CN111526135A - Network activity data backtracking method and device - Google Patents


Info

Publication number
CN111526135A
Authority
CN
China
Prior art keywords
network activity
activity data
data
host
authority
Legal status
Pending
Application number
CN202010293968.3A
Other languages
Chinese (zh)
Inventor
冯林
崔翔
王忠儒
甘蕊灵
冀甜甜
Current Assignee
Beijing Digapis Technology Co ltd
Original Assignee
Beijing Digapis Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/953 Querying, e.g. by the use of web search engines
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a backtracking method and a backtracking device for network activity data. The method comprises the following steps: acquiring and storing the network activity data of each host, where the network activity data comprises all network data acquired by each host in real time while it is running; when any one of the hosts is attacked, extracting the network activity data of the attacked host; when a retrieval keyword associated with the attacked host is received, searching the network activity data of the attacked host for target network activity data according to the retrieval keyword; and feeding back the target network activity data. In this method, the target network activity data is selected from the network activity data of the attacked host according to the retrieval keyword and fed back, so that forward evidence collection on the network activity data of the attacked host is realized, and the target network data is ultimately used to assist the source-tracing analysis of the network attack event.

Description

Network activity data backtracking method and device
Technical Field
The invention relates to the technical field of network security, in particular to a network activity data backtracking method and device.
Background
At present, in order to cope better with network attacks, it is necessary to perform a traceability analysis on a discovered network attack event as comprehensively and promptly as possible, and even to reproduce the attack process. However, much malicious software adopts increasingly covert strategies to hide itself, so as to evade security detection and traceability analysis; for example, after an attack action or an attack stage is completed, the related traces of the attack action, such as system logs and network activity, are promptly removed. In such a case, by the time security personnel discover that an attack exists and perform a traceability analysis, the historical traces related to the attack activity have already been cleared.
Security personnel can then only trace to the victim host through the source IP, but cannot specifically trace to network activity data such as the malicious process (including benign processes that were utilized maliciously), the malicious file name and path, and the initiation time. This information is of great significance for actual attack analysis and tracing, so a method for backtracking network activity data is urgently needed to assist the tracing analysis of network attack events.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for backtracking network activity data, so as to solve the problem in the prior art that security personnel can only trace back to a victim host through a source IP but cannot specifically trace back to network activity data such as a malicious process (including a maliciously utilized benign process), a malicious file name and path, and the initiation time, and to assist in tracing back a network attack event. The specific scheme is as follows:
A method for backtracking network activity data, comprising:
acquiring and storing the network activity data of each host, where the network activity data comprises all network data acquired by each host in real time while it is running;
when any one of the hosts is attacked, extracting the network activity data of the attacked host;
when a retrieval keyword associated with the attacked host is received, searching the network activity data of the attacked host for target network activity data according to the retrieval keyword; and
feeding back the target network activity data.
Optionally, in the method described above, acquiring and storing the network activity data of each host further includes:
storing the network activity data on the host side according to a preset time period.
Optionally, in the method, searching the network activity data of the attacked host for target network activity data according to the retrieval keyword includes:
traversing the network activity data of the attacked host; and searching for target network activity data containing the retrieval keyword.
Optionally, in the method, feeding back the target network activity data includes:
acquiring the authority level of the user who entered the retrieval keyword and the data authority of each item of the target network activity data, where the authority level and the data authority have an association relationship; and
feeding back those items of the target network data whose data authority is not higher than the user's authority.
Optionally, the method described above further includes:
setting operation authority for the network activity data.
An apparatus for backtracking network activity data, comprising:
an acquiring and storing module, configured to acquire and store the network activity data of each host, where the network activity data comprises all network data acquired by each host in real time while it is running;
an extraction module, configured to extract the network activity data of the attacked host when any one of the hosts is attacked;
a search module, configured to search the network activity data of the attacked host for target network activity data according to the retrieval keyword when a retrieval keyword associated with the attacked host is received; and
a feedback module, configured to feed back the target network activity data.
In the above apparatus, optionally, the acquiring and storing module further includes:
a storage unit, configured to store the network activity data on the host side according to a preset time period.
In the above apparatus, optionally, the search module includes:
a traversing unit, configured to traverse the network activity data of the attacked host; and
a searching unit, configured to search for target network activity data containing the retrieval keyword.
In the above apparatus, optionally, the feedback module includes:
an acquisition unit, configured to acquire the authority level of the user who entered the retrieval keyword and the data authority of each item of the target network activity data, where the authority level and the data authority have an association relationship; and
a feedback unit, configured to feed back those items of the target network data whose data authority is not higher than the user's authority.
The above apparatus optionally further comprises:
a setting module, configured to set operation authority for the network activity data.
Compared with the prior art, the invention has the following advantages:
The invention discloses a backtracking method and a backtracking device for network activity data. The method comprises the following steps: acquiring and storing the network activity data of each host, where the network activity data comprises all network data acquired by each host in real time while it is running; when any one of the hosts is attacked, extracting the network activity data of the attacked host; when a retrieval keyword associated with the attacked host is received, searching the network activity data of the attacked host for target network activity data according to the retrieval keyword; and feeding back the target network activity data. In this method, the target network activity data is selected from the network activity data of the attacked host according to the retrieval keyword and fed back, so that forward evidence collection on the network activity data of the attacked host is realized, and the target network data is ultimately used to assist the source-tracing analysis of the network attack event.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a backtracking method for network activity data according to an embodiment of the present disclosure;
fig. 2 is another flowchart of a backtracking method of network activity data according to an embodiment of the present disclosure;
fig. 3 is a block diagram of a structure of a network activity data trace-back apparatus according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The invention discloses a backtracking method and a backtracking device for network activity data, applied in the source-tracing analysis of network attack events. In the face of an increasingly complex cyberspace, the contest between network attack and defense keeps intensifying, and attackers, in order to raise the success rate of their attacks, achieve ever more covert attacks through continually innovated strategies and technical means, such as disguising command-and-control traffic as normal network traffic and promptly erasing activity traces on the target host. This trend towards covert attacks presents new challenges for traceability analysis.
At present, attack detection technology at the network boundary is developing rapidly, and many clues that a host inside the network is suspected to have been attacked can be accurately detected at the boundary. In order to cope better with network attacks, security personnel need to perform as comprehensive and timely a traceability analysis as possible on discovered network attack events, and even to reproduce the attack process. However, much malicious software adopts increasingly covert strategies to hide itself, so as to hinder or even evade security detection and traceability analysis; for example, after an attack action or an attack stage is completed, the related traces such as system logs and network activity are promptly removed. In such a case, by the time security personnel discover the attack and conduct a traceability analysis, the traces related to the attack activity have already been cleared. As is well known, a complete analysis and tracing helps security personnel grasp the attack situation and formulate a defense strategy, thereby effectively preventing the attack from spreading further. Obviously, when an attack is found and traceability analysis is performed, historical information about the attack activity over a certain period before that moment can effectively help security personnel perform deeper and more comprehensive traceability analysis.
Take an APT attack, which is extremely covert, as an example. In the initial attack stage, a targeted initial attack file may reach the victim host in various ways; after being induced to execute, or run by means of a whitelisted program or the like, such a file generally needs to connect to a server deployed in advance by the attacker and download or update the complete attack payload in order to carry out the full APT attack. To obtain better concealment, the attacker usually removes attack traces such as the related files and host log records promptly after the initial attack is completed. When security personnel detect suspected attack activity at the network boundary and carry out further tracing analysis, because the file records, host log records and the like used by the actual attack have already been removed by the attacker, they can only trace to the victim host through the source IP and cannot specifically obtain important information such as the malicious process (including benign processes utilized maliciously), the malicious file name and path, and the launch time. This information is of great significance for actual attack analysis and tracing; however, until now there has been no method that combines accurate detection at the network boundary with the active acquisition, on the host side, of data such as host network activities, the corresponding processes and files, and time records, aimed at covert network attacks. Therefore, the present invention provides a backtracking method for network activity data to solve the above problems. The execution flow of the backtracking method is shown in Fig. 1, and the method includes the following steps:
S101: acquiring and storing the network activity data of each host, where the network activity data comprises all network data acquired by each host in real time while it is running;
in this embodiment of the present invention, the network activity data includes: preferably, in order to reduce storage pressure, the network activity data is network activity data of a preset time period, where the length of the preset time period may be set according to experience or specific conditions.
The network activity data comprises the network data accessed by each host during both normal access and attack activity. The network activity data is stored securely in a specific format, and access to and operation on it over the network are prohibited, so as to avoid leakage of the network activity records. The network activity data comprises: the domain name requested by the attacked host, the protocol and port used, the execution time, the process that initiated the request, the file that created the process and its file path, and so on.
Further, the network activity data may be stored on the attacked host side or on another preset storage medium. Preferably, the network activity data is stored on the host side, which avoids leakage of the network activity data between different hosts, and operation authority is set for the network activity data as it is stored, where the operation authority includes: add, delete, modify, view, and so on.
Thus, even if malware or a malicious process discovers that its network activity is being recorded, it does not have the authority to clear the attack activity traces already recorded by the backtracking method, and under stricter management, unauthorized access to the network activity data can be prohibited altogether.
S102: when any one of the hosts is attacked, extracting the network activity data of the attacked host;
In the embodiment of the present invention, when security personnel detect that a malicious activity is performing network behaviour at the network boundary of the target network, the relevant clues of the malicious activity, such as the source IP and routing information, are determined; each IP address of the target network is traversed to find the target IP address that is the same as the source IP address; the host corresponding to that target IP address is taken as the attacked host; and the network activity data in the attacked host is acquired from a preset location.
S103: when a retrieval keyword associated with the attacked host is received, searching the network activity data of the attacked host for target network activity data according to the retrieval keyword;
In the embodiment of the invention, the retrieval keyword helps security personnel lock on more quickly to the network activity records related to known security clues; wherein the retrieval keyword includes: the user can enter the retrieval keyword by selecting or typing it in a corresponding input window; the network activity data of the attacked host is traversed according to the retrieval keyword, and the target network activity data matching the retrieval keyword is selected from it. A match may be that the retrieval keyword and the target network activity are exactly identical, or that the similarity between the retrieval keyword and the target network activity meets a specified similarity threshold.
Further, even if no attacked host has been identified, the network activity data associated with a retrieval keyword can be searched for in the corresponding host by acquiring a retrieval keyword for that host.
S104: feeding back the target network activity data.
In the embodiment of the present invention, when target network activity data exists in the network activity data, it is fed back. Whether all or only part of the target network activity data is fed back depends on the data level of the target network activity data and the authority level of the current user; preferably, the target network activity data is fed back in order of its matching degree with the retrieval keyword.
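As an added example (not code from the patent or its applicant), the following Python sketch implements steps S101 to S104 over an in-memory store of constructed sample records: a source IP seen at the boundary is matched against the hosts' IP addresses (S102), the attacked host's records are traversed for a retrieval keyword with either exact containment or a similarity threshold (S103), and the hits are returned ordered by matching degree (S104). The record fields follow the description; the class, function and host names, the sample values and the choice of difflib as the similarity measure are assumptions.

```python
# Added example, not from the patent: a minimal in-memory version of steps
# S101-S104. Records are constructed samples; names are assumptions.
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional


@dataclass(frozen=True)
class NetActivityRecord:
    """One host-side network activity record (fields named in the description)."""
    host_ip: str       # host that produced the record (used in S102)
    domain: str        # domain name requested by the host
    protocol: str      # protocol used
    port: int          # port used
    exec_time: str     # execution time
    process: str       # process that initiated the request
    process_file: str  # file that created the process
    file_path: str     # path of that file


# Constructed sample store standing in for the S101 per-host records.
SAMPLE_RECORDS: List[NetActivityRecord] = [
    NetActivityRecord("10.0.0.5", "update.example-cdn.test", "TCP", 443,
                      "2020-04-10T09:00:00", "svchost.exe", "svchost.exe",
                      r"C:\Windows\System32\svchost.exe"),
    NetActivityRecord("10.0.0.5", "news.example.test", "TCP", 80,
                      "2020-04-10T09:05:12", "browser.exe", "browser.exe",
                      r"C:\Program Files\Browser\browser.exe"),
    NetActivityRecord("10.0.0.7", "mail.example.test", "TCP", 993,
                      "2020-04-10T09:07:41", "mailclient.exe", "mailclient.exe",
                      r"C:\Program Files\Mail\mailclient.exe"),
    NetActivityRecord("10.0.0.5", "updates.example-cdn.test", "TCP", 443,
                      "2020-04-10T09:09:03", "updater.exe", "updater.exe",
                      r"C:\Users\Public\updater.exe"),
]


def locate_attacked_host(records: List[NetActivityRecord],
                         source_ip: str) -> Optional[str]:
    """S102: traverse the IP addresses of the target network and return the one
    equal to the source IP seen at the boundary, or None if no host matches."""
    for host_ip in {r.host_ip for r in records}:
        if host_ip == source_ip:
            return host_ip
    return None


def match_degree(keyword: str, record: NetActivityRecord) -> float:
    """Matching degree of a keyword against one record: 1.0 when a searchable
    field contains the keyword exactly, otherwise the best difflib similarity."""
    needle = keyword.lower()
    best = 0.0
    for field in (record.domain, record.process, record.process_file,
                  record.file_path, record.protocol):
        hay = field.lower()
        if needle in hay:
            return 1.0
        best = max(best, SequenceMatcher(None, needle, hay).ratio())
    return best


def search_target_records(records: List[NetActivityRecord], host_ip: str,
                          keyword: str, threshold: float = 1.0
                          ) -> List[NetActivityRecord]:
    """S103/S104: restrict to the attacked host's records, keep those whose
    matching degree reaches the threshold (1.0 = exact containment, lower
    values enable similarity matching), and order them by matching degree."""
    scored = [(match_degree(keyword, r), r)
              for r in records if r.host_ip == host_ip]
    hits = [(d, r) for d, r in scored if d >= threshold]
    hits.sort(key=lambda dr: dr[0], reverse=True)  # stable: ties keep order
    return [r for _, r in hits]


if __name__ == "__main__":
    host = locate_attacked_host(SAMPLE_RECORDS, "10.0.0.5")
    for rec in search_target_records(SAMPLE_RECORDS, host, "example-cdn"):
        print(rec.exec_time, rec.process, rec.domain, rec.file_path)
```

The similarity threshold is what lets a near-miss clue (a domain with one extra character, a renamed copy of a binary) still surface; with the default threshold of 1.0 the search degrades to the plain "contains the keyword" traversal described for the search module.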
The invention discloses a backtracking method for network activity data, which comprises the following steps: acquiring and storing the network activity data of each host, where the network activity data comprises all network data acquired by each host in real time while it is running; when any one of the hosts is attacked, extracting the network activity data of the attacked host; when a retrieval keyword associated with the attacked host is received, searching the network activity data of the attacked host for target network activity data according to the retrieval keyword; and feeding back the target network activity data. In this method, the target network activity data is selected from the network activity data of the attacked host according to the retrieval keyword and fed back, so that forward backtracking of the network activity data of the attacked host is realized, and the target network data is ultimately used to assist the source-tracing analysis of the network attack event.
In the embodiment of the present invention, the execution flow of feeding back the target network activity data is shown in fig. 2, and includes the steps of:
S201: acquiring the authority level of the user who entered the retrieval keyword and the data authority of each item of the target network activity data, where the authority level and the data authority have an association relationship;
In the embodiment of the invention, the users who enter retrieval keywords have different authority levels; the authority levels are preset, and the authority level of the user who entered the retrieval keyword is obtained.
In addition, each item of the network activity data also has a data level, which is likewise preset, and the data authority of each item of the target network data is obtained.
Preferably, the authority levels and the data authorities have an association relationship, which may be identity or a correspondence. Taking a correspondence as the example: the authority levels are level A, level B and level C, in increasing order; the data authorities are level 1, level 2, level 3, level 4, level 5 and level 6, in increasing order; and the relationship between the two may be that level A corresponds to levels 1 and 2, level B corresponds to levels 1, 2, 3 and 4, and level C corresponds to levels 1, 2, 3, 4, 5 and 6.
Further, the higher the user's authority, the more operations the user is allowed: for example, at level A the user can view, at level B the user can view and download, and at level C the user can view, download and delete.
S202: feeding back those items of the target network data whose data authority is not higher than the user's authority.
In the embodiment of the present invention, following the example in S201, assuming that the user's level is B and the data authorities of the items in the target network data are level 1, level 3, level 5 and level 6 respectively, the items whose data authority is level 1 and level 3 are fed back.
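As an added example (not from the patent), the following Python code implements the S201/S202 check with the level A/B/C to level 1 to 6 correspondence given above, together with the view/download/delete operation rights of each level; the record contents, function names and the sample data are constructed assumptions. The sample target data reproduces the worked case of a level B user and data levels 1, 3, 5 and 6.

```python
# Added example, not from the patent: the S201/S202 authority check using the
# level A/B/C to data level 1-6 correspondence given in the description.
# Record contents are constructed samples; names are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Association between a user's authority level and the data authorities that
# are "not higher" than it (the correspondence table from S201).
USER_TO_DATA_LEVELS: Dict[str, FrozenSet[int]] = {
    "A": frozenset({1, 2}),
    "B": frozenset({1, 2, 3, 4}),
    "C": frozenset({1, 2, 3, 4, 5, 6}),
}

# Operation rights that grow with the authority level (view / download / delete).
USER_OPERATIONS: Dict[str, FrozenSet[str]] = {
    "A": frozenset({"view"}),
    "B": frozenset({"view", "download"}),
    "C": frozenset({"view", "download", "delete"}),
}


@dataclass(frozen=True)
class TargetRecord:
    """One item of target network activity data with its preset data authority."""
    data_level: int
    summary: str


# Constructed target data matching the worked case in S202 (levels 1, 3, 5, 6).
SAMPLE_TARGET: List[TargetRecord] = [
    TargetRecord(1, "domain requested and protocol/port"),
    TargetRecord(3, "execution time"),
    TargetRecord(5, "process that initiated the request"),
    TargetRecord(6, "file that created the process and its path"),
]


def filter_by_authority(user_level: str,
                        records: List[TargetRecord]) -> List[TargetRecord]:
    """S202: feed back only records whose data authority is not higher than
    the user's authority level. Unknown levels are rejected, not defaulted."""
    allowed = USER_TO_DATA_LEVELS.get(user_level)
    if allowed is None:
        raise ValueError(f"unknown user authority level: {user_level!r}")
    return [r for r in records if r.data_level in allowed]


def is_operation_allowed(user_level: str, operation: str) -> bool:
    """Hierarchical operation authority: levels not in the table get no rights."""
    return operation in USER_OPERATIONS.get(user_level, frozenset())


def feed_back(user_level: str, operation: str,
              records: List[TargetRecord]) -> List[TargetRecord]:
    """Combined check used when a user asks to view/download/delete results:
    refuse the operation unless the level permits it, then filter the data."""
    if not is_operation_allowed(user_level, operation):
        raise PermissionError(
            f"level {user_level} may not {operation} network activity data")
    return filter_by_authority(user_level, records)


if __name__ == "__main__":
    for rec in feed_back("B", "view", SAMPLE_TARGET):
        print(rec.data_level, rec.summary)
```

Both lookups fail closed: an authority level that is missing from the table yields an error or no rights rather than a default set, which is the failure mode an access check on stored evidence should have.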
In the embodiment of the present invention, a backtracking system built on the backtracking method is taken as an example. The backtracking system runs with management authority on each host of the target network. First, security personnel obtain some of the relevant clues of an attack by other means, including malicious domain names, the source IP of the attack activity, and so on. Then, according to those attack clues, the attacked host is traced and locked on. Next, a user with the corresponding authority queries and extracts the network activity data of the attacked host; in principle this data can extend back to the initial stage of the network attack (subject to the preset time period that was configured). Finally, all network activity records related to the network attack on the attacked host can be locked on, and the target network activity data comprises: the domain name requested by the attacked host, the protocol and port used, the execution time, the process that initiated the request, the file that created the process and its file path, and so on. The target network data is fed back to the source-tracing analyst who initiated the query, so that, with the help of the target network activity records, security personnel can perform deeper source-tracing analysis and even attack reproduction, and thereby formulate corresponding countermeasures and precautions.
The backtracking system also provides user interaction, security management and data recording. The interaction part mainly serves the interactive use of the system by the user, for example: after obtaining authorization, the user enters clue information related to the attack activity into the system, and the system feeds back the related network activity data to the user in a certain format according to the user's authority level.
Security management mainly comprises data operation authority management, self-protection management and access authority management. Data operation authority management implements the security policy for operating on the acquired and stored network activity data, namely that users with different authorities have different operation authorities over the acquired data. Through hierarchical management of operation authority, the integrity and security of the network activity data can be guaranteed: even if the presence of the backtracking system is discovered, malware or malicious processes do not have the authority to clear the attack activity traces recorded by the backtracking method, and under stricter management, unauthorized access to the network activity data can be blocked. Meanwhile, for targeted management and privacy protection, security personnel with management authority can perform operations such as extraction, modification and deletion on the network activity data. Self-protection management ensures the normal operation of the backtracking method on each host, preventing malware from deliberately bypassing the backtracking system's acquisition of network activity data, or even causing the backtracking system to fail. Its purpose is to guarantee, as far as possible, the authenticity and integrity of the network activity data held in the backtracking system, so that it can genuinely assist the tracing analysis performed by personnel and carries higher credibility.
Access authority management implements the hierarchical management of operation authority and works together with the data operation authority component, the interaction component and the like to feed back data content of the corresponding authority to users of different authorities. Meanwhile, networked access to the network activity data is prohibited to prevent leakage of the recorded data, further ensuring the security and reliability of the network activity data and the backtracking system.
Data recording mainly comprises data acquisition and data storage. Data acquisition actively collects the network activity records related to the host's network behaviour, including the domain name requested by the host, the protocol and port used, the execution time, the process that initiated the request, the file that created the process, its file path, and other information. Specifically, the whole backtracking system is deployed and run on each host in the network; network management or security personnel deploy and start the backtracking system after authorization. The backtracking system actively acquires all network and system behaviour of the host, from which it extracts the network activity data of all the host's network behaviour. Data storage stores the acquired network activity data securely, with a storage strategy formulated for performance and functional requirements, for example: a user-defined storage format to meet the backtracking requirements of different network compositions, and an optimized storage structure to improve storage efficiency.
The backtracking method actively acquires the important information about all network activity of the host and stores it in record form, without depending on the host's log system. Even if an attacker removes the attack traces from the host system's logs, the data recorded by the method can still provide forward backtracking records over an ideally preset time period, and all network records and related activity traces corresponding to a specific attack activity, such as malicious processes or information about processes utilized maliciously, can be accurately extracted, thereby helping security analysts perform better traceability analysis, response and prevention.
Furthermore, a necessary security mechanism and a necessary authority hierarchical management strategy are provided, so that an attacker cannot interfere with the storage of the recorded data and cannot clear the stored network activity recorded data, the integrity and the security of the recorded data are ensured, and more reliable and comprehensive traceability analysis is assisted to be developed.
Based on the foregoing method for backtracking network activity data, an embodiment of the present invention further provides a device for backtracking network activity data, where a structural block diagram of the device is shown in fig. 3, and the device includes:
an acquisition and storage module 301, an extraction module 302, a search module 303 and a feedback module 304.
Wherein:
the acquiring and storing module 301 is configured to acquire and store network activity data of each host, where the network activity data includes: all network data acquired by each host in real time in an operating state;
the extracting module 302 is configured to, in a case that any one of the hosts is attacked, extract network activity data of the attacked host;
the search module 303 is configured to, when a search keyword associated with the attacked host is received, search target network activity data in the network activity data of the attacked host according to the search keyword;
the feedback module 304 is configured to feed back the target network activity data.
The invention thus discloses a backtracking device for network activity data that acquires and stores the network activity data of each host, where the network activity data comprises all network data acquired by each host in real time while it is running; extracts the network activity data of an attacked host when any one of the hosts is attacked; when a retrieval keyword associated with the attacked host is received, searches the attacked host's network activity data for target network activity data according to that keyword; and feeds back the target network activity data. Because the target network activity data is selected from the attacked host's records by keyword and fed back, the device achieves forward evidence collection on the attacked host's network activity data, and the returned data is ultimately used to support source-tracing analysis of the network attack event.
In this embodiment of the present invention, the obtaining and storing module 301 further includes: a storage unit 305.
Wherein:
the storage unit 305 is configured to store the network activity data at the host side according to a preset time period.
In this embodiment of the present invention, the searching module 303 includes:
a traversal unit 306 and a lookup unit 307.
Wherein:
the traversing unit 306 is configured to traverse the network activity data of the attacked host;
the searching unit 307 is configured to search for target network activity data including the search keyword.
In this embodiment of the present invention, the feedback module 304 includes:
an acquisition unit 308 and a feedback unit 309.
Wherein:
the obtaining unit 308 is configured to obtain the authority level of the user who entered the search keyword and the data authority of each piece of target network activity data, where the authority level and the data authority are defined on a common scale so that they can be compared;
the feedback unit 309 is configured to feed back only those pieces of target network activity data whose data authority is not higher than the user's authority level.
In an embodiment of the present invention, the backtracking apparatus further includes: a setup module 310.
Wherein:
the setting module 310 is configured to set an operation permission for the network activity data.
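The following Python is an added example and not code from the patent, which names the modules of fig. 3 but gives no implementation. It models the device end to end: a host-side store that keeps records for a preset time period (storage unit 305), extraction per host (module 302), keyword search by traversal (units 306 and 307), authority filtering before feedback (units 308 and 309), and an operation permission that must be met before stored records can be cleared (setting module 310). The record fields, the numeric authority levels, the retention window and every sample record are constructed assumptions.

```python
"""Model of the network activity backtracking device (added example, assumed design)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class NetRecord:
    """One network activity record captured on the host side (assumed fields)."""
    ts: int               # capture time in seconds on a constructed clock
    host: str
    pid: int
    process: str
    src: str
    dst: str
    summary: str
    data_authority: int   # sensitivity of the record; higher = more restricted


class BacktrackDevice:
    """Modules of fig. 3: acquire/store 301, extract 302, search 303, feed back 304, set 310."""

    def __init__(self, retention_seconds: int):
        self.retention = retention_seconds          # preset time period of claim 2
        self._by_host: Dict[str, List[NetRecord]] = {}
        # Setting module 310: minimum authority per operation. Values are assumed;
        # the point is that clearing needs a level an ordinary host user does not hold.
        self.op_permission = {"read": 1, "export": 2, "clear": 9}

    # Acquisition/storage module 301 with storage unit 305: append the record,
    # then drop anything that has fallen outside the retention window.
    def record(self, rec: NetRecord, now: int) -> None:
        bucket = self._by_host.setdefault(rec.host, [])
        bucket.append(rec)
        cutoff = now - self.retention
        bucket[:] = [r for r in bucket if r.ts >= cutoff]

    # Extraction module 302: only the attacked host's records.
    def extract(self, host: str) -> List[NetRecord]:
        return list(self._by_host.get(host, []))

    # Search module 303: traversal unit 306 walks every record, lookup unit 307
    # keeps those whose fields contain the keyword (case-insensitive).
    @staticmethod
    def search(records: List[NetRecord], keyword: str) -> List[NetRecord]:
        kw = keyword.lower()
        hits = []
        for r in records:
            fields = (r.process, r.src, r.dst, r.summary, str(r.pid))
            if any(kw in f.lower() for f in fields):
                hits.append(r)
        return hits

    # Feedback module 304: unit 308 compares the user's level with each record's
    # data authority, unit 309 returns only records not above the user's level.
    @staticmethod
    def feedback(records: List[NetRecord], user_authority: int) -> List[NetRecord]:
        return [r for r in records if r.data_authority <= user_authority]

    def can(self, operation: str, user_authority: int) -> bool:
        return user_authority >= self.op_permission[operation]

    # A destructive operation gated by the operation permission of module 310.
    def clear(self, host: str, user_authority: int) -> None:
        if not self.can("clear", user_authority):
            raise PermissionError(f"authority {user_authority} may not clear records")
        self._by_host.pop(host, None)


def build_sample_device() -> BacktrackDevice:
    """Constructed sample records: an attacked web host and a bystander db host."""
    dev = BacktrackDevice(retention_seconds=3600)
    now = 10_000
    samples = [
        NetRecord(1_000, "web-01", 3001, "sshd", "10.0.0.5:51022", "10.0.1.20:22",
                  "inbound ssh session, older than the retention window", 1),
        NetRecord(7_000, "web-01", 4021, "sshd", "10.0.0.5:51030", "10.0.1.20:22",
                  "inbound ssh session", 1),
        NetRecord(8_000, "web-01", 5133, "curl", "10.0.1.20:40112", "203.0.113.7:443",
                  "outbound https to unknown host", 2),
        NetRecord(9_500, "web-01", 5133, "curl", "10.0.1.20:40113", "203.0.113.7:8443",
                  "outbound tls to unknown host", 3),
        NetRecord(9_800, "db-01", 777, "postgres", "10.0.1.30:5432", "10.0.1.20:40200",
                  "db reply to web-01", 2),
    ]
    for rec in samples:
        dev.record(rec, now)
    return dev


def backtrack(dev: BacktrackDevice, host: str, keyword: str,
              user_authority: int) -> List[NetRecord]:
    """Claim 1 end to end: extract the attacked host's data, search it, filter, feed back."""
    return dev.feedback(dev.search(dev.extract(host), keyword), user_authority)


if __name__ == "__main__":
    dev = build_sample_device()
    for r in backtrack(dev, "web-01", "203.0.113.7", user_authority=2):
        print(r.ts, r.pid, r.process, r.src, "->", r.dst, r.summary)
```

Run as a script, it prints the web-01 records matching the keyword 203.0.113.7 that a level-2 user may see: the level-3 record is withheld by the feedback unit, and the record dated before the retention window was never kept. One caveat a practitioner would raise: claim 2 stores the records on the host side, so an attacker who gains full control of that host can still read or destroy them unless the "security mechanism" the description mentions but does not specify is enforced outside the attacker's reach. The permission check above models the policy, not that mechanism.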
It should be noted that the embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and the parts they share can be read across embodiments. Because the device embodiment is essentially similar to the method embodiment, its description is brief; for the relevant points, refer to the corresponding part of the method embodiment.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in a plurality of software and/or hardware when implementing the invention.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The method and device for backtracking network activity data provided by the invention have been described in detail above. A specific example was used to explain the principle and implementation of the invention, and that description serves only to help the reader understand the method and its core idea. A person skilled in the art may, following the idea of the invention, vary the specific embodiments and the scope of application; accordingly, the content of this specification should not be construed as limiting the invention.

Claims (10)

1. A method for backtracking network activity data, comprising:
acquiring and storing network activity data of each host, wherein the network activity data comprises: all network data acquired by each host in real time in an operating state;
under the condition that any one of the hosts is attacked, extracting network activity data of the attacked host;
when a retrieval keyword associated with the attacked host is received, searching target network activity data in the network activity data of the attacked host according to the retrieval keyword;
feeding back the target network activity data.
2. The method of claim 1, wherein acquiring and storing the network activity data of each host further comprises:
storing the network activity data on the host side according to a preset time period.
3. The method of claim 1, wherein searching for target network activity data in the network activity data of the attacked host according to the search keyword comprises:
traversing the network activity data of the attacked host; and searching for target network activity data containing the search keyword.
4. The method of claim 1, wherein feeding back the target network activity data comprises:
acquiring the authority level of the user who entered the retrieval keyword and the data authority of each piece of the target network activity data, wherein the authority level and the data authority have an association relationship; and
feeding back the data of the target network activity data whose data authority is not higher than the user's authority.
5. The method of claim 1, further comprising:
setting an operation authority for the network activity data.
6. An apparatus for backtracking network activity data, comprising:
an acquiring and storing module, configured to acquire and store network activity data of each host, wherein the network activity data comprises all network data acquired by each host in real time in an operating state;
an extraction module, configured to extract the network activity data of the attacked host when any one of the hosts is attacked;
a search module, configured to, when a search keyword associated with the attacked host is received, search the network activity data of the attacked host for target network activity data according to the search keyword; and
a feedback module, configured to feed back the target network activity data.
7. The apparatus of claim 6, wherein the acquiring and storing module further comprises:
a storage unit, configured to store the network activity data on the host side according to a preset time period.
8. The apparatus of claim 7, wherein the search module comprises:
a traversing unit, configured to traverse the network activity data of the attacked host; and
a searching unit, configured to search for the target network activity data containing the search keyword.
9. The apparatus of claim 7, wherein the feedback module comprises:
an acquisition unit, configured to acquire the authority level of the user who entered the retrieval keyword and the data authority of each piece of the target network activity data, wherein the authority level and the data authority have an association relationship; and
a feedback unit, configured to feed back the data of the target network activity data whose data authority is not higher than the user's authority.
10. The apparatus of claim 7, further comprising:
a setting module, configured to set an operation permission for the network activity data.
CN202010293968.3A 2020-04-15 2020-04-15 Network activity data backtracking method and device Pending CN111526135A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010293968.3A CN111526135A (en) 2020-04-15 2020-04-15 Network activity data backtracking method and device


Publications (1)

Publication Number Publication Date
CN111526135A true CN111526135A (en) 2020-08-11

Family

ID=71902289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010293968.3A Pending CN111526135A (en) 2020-04-15 2020-04-15 Network activity data backtracking method and device

Country Status (1)

Country Link
CN (1) CN111526135A (en)


Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101252592A (en) * 2008-04-14 2008-08-27 ***电信传输研究所 Method and system for tracing network source of IP network
CN101262351A (en) * 2008-05-13 2008-09-10 华中科技大学 A network tracking system
US20170102678A1 (en) * 2013-03-04 2017-04-13 Fisher-Rosemount Systems, Inc. Distributed industrial performance monitoring and analytics
US20180219751A1 (en) * 2017-01-31 2018-08-02 Splunk Inc. Visualizing network activity involving networked computing devices distributed across network address spaces
CN108965349A (en) * 2018-10-19 2018-12-07 周红梅 A kind of method and system monitoring advanced duration network attack
CN109981587A (en) * 2019-02-27 2019-07-05 南京众智维信息科技有限公司 A kind of network security monitoring traceability system based on APT attack
CN110162974A (en) * 2019-05-28 2019-08-23 郑州昂视信息科技有限公司 Database attack defence method and system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谭亮 (Tan Liang); 万铮 (Wan Zheng), 西南交通大学出版社 (Southwest Jiaotong University Press) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112307301A (en) * 2020-11-25 2021-02-02 北京北信源软件股份有限公司 Rule adjusting method and device based on network data analysis traceability
CN112307301B (en) * 2020-11-25 2024-04-26 北京北信源软件股份有限公司 Rule adjustment method and device based on network data analysis traceability
CN114189378A (en) * 2021-12-07 2022-03-15 北京安天网络安全技术有限公司 Network security event analysis method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
Mohay Computer and intrusion forensics
US7660797B2 (en) Scanning data in an access restricted file for malware
Ball China’s cyber warfare capabilities
Casey Investigating sophisticated security breaches
US20080195829A1 (en) Self-protecting memory device
US20120324575A1 (en) System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program
CN101667232B (en) Terminal credible security system and method based on credible computing
Dahbur et al. The anti-forensics challenge
CN109327451B (en) Method, system, device and medium for preventing file uploading verification from bypassing
CN101877039A (en) Fault detection technology of server operating system
Thiyab et al. The impact of SQL injection attacks on the security of databases
CN111526135A (en) Network activity data backtracking method and device
JP5334739B2 (en) Log monitoring program, log monitoring system
Zou et al. Automatic recognition of advanced persistent threat tactics for enterprise security
Kausar et al. SQL injection detection and prevention techniques in ASP .NET web application
Singh et al. High Performance Computing (HPC) Data Center for Information as a Service (IaaS) Security Checklist: Cloud Data Governance.
Patil et al. Roadmap of digital forensics investigation process with discovery of tools
Snyder et al. {Pool-Party}: Exploiting browser resource pools for web tracking
CN114285608B (en) Network attack trapping method and device, electronic equipment and storage medium
Sainju et al. An experimental analysis of Windows log events triggered by malware
Dahbur et al. Toward understanding the challenges and countermeasures in computer anti-forensics
Gudimetla Ransomware Prevention and Mitigation Strategies
RU2587426C2 (en) System and method of detecting directed attack on corporate infrastructure
Mahajan et al. ADS: Protecting NTFS from hacking
Etow Impact of anti-forensics techniques on digital forensics investigation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200811