CN112491913A - Hacker attack tracing analysis system - Google Patents

Hacker attack tracing analysis system

Info

Publication number
CN112491913A
Authority
CN
China
Prior art keywords
data
attack
network
clue
source
Prior art date
Legal status
Pending
Application number
CN202011393307.4A
Other languages
Chinese (zh)
Inventor
王琼英
Current Assignee
Chongqing Dongjian Information Technology Co ltd
Original Assignee
Chongqing Dongjian Information Technology Co ltd
Priority date
2020-12-03
Filing date
2020-12-03
Publication date
2021-03-12
Application filed by Chongqing Dongjian Information Technology Co ltd
Priority to CN202011393307.4A
Publication of CN112491913A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A hacker attack tracing analysis system, characterized in that: the system is provided with a network attack clue acquisition module for acquiring clue data of network attacks; an attack data extraction and analysis module for analyzing the clue data and judging whether it is attack data; an attack data format conversion module for sorting and storing the attack data in a preset uniform format; a forensics unit for storing the clue data of network attacks; a source tracing analysis module for constructing a source tracing analysis model; and a source tracing module for tracing and judging the source of the attacking hacker. The invention monitors the running network in real time and in all dimensions, quickly and efficiently; the data is stored in a unified format and the evidence is fixed, and because the storage device is a cloud end or an independent device separated from the terminal equipment, the data is safer and more reliable; the information is identified accurately on multiple dimensions, attack data is judged, the source of the attacking hacker is identified from the data characteristics, and the safety of the running network is ensured.

Description

Hacker attack tracing analysis system
Technical Field
The invention relates to the technical field of network security, in particular to a hacker attack traceability analysis system.
Background
With the development of network technology, network security technology has emerged; it is used to maintain the security of computer communication networks, mainly the normal operation of the network's hardware and software and the security of data information exchange. In practical application, frequent network attack behaviour often creates hidden dangers for the network security of a system, and tracing network attack events and countering the attack behaviour is a common and effective means of defence.
The existing system mainly has two steps, forensics and traceability; in the traceability process, data comparison and identification are vital, and the existing technology has the following defects:
1. The detection source is single: the detection basis and indexes are derived from a limited static feature set extracted from the Trojan file, so the source is single.
2. The detection method is simple: the sandbox method supports dynamic detection, but the detection means is not comprehensive enough. Identifying suspicious behaviour through inconsistent operations suffers from missed reports and false reports, which affects the detection result; the validity of dynamic detection can be ensured only by more comprehensive behaviour analysis.
3. The tracing method falls behind: Trojan file tracing cannot be combined with the behavioural habits of hacker organizations, so accurate positioning and tracing cannot be realized.
4. Data is used in isolation: the data association and fusion of each feature set is lacking, so comprehensive analysis of the data cannot be realized.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a hacker attack tracing analysis system which has the advantages of comprehensive detection, high comparison efficiency and high accuracy, and the specific technical scheme is as follows:
a hacker attack tracing analysis system is provided with a network attack clue acquisition module, an attack data extraction and analysis module, an attack data format conversion module, a forensics unit, a source tracing analysis module and a source tracing module, wherein the network attack clue acquisition module is used for acquiring clue data of network attack;
the attack data extraction and analysis module is used for analyzing the clue data and judging whether the clue data is attack data or not;
the attack data format conversion module is used for sorting and storing the attack data into a preset uniform format;
the system is provided with a forensics unit used for storing clue data of network attacks;
the source tracing analysis module is used for constructing a source tracing analysis model;
and the source tracing module is used for tracing and judging the source of the attack hacker.
As an optimization: the method comprises the following specific working steps:
step one: collecting corresponding data of the network layer, operation layer and terminal layer of network operation according to the type of the threat information database, comparing the data with the threat information database, judging whether the data is abnormal, if so, entering the next step, otherwise, continuing step one;
step two: separating the information types of the abnormal data, extracting features, comparing the features with attack data, judging as attack data if the features are matched with the attack data, and ending if the features are not matched with the attack data;
step three: storing the attack data into a forensics unit according to a preset uniform format;
step four: and comparing the attack data with the hacker file data to identify an attack source.
As an optimization: the evidence obtaining unit is arranged at the cloud end or is an independent memory and is communicated with the terminal equipment through a data line.
As an optimization: separating the information types of the abnormal data in the second step specifically according to the following steps: static fingerprint analysis, implicit fingerprint analysis, and dynamic behavior fingerprint analysis.
The invention has the beneficial effects that: the operation network is monitored in real time, the operation environment of the network is monitored in an all-dimensional and multi-dimensional manner, and the method is quick and efficient; the data is stored in a unified format, evidence is fixed, and the storage device is separated from the terminal equipment by adopting a cloud end or an independent device, so that the data is safer and more reliable; and performing multidimensional accurate identification on the information, judging attack data, identifying the source of an attack hacker according to the data characteristics, and ensuring the safety of the running network.
Detailed Description
The following detailed description of the preferred embodiments of the present invention is provided to enable those skilled in the art to more readily understand the advantages and features of the present invention, and to clearly and unequivocally define the scope of the present invention.
A hacker attack tracing analysis system is provided with a network attack clue acquisition module, an attack data extraction and analysis module, an attack data format conversion module, a forensics unit, a source tracing analysis module and a source tracing module, wherein the network attack clue acquisition module is used for acquiring clue data of network attack;
the attack data extraction and analysis module is used for analyzing the clue data and judging whether the clue data is attack data or not;
the attack data format conversion module is used for sorting and storing the attack data into a preset uniform format;
the system is provided with a forensics unit, a cloud storage and a data processing unit, wherein the forensics unit is used for storing clue data of network attacks;
the source tracing analysis module is used for constructing a source tracing analysis model;
and the source tracing module is used for tracing and judging the source of the attack hacker.
The method comprises the following specific working steps:
step one: collecting corresponding data of the network layer, operation layer and terminal layer of network operation according to the type of the threat information database, comparing the data with the threat information database, judging whether the data is abnormal, if so, entering the next step, otherwise, continuing step one;
step two: separating the information types of the abnormal data according to the standards of static fingerprint analysis, implicit fingerprint analysis and dynamic behavior fingerprint analysis, wherein:
the static fingerprint gene comprises the following 6 label items: PE file basic information label, compiling information label, digital signature information label, window resource information label, PDB path label and export function label;
the implicit (cryptomorphic) fingerprint gene comprises the following 3 label items: own algorithm label, functional function label, and programming habit and style label;
the dynamic behavior fingerprint gene comprises the following 10 label items: basic label, window resource label, injection type label, keyboard record label, network event label, active attack label, self-starting label, self-copying label, file attribute label and system attribute label.
Extracting features, comparing the features with attack data, judging as attack data if the features match the attack data, and ending if they do not match;
step three: storing the attack data into a forensics unit according to a preset uniform format;
step four: and comparing the attack data with the hacker file data to identify an attack source.
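As an added example (not the patent's own code), the four working steps modelled in Python using the 19 fingerprint label items of step two; the threat information database, attack signatures, hacker files, sample record and the two-label match threshold are all constructed assumptions:

```python
# Label items of the three fingerprint "genes" named in step two (6 + 3 + 10 = 19).
STATIC = ("pe_basic", "compile_info", "digital_signature", "window_resource", "pdb_path", "export_function")
IMPLICIT = ("own_algorithm", "functional_function", "programming_style")
DYNAMIC = ("basic", "window_resource", "injection", "keyboard_record", "network_event",
           "active_attack", "self_start", "self_copy", "file_attribute", "system_attribute")
GROUPS = {"static": STATIC, "implicit": IMPLICIT, "dynamic": DYNAMIC}

# Constructed threat information database, keyed by the layer the data was collected from.
THREAT_DB = {"network": {"203.0.113.9", "evil.example"}, "operation": set(), "terminal": {"sha256:c0ffee"}}

# Constructed attack signatures and hacker files, both already in the uniform "group.label" format.
ATTACK_SIGNATURES = {"sig-keylogger": {"static.pdb_path": "C:\\build\\kl.pdb",
                                       "dynamic.keyboard_record": True, "dynamic.self_start": True}}
HACKER_FILES = {"group-A": {"static.compile_info": "msvc-2015", "implicit.programming_style": "hungarian",
                            "dynamic.self_start": True, "dynamic.network_event": "dns-tunnel"},
                "group-B": {"static.compile_info": "gcc", "implicit.programming_style": "snake_case",
                            "dynamic.injection": "apc"}}

def is_abnormal(record, threat_db=THREAT_DB):
    """Step one: a record is abnormal when any collected indicator hits the threat DB for its layer."""
    return any(i in threat_db.get(record["layer"], set()) for i in record["indicators"])

def to_uniform(record):
    """Step three's preset uniform format: all 19 labels, flattened to 'group.label', None when absent."""
    return {f"{g}.{k}": record.get(g, {}).get(k) for g, keys in GROUPS.items() for k in keys}

def matched_labels(uniform, reference):
    """Comparison used by steps two and four: labels whose values agree (an absent label never matches)."""
    return {k for k, v in reference.items() if v is not None and uniform.get(k) == v}

def classify_attack(uniform, signatures=ATTACK_SIGNATURES, min_matches=2):
    """Step two: attack data when enough feature labels match one signature (threshold is an assumption)."""
    for name, sig in signatures.items():
        if len(matched_labels(uniform, sig)) >= min_matches:
            return name
    return None

def attribute_source(uniform, hacker_files=HACKER_FILES):
    """Step four: the hacker file with the largest share of matching labels; (None, 0.0) if nothing matches."""
    scores = {h: len(matched_labels(uniform, p)) / len(p) for h, p in hacker_files.items()}
    best = max(scores, key=scores.get)
    return (best, scores[best]) if scores[best] > 0 else (None, 0.0)

def trace(record, forensics_store):
    """Run the four steps on one collected record; returns (signature, source) or None if it ends early."""
    if not is_abnormal(record):
        return None
    uniform = to_uniform(record)
    sig = classify_attack(uniform)
    if sig is None:
        return None
    forensics_store.append(uniform)  # stand-in for the cloud / independent forensics unit
    return sig, attribute_source(uniform)[0]

# Constructed sample record from the terminal layer, already carrying its extracted labels.
SAMPLE = {"layer": "terminal", "indicators": ["sha256:c0ffee"],
          "static": {"pdb_path": "C:\\build\\kl.pdb", "compile_info": "msvc-2015"},
          "implicit": {"programming_style": "hungarian"},
          "dynamic": {"keyboard_record": True, "self_start": True, "network_event": "http-beacon"}}
```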

Claims (4)

1. A hacking traceability analysis system is characterized in that: the system is provided with a network attack clue acquisition module used for acquiring clue data of network attack;
the attack data extraction and analysis module is used for analyzing the clue data and judging whether the clue data is attack data or not;
the attack data format conversion module is used for sorting and storing the attack data into a preset uniform format;
the system is provided with a forensics unit used for storing clue data of network attacks;
the source tracing analysis module is used for constructing a source tracing analysis model;
and the source tracing module is used for tracing and judging the source of the attack hacker.
2. The hacking traceability analysis system of claim 1, wherein: the method comprises the following specific working steps:
step one: collecting corresponding data of the network layer, operation layer and terminal layer of network operation according to the type of the threat information database, comparing the data with the threat information database, judging whether the data is abnormal, if so, entering the next step, otherwise, continuing step one;
step two: separating the information types of the abnormal data, extracting features, comparing the features with attack data, judging as attack data if the features are matched with the attack data, and ending if the features are not matched with the attack data;
step three: storing the attack data into a forensics unit according to a preset uniform format;
step four: and comparing the attack data with the hacker file data to identify an attack source.
3. The hacking traceability analysis system of claim 1, wherein: the evidence obtaining unit is arranged at the cloud end or is an independent memory and is communicated with the terminal equipment through a data line.
4. The hacking traceability analysis system of claim 2, wherein: separating the information types of the abnormal data in the second step specifically according to the following steps: static fingerprint analysis, implicit fingerprint analysis, and dynamic behavior fingerprint analysis.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011393307.4A CN112491913A (en) 2020-12-03 2020-12-03 Hacker attack tracing analysis system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011393307.4A CN112491913A (en) 2020-12-03 2020-12-03 Hacker attack tracing analysis system

Publications (1)

Publication Number Publication Date
CN112491913A true CN112491913A (en) 2021-03-12

Family

ID=74938932

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011393307.4A Pending CN112491913A (en) 2020-12-03 2020-12-03 Hacker attack tracing analysis system

Country Status (1)

Country Link
CN (1) CN112491913A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116800534A (en) * 2023-07-28 2023-09-22 微启星(江苏)科技发展有限公司 Internet data information safety transmission system
CN117176480A (en) * 2023-11-03 2023-12-05 北京锐服信科技有限公司 Method and system for tracing attack event

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170324768A1 (en) * 2015-10-28 2017-11-09 Fractal Industries, Inc. Advanced cybersecurity threat mitigation using behavioral and deep analytics
CN109495520A (en) * 2019-01-11 2019-03-19 北京中睿天下信息技术有限公司 Integrated network attack evidence obtaining source tracing method, system, equipment and storage medium
CN110445807A (en) * 2019-08-23 2019-11-12 瑞森网安(福建)信息科技有限公司 Network security situation sensing system and method
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116800534A (en) * 2023-07-28 2023-09-22 微启星(江苏)科技发展有限公司 Internet data information safety transmission system
CN116800534B (en) * 2023-07-28 2024-03-22 微启星(江苏)科技发展有限公司 Internet data information safety transmission system
CN117176480A (en) * 2023-11-03 2023-12-05 北京锐服信科技有限公司 Method and system for tracing attack event
CN117176480B (en) * 2023-11-03 2024-01-09 北京锐服信科技有限公司 Method and system for tracing attack event

Similar Documents

Publication Publication Date Title
CN113706177B (en) Threat identification method based on big data security and data security server
CN111277578A (en) Encrypted flow analysis feature extraction method, system, storage medium and security device
CN112114995B (en) Terminal abnormality analysis method, device, equipment and storage medium based on process
CN108881263B (en) Network attack result detection method and system
CN111953697B (en) APT attack recognition and defense method
CN109918907B (en) Method, controller and medium for obtaining evidence of malicious codes in process memory of Linux platform
CN107302530B (en) Industrial control system attack detection device based on white list and detection method thereof
CN110188538B (en) Method and device for detecting data by adopting sandbox cluster
CN112491913A (en) Hacker attack tracing analysis system
CN113157994A (en) Multi-source heterogeneous platform data processing method
CN108256329B (en) Fine-grained RAT program detection method and system based on dynamic behavior and corresponding APT attack detection method
CN112131577A (en) Vulnerability detection method, device and equipment and computer readable storage medium
CN113420802B (en) Alarm data fusion method based on improved spectral clustering
CN111339293A (en) Data processing method and device of alarm event and classification method of alarm event
CN113132311A (en) Abnormal access detection method, device and equipment
US20210136032A1 (en) Method and apparatus for generating summary of url for url clustering
CN104980421A (en) Method and system for processing batch requests
CN114090406A (en) Electric power Internet of things equipment behavior safety detection method, system, equipment and storage medium
JP2019159431A (en) Evaluation program, evaluation method, and evaluation device
CN113032824B (en) Low-frequency data leakage detection method and system based on database flow logs
CN114297632A (en) Host computer sink detection method and device, electronic equipment and storage medium
CN105069158A (en) Data mining method and system
CN103095714A (en) Trojan horse detection method based on Trojan horse virus type classification modeling
CN115296888A (en) Data radar monitoring system
CN111507368B (en) Campus network intrusion detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210312)