CN111756720B - Targeted attack detection method, apparatus thereof and computer-readable storage medium - Google Patents

Info

Publication number: CN111756720B
Authority: CN (China)
Prior art keywords: attack, address, parameter, source, targeted
Legal status: Active
Application number: CN202010556949.5A
Other languages: Chinese (zh)
Other versions: CN111756720A (en)
Inventors: 刘伯仲, 王远
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application history: application CN202010556949.5A filed by Sangfor Technologies Co Ltd; published as CN111756720A; PCT application PCT/CN2021/081482 (published as WO2021253899A1) claims priority from this application; application granted and published as CN111756720B; legal status active.

Classifications

All under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication:

    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/00 Network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 By monitoring network traffic)
    • H04L45/245 Link aggregation, e.g. trunking (H04L45/00 Routing or path finding of packets in data switching networks > H04L45/24 Multipath)
    • H04L63/126 Applying verification of the source of the received data (H04L63/00 Network security > H04L63/12 Applying verification of the received information)
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (H04L63/00 Network security > H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a targeted attack detection method comprising the following steps: acquiring the attacked information corresponding to a device; determining a first attack parameter for the attacked information that shares the same source IP address; and determining, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and a reference parameter. The invention also provides a targeted attack detection apparatus and a computer-readable storage medium. The invention ensures the network security of the device.

Description

Targeted attack detection method, apparatus thereof and computer-readable storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a targeted attack detection method, apparatus, and computer-readable storage medium.
Background
With the development of Internet Plus and informatization, network attacks are becoming more common and the threats they pose more serious. Enterprises have begun to take security seriously and invest heavily in it in order to reduce losses, purchasing security software with various functions according to their needs: firewalls, internet behavior management, endpoint security, database security and the like. This software faces a serious problem: a large number of alarm logs are generated locally, security operations personnel find it difficult to handle them one by one, and over time the logs are left unattended.
Some security software, such as SIEM (Security Information and Event Management), reduces the alarm volume to some extent by collecting and managing logs in a unified way. However, because this software is deployed locally, it can only see the local attack situation, and a targeted attack on a device cannot be accurately detected, which results in low network security for the device.
The above is provided only to assist understanding of the technical aspects of the present invention and does not represent an admission that it is prior art.
Disclosure of Invention
The main object of the invention is to provide a targeted attack detection method, an apparatus therefor and a computer-readable storage medium, aiming at solving the problem that the network security of a device is poorly guaranteed.
To achieve the above object, the present invention provides a targeted attack detection method comprising the following steps:
acquiring the attacked information corresponding to a device;
determining a first attack parameter for the attacked information that shares the same source IP address;
and determining, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and a reference parameter.
In an embodiment, the step of determining, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and the reference parameter includes:
determining a ratio between the first attack parameter and a second attack parameter, wherein the reference parameter comprises the second attack parameter and the second attack parameter is determined from all the attacked information of the device;
and determining the source IP address whose ratio is greater than a preset ratio as a target source IP address performing a targeted attack on the device.
In an embodiment, the step of determining, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and the reference parameter includes:
comparing the first attack parameter with a preset parameter, wherein the reference parameter comprises the preset parameter;
and determining the source IP address whose first attack parameter is greater than or equal to the preset parameter as a target source IP address performing a targeted attack on the device.
In an embodiment, after the step of determining, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and the reference parameter, the method further includes:
generating description information of the targeted attack according to the attacked information corresponding to the target source IP address;
and outputting the description information.
In an embodiment, the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address includes:
determining an attacked network segment of the device according to the attacked information corresponding to each target source IP address;
and aggregating all the attacked network segments to obtain an attacked aggregation network segment, wherein the description information comprises the attacked aggregation network segment.
In an embodiment, the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address includes:
determining, according to the attacked information corresponding to each target source IP address, the attack characteristics with which each target source IP address performs a targeted attack on the device;
determining the attack network segment corresponding to the target source IP addresses that share the same attack characteristics;
and aggregating all the attack network segments to obtain an attack aggregation network segment, wherein the description information comprises the attack aggregation network segment.
In an embodiment, the first attack parameter includes the number of times the source IP address has attacked the device or the accumulated duration of the source IP address's attacks on the device.
To achieve the above object, the present invention further provides a targeted attack detection apparatus, including:
an acquisition module for acquiring the attacked information corresponding to the device;
a determining module for determining a first attack parameter for the attacked information that shares the same source IP address;
the determining module being further configured to determine, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and a reference parameter.
To achieve the above object, the present invention further provides a targeted attack detection apparatus including a memory, a processor, and a targeted attack detection program stored in the memory and executable on the processor, which, when executed by the processor, implements the steps of the targeted attack detection method described above.
To achieve the above object, the present invention further provides a computer-readable storage medium storing a targeted attack detection program which, when executed by a processor, implements the steps of the targeted attack detection method described above.
In the targeted attack detection method, apparatus and computer-readable storage medium provided by the embodiments of the invention, the targeted attack detection apparatus obtains the attacked information corresponding to the device, determines the first attack parameter for the attacked information sharing each source IP address, and determines, from among the source IP addresses, the target source IP address performing a targeted attack on the device according to the first attack parameter and the reference parameter. Because the apparatus collects the attacked information of the device and determines an attack parameter per source IP address, the source IP address performing a targeted attack on the device is accurately determined from that attack parameter, the device can take corresponding protective measures against it, and the network security of the device is ensured.
Drawings
Fig. 1 is a schematic hardware diagram of a targeted attack detection apparatus according to an embodiment of the present invention;
Fig. 2 is a flowchart of a first embodiment of the targeted attack detection method according to the present invention;
Fig. 3 is a detailed flowchart of step S30 in a second embodiment of the targeted attack detection method according to the present invention;
Fig. 4 is a detailed flowchart of step S30 in a third embodiment of the targeted attack detection method according to the present invention;
Fig. 5 is a flowchart of a fourth embodiment of the targeted attack detection method according to the present invention;
Fig. 6 is a detailed flowchart of step S40 in a fifth embodiment of the targeted attack detection method according to the present invention;
Fig. 7 is a detailed flowchart of step S40 in a sixth embodiment of the targeted attack detection method according to the present invention;
Fig. 8 is a functional block diagram of the targeted attack detection apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit it.
The main solution of the embodiments of the invention is as follows: acquiring the attacked information corresponding to a device; determining a first attack parameter for the attacked information that shares the same source IP address; and determining, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and a reference parameter.
The invention provides this solution because the targeted attack detection apparatus collects the attacked information of the device and determines an attack parameter for the attacked information sharing each source IP address; the source IP address performing a targeted attack on the device is therefore accurately determined from the attack parameter, the device can take corresponding protective measures against that source IP address, and the network security of the device is ensured.
As an implementation, the targeted attack detection apparatus may be as shown in Fig. 1.
Referring to Fig. 1, Fig. 1 shows a targeted attack detection apparatus according to an embodiment of the present invention. The apparatus may include a processor 1001, such as a CPU, a memory 1002, and a communication bus 1003. The communication bus 1003 implements connection and communication among these components. The memory 1002 may be a high-speed RAM or a non-volatile memory (for example a disk memory), and may alternatively be a storage device separate from the processor 1001. The memory 1002, which is a type of computer storage medium, may contain a targeted attack detection program. The processor 1001 may be configured to invoke the targeted attack detection program stored in the memory 1002 and perform the following operations:
acquiring the attacked information corresponding to the device;
determining a first attack parameter for the attacked information that shares the same source IP address;
and determining, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and a reference parameter.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
determining a ratio between the first attack parameter and a second attack parameter, wherein the reference parameter comprises the second attack parameter and the second attack parameter is determined from all the attacked information of the device;
and determining the source IP address whose ratio is greater than a preset ratio as a target source IP address performing a targeted attack on the device.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
comparing the first attack parameter with a preset parameter, wherein the reference parameter comprises the preset parameter;
and determining the source IP address whose first attack parameter is greater than or equal to the preset parameter as a target source IP address performing a targeted attack on the device.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
generating description information of the targeted attack according to the attacked information corresponding to the target source IP address;
and outputting the description information.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
determining an attacked network segment of the device according to the attacked information corresponding to each target source IP address;
and aggregating all the attacked network segments to obtain an attacked aggregation network segment, wherein the description information comprises the attacked aggregation network segment.
In an embodiment, the processor 1001 may call the targeted attack detection program stored in the memory 1002 and further perform the following operations:
determining, according to the attacked information corresponding to each target source IP address, the attack characteristics with which each target source IP address performs a targeted attack on the device;
determining the attack network segment corresponding to the target source IP addresses that share the same attack characteristics;
and aggregating all the attack network segments to obtain an attack aggregation network segment, wherein the description information comprises the attack aggregation network segment.
In an embodiment, the first attack parameter includes the number of times the source IP address has attacked the device or the accumulated duration of the source IP address's attacks on the device.
According to this solution, the targeted attack detection apparatus obtains the attacked information corresponding to the device, determines the first attack parameter for the attacked information sharing each source IP address, and determines, from among the source IP addresses, the target source IP address performing a targeted attack on the device according to the first attack parameter and the reference parameter. Because the apparatus collects the attacked information of the device and determines an attack parameter per source IP address, the source IP address performing a targeted attack on the device is accurately determined from that attack parameter, the device can take corresponding protective measures against it, and the network security of the device is ensured.
Based on the hardware architecture of the targeted attack detection apparatus, the invention provides the following embodiments of the targeted attack detection method.
Referring to Fig. 2, Fig. 2 shows a first embodiment of the targeted attack detection method of the present invention, which includes:
Step S10, acquiring the attacked information corresponding to the device;
In this embodiment, the execution subject is the targeted attack detection apparatus. The apparatus is communicatively connected to a cloud, or the apparatus is itself the cloud. The device is provided with several pieces of security software, which may be applications such as a firewall, internet behavior management, endpoint security or database security. The device can register with the cloud so that the security software on the device uploads its security data to the cloud, where each piece of security data is classified as belonging to that device. Specifically, when the security software detects that the device is being attacked, it generates security data and sends it to the cloud; the cloud receives the security data, determines the device on which the sending security software is located, and stores the security data in association with that device. The security data also includes log data for key security events generated by the operating system of the device; this log data records the time at which the attack was detected, the type of event and the behaviour subject associated with the event, and some logs also contain the risk level of the alarm. For convenience of description, the targeted attack detection apparatus is referred to below simply as the apparatus. Of course, the device itself may serve as the targeted attack detection apparatus, in which case the apparatus collects the security data of attacks against itself.
The apparatus may detect targeted attacks on the device at regular intervals, or it may detect them in response to a targeted attack detection request sent by the device. At that time the apparatus acquires the attacked information corresponding to the device, of which there are several items. It should be noted that the apparatus first obtains the security data corresponding to the device from the cloud; this may be the security data of the most recent time period, for example the most recent week. The apparatus may first clean the security data, that is, filter out the data that does not meet the requirements, remove redundant or erroneous data, and keep only valid data. The data that is cleaned out generally takes several forms: 1) log records whose format is incorrect, for example whose length does not meet the requirement; 2) logs whose content is incorrect, for example IP addresses or port numbers outside the normal range; 3) logs whose parsed content does not meet the requirements of the detection logic, for example a log that the parsing result shows to be communication between intranet hosts.
After the security data has been cleaned, feature extraction is performed on it, where the features are features of a network attack, so that attacked information containing feature data is obtained. The feature data may be information such as the source IP, destination IP, alarm type and alarm generation time from firewall or endpoint data.
Step S20, determining a first attack parameter for the attacked information that shares the same source IP address;
The apparatus is provided with detection rules for targeted attacks; there may be one or more rules, set according to actual conditions. The apparatus needs to obtain the first attack parameter for the attacked information sharing each source IP address in order to judge whether that first attack parameter satisfies the detection rules; if it does, the apparatus can conclude that the corresponding source IP address is performing a targeted attack on the device. The first attack parameter includes the number of times the source IP address has attacked the device or the accumulated duration of its attacks on the device.
After obtaining each item of attacked information corresponding to the device, the apparatus determines which items share the same source IP address. Specifically, each item of attacked information includes a source IP address, and the apparatus traverses the items to find those with the same source IP address, counting the first attack parameter as it traverses; once the traversal is complete, the first attack parameter is obtained by statistics. Alternatively, the apparatus may classify the attacked information so that all items in a class have the same source IP address, and determine the first attack parameter for the source IP address of each class.
Step S30, determining, from among the source IP addresses, a target source IP address that is performing a targeted attack on the device according to the first attack parameter and a reference parameter.
The detection rule may be expressed by a reference parameter: the apparatus determines whether the first attack parameter matches the reference parameter, and if so concludes that the corresponding source IP address is performing a targeted attack on the device and is the target source IP address. The reference parameter comprises a preset parameter or a second attack parameter, and is of the same type as the first attack parameter. For example, if the first attack parameter is an attack count, the preset parameter may be a preset attack count; if the first attack parameter is an accumulated attack duration, the preset parameter may be a preset attack duration. The second attack parameter is determined from all the attacked information of the device and comprises the total number of attacks on the device or the total accumulated duration of attacks on the device.
After obtaining the first attack parameter for each source IP address, the apparatus determines whether each first attack parameter matches the reference parameter. For example, if the first attack parameter is an attack count and the reference parameter is a preset attack count, the first attack parameter matches the reference parameter when it is greater than or equal to the preset attack count. Each source IP address whose first attack parameter matches the reference parameter is taken as a target source IP address, that is, a source IP address launching a targeted attack on the device.
In the technical solution provided by this embodiment, the targeted attack detection apparatus obtains the attacked information corresponding to the device, determines the first attack parameter for the attacked information sharing each source IP address, and determines, from among the source IP addresses, the target source IP address performing a targeted attack on the device according to the first attack parameter and the reference parameter. Because the apparatus collects the attacked information of the device and determines an attack parameter per source IP address, the source IP address performing a targeted attack on the device is accurately determined from that attack parameter, the device can take corresponding protective measures against it, and the network security of the device is ensured.
Referring to Fig. 3, Fig. 3 shows a second embodiment of the targeted attack detection method of the present invention. Based on the first embodiment, step S30 includes:
Step S31, determining a ratio between the first attack parameter and a second attack parameter, wherein the reference parameter comprises the second attack parameter and the second attack parameter is determined from all the attacked information of the device;
and Step S32, determining the source IP address whose ratio is greater than a preset ratio as a target source IP address performing a targeted attack on the device.
In this embodiment the reference parameter includes a second attack parameter, which is the total number of attacks on the device or the total duration of attacks on the device. The apparatus obtains the first attack parameter and the second attack parameter and then calculates the ratio of the first to the second. It should be noted that the two parameters correspond to the same time window: for example, when the first attack parameter is an attack count and the second attack parameter is the total attack count, the attack count is determined from the attacked information of one source IP address within the target time window, and the total attack count is determined from all the attacked information of the device within that same window.
After determining the ratio, the apparatus judges whether it is greater than a preset ratio; if so, the source IP address of the first attack parameter corresponding to that ratio is judged to be a target source IP address, that is, one performing a targeted attack on the device. Since the first attack parameter comprises either an attack count or an accumulated attack duration, the ratio is either the ratio of the attack count to the total attack count or the ratio of the accumulated attack duration to the total accumulated attack duration, and the two ratios have different preset ratios. The apparatus selects the preset ratio corresponding to the specific ratio in use in order to judge the target source IP address.
In the technical solution provided by this embodiment, the apparatus determines the ratio between the first attack parameter and the second attack parameter and judges whether it is greater than the preset ratio; if so, the source IP address corresponding to the first attack parameter is taken as the target source IP address, so that the source IP address performing a targeted attack on the device is accurately determined.
Referring to fig. 4, fig. 4 is a third embodiment of the targeted attack detection method of the present invention, and based on the first embodiment, the step S30 includes:
step S33, comparing the first attack parameter with a preset parameter, wherein the reference parameter comprises the preset parameter;
and step S34, determining the source IP address corresponding to the first attack parameter which is greater than or equal to the preset parameter as the target source IP address for performing targeted attack on the equipment.
In this embodiment, the reference parameter includes a preset parameter of the same type as the first attack parameter: when the first attack parameter is the number of attacks, the preset parameter is a preset number of attacks; when the first attack parameter is the accumulated attack duration, the preset parameter is a preset attack duration.
The device compares the first attack parameter with the preset parameter, and if the first attack parameter is greater than or equal to the preset parameter, the source IP address corresponding to the first attack parameter is determined as a target source IP address for performing a targeted attack on the equipment. For example, if the number of attacks from a source IP address is 50 and the preset number of attacks is 30, the source IP address corresponding to that first attack parameter may be determined to be a target source IP address.
In the technical scheme provided by this embodiment, the device compares the first attack parameter with a preset parameter, and if the first attack parameter is greater than or equal to the preset parameter, the source IP address corresponding to the first attack parameter is used as the target source IP address, so that the source IP address performing a targeted attack on the device is determined accurately.
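The two selection rules of the second and third embodiments, as an added worked example in Python that is not part of the patent: per-source first attack parameters (number of attacks or accumulated attack duration) are computed from constructed attacked-information records and then compared either as a share of the total (the second attack parameter) against a preset ratio, or directly against a preset parameter of the same type. The record fields, the thresholds and the sample events are assumptions of this example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed "attacked information" records for one protected device
# (sample data, not taken from the patent): one record per attack event.
@dataclass(frozen=True)
class AttackedInfo:
    source_ip: str
    attack_type: str
    start: int  # event start, seconds on a constructed clock
    end: int    # event end, seconds on the same clock

SAMPLE_EVENTS = [
    AttackedInfo("203.0.113.10", "vulnerability_scan", 0, 60),
    AttackedInfo("203.0.113.10", "vulnerability_scan", 120, 180),
    AttackedInfo("203.0.113.10", "vulnerability_scan", 240, 300),
    AttackedInfo("203.0.113.10", "vulnerability_scan", 360, 420),
    AttackedInfo("203.0.113.10", "vulnerability_scan", 480, 540),
    AttackedInfo("198.51.100.7", "password_blasting", 10, 40),
    AttackedInfo("198.51.100.7", "password_blasting", 700, 730),
    AttackedInfo("192.0.2.44", "password_blasting", 0, 600),
]

def first_attack_parameters(events: Iterable[AttackedInfo], parameter: str) -> dict[str, int]:
    """First attack parameter per source IP: the number of attacks ("count")
    or the accumulated attack duration in seconds ("duration")."""
    if parameter not in ("count", "duration"):
        raise ValueError(f"unknown parameter type: {parameter}")
    per_source: dict[str, int] = defaultdict(int)
    for e in events:
        per_source[e.source_ip] += 1 if parameter == "count" else max(0, e.end - e.start)
    return dict(per_source)

def targets_by_ratio(events: Iterable[AttackedInfo], parameter: str,
                     preset_ratio: float) -> dict[str, float]:
    """Second embodiment: the second attack parameter is the total over all
    attacked information of the device; a source is a target source IP when
    its share of that total is strictly greater than the preset ratio."""
    per_source = first_attack_parameters(events, parameter)
    total = sum(per_source.values())  # the second attack parameter
    if total == 0:
        return {}
    ratios = {ip: value / total for ip, value in per_source.items()}
    return {ip: r for ip, r in ratios.items() if r > preset_ratio}

def targets_by_preset(events: Iterable[AttackedInfo], parameter: str,
                      preset_value: int) -> dict[str, int]:
    """Third embodiment (steps S33-S34): compare the first attack parameter
    with a preset parameter of the same type; greater than or equal marks a
    target source IP."""
    per_source = first_attack_parameters(events, parameter)
    return {ip: v for ip, v in per_source.items() if v >= preset_value}

if __name__ == "__main__":
    # The two parameter types single out different sources on the same data,
    # which is why the patent keeps a separate preset ratio for each.
    print(targets_by_ratio(SAMPLE_EVENTS, "count", 0.5))      # {'203.0.113.10': 0.625}
    print(targets_by_ratio(SAMPLE_EVENTS, "duration", 0.5))   # {'192.0.2.44': 0.625}
    print(targets_by_preset(SAMPLE_EVENTS, "count", 3))       # {'203.0.113.10': 5}
    print(targets_by_preset(SAMPLE_EVENTS, "duration", 300))  # {'203.0.113.10': 300, '192.0.2.44': 600}
```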
Referring to fig. 5, fig. 5 is a fourth embodiment of the targeted attack detection method according to the present invention, and based on any one of the first to third embodiments, after step S30, the method further includes:
step S40, generating description information aiming at the attack according to the attacked information corresponding to the target source IP address;
and step S50, outputting the description information.
After the device determines the target source IP address, it acquires each item of attacked information corresponding to that target source IP address and analyzes it, thereby generating description information of the targeted attack. The description information may include the attack behavior parameters of the target source IP address against the device, where the attack behavior parameters include an identity ID of the attacker, an identity ID of the attacked party, an attack type, an attack time, and the like; the attacker ID may be its IP address, and the attack type may be vulnerability scanning, password brute forcing (password blasting), and the like. That is, the device extracts the attack behavior parameters from each item of attacked information to obtain the description information of the targeted attack, and then outputs the description information. If the device is the equipment itself, the description information is displayed; if the device is a cloud, the description information is output to the equipment, so that the equipment adopts corresponding protection measures according to the description information.
It should be noted that, after the device generates the description information, it may also generate prompt information according to the description information and output the prompt information together with the description information. The prompt message may be: the source IP address has performed a targeted attack on the device, and isolation of the source IP address is suggested. Of course, the actual source IP address needs to be written directly into the prompt message.
In the technical scheme provided by this embodiment, the apparatus determines each attacked information corresponding to the target source IP address to determine description information of the target source IP address for performing targeted attack on the device, and then outputs the description information, so that the device can perform security protection on the device by using corresponding protection measures according to the description information.
Referring to fig. 6, fig. 6 is a fifth embodiment of the targeted attack detection method of the present invention, and based on the fourth embodiment, the step S40 includes:
step S41, determining an attacked network segment of the equipment according to the attacked information corresponding to each target source IP address;
and step S42, aggregating all the attacked network segments to obtain an attacked aggregation network segment, wherein the description information comprises the attacked aggregation network segment.
In this embodiment, the description information includes the attacked aggregation network segment of the device. A network segment refers to a portion of a computer network that can communicate directly using the same physical layer device. The attacked aggregation network segment refers to the attacked portion of the network in which the device is located.
The device determines the attacked network segment of the equipment according to the attacked information corresponding to each target source IP address, and then aggregates the attacked network segments to obtain the attacked aggregation network segment. The attacked aggregation network segment can be the network segment that was attacked the most times, or a set formed by the attacked network segments in which no two attacked network segments overlap.
In the technical scheme provided by this embodiment, the apparatus determines an attacked network segment of the device according to the attacked information of each target source IP address, and then aggregates each attacked network segment to obtain an attacked aggregated network segment, so that the device can know the attacked network segment, and thus the device adopts a corresponding protection measure according to the attacked aggregated network segment.
Referring to fig. 7, fig. 7 is a sixth embodiment of the targeted attack detection method according to the present invention, and based on the fourth or fifth embodiment, the step S40 includes:
step S43, determining attack characteristics of each target source IP address for carrying out a targeted attack on the equipment according to the attacked information corresponding to each target source IP address;
step S44, determining an attack network segment corresponding to each target source IP address corresponding to the same attack characteristics;
and step S45, aggregating all the attack network segments to obtain an attack aggregation network segment, wherein the description information comprises the attack aggregation network segment.
In this embodiment, an attacker may use multiple source IP addresses to perform a targeted attack on a device, that is, the attacker uses multiple network segments to attack the device. The description information may include an aggregation network segment targeted for attack on the device by an attacker, i.e., an attack aggregation network segment.
In this regard, after the device determines a plurality of target source IP addresses, it needs to examine each of them to determine which target source IP addresses belong to the same attacker. Specifically, the device determines an attack characteristic corresponding to each target source IP address, which can be determined from the attacked information corresponding to that target source IP address. The attack characteristic consists of the attack behavior parameters of the target source IP address against the device; the attack behavior parameters are as described above and are not repeated here. After determining the attack characteristic corresponding to each target source IP address, the device judges the similarity between the attack characteristics and classifies similar attack characteristics into one class; the target source IP addresses corresponding to the attack characteristics of that class form a second set, namely, the target source IP addresses in the second set correspond to the same attacker. It should be noted that each attack characteristic is composed of a plurality of features, for example attack type and attack frequency: if the attack types are the same and the attack frequencies fall in the same interval, the two attack characteristics can be judged to be similar.
After the device obtains the second set, the attack network segment adopted by each target source IP address in the second set to perform a targeted attack on the equipment can be determined, the attack network segment being determined from the attacked information corresponding to that target source IP address. Thus each attack network segment adopted by the attacker corresponding to the second set can be determined, and the device aggregates these attack network segments to obtain an attack aggregation network segment. The attack aggregation network segment can be the network segment from which the attacker attacks the equipment most frequently, or a set formed by the attack network segments in which no two attack network segments overlap.
Of course, the device may instead directly traverse the attack characteristics of the target source IP addresses to find the target source IP addresses having the same attack characteristics, and when it encounters target source IP addresses having the same attack characteristics, determine the attack network segment corresponding to each of them. After the device has traversed every attack characteristic, the attack network segment corresponding to each target source IP address with the same attack characteristics is determined, and finally the attack network segments are aggregated to obtain an attack aggregation network segment.
In the technical scheme provided by this embodiment, the apparatus determines attack characteristics of each target source IP address for performing targeted attack on the device according to attacked information corresponding to each target source IP address, thereby determining each target source IP address belonging to the same attacker according to the attack characteristics, further determining each attack network segment adopted by the attacker for performing targeted attack on the device, and finally aggregating each attack network segment to obtain an attack aggregation network segment, so that the device adopts corresponding protective measures according to the attack aggregation network segment.
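The description-information generation of the fifth and sixth embodiments (steps S41-S42 and S43-S45), as an added Python example that is not the patent's own code: target source IPs are grouped by attack characteristic (attack type plus attack-frequency interval), and both the attacked network segments of the equipment and each attacker's attack network segments are aggregated, once as the most-hit segment and once as a non-overlapping set. It assumes a network segment is the /24 containing an address, and the event records, frequency buckets and sample data are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed "attacked information" records for source IPs that have already
# been determined to be target source IPs (sample data, not from the patent).
@dataclass(frozen=True)
class AttackedInfo:
    src_ip: str        # attacker identity (the patent uses its IP address)
    dst_ip: str        # attacked address on the equipment side
    attack_type: str   # e.g. vulnerability scanning, password brute forcing
    timestamp: int     # seconds on a constructed clock

def _events(src: str, dst: str, attack_type: str, n: int) -> list[AttackedInfo]:
    return [AttackedInfo(src, dst, attack_type, i * 60) for i in range(n)]

SAMPLE_EVENTS = (
    _events("203.0.113.10", "10.0.1.5", "password_blasting", 12)
    + _events("203.0.113.77", "10.0.1.9", "password_blasting", 15)
    + _events("198.51.100.5", "10.0.2.20", "password_blasting", 11)
    + _events("192.0.2.44", "10.0.1.5", "vulnerability_scan", 2)
)
WINDOW_HOURS = 1.0  # the constructed events span one hour

# Assumptions of this example: a segment is the /24 containing an address, and
# two frequencies are "in the same interval" when they share an events-per-hour
# bucket (bucket 0: <1/h, 1: <10/h, 2: <100/h, 3: >=100/h).
SEGMENT_PREFIX = 24
FREQ_BUCKETS = (1, 10, 100)

def segment(ip: str) -> str:
    return str(ipaddress.ip_network(f"{ip}/{SEGMENT_PREFIX}", strict=False))

def freq_bucket(events_per_hour: float) -> int:
    return sum(1 for bound in FREQ_BUCKETS if events_per_hour >= bound)

def attack_feature(events: list[AttackedInfo], window_hours: float) -> tuple[str, int]:
    """Step S43: attack characteristic of one target source IP, here the
    dominant attack type plus the attack-frequency interval. Equal features
    are treated as the same attacker."""
    dominant = Counter(e.attack_type for e in events).most_common(1)[0][0]
    return dominant, freq_bucket(len(events) / window_hours)

def aggregate_segments(segments) -> list[str]:
    """Set form of the aggregation: a non-overlapping list of segments,
    dropping any segment contained in a larger one that is kept."""
    nets = sorted({ipaddress.ip_network(s) for s in segments},
                  key=lambda n: (n.prefixlen, int(n.network_address)))
    kept: list[ipaddress.IPv4Network] = []
    for net in nets:
        if not any(net.subnet_of(k) for k in kept):
            kept.append(net)
    return [str(n) for n in kept]

def describe(events: list[AttackedInfo], window_hours: float) -> dict:
    """Description information of steps S41-S45: the attacked aggregation
    segment of the equipment and, per attacker, the attack aggregation
    segment, each given as the most-hit segment and as the non-overlapping set."""
    by_src: dict[str, list[AttackedInfo]] = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)
    # S41-S42: which segments of the equipment were hit, and how often.
    attacked = Counter(segment(e.dst_ip) for e in events)
    # S43: group target source IPs by attack feature into "second sets".
    second_sets: dict[tuple[str, int], list[str]] = defaultdict(list)
    for src, evs in by_src.items():
        second_sets[attack_feature(evs, window_hours)].append(src)
    # S44-S45: per attacker, the attack segments used and their aggregation.
    attackers = []
    for feature, sources in second_sets.items():
        hits = Counter(segment(e.src_ip) for s in sources for e in by_src[s])
        attackers.append({
            "feature": feature,
            "sources": sorted(sources),
            "most_attacking_segment": hits.most_common(1)[0][0],
            "attack_aggregation_segments": aggregate_segments(hits),
        })
    return {
        "most_attacked_segment": attacked.most_common(1)[0][0],
        "attacked_aggregation_segments": aggregate_segments(attacked),
        "attackers": attackers,
    }
```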
The invention also provides a targeted attack detection device.
Referring to fig. 8, fig. 8 is a schematic diagram of functional modules of the targeted attack detection apparatus 100 according to the present invention, including:
an obtaining module 110, configured to obtain attacked information corresponding to the device;
a determining module 120, configured to determine a first attack parameter corresponding to the attacked information with the same source IP address;
the determining module 120 is further configured to determine, according to the first attack parameter and the reference parameter, a target source IP address for performing a targeted attack on the device in each source IP address.
The targeted attack detection apparatus 100 is further configured to implement the embodiments of the targeted attack detection method; refer to the embodiments described above, which are not repeated here.
The invention also provides a targeted attack detection device, which comprises a memory, a processor and a targeted attack detection program which is stored in the memory and can run on the processor, wherein when the targeted attack detection program is executed by the processor, the targeted attack detection program realizes the steps of the targeted attack detection method of the embodiment.
The present invention also provides a computer-readable storage medium storing a targeted attack detection program, which when executed by a processor implements the steps of the targeted attack detection method as described in the above embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method of the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better implementation. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (7)

1. A targeted attack detection method, characterized in that the targeted attack detection method comprises the following steps:
acquiring attacked information corresponding to equipment;
determining a first attack parameter corresponding to the attacked information with the same source IP address;
according to the first attack parameter and the reference parameter, determining a target source IP address for performing targeted attack on the equipment in each source IP address;
after the step of determining, according to the first attack parameter and the reference parameter, a target source IP address for performing a targeted attack on the device in each source IP address, the method further includes:
generating description information of the targeted attack according to the attacked information corresponding to the target source IP address;
outputting the description information;
the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address comprises the following steps:
according to the attacked information corresponding to each target source IP address, determining the attack characteristics of each target source IP address for carrying out targeted attack on the equipment;
determining an attack network segment corresponding to each target source IP address corresponding to the same attack characteristics;
and aggregating all the attack network segments to obtain an attack aggregation network segment, wherein the description information comprises the attack aggregation network segment.
2. The targeted attack detection method according to claim 1, wherein the step of determining, among the source IP addresses, a target source IP address for targeted attack on the device according to the first attack parameter and the reference parameter comprises:
determining a ratio between the first attack parameter and a second attack parameter, wherein the reference parameter comprises the second attack parameter, and the second attack parameter is determined according to each attacked information of the equipment;
and determining the source IP address corresponding to the ratio which is greater than the preset ratio as a target source IP address for performing targeted attack on the equipment.
3. The targeted attack detection method according to claim 1, wherein the step of determining, among the source IP addresses, a target source IP address for targeted attack on the device according to the first attack parameter and the reference parameter comprises:
comparing the first attack parameter with a preset parameter, wherein the reference parameter comprises the preset parameter;
and determining the source IP address corresponding to the first attack parameter which is greater than or equal to the preset parameter as a target source IP address for performing targeted attack on the equipment.
4. The targeted attack detection method of any one of claims 1-3, wherein the first attack parameter comprises a number of attacks the device is attacked by the source IP address or a cumulative attack duration the device is attacked by the source IP address.
5. A targeted attack detection apparatus, characterized in that the targeted attack detection apparatus comprises:
the acquisition module acquires attacked information corresponding to the equipment;
the determining module is used for determining a first attack parameter corresponding to the attacked information with the same source IP address;
the determining module is further configured to determine, according to the first attack parameter and the reference parameter, a target source IP address for performing a targeted attack on the device in each source IP address; after the step of determining, according to the first attack parameter and the reference parameter, a target source IP address for performing a targeted attack on the device in each source IP address, the method further includes: generating description information of the targeted attack according to the attacked information corresponding to the target source IP address; outputting the description information; the step of generating description information of the targeted attack according to the attacked information corresponding to the target source IP address comprises the following steps: according to the attacked information corresponding to each target source IP address, determining the attack characteristics of each target source IP address for carrying out a targeted attack on the equipment; determining an attack network segment corresponding to each target source IP address corresponding to the same attack characteristics; and aggregating all the attack network segments to obtain an attack aggregation network segment, wherein the description information comprises the attack aggregation network segment.
6. A targeted attack detection apparatus, characterized in that the targeted attack detection apparatus comprises a memory, a processor and a targeted attack detection program stored in the memory and running on the processor, which when executed by the processor implements the steps of the targeted attack detection method according to any one of claims 1-4.
7. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a targeted attack detection program, which when executed by a processor implements the steps of the targeted attack detection method according to any one of claims 1-4.
CN202010556949.5A 2020-06-16 2020-06-16 Targeted attack detection method, apparatus thereof and computer-readable storage medium Active CN111756720B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010556949.5A CN111756720B (en) 2020-06-16 2020-06-16 Targeted attack detection method, apparatus thereof and computer-readable storage medium
PCT/CN2021/081482 WO2021253899A1 (en) 2020-06-16 2021-03-18 Targeted attack detection method and apparatus, and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010556949.5A CN111756720B (en) 2020-06-16 2020-06-16 Targeted attack detection method, apparatus thereof and computer-readable storage medium

Publications (2)

Publication Number Publication Date
CN111756720A CN111756720A (en) 2020-10-09
CN111756720B true CN111756720B (en) 2023-03-24

Family

ID=72676215

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010556949.5A Active CN111756720B (en) 2020-06-16 2020-06-16 Targeted attack detection method, apparatus thereof and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN111756720B (en)
WO (1) WO2021253899A1 (en)


Also Published As

Publication number Publication date
WO2021253899A1 (en) 2021-12-23
CN111756720A (en) 2020-10-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant