CN117527359A - Attack traceability saving and restoring method based on blockchain technology - Google Patents


Info

Publication number
CN117527359A
Authority
CN
China
Prior art keywords
attack
data
blockchain
attacker
scene
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311486046.4A
Other languages
Chinese (zh)
Inventor
魏海宇
康柏荣
刘庆林
李小琼
杨帆
谢辉
杨晓峰
刘海洋
姜小光
安恩庆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zorelworld Information Technology Co ltd
Original Assignee
Beijing Zorelworld Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zorelworld Information Technology Co ltd
Priority to CN202311486046.4A
Publication of CN117527359A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Power Engineering (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method for saving and restoring attack scenes based on attack tracing with blockchain technology. It belongs to the technical field of data tracing and solves the problems of the prior art that not all attack information can be recorded in real time, that the data volume is large and that scene restoration is complex. The method comprises the following steps: step one, recording attack events; step two, data analysis and verification; step three, putting data on the chain; step four, attack tracing guarantee; step five, data storage; step six, attack tracing; step seven, privacy protection; step eight, querying data; step nine, restoring an attack scene; step ten, recovering the victim system; step eleven, attack tracking; step twelve, reporting and summarizing. The invention combines blockchain technology with attack scene restoration technology and can realize efficient, accurate and safe storage and restoration of attack tracing information; real-time performance is good, traceability is strong, and the security defense and response capability of enterprises and institutions can be improved.

Description

Attack traceability saving and restoring method based on blockchain technology
Technical Field
The invention belongs to the technical field of data tracing, and relates to a method for preserving and restoring attack scenes by tracing attacks based on a blockchain technology.
Background
With the development and popularization of network technology, network attack events frequently occur, which poses a great threat to information security of enterprises and individuals. Currently, network attack tracing technology has been widely used for quickly tracking and identifying attack sources. However, the existing attack tracing technology only provides basic information of attack sources, cannot restore an attack scene, and cannot save related data generated in the whole attack process.
Currently, in the field of network security, there are other technical schemes for traceable saving and restoring attack scenes, which mainly include the following steps:
Traditional network security defense technology: traditional network security defense technologies comprise firewalls, intrusion detection, virus prevention and other technologies. They are mainly used for defending against and detecting network security threats, but their support for attack tracing and attack scene restoration is not strong enough.
Security information and event management system (SIEM): a SIEM is a security management platform integrating various security technologies and functions, and can realize security event management, security information management, threat information analysis and other functions. However, SIEM systems also do not support attack tracing and attack scene restoration strongly enough.
The following problems are mainly present. Incomplete data preservation: the prior art can only save certain data in the attack process and cannot comprehensively record each link in the attack scene. The attack scene cannot be restored: the prior art can only store attack data and cannot restore attack scenes. Data cannot be stored in real time: the prior art can only store data after the attack is finished, and cannot store the related data generated in the whole attack process in real time.
On this basis, an attack tracing preservation and attack scene restoration method based on blockchain technology is provided. By combining blockchain technology with attack scene restoration technology, efficient, accurate and safe preservation and restoration of attack tracing information can be realized; privacy is good, real-time performance is good, traceability is strong, and the security defense and response capability of enterprises and institutions can be improved.
Disclosure of Invention
The invention aims at solving the problems in the prior art, and provides a method for tracing, saving and restoring attack scenes based on a blockchain technology, which aims at solving the technical problems that: how to realize the comprehensive record of the attack event in real time, accurately analyze the attack traceability information, restore the attack scene and recover, and improve the security defense and coping capacity of enterprises and institutions.
The aim of the invention can be achieved by the following technical scheme:
a method for preserving and restoring attack scenes based on attack tracing of a blockchain technology comprises the following steps:
step one, attack event record: when an attack event occurs, the system records all details of the attack event in real time and collects data related to the attack; the data is obtained from network log records, an intrusion detection system, a firewall or other security equipment;
step two, data analysis and verification: before the data is stored in the blockchain, its integrity and accuracy must be ensured; the collected data is processed using big data analysis technology, and its authenticity is verified by means including, but not limited to, an encryption algorithm or a digital signature, so that the data is guaranteed not to have been tampered with, recovery of the attack scene is facilitated, and the behavior and intention of the attacker are known;
step three, putting data on the chain: the collected attack data is written to the blockchain, so that the non-tamperability of the data and the time stamp record are ensured;
step four, attack tracing guarantee: the blockchain is a distributed database in which each block contains the hash value of the previous block, so that a tamper-proof chain of data records is formed; the collected attack data is hashed with a hash algorithm, the resulting hash values are stored in the distributed blockchain network, and, by the decentralized nature of the blockchain, each participating node stores a complete copy of the data, so that the reliability and persistence of the data are ensured; even if some nodes fail or are attacked, the data can still be recovered, ensuring its safety; the hash algorithm converts data of any length into a hash value of fixed length, so that data integrity, non-tamperability, traceability and the time stamp record are ensured; verification is carried out on the chain through blockchain technology, and an attacker cannot tamper with the attack log, so that the credibility of the tracing information is ensured;
step five, data storage: the on-chain attack data is stored in the blockchain network, ensuring permanent storage of the data, and a blockchain record is created;
step six, attack tracing: by utilizing the data stored in the blockchain, the identity, attack path and other information of an attacker can be traced through analysis; potential security holes can be found out and timely repaired;
step seven, privacy protection: for sensitive information and private data, an encryption algorithm can be used for protection, and only authorized users can decrypt and view related contents, so that the privacy rights and data security of the users are ensured;
step eight, data query: the user can inquire the historical data and related information of the attack;
step nine, restoring an attack scene: the complete scene at the time of the attack is restored from the data stored in the blockchain, so that the behavior, purpose and attack techniques of the attacker (among other things) can be understood and a reference is provided for subsequent defense; the method can also restore the state of the victim system, including, but not limited to, reproduction of the attack traffic;
step ten, recovering the victim system: after the attack scene has been restored, the victim system is repaired and recovered when necessary to ensure normal operation and close the security hole;
step eleven, attack tracking: by analyzing the attack tracing data, an attempt is made to trace the identity, action track and purpose of the attacker; further investigation and cooperation are needed;
step twelve, reporting and summarizing: according to the collected data and analysis results, a detailed report is written summarizing the characteristics, impact and defense suggestions of the attack event, and is retained as evidence to facilitate subsequent investigation and legal action.
The attack data in the first step include, but are not limited to, an attacker IP address, attack time, response of the attacked system, intrusion behavior, attack mode, source of the attacker, attack target, network traffic, system snapshot and user behavior.
In the third step, after the data is put on the chain, data information in a certain format is formed and stored on the blockchain, where the data format is, but is not limited to, JSON.
In the fifth step, the blockchain record is created using the distributed storage and non-tamperable characteristics of the blockchain to store the attack data; each item of attack data generates a new block, which takes the hash value of the previous block as its own previous-block hash value, forming a chain structure.
The data stored in step five can be automatically stored and updated using technologies not limited to smart contracts.
The restoration techniques for the attack scene in step nine include, but are not limited to, network topology analysis, code analysis, network traffic analysis, system log analysis and attack sample analysis. Through these techniques, attack data can be converted into visual charts, helping network security personnel to better understand the behavior and intentions of the attacker.
In step nine, the attack scene is verified during restoration by checking, one block at a time from the target block forward, whether the hash values of the blocks match, so that data integrity is ensured and the data has not been tampered with. Once verification passes, information such as the attacker's IP address, the attack time stamp and the attack type can be restored, and thus the whole attack scene is restored.
Compared with the prior art, the attack tracing preservation and restoration attack scene method based on the blockchain technology has the following advantages:
The integrity and reliability of attack tracing information are ensured by combining blockchain technology with attack scene restoration technology; the key point of blockchain technology is that it is tamper-resistant and non-repudiable, so the credibility of the attack tracing information can be ensured, reliability is high, and the information can be effectively prevented from being tampered with or forged; the attack event is comprehensively recorded, including intrusion behavior, attack modes, sources of attackers and the like, so that the integrity and accuracy of the attack tracing information are ensured; real-time performance is good, and the efficiency of responding to attack events is improved;
the attack scene is restored and recovered by analyzing the attack tracing information. Attack scene restoration is one of the key technologies of the invention; it can identify the attacker so that proper security measures can be taken, and has strong traceability;
multiple security mechanisms, including blockchain technology and encryption technology, are adopted, so that the security and privacy of attack tracing information are ensured.
The method is suitable for various network attack events, has wide application range, improves the security defense and coping capacity of enterprises and institutions, and reduces the loss and risk of the network attack on the enterprises and institutions.
Drawings
Fig. 1 is a flow chart of the method of the present invention.
Fig. 2 is a block diagram of the structure of an attack event record in the present invention.
Fig. 3 is a block diagram of the structure of data analysis verification in the present invention.
Fig. 4 is a block diagram of the structure of attack tracing guarantee in the present invention.
Fig. 5 is a block diagram of the structure of the data store of the present invention.
Fig. 6 is a block diagram of a restore attack scenario in the present invention.
Detailed Description
The following are specific embodiments of the present invention and the technical solutions of the present invention will be further described with reference to the accompanying drawings, but the present invention is not limited to these embodiments.
As shown in fig. 1-6, the attack tracing saving and restoring method based on the blockchain technology comprises the following steps:
step one, attack event record: when an attack event occurs, the system records all details of the attack event in real time and collects data related to the attack; the data is obtained from network log records, an intrusion detection system, a firewall or other security equipment;
step two, data analysis and verification: before the data is stored in the blockchain, its integrity and accuracy must be ensured; the collected data is processed using big data analysis technology, and its authenticity is verified by means including, but not limited to, an encryption algorithm or a digital signature, so that the data is guaranteed not to have been tampered with, recovery of the attack scene is facilitated, and the behavior and intention of the attacker are known;
step three, putting data on the chain: the collected attack data is written to the blockchain, so that the non-tamperability of the data and the time stamp record are ensured;
step four, attack tracing guarantee: the blockchain is a distributed database in which each block contains the hash value of the previous block, so that a tamper-proof chain of data records is formed; the collected attack data is hashed with a hash algorithm, the resulting hash values are stored in the distributed blockchain network, and, by the decentralized nature of the blockchain, each participating node stores a complete copy of the data, so that the reliability and persistence of the data are ensured; even if some nodes fail or are attacked, the data can still be recovered, ensuring its safety; the hash algorithm converts data of any length into a hash value of fixed length, so that data integrity, non-tamperability, traceability and the time stamp record are ensured; verification is carried out on the chain through blockchain technology, and an attacker cannot tamper with the attack log, so that the credibility of the tracing information is ensured;
step five, data storage: the on-chain attack data is stored in the blockchain network, ensuring permanent storage of the data, and a blockchain record is created;
step six, attack tracing: by utilizing the data stored in the blockchain, the identity, attack path and other information of an attacker can be traced through analysis; potential security holes can be found out and timely repaired;
step seven, privacy protection: for sensitive information and private data, an encryption algorithm can be used for protection, and only authorized users can decrypt and view related contents, so that the privacy rights and data security of the users are ensured;
step eight, data query: the user can inquire the historical data and related information of the attack;
step nine, restoring an attack scene: the complete scene at the time of the attack is restored from the data stored in the blockchain, so that the behavior, purpose and attack techniques of the attacker (among other things) can be understood and a reference is provided for subsequent defense; the method can also restore the state of the victim system, including, but not limited to, reproduction of the attack traffic;
step ten, recovering the victim system: after the attack scene has been restored, the victim system is repaired and recovered when necessary to ensure normal operation and close the security hole;
step eleven, attack tracking: by analyzing the attack tracing data, an attempt is made to trace the identity, action track and purpose of the attacker; further investigation and cooperation are needed;
step twelve, reporting and summarizing: according to the collected data and analysis results, a detailed report is written summarizing the characteristics, impact and defense suggestions of the attack event, and is retained as evidence to facilitate subsequent investigation and legal action.
The attack data in the first step includes, but is not limited to, an attacker IP address, attack time, response of the attacked system, intrusion behavior, attack mode, source of the attacker, attack target, network traffic, system snapshot and user behavior.
In step three, after the data is put on the chain, data information in a certain format is formed and stored on the blockchain, where the data format is, but is not limited to, JSON.
In the fifth step, the blockchain record is created using the distributed storage and non-tamperable characteristics of the blockchain to store the attack data; each item of attack data generates a new block, which takes the hash value of the previous block as its own previous-block hash value, forming a chain structure.
The data stored in step five may be automatically stored and updated using technologies not limited to smart contracts.
The restoration techniques for the attack scene in step nine include, but are not limited to, network topology analysis, code analysis, network traffic analysis, system log analysis and attack sample analysis. Through these techniques, attack data can be converted into visual charts, helping network security personnel to better understand the behavior and intentions of the attacker.
In step nine, the attack scene is verified during restoration by checking, one block at a time from the target block forward, whether the hash value of each block matches, so that data integrity is ensured and the data has not been tampered with. Once verification passes, information such as the attacker's IP address, the attack time stamp and the attack type can be restored, and thus the whole attack scene is restored.
The working principle of the invention is as follows:
step one, attack event record: when an attack event occurs, the system records all details of the attack event in real time and collects data related to the attack; the attack data comprises, but is not limited to, the IP address of the attacker, the attack time, the response of the attacked system, the intrusion behavior, the attack mode, the source of the attacker, the attack target, network traffic, a system snapshot and user behavior, and the data is obtained from network log records, an intrusion detection system, a firewall or other security equipment, i.e. it is collected by network traffic analysis, log analysis, intrusion detection systems and the like;
step two, data analysis and verification: before the data is stored in the blockchain, its integrity and accuracy must be ensured; the collected data is processed using big data analysis technology, and its authenticity is verified by means including, but not limited to, an encryption algorithm or a digital signature, so that the data is guaranteed not to have been tampered with, recovery of the attack scene is facilitated, and the behavior and intention of the attacker are known;
step three, putting data on the chain: the collected attack data is written to the blockchain; after the data is on the chain, data information in a certain format, such as JSON, is formed and stored on the blockchain, so that the non-tamperability and time stamp record of the data are ensured;
step four, attack tracing guarantee: the blockchain is a distributed database in which each block contains the hash value of the previous block, so that a tamper-proof chain of data records is formed; the collected attack data is hashed with a hash algorithm, the resulting hash values are stored in the distributed blockchain network, and, by the decentralized nature of the blockchain, each participating node stores a complete copy of the data, so that the reliability and persistence of the data are ensured; even if some nodes fail or are attacked, the data can still be recovered, ensuring its safety; the hash algorithm converts data of any length into a hash value of fixed length, so that data integrity, non-tamperability, traceability and the time stamp record are ensured; verification is carried out on the chain through blockchain technology, and an attacker cannot tamper with the attack log, so that the credibility of the tracing information is ensured;
step five, data storage: the on-chain attack data is stored in the blockchain network, ensuring permanent storage of the data; a blockchain record is created to store the attack data using the distributed storage and non-tamperable characteristics of the blockchain; each item of attack data generates a new block, which takes the hash value of the previous block as its own previous-block hash value to form a chain structure; the stored data may be automatically stored and updated using technologies not limited to smart contracts;
step six, attack tracing: by utilizing the data stored in the blockchain, the identity, attack path and other information of an attacker can be traced through analysis; potential security holes can be found out and timely repaired;
step seven, privacy protection: for sensitive information and private data, an encryption algorithm can be used for protection, and only authorized users can decrypt and view related contents, so that the privacy rights and data security of the users are ensured;
step eight, data query: the user can inquire the historical data and related information of the attack;
step nine, restoring an attack scene: the complete scene at the time of the attack is restored from the data stored in the blockchain using restoration techniques such as network topology analysis, code analysis, network traffic analysis, system log analysis and attack sample analysis, so that the behavior, purpose and attack techniques of the attacker (among other things) can be understood and a reference is provided for subsequent defense; the method can also restore the state of the victim system, including, but not limited to, reproduction of the attack traffic; through these techniques, attack data can be converted into visual charts, helping network security personnel to better understand the behavior and intentions of the attacker; the attack scene is verified during restoration by checking, one block at a time from the target block forward, whether the hash value of each block matches, so that data integrity is ensured and the data has not been tampered with. Once verification passes, the attacker's IP address, the attack time stamp, the attack type and other information can be restored, and thus the whole attack scene is restored;
step ten, recovering the victim system: after the attack scene has been restored, the victim system is repaired and recovered when necessary to ensure normal operation and close the security hole;
step eleven, attack tracking: by analyzing the attack tracing data, an attempt is made to trace the identity, action track and purpose of the attacker; further investigation and cooperation are needed;
step twelve, reporting and summarizing: according to the collected data and analysis results, a detailed report is written summarizing the characteristics, impact and defense suggestions of the attack event, and is retained as evidence to facilitate subsequent investigation and legal action.
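As an added illustration, not code from the patent or from the applicant, the following Python models steps two to five and step nine of the method described above: each attack record is authenticated before it is chained, every JSON block carries the hash of the previous block, and restoration walks back from the target block checking each block's hash and link before any scene data is trusted. The keyed MAC (standing in for the "encryption algorithm or digital signature" of step two), the shared key, the field names and the sample events are all assumptions constructed for this example.

```python
import hashlib
import hmac
import json

# Assumed shared key used by the collector to authenticate records (constructed for this example).
SIGNING_KEY = b"constructed-demo-key"
GENESIS_PREV = "0" * 64  # previous-block hash carried by the very first block


def canonical(obj):
    """Canonical JSON so the same record always yields the same bytes, and hence the same hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event, key=SIGNING_KEY):
    """Step two: attach an HMAC-SHA256 tag so authenticity can be checked before chaining."""
    tag = hmac.new(key, canonical(event), hashlib.sha256).hexdigest()
    return {"event": event, "mac": tag}


def verify_event(signed, key=SIGNING_KEY):
    """Step two: constant-time check of the tag; a forged or altered record fails here."""
    expected = hmac.new(key, canonical(signed["event"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def block_hash(block):
    """SHA-256 over every field of the block except the stored hash itself."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_block(chain, signed_event, timestamp):
    """Steps three to five: verify, then append a JSON block linked to the previous block's hash."""
    if not verify_event(signed_event):
        raise ValueError("authenticity check failed; record not chained")
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
        "data": dict(signed_event["event"]),  # copy: later edits to the source record cannot reach the block
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain, target_index=None):
    """Step nine: from the target block back to the genesis block, recompute each hash and check
    that each block's prev_hash equals the hash of the block before it.
    Returns (True, None) if intact, otherwise (False, index_of_first_inconsistent_block)."""
    if target_index is None:
        target_index = len(chain) - 1
    for i in range(target_index, -1, -1):
        block = chain[i]
        if block["hash"] != block_hash(block):
            return False, i  # block contents changed after it was hashed
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_PREV
        if block["prev_hash"] != expected_prev:
            return False, i  # link broken: an earlier block was rewritten and re-hashed
    return True, None


def restore_scene(chain, target_index):
    """Step nine: only after verification, pull attacker IP, time stamp and attack type back out."""
    ok, bad = verify_chain(chain, target_index)
    if not ok:
        raise ValueError(f"chain integrity failure at block {bad}")
    return [
        {"attacker_ip": b["data"]["attacker_ip"],
         "attack_time": b["data"]["attack_time"],
         "attack_type": b["data"]["attack_type"]}
        for b in chain[: target_index + 1]
    ]


# Constructed sample events (documentation-range addresses, not real indicators).
SAMPLE_EVENTS = [
    {"attacker_ip": "203.0.113.7", "attack_time": "2024-01-01T10:00:00Z",
     "attack_type": "port_scan", "target": "web-01", "source": "ids"},
    {"attacker_ip": "203.0.113.7", "attack_time": "2024-01-01T10:05:00Z",
     "attack_type": "sql_injection", "target": "web-01", "source": "waf"},
    {"attacker_ip": "203.0.113.7", "attack_time": "2024-01-01T10:09:00Z",
     "attack_type": "lateral_movement", "target": "db-01", "source": "firewall"},
]


def build_demo_chain():
    chain = []
    for n, event in enumerate(SAMPLE_EVENTS):
        append_block(chain, sign_event(event), timestamp=1704103200 + n)
    return chain


def tamper_demo(recompute_hash=False):
    """Rewrite a stored attacker IP after chaining. Without re-hashing, block 1's own hash no longer
    matches; with re-hashing, block 2's prev_hash no longer matches, so the walk-back flags block 2."""
    chain = build_demo_chain()
    chain[1]["data"]["attacker_ip"] = "198.51.100.9"
    if recompute_hash:
        chain[1]["hash"] = block_hash(chain[1])
    return verify_chain(chain)


if __name__ == "__main__":
    demo = build_demo_chain()
    print("intact:", verify_chain(demo), "scene:", json.dumps(restore_scene(demo, 2)))
    print("tampered:", tamper_demo(), tamper_demo(recompute_hash=True))
```

The two tamper cases show why the check walks the whole chain back from the target block rather than re-hashing the target block alone.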
In summary, combining blockchain technology with attack scene restoration ensures the integrity and reliability of attack tracing information. Blockchain is tamper-proof and non-repudiable, so the reliability of the attack tracing information is guaranteed and tampering and forgery of the information are effectively prevented; attack events are recorded comprehensively, including intrusion behaviour, attack modes, attacker sources and so on, which ensures the integrity and accuracy of the attack tracing information; real-time performance is good, which improves the efficiency of responding to attack events;
the attack scene is restored by analysing the attack tracing information, and recovery is carried out. Attack scene restoration is one of the key technologies of the invention; it can identify the attacker and lead to appropriate security measures, and has strong traceability;
multiple security mechanisms, including blockchain technology and encryption technology, are adopted to ensure the security and privacy of the attack tracing information.
The method is applicable to a wide variety of network attack events, improves the security defence and response capability of enterprises and institutions, and reduces the loss and risk that network attacks cause them.
The specific embodiments described herein are offered by way of example only to illustrate the spirit of the invention. Those skilled in the art may make various modifications or additions to the described embodiments or substitutions thereof without departing from the spirit of the invention or exceeding the scope of the invention as defined in the accompanying claims.

Claims (7)

1. A method for attack traceability preservation and attack scene restoration based on blockchain technology, characterized by comprising the following steps:
step one, attack event record: when an attack event occurs, the system records all details of the attack event in real time and collects data related to the attack; the data is obtained from web log records, an intrusion detection system, a firewall or other security equipment;
step two, data analysis and verification: before the data is stored in the blockchain, its integrity and accuracy must be ensured; the collected data is processed with big data analysis technology, and its authenticity is verified by means including but not limited to an encryption algorithm or a digital signature, so that the data is not tampered with, restoration of the attack scene is facilitated, and the behaviour and intention of the attacker are understood;
step three, data uplink: the collected attack data is put on the chain through blockchain technology, ensuring that the data cannot be tampered with and that a timestamp is recorded;
step four, attack tracing guarantee: the blockchain is a distributed database in which each block contains the hash value of the previous block, forming a tamper-proof chain of data records; the collected attack data is passed through a hash algorithm and the resulting hash values are stored in the distributed blockchain network, and, using the decentralised nature of the blockchain, every participating node holds a complete copy of the data, which ensures the reliability and durability of the data: even if some nodes fail or are attacked, the data can still be recovered, so its safety is guaranteed; the hash algorithm converts data of any length into a hash value of fixed length, which ensures data integrity, non-tamperability, traceability and timestamp recording; verification is carried out on the chain through blockchain technology, so an attacker cannot tamper with the attack log and the credibility of the traceability information is ensured;
step five, data storage: the uplinked attack data is stored in the blockchain network, ensuring permanent storage of the data, and a blockchain record is created;
step six, attack tracing: using the data stored in the blockchain, the identity, attack path and other information of the attacker can be traced through analysis, and potential security holes can be found and repaired in time;
step seven, privacy protection: for sensitive information and private data, an encryption algorithm can be used for protection, and only authorized users can decrypt and view related contents, so that the privacy rights and data security of the users are ensured;
step eight, data query: the user can inquire the historical data and related information of the attack;
step nine, restoring an attack scene: the complete scene at the time of the attack is restored from the data stored in the blockchain, so that the behaviour, purpose and attack techniques of the attacker, among other aspects, are reconstructed and a reference is provided for subsequent defence; the method can also restore the state of the victim system and is not limited to reproducing attack traffic;
step ten, recovering the victim system: after the attack scene has been restored, the victim system is repaired and recovered where necessary to ensure normal operation and close the security hole;
step eleven, attack tracking: by analysing the attack tracing data, an attempt is made to trace the identity, movements and purpose of the attacker, with further investigation and cooperation as needed;
step twelve, reporting and summarising: based on the collected data and analysis results, a detailed report is written summarising the characteristics, impact and defence recommendations of the attack event; the report is retained as evidence to facilitate subsequent investigation and legal action.
2. The method for preserving and restoring attack scenarios according to claim 1, wherein the attack data in the first step includes, but is not limited to, an attacker IP address, an attack time, a response of the attacked system, an intrusion behavior, an attack pattern, a source of the attacker, an attack target, network traffic, a system snapshot, and a user behavior.
3. The method for preserving and restoring attack scenes according to claim 1, wherein in the third step, after the data is put on the chain, data in a defined format is formed and stored on the blockchain, and the data format is, but is not limited to, JSON.
4. The method for traceable attack scene saving and restoration according to claim 1, wherein creating a blockchain record in the fifth step uses the distributed-storage and tamper-proof characteristics of the blockchain to save the attack data: each attack data item generates a new block, and the hash value of the previous block is used as its own preceding hash value, forming a chain structure.
5. The method for attack traceability preservation and restoration of an attack scene based on blockchain technology according to claim 1, wherein the data stored in the fifth step can be automatically stored and updated using technology including but not limited to smart contracts.
6. The method for preserving and restoring attack scenes based on blockchain technology according to claim 1, wherein the restoration technology for the attack scene in step nine includes, but is not limited to, network topology analysis, code analysis, network traffic analysis, system log analysis and attack sample analysis. Through these technologies, attack data can be converted into visual charts that help network security personnel better understand the behaviour and intentions of an attacker.
7. The method for preserving and restoring attack scenes according to claim 1, wherein the attack scene is verified during restoration in step nine by checking, block by block from the target block backwards, whether the hash value of each block matches, so as to ensure the integrity of the data and that it has not been tampered with. Once verification passes, information such as the attacker's IP address, the attack timestamp and the attack type can be restored, and thus the whole attack scene is restored.
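The following Python is an added example, not code from the patent: it stores one JSON attack record per block with the previous block's hash as its preceding hash (claims 3 and 4), then performs the backward block-by-block hash verification of step nine and claim 7 before restoring the attacker IP, timestamp and attack type. The record field names, the SHA-256 choice and the sample records are assumptions.

```python
import hashlib
import json

# Field names are an assumption matching what the patent says a verified block
# restores: attacker IP, attack timestamp and attack type.
SAMPLE_EVENTS = [  # constructed records; documentation-range IPs, not real indicators
    {"attacker_ip": "203.0.113.7", "attack_time": "2023-11-09T10:15:02Z", "attack_type": "port_scan"},
    {"attacker_ip": "203.0.113.7", "attack_time": "2023-11-09T10:17:45Z", "attack_type": "sql_injection"},
    {"attacker_ip": "198.51.100.22", "attack_time": "2023-11-09T10:20:11Z", "attack_type": "ssh_bruteforce"},
]
GENESIS_LINK = "0" * 64  # preceding hash of the first block

def block_hash(index, prev_hash, record):
    """SHA-256 over the block header and the canonical JSON of the attack record."""
    body = {"index": index, "prev_hash": prev_hash, "record": record}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(events):
    """One block per attack record; each block stores the previous block's hash."""
    chain, prev_hash = [], GENESIS_LINK
    for index, record in enumerate(events):
        h = block_hash(index, prev_hash, record)
        chain.append({"index": index, "prev_hash": prev_hash, "record": record, "hash": h})
        prev_hash = h
    return chain

def verify_from(chain, target_index):
    """Walk from the target block back to genesis, recomputing hashes and checking each link."""
    expected = None
    for i in range(target_index, -1, -1):
        b = chain[i]
        if block_hash(b["index"], b["prev_hash"], b["record"]) != b["hash"]:
            return False  # block content no longer matches its stored hash
        if expected is not None and b["hash"] != expected:
            return False  # the following block's prev_hash does not point here
        expected = b["prev_hash"]
    return expected == GENESIS_LINK  # the walk must end at the genesis link

def restore_scene(chain, target_index):
    """Restore IP, timestamp and type from blocks up to the target, only after verification."""
    if not verify_from(chain, target_index):
        return None
    return [(b["record"]["attacker_ip"], b["record"]["attack_time"],
             b["record"]["attack_type"]) for b in chain[:target_index + 1]]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("verified:", verify_from(chain, 2), restore_scene(chain, 2))
```

Altering a record without recomputing its hash breaks the content check, and recomputing it breaks the link check from the following block, so a target block only verifies when every earlier block is intact.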
CN202311486046.4A 2023-11-09 2023-11-09 Attack traceability saving and restoring method based on blockchain technology Pending CN117527359A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311486046.4A CN117527359A (en) 2023-11-09 2023-11-09 Attack traceability saving and restoring method based on blockchain technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311486046.4A CN117527359A (en) 2023-11-09 2023-11-09 Attack traceability saving and restoring method based on blockchain technology

Publications (1)

Publication Number Publication Date
CN117527359A true CN117527359A (en) 2024-02-06

Family

ID=89765730

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311486046.4A Pending CN117527359A (en) 2023-11-09 2023-11-09 Attack traceability saving and restoring method based on blockchain technology

Country Status (1)

Country Link
CN (1) CN117527359A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination