 includes a numerical conversion unit 31 and an address matching unit 32:
the numerical conversion unit 31, configured to convert each of the attack source IP and the attacked point IP into an integer value;
the address matching unit 32, configured to match the attack source IP and the attacked point IP converted into integer values against a preset IP address database to obtain the longitude and latitude of each attack source IP and the longitude and latitude of each attacked point IP.
Further, as shown in fig. 10, the graph display module 50 includes a shape display unit 51, a color display unit 52 and a direction indication unit 53:
the shape display unit 51, configured to display the attack source IP and the attacked point IP of each abnormal access record with a preset shape symbol;
the color display unit 52, configured to display the attack source IP and the attacked point IP of each abnormal access record with a preset color;
the direction indication unit 53, configured to direct the attack source IP to the attacked point IP.
Further, the graph display module 50 is further configured to:
judge whether the number of attacks of the attack source IP reaches a preset count threshold;
and if the number of attacks of the attack source IP reaches the preset count threshold, highlight the preset shape symbol of the attack source IP.
Further, the visualized attack and defense graph generating device provided in this embodiment further includes a graph updating module, which is configured to:
acquire a new attack source IP and a new attacked point IP based on a preset time interval;
acquire the longitude and latitude of the new attack source IP and the longitude and latitude of the new attacked point IP;
and send the longitude and latitude of the new attack source IP and the longitude and latitude of the new attacked point IP to the business-level data chart, and display the new attack source IP and the new attacked point IP through the business-level data chart to obtain an updated attack and defense graph.
For the specific limitations of the visualized attack and defense graph generating device, reference may be made to the limitations of the visualized attack and defense graph generation method above, which are not repeated here. The modules in the visualized attack and defense graph generating device may be implemented wholly or partly in software, in hardware, or in a combination of the two. The modules may be embedded in hardware in, or be independent of, the processor of the computer device, or may be stored as software in the memory of the computer device, so that the processor can call and execute the operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server and whose internal structure may be as shown in fig. 11. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database. The internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The database of the computer device stores the access records, the longitude and latitude of the attack source IPs and attacked points, the IP address database, and so on. The network interface of the computer device communicates with external terminals over a network connection. The computer program, when executed by the processor, implements the visualized attack and defense graph generation method.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the following steps when executing the computer program:
acquiring an attack and defense graph generation request, and acquiring each access record of the service system according to the attack and defense graph generation request;
determining the access records meeting preset conditions as abnormal access records;
acquiring the corresponding attack source IP and attacked point IP based on each abnormal access record;
acquiring the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP;
and sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph.
In one embodiment, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, performs the following steps:
acquiring an attack and defense graph generation request, and acquiring each access record of the service system according to the attack and defense graph generation request;
determining the access records meeting preset conditions as abnormal access records;
acquiring the corresponding attack source IP and attacked point IP based on each abnormal access record;
acquiring the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP;
and sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, performs the steps of the method embodiments described above. Any reference to memory, storage, a database or another medium in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM), among others.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above division into functional units and modules is illustrated; in practical application the above functions may be assigned to different functional units and modules as needed, that is, the internal structure of the device may be divided into different functional units or modules to perform all or part of the functions described above.
The above embodiments are only for illustrating the technical solution of the present invention, not for limiting it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention and are intended to be included within its scope.

Claims (8)

1. A visualized attack and defense graph generation method, characterized by comprising the following steps:
acquiring an attack and defense graph generation request, and acquiring each access record of a service system according to the attack and defense graph generation request;
determining the access records meeting preset conditions as abnormal access records;
acquiring a corresponding attack source IP and attacked point IP based on each abnormal access record;
acquiring the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP;
sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph;
wherein acquiring the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP includes:
converting each of the attack source IP and the attacked point IP into an integer value;
matching the attack source IP and the attacked point IP converted into integer values against a preset IP address database to obtain the longitude and latitude of each attack source IP and the longitude and latitude of each attacked point IP;
and wherein converting each of the attack source IP and the attacked point IP into an integer value includes:
dividing the IP address of each attack source IP and attacked point IP at the dots into four segment integers, converting each segment integer into binary, concatenating the binary values of the four segments in the original IP order to obtain a thirty-two-bit value, and converting the obtained thirty-two-bit value into an integer value.
2. The visualized attack and defense graph generation method according to claim 1, wherein sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph, includes:
displaying the attack source IP and the attacked point IP of each abnormal access record with a preset shape symbol;
displaying the attack source IP and the attacked point IP of each abnormal access record with a preset color;
and directing the attack source IP to the attacked point IP.
3. The visualized attack and defense graph generation method according to claim 2, wherein sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph, further includes:
judging whether the number of attacks of the attack source IP reaches a preset count threshold;
and if the number of attacks of the attack source IP reaches the preset count threshold, highlighting the preset shape symbol of the attack source IP.
4. The visualized attack and defense graph generation method according to claim 3, wherein after sending the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart and displaying the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart, the visualized attack and defense graph generation method further includes:
acquiring a new attack source IP and a new attacked point IP based on a preset time interval;
acquiring the longitude and latitude of the new attack source IP and the longitude and latitude of the new attacked point IP;
and sending the longitude and latitude of the new attack source IP and the longitude and latitude of the new attacked point IP to the business-level data chart, and displaying the new attack source IP and the new attacked point IP through the business-level data chart to obtain an updated attack and defense graph.
5. A visualized attack and defense graph generating device, characterized by comprising:
a record acquisition module, configured to acquire an attack and defense graph generation request and acquire each access record of the service system according to the attack and defense graph generation request;
an anomaly determination module, configured to determine the access records meeting a preset condition as abnormal access records;
an attack and defense positioning module, configured to acquire a corresponding attack source IP and attacked point IP based on each abnormal access record;
a longitude and latitude acquisition module, configured to acquire the longitude and latitude corresponding to the attack source IP and the longitude and latitude corresponding to the attacked point IP;
a graph display module, configured to send the longitude and latitude of the attack source IP and the longitude and latitude of the attacked point IP to a business-level data chart, and display the attack source IP and the attacked point IP of each abnormal access record through the business-level data chart to obtain the attack and defense graph;
wherein the attack and defense positioning module comprises a numerical conversion unit and an address matching unit;
the numerical conversion unit is configured to convert each attack source IP and each attacked point IP into an integer value;
the address matching unit is configured to match the attack source IP and the attacked point IP converted into integer values against a preset IP address database to obtain the longitude and latitude of each attack source IP and the longitude and latitude of each attacked point IP;
and the numerical conversion unit is further configured to divide the IP address of each attack source IP and attacked point IP at the dots into four segment integers, convert each segment integer into binary, concatenate the binary values of the four segments in the original IP order to obtain a thirty-two-bit value, and convert the obtained thirty-two-bit value into an integer value.
6. The visualized attack and defense graph generating device according to claim 5, wherein the graph display module comprises a shape display unit, a color display unit and a direction indication unit;
the shape display unit is configured to display the attack source IP and the attacked point IP of each abnormal access record with a preset shape symbol;
the color display unit is configured to display the attack source IP and the attacked point IP of each abnormal access record with a preset color;
and the direction indication unit is configured to direct the attack source IP to the attacked point IP.
7. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the visualized attack and defense graph generation method according to any one of claims 1 to 4 when executing the computer program.
8. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the visualized attack and defense graph generation method according to any one of claims 1 to 4.
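The conversion of claim 1 (dotted address split into four segments, each written in binary, concatenated to a thirty-two-bit value, read as an integer) together with the address matching unit's lookup against a preset IP address database, as an added Python example rather than code from the patent. The database row format, the sample ranges and their coordinates are constructed for this example; a real IP address database would supply its own ranges.

```python
import bisect
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    """Convert a dotted-quad IPv4 address to its 32-bit integer value by the
    route described in claim 1: split at the dots, write each segment as an
    8-bit binary string, concatenate in the original order, read as an integer."""
    parts = ip.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    binary = ""
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"invalid segment in {ip!r}")
        # zero-pad each segment to 8 bits so the concatenation is exactly 32 bits
        binary += format(int(part), "08b")
    return int(binary, 2)


@dataclass(frozen=True)
class IpRange:
    """One row of the preset IP address database (constructed row format)."""
    start: int        # first address of the range, as an integer
    end: int          # last address of the range, inclusive
    longitude: float
    latitude: float
    label: str


class IpAddressDatabase:
    """Preset IP address database: non-overlapping integer ranges sorted by
    start, so matching a converted address is a binary search."""

    def __init__(self, ranges: List[IpRange]):
        self._ranges = sorted(ranges, key=lambda r: r.start)
        self._starts = [r.start for r in self._ranges]

    def lookup(self, ip: str) -> Optional[Tuple[float, float]]:
        """Return (longitude, latitude) of the range containing ip, or None
        when the database does not cover the address."""
        value = ip_to_int(ip)
        idx = bisect.bisect_right(self._starts, value) - 1
        if idx >= 0 and self._ranges[idx].start <= value <= self._ranges[idx].end:
            return (self._ranges[idx].longitude, self._ranges[idx].latitude)
        return None


# Constructed sample database using documentation address ranges; the
# coordinates are illustrative, not taken from any real geolocation product.
SAMPLE_DB = IpAddressDatabase([
    IpRange(ip_to_int("203.0.113.0"), ip_to_int("203.0.113.255"),
            114.06, 22.54, "Shenzhen (constructed)"),
    IpRange(ip_to_int("198.51.100.0"), ip_to_int("198.51.100.127"),
            -74.01, 40.71, "New York (constructed)"),
])


def locate_record(db: IpAddressDatabase, source_ip: str, target_ip: str) -> dict:
    """Longitude/latitude for one abnormal access record's attack source IP and
    attacked point IP; a value of None marks an address the database lacks."""
    return {"source": db.lookup(source_ip), "target": db.lookup(target_ip)}


if __name__ == "__main__":
    print(ip_to_int("192.168.1.1"))                                # 3232235777
    print(locate_record(SAMPLE_DB, "198.51.100.5", "203.0.113.10"))
```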
CN201910430525.1A 2019-05-22 2019-05-22 Visualized attack and defense graph generation method and device, computer equipment and storage medium Active CN110311890B (en)

Publications (2)

Publication Number Publication Date
CN110311890A CN110311890A (en) 2019-10-08
CN110311890B true CN110311890B (en) 2023-06-27

Family

ID=68074897


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant