CN108810014A - Attack alarm method and device - Google Patents
Attack alarm method and device
- Publication number: CN108810014A (application CN201810713167.0A)
- Authority: CN (China)
- Prior art keywords: attack, behavior, target object, result, threat
- Legal status: Granted (status as listed by Google, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Alarm Systems (AREA)
Abstract
The present invention relates to the field of information security, and in particular to an attack event alerting method and device. The method comprises: monitoring whether an attack behavior against a target object exists; when such an attack behavior is detected, determining its behavior type; determining, from the behavior type, the degree of threat the attack behavior poses to the target object; after the attack behavior has completed its attack on the target object, obtaining an attack result that characterizes whether the attack succeeded; and raising an alert on the attack behavior according to the threat degree and the attack result. Because the threat degree and the attack result are considered together when deciding whether to alert, the threat that an attack behavior poses to the target object can be determined more accurately, which improves the accuracy of alerts on attack behaviors.
Description
Technical field
The invention relates to the field of information security, and in particular to an attack event alerting method and device.
Background
Information security mainly covers five aspects: ensuring the confidentiality, authenticity and integrity of information, preventing its unauthorized copying, and securing the system on which the information resides. Concretely, it includes preventing leaks of corporate secrets, keeping minors from browsing harmful content, and preventing leaks of personal information. In a networked environment the information security system is the key to keeping information secure: a single security vulnerability can threaten overall security.
In the prior art, when an attack behavior targets a target object, the threat that the attack event poses to the target object is usually determined from the severity level of the vulnerability in the target object that the attack exploits, and alerts on the attack behavior are raised on the basis of that threat assessment. The threat determined in this way is often inaccurate, so alerts on attack behaviors suffer from the technical problem of low accuracy.
Summary of the invention
In view of the above problems, the present invention provides an attack event alerting method and device that overcome, or at least partially solve, those problems.
According to a first aspect of the present invention, an attack event alerting method is provided, the method comprising:
monitoring whether an attack behavior against a target object exists;
when the attack behavior is detected, determining the behavior type of the attack behavior;
determining, from the behavior type of the attack behavior, the degree of threat the attack behavior poses to the target object;
after the attack behavior has completed its attack on the target object, obtaining an attack result that characterizes whether the attack on the target object succeeded;
raising an alert on the attack behavior according to the threat degree and the attack result.
Preferably, monitoring whether an attack behavior against the target object exists comprises:
monitoring whether an attack request from the attack behavior to the target object exists;
where a detected attack request indicates that the attack behavior exists, and the absence of one indicates that it does not.
Preferably, determining the behavior type of the attack behavior when it is detected comprises:
when the attack request is detected, determining the behavior type of the attack behavior from the attack request.
Preferably, determining the degree of threat from the behavior type comprises:
looking up the threat score of the attack behavior, according to its behavior type, in a preset mapping between behavior types and threat scores, where the threat score characterizes the degree of threat the attack behavior poses to the target object.
Preferably, after the attack behavior has completed its attack on the target object and before the attack result is obtained, the method further comprises:
obtaining the response message of the target object to the attack behavior;
where obtaining the attack result that characterizes whether the attack succeeded comprises:
obtaining that attack result from the response message.
Preferably, the attack result is an attack result weight.
Preferably, when the attack result is an attack result weight, raising an alert according to the threat degree and the attack result comprises:
multiplying the threat score of the attack behavior by the attack result weight to obtain an attack score;
raising an alert on the attack behavior according to the attack score.
Preferably, raising an alert according to the attack score comprises:
judging whether the attack score is higher than a preset alert threshold;
when the attack score is higher than the preset alert threshold, sending alert information to the user.
Preferably, when there are multiple attack behaviors, after the attack score of each has been obtained, the method further comprises:
sorting all attack behaviors by attack score to obtain an attack ranking result that characterizes the threat all of them pose to the target object.
Preferably, the target object is hardware, software, a system or a protocol in a client or a server.
According to a second aspect of the present invention, an attack event alerting device is provided, the device comprising:
a monitoring module, configured to monitor whether an attack behavior against a target object exists;
a first determining module, configured to determine the behavior type of the attack behavior when it is detected;
a second determining module, configured to determine, from the behavior type, the degree of threat the attack behavior poses to the target object;
a first obtaining module, configured to obtain, after the attack behavior has completed its attack on the target object, an attack result that characterizes whether the attack succeeded;
an alerting module, configured to raise an alert on the attack behavior according to the threat degree and the attack result.
Preferably, the monitoring module is specifically configured to:
monitor whether an attack request from the attack behavior to the target object exists;
where a detected attack request indicates that the attack behavior exists, and the absence of one indicates that it does not.
Preferably, the first determining module is specifically configured to:
determine the behavior type of the attack behavior from the attack request when the attack request is detected.
Preferably, the second determining module is specifically configured to:
look up the threat score of the attack behavior, according to its behavior type, in a preset mapping between behavior types and threat scores, where the threat score characterizes the degree of threat the attack behavior poses to the target object.
Preferably, the device further comprises:
a second obtaining module, configured to obtain the response message of the target object to the attack behavior;
where the first obtaining module is specifically configured to:
obtain from the response message the attack result that characterizes whether the attack succeeded.
Preferably, the attack result is an attack result weight.
Preferably, when the attack result is an attack result weight, the alerting module comprises:
an obtaining unit, configured to multiply the threat score of the attack behavior by the attack result weight to obtain an attack score;
an alerting unit, configured to raise an alert on the attack behavior according to the attack score.
Preferably, the alerting unit comprises:
a judging subunit, configured to judge whether the attack score is higher than a preset alert threshold;
a sending subunit, configured to send alert information to the user when the attack score is higher than the preset alert threshold.
Preferably, when there are multiple attack behaviors, the device further comprises:
a sorting module, configured to sort all attack behaviors by attack score and obtain an attack ranking result that characterizes the threat all of them pose to the target object.
Preferably, the target object is hardware, software, a system or a protocol in a client or a server.
According to a third aspect of the present invention, a computer-readable storage medium is provided, storing a computer program which, when executed by a processor, implements any method step of the first aspect.
According to a fourth aspect of the present invention, a computer device is provided, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor, when executing the program, implements any method step of the first aspect.
The attack event alerting method and device of the present invention monitor whether an attack behavior against a target object exists; when one is detected, determine its behavior type and, from that type, the degree of threat it poses to the target object; after the attack behavior has completed its attack, obtain an attack result characterizing whether the attack succeeded; and finally raise an alert according to the threat degree and the attack result. Because the threat degree and the attack result are considered together, the threat the attack behavior poses to the target object is determined more accurately, and the accuracy of alerts on attack behaviors is improved.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the description, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art from the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings the same reference numerals denote the same components. In the drawings:
Fig. 1 is a flowchart of the attack event alerting method in an embodiment of the present invention;
Fig. 2 is a structural diagram of the attack event alerting device in an embodiment of the present invention;
Fig. 3 is a structural diagram of the computer device in an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be embodied in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed fully to those skilled in the art.
An embodiment of the present invention provides an attack event alerting method that can be applied in a server or in a client. As shown in Fig. 1, the method comprises:
Step 101: monitor whether an attack behavior against a target object exists.
Step 102: when an attack behavior is detected, determine its behavior type.
Step 103: from the behavior type of the attack behavior, determine the degree of threat it poses to the target object.
Step 104: after the attack behavior has completed its attack on the target object, obtain an attack result that characterizes whether the attack succeeded.
Step 105: raise an alert on the attack behavior according to the threat degree and the attack result.
Specifically, if the attack event alerting method is applied in a server, the target object may be hardware, software, a system or a protocol in the server; if it is applied in a client, the target object may be hardware, software, a system or a protocol in the client. The attack behavior corresponds to the type of the target object: an attack behavior is a behavior that can pose a security threat to the target object. For example, if the target object is a system, software or protocol in a PC client, the corresponding attack behaviors may be overflows, use-after-free, array out-of-bounds access, denial of service, double free, kernel extraction, privilege escalation or bypass, logic flaws, information leakage, DLL hijacking, XSS and so on; if the target object is a system, software or protocol in a client, the corresponding attack behaviors may be information leakage, XSS, code execution, logic flaws, phishing fraud, denial of service and so on; if the target object is a system, software or protocol in a server, the corresponding attack behaviors may be remote code execution, DoS, suspected intrusion, high-risk ports and so on.
Further, for how step 101 monitors whether an attack behavior exists, the embodiment provides the following implementation: monitor whether an attack request from the attack behavior to the target object exists.
Specifically, an attack behavior that attempts to attack the target object usually issues an attack request, so monitoring for attack requests determines whether an attack behavior exists: a detected attack request indicates that an attack behavior against the target object exists, and the absence of one indicates that it does not.
Further, the attack request carries the behavior type of the attack behavior, so the behavior type can be read from the request. In step 102, when an attack request is detected, the behavior type of the attack behavior is determined from the attack request.
Further, once the behavior type has been determined, step 103 determines the degree of threat the attack behavior poses to the target object. The embodiment provides the following implementation: look up the threat score of the attack behavior, according to its behavior type, in a preset mapping between behavior types and threat scores, where the threat score characterizes the degree of threat the attack behavior poses to the target object.
Specifically, in this embodiment a mapping between behavior types and threat scores is established in advance, in which a behavior type that poses a higher degree of threat to the security of the target object has a higher threat score. For high-risk, medium-risk and low-risk attack behaviors, the degree of threat to the target object decreases in that order: a high-risk attack behavior threatens the target object more than a medium-risk one, and a medium-risk attack behavior more than a low-risk one, so the threat score of a high-risk attack behavior is greater than that of a medium-risk one, and the threat score of a medium-risk attack behavior is greater than that of a low-risk one. For example, if the behavior type is an XSS attack (cross-site scripting, a security vulnerability in web applications that lets a malicious web user inject code into pages served to other users), the degree of threat to the target object is very high and the behavior is high-risk, so XSS is given a high threat score, such as 8; if the behavior type is an information leakage attack, the degree of threat is moderate and the behavior is medium-risk, so information leakage is given an intermediate threat score, such as 5.
Further, once the behavior type has been determined, the threat score of the attack behavior is looked up by behavior type in the pre-established mapping. For example, if the behavior type is determined to be an XSS attack, the mapping yields a threat score of 8 for it; if the behavior type is determined to be an information leakage attack, the mapping yields a threat score of 5.
Further, once the threat score has been determined, step 104 obtains, after the attack behavior has completed its attack on the target object, an attack result that characterizes whether the attack succeeded. For how the attack result is learned, the embodiment provides the following implementation: after the attack behavior has completed its attack on the target object, first obtain the response message of the target object to the attack behavior, which contains the information characterizing whether the attack succeeded; then determine the attack result from the response message. The attack result is one of two cases, attack success or attack failure.
Further, in this embodiment the attack result can be represented as an attack result weight. Specifically, the weight for attack success is higher than the weight for attack failure, and the actual values can be adjusted to the situation. Normally the attack result weights are set in the range 0 to 1, that is, both the success weight and the failure weight are chosen from 0 to 1, subject to the constraint that the success weight is higher than the failure weight; for example, the success weight may be set to 1 and the failure weight to 0.2.
It should be noted that attack behaviors of different behavior types may have different attack result weights, or the same ones. For example, take two attack behaviors whose behavior types differ, each with the two possible results of success and failure: the success weight of the first attack behavior is the first attack result weight, its failure weight is the second attack result weight, the success weight of the second attack behavior is the third attack result weight, and its failure weight is the fourth attack result weight. When setting these weights, the first must be higher than the second and the third higher than the fourth; within that constraint the first weight may be set higher than, equal to, or lower than the third, and in each of those three cases the second weight may independently be higher than, equal to, or lower than the fourth.
进一步,在本发明实施例中,当攻击结果为攻击结果权重,且攻击威胁程度为威胁分数时,在步骤105中,对于如何根据攻击威胁程度和攻击结果对攻击行为进行告警,本发明实施例提供以下实现方式:将攻击行为的威胁分数与攻击结果权重相乘,获得攻击分数,根据攻击分数对攻击行为进行告警。Further, in the embodiment of the present invention, when the attack result is the weight of the attack result, and the attack threat degree is the threat score, in step 105, how to alert the attack behavior according to the attack threat degree and the attack result, the embodiment of the present invention The following implementation methods are provided: multiply the threat score of the attack behavior by the weight of the attack result to obtain the attack score, and send an alarm to the attack behavior according to the attack score.
Specifically, the threat score is obtained when the attack behavior attempts to attack the target object, and the attack result weight is obtained when the attack behavior has completed its attack on the target object. Once both are available, their product is taken as the attack score. For example, if the threat score obtained for an attack behavior is 7 and its attack result weight is 0.3, the attack score of that behavior is 7 × 0.3 = 2.1.
Further, after the attack score is obtained, the attack behavior is alerted on according to it. Specifically, an alarm threshold can be preset; after the attack score is obtained, it is first judged whether the score is higher than the preset alarm threshold, and if so, alarm information is sent to the user to indicate the threat the attack behavior poses to the target object. The alarm information may be text, sound, light, or combined sound and light. When the alarm information is text, it contains the attack score of the attack behavior. When it includes a sound alarm, a higher attack score gives a higher sounding frequency and a lower attack score a lower sounding frequency, so that the user can tell the level of threat to the target object directly from the sound. When it includes a light alarm, a higher attack score gives a higher flashing frequency and a lower attack score a lower flashing frequency, so that the user can likewise tell the level of threat to the target object directly from the light.
In the embodiment of the present invention, when multiple attack behaviors exist against a target object, each attack behavior has its own attack score. After the attack score of each behavior is obtained, all attack behaviors can be sorted by attack score to obtain an attack ranking result that characterizes the threat situation of all attack behaviors to the target object. For example, suppose a target object faces three attack behaviors, the first, second and third, with attack scores of 10, 8 and 5 respectively. Sorting these three scores from high to low gives the ranking: first attack behavior, second attack behavior, third attack behavior. From this ranking the threat posed by all attack behaviors is directly apparent: the first attack behavior threatens the security of the target object more than the second, and the second more than the third.
The attack event alarm method of the embodiment of the present invention is described in detail below with reference to a specific example.
Suppose the target object is the operating system of a client. Whether an attack behavior against the operating system exists is monitored. If a first attack request corresponding to a first attack behavior and a second attack request corresponding to a second attack behavior are detected, the behavior type of each attack behavior can be determined from its request. Suppose the first attack behavior is of type XSS and the second is of type information leakage. From the preset correspondence between behavior type and threat score, the threat score of the first attack behavior (XSS) is determined to be 8 and that of the second attack behavior (information leakage) to be 5. After the first and second attack behaviors have completed their attacks on the target object, the target object generates a first response message corresponding to the first attack behavior and a second response message corresponding to the second attack behavior. Suppose that, for both attack behaviors, the preset result weight for a successful attack is 1 and for a failed attack is 0.2. If the first response message indicates that the first attack behavior failed, its attack result weight is 0.2; if the second response message indicates that the second attack behavior succeeded, its attack result weight is 1. The attack score of the first attack behavior is therefore 8 × 0.2 = 1.6, and that of the second attack behavior is 5 × 1 = 5. With a preset alarm threshold of 4, an alarm is raised for the second attack behavior. The two attack behaviors can also be sorted by attack score from high to low, which gives the ranking: second attack behavior (5), first attack behavior (1.6).
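The scoring pipeline described above (threat score looked up from the behavior type, result weight derived from the target's response message, product compared against a threshold, then ranking), as an added, runnable Python example. This is not code from the patent. The threat scores (XSS 8, information leakage 5), result weights (1 for success, 0.2 for failure) and threshold (4) are the values of the worked example; the request/response classes, the success heuristics in `attack_succeeded`, the extra `sqli` entry and the sample requests and responses are constructed assumptions for illustration. The example generalizes the two-behavior case to any number of observed behaviors.

```python
import re
from dataclasses import dataclass

# Preset correspondence between behavior type and threat score.
# "xss" and "info_leak" take the patent example's values; "sqli" is an assumed extra entry.
THREAT_SCORES = {"xss": 8, "info_leak": 5, "sqli": 9}

# Preset attack-result weights: success -> 1, failure -> 0.2 (patent example values).
RESULT_WEIGHTS = {True: 1.0, False: 0.2}

ALARM_THRESHOLD = 4  # patent example value; an alarm fires only when score > threshold


@dataclass
class AttackRequest:
    name: str           # label for the attack behavior, e.g. "first"
    behavior_type: str  # assumed output of a request classifier (WAF rule, IDS signature)
    payload: str


@dataclass
class ResponseMessage:
    status: int
    body: str


def attack_succeeded(req: AttackRequest, resp: ResponseMessage) -> bool:
    """Judge success from the target's response message (assumed heuristics).

    xss:       succeeded if the payload is reflected verbatim in a non-error body
    info_leak: succeeded if the body carries a credential-looking key=value pair
    Any other type is treated as failed, so unknown types never inflate a score.
    """
    if resp.status >= 400:
        return False
    if req.behavior_type == "xss":
        return req.payload in resp.body
    if req.behavior_type == "info_leak":
        return re.search(r"(?i)(password|passwd|secret|api_key)\s*[:=]\s*\S+", resp.body) is not None
    return False


def attack_score(behavior_type: str, succeeded: bool) -> float:
    """Threat score multiplied by result weight; unknown behavior types score 0."""
    return THREAT_SCORES.get(behavior_type, 0) * RESULT_WEIGHTS[succeeded]


def evaluate(events, threshold=ALARM_THRESHOLD):
    """events: iterable of (AttackRequest, ResponseMessage) pairs.

    Returns (scores, alarms, ranking): per-behavior attack scores, the behaviors
    whose score exceeds the threshold, and all behaviors sorted from highest score down.
    """
    scores = {}
    for req, resp in events:
        succeeded = attack_succeeded(req, resp)
        scores[req.name] = round(attack_score(req.behavior_type, succeeded), 2)
    alarms = [name for name, s in scores.items() if s > threshold]
    ranking = sorted(scores, key=scores.get, reverse=True)
    return scores, alarms, ranking


# Constructed sample traffic reproducing the patent's worked example: the XSS payload
# comes back HTML-encoded (attack failed), the leak attempt returns a config file (succeeded).
SAMPLE_EVENTS = [
    (AttackRequest("first", "xss", "<script>alert(1)</script>"),
     ResponseMessage(200, "No results for &lt;script&gt;alert(1)&lt;/script&gt;")),
    (AttackRequest("second", "info_leak", "../../app/config.ini"),
     ResponseMessage(200, "db_host=10.0.0.5\ndb_password=hunter2\n")),
]

if __name__ == "__main__":
    scores, alarms, ranking = evaluate(SAMPLE_EVENTS)
    print("scores:", scores)    # {'first': 1.6, 'second': 5.0}
    print("alarm on:", alarms)  # ['second']
    print("ranking:", ranking)  # ['second', 'first']
```

Two caveats a practitioner would attach to this design. First, the result weight is only as reliable as the inference from the response message: a blind or stored attack may leave no trace in the immediate response, and a generic error page can mask a successful exploit, so the weight should be treated as evidence rather than ground truth. Second, because a failed attack keeps 20% of its threat score, a single failed high-severity attempt (8 × 0.2 = 1.6) can never reach a threshold of 4; in practice one would also aggregate repeated failed attempts from the same source, which the per-behavior score alone does not do.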
Based on the same inventive concept, an embodiment of the present invention also provides an attack event alarm device. As shown in Figure 2, the device includes:
a monitoring module 201, configured to monitor whether an attack behavior against a target object exists;
a first determining module 202, configured to determine the behavior type of the attack behavior when the attack behavior is detected;
a second determining module 203, configured to determine, according to the behavior type of the attack behavior, the attack threat degree of the attack behavior to the target object;
a first acquiring module 204, configured to acquire, after the attack behavior has completed its attack on the target object, an attack result characterizing whether the attack of the attack behavior on the target object succeeded;
an alarm module 205, configured to alert on the attack behavior according to the attack threat degree and the attack result.
Preferably, the monitoring module 201 is specifically configured to:
monitor whether an attack request of the attack behavior on the target object exists;
where, if the attack request is detected, the attack behavior exists, and otherwise the attack behavior does not exist.
Preferably, the first determining module 202 is specifically configured to:
when the attack request is detected, determine the behavior type of the attack behavior according to the attack request.
Preferably, the second determining module 203 is specifically configured to:
determine, according to the behavior type of the attack behavior, the threat score of the attack behavior from a preset correspondence between behavior types and threat scores, where the threat score of the attack behavior characterizes the attack threat degree of the attack behavior to the target object.
Preferably, the device further includes:
a second acquiring module, configured to acquire a response message of the target object to the attack behavior;
where the first acquiring module is specifically configured to:
acquire, according to the response message, the attack result characterizing whether the attack of the attack behavior on the target object succeeded.
Preferably, the attack result is an attack result weight.
Preferably, when the attack result is an attack result weight, the alarm module 205 includes:
an obtaining unit, configured to multiply the threat score of the attack behavior by the attack result weight to obtain an attack score;
an alarm unit, configured to alert on the attack behavior according to the attack score.
Preferably, the alarm unit includes:
a judging subunit, configured to judge whether the attack score is higher than a preset alarm threshold;
a sending subunit, configured to send alarm information to the user when the attack score is higher than the preset alarm threshold.
Preferably, when multiple attack behaviors exist, the device further includes:
a sorting module, configured to sort all attack behaviors by attack score and obtain an attack ranking result characterizing the threat situation of all attack behaviors to the target object.
Preferably, the target object is hardware, software, a system or a protocol in a client or a server.
Based on the same inventive concept, an embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method steps described in the foregoing embodiments.
Based on the same inventive concept, an embodiment of the present invention also provides a computer device, as shown in Figure 3. For ease of description only the parts relevant to the embodiment are shown; for technical details not disclosed here, refer to the method part of the embodiments. The computer device may be any terminal device, including a mobile phone, tablet computer, PDA (Personal Digital Assistant), POS (Point of Sales) terminal or vehicle-mounted computer. Taking a mobile phone as the example:
Figure 3 is a block diagram of part of the structure of the computer device provided by the embodiment of the present invention. Referring to Figure 3, the computer device includes a memory 301 and a processor 302. Those skilled in the art will understand that the structure shown in Figure 3 does not limit the computer device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
Each component of the computer device is described below with reference to Figure 3:
The memory 301 may be used to store software programs and modules; the processor 302 executes various functional applications and data processing by running the software programs and modules stored in the memory 301. The memory 301 may mainly include a program storage area and a data storage area, where the program storage area may store the operating system and the application programs required by at least one function (such as sound playback or image playback), and the data storage area may store data (such as audio data or a phone book). In addition, the memory 301 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The processor 302 is the control center of the computer device; it performs various functions and processes data by running or executing the software programs and/or modules stored in the memory 301 and calling the data stored in the memory 301. Optionally, the processor 302 may include one or more processing units; preferably, the processor 302 integrates an application processor, which mainly handles the operating system, user interface and application programs, and a modem processor, which mainly handles wireless communication.
In this embodiment of the present invention, the processor 302 of the computer device may have the functions corresponding to any of the method steps in the foregoing embodiments.
In the attack event alarm method and device of the present invention, whether an attack behavior against a target object exists is monitored; when an attack behavior is detected, its behavior type is determined and, from that type, its attack threat degree to the target object; after the attack behavior has completed its attack on the target object, an attack result characterizing whether the attack succeeded is acquired; finally, the attack behavior is alerted on according to both the attack threat degree and the attack result. Because the attack threat degree and the attack result are considered together when alerting, the threat of the attack behavior to the target object can be determined more accurately, which improves the accuracy of attack behavior alarms.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the present invention described herein can be implemented in various programming languages, and that the above description of specific languages is provided to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided herein. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline this disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into that description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules of the device in an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. Modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the embodiments of the present invention. The invention may also be implemented as a device or apparatus program (for example, a computer program or computer program product) for carrying out part or all of the methods described herein. Such a program implementing the invention may be stored on a computer-readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any order; these words may be interpreted as names.
A1. An attack event alarm method, characterized in that the method comprises:
monitoring whether an attack behavior against a target object exists;
when the attack behavior is detected, determining the behavior type of the attack behavior;
determining, according to the behavior type of the attack behavior, the attack threat degree of the attack behavior to the target object;
after the attack behavior has completed its attack on the target object, acquiring an attack result characterizing whether the attack of the attack behavior on the target object succeeded;
alerting on the attack behavior according to the attack threat degree and the attack result.
A2. The attack event alarm method according to A1, characterized in that monitoring whether an attack behavior against a target object exists comprises:
monitoring whether an attack request of the attack behavior on the target object exists;
where, if the attack request is detected, the attack behavior exists, and otherwise the attack behavior does not exist.
A3. The attack event alarm method according to A2, characterized in that determining the behavior type of the attack behavior when the attack behavior is detected comprises:
when the attack request is detected, determining the behavior type of the attack behavior according to the attack request.
A4. The attack event alarm method according to A1, characterized in that determining, according to the behavior type of the attack behavior, the attack threat degree of the attack behavior to the target object comprises:
determining, according to the behavior type of the attack behavior, the threat score of the attack behavior from a preset correspondence between behavior types and threat scores, where the threat score of the attack behavior characterizes the attack threat degree of the attack behavior to the target object.
A5. The attack event alarm method according to A1, characterized in that, after the attack behavior has completed its attack on the target object and before acquiring the attack result characterizing whether the attack of the attack behavior on the target object succeeded, the method further comprises:
acquiring a response message of the target object to the attack behavior;
where acquiring the attack result characterizing whether the attack of the attack behavior on the target object succeeded comprises:
acquiring, according to the response message, the attack result characterizing whether the attack of the attack behavior on the target object succeeded.
A6. The attack event alarm method according to A1, characterized in that the attack result is an attack result weight.
A7. The attack event alarm method according to A4, characterized in that, when the attack result is an attack result weight, alerting on the attack behavior according to the attack threat degree and the attack result comprises:
multiplying the threat score of the attack behavior by the attack result weight to obtain an attack score;
alerting on the attack behavior according to the attack score.
A8. The attack event alarm method according to A7, characterized in that alerting on the attack behavior according to the attack score comprises:
judging whether the attack score is higher than a preset alarm threshold;
when the attack score is higher than the preset alarm threshold, sending alarm information to the user.
A9. The attack event alarm method according to A7, characterized in that, when multiple attack behaviors exist, after the attack score of each attack behavior is obtained the method further comprises:
sorting all attack behaviors by attack score to obtain an attack ranking result characterizing the threat situation of all attack behaviors to the target object.
A10. The attack event alarm method according to A1, characterized in that the target object is hardware, software, a system or a protocol in a client or a server.
B11. An attack event alarm device, characterized in that the device comprises:
a monitoring module, configured to monitor whether an attack behavior against a target object exists;
a first determining module, configured to determine the behavior type of the attack behavior when the attack behavior is detected;
a second determining module, configured to determine, according to the behavior type of the attack behavior, the attack threat degree of the attack behavior to the target object;
a first acquiring module, configured to acquire, after the attack behavior has completed its attack on the target object, an attack result characterizing whether the attack of the attack behavior on the target object succeeded;
an alarm module, configured to alert on the attack behavior according to the attack threat degree and the attack result.
B12. The attack event alarm device according to B11, characterized in that the monitoring module is specifically configured to:
monitor whether an attack request of the attack behavior on the target object exists;
where, if the attack request is detected, the attack behavior exists, and otherwise the attack behavior does not exist.
B13. The attack event alarm device according to B12, characterized in that the first determining module is specifically configured to:
when the attack request is detected, determine the behavior type of the attack behavior according to the attack request.
B14. The attack event alarm device according to B11, characterized in that the second determining module is specifically configured to:
determine, according to the behavior type of the attack behavior, the threat score of the attack behavior from a preset correspondence between behavior types and threat scores, where the threat score of the attack behavior characterizes the attack threat degree of the attack behavior to the target object.
B15. The attack event alarm device according to B11, characterized in that the device further comprises:
a second acquiring module, configured to acquire a response message of the target object to the attack behavior;
where the first acquiring module is specifically configured to:
acquire, according to the response message, the attack result characterizing whether the attack of the attack behavior on the target object succeeded.
B16. The attack event alarm device according to B11, characterized in that the attack result is an attack result weight.
B17. The attack event alarm device according to B14, characterized in that, when the attack result is an attack result weight, the alarm module comprises:
an obtaining unit, configured to multiply the threat score of the attack behavior by the attack result weight to obtain an attack score;
an alarm unit, configured to alert on the attack behavior according to the attack score.
B18. The attack event alarm device according to B17, characterized in that the alarm unit comprises:
a judging subunit, configured to judge whether the attack score is higher than a preset alarm threshold;
a sending subunit, configured to send alarm information to the user when the attack score is higher than the preset alarm threshold.
B19. The attack event alarm device according to B17, characterized in that, when multiple attack behaviors exist, the device further comprises:
a sorting module, configured to sort all attack behaviors by attack score and obtain an attack ranking result characterizing the threat situation of all attack behaviors to the target object.
B20. The attack event alarm device according to B11, characterized in that the target object is hardware, software, a system or a protocol in a client or a server.
C21. A computer-readable storage medium storing a computer program, characterized in that, when the program is executed by a processor, the method steps according to any one of A1 to A10 are implemented.
D22、一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其特征在于,所述处理器执行所述程序时实现根据A1-A10中任一权利要求所述的方法步骤。D22. A computer device, comprising a memory, a processor, and a computer program stored in the memory and operable on the processor, characterized in that, when the processor executes the program, any one of the claims in A1-A10 is realized The method steps described are required.
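The scoring pipeline of claims B13 to B19 (behavior type derived from the request, threat score from the preset table, attack result weight from the target object's response, their product compared with the alarm threshold, and ranking of several attack behaviors) as an added worked example in Python; this is not the patent's code, and the threat scores, result weights, threshold, request patterns and log format are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed tables: behavior type -> threat score (claim B14) and response status ->
# attack result weight (claims B15-B17), 1.0 meaning the response suggests success.
THREAT_SCORES = {"sql_injection": 90, "path_traversal": 70, "dir_scan": 30}
RESULT_WEIGHTS = {200: 1.0, 500: 0.6, 404: 0.3, 403: 0.2}
ALARM_THRESHOLD = 50.0  # preset alarm threshold (claim B18), constructed value
# Assumed request patterns for deriving the behavior type from the request (claim B13).
BEHAVIOR_PATTERNS = [
    ("sql_injection", re.compile(r"union(?:\s|\+|%20)+select", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
    ("dir_scan", re.compile(r"/(\.git|backup|admin)/?$", re.I)),
]
LOG_LINE = re.compile(r'(\S+) "(\w+) (\S+)" (\d{3})$')  # constructed log format
AttackEvent = namedtuple("AttackEvent", "src behavior_type status")  # status of the response

def parse_log(lines):
    """Monitor constructed log lines and keep only requests matching an attack pattern."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for behavior_type, pattern in BEHAVIOR_PATTERNS:
            if pattern.search(m.group(3)):
                events.append(AttackEvent(m.group(1), behavior_type, int(m.group(4))))
                break
    return events

def attack_score(event):
    """Claim B17: threat score of the behavior type times the attack result weight."""
    return THREAT_SCORES[event.behavior_type] * RESULT_WEIGHTS.get(event.status, 0.5)

def should_alarm(event):
    """Claim B18: alarm only when the attack score is above the preset threshold."""
    return attack_score(event) > ALARM_THRESHOLD

def rank_events(events):
    """Claim B19: all observed attack behaviors ordered by attack score, highest first."""
    return sorted(events, key=attack_score, reverse=True)

SAMPLE_LOG = [  # constructed: each request paired with the target object's response
    '10.0.0.5 "GET /items?id=1+UNION+SELECT+1,2" 403',
    '10.0.0.7 "GET /static/../../etc/passwd" 200',
    '10.0.0.9 "GET /backup/" 404',
    '10.0.0.2 "GET /index.html" 200',
]
```

With the constructed tables, the rejected injection attempt scores 18 and stays below the threshold, while the traversal request that the target answered with 200 scores 70 and is the only event that raises an alarm.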
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810713167.0A CN108810014B (en) | 2018-06-29 | 2018-06-29 | Attack event alarm method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108810014A true CN108810014A (en) | 2018-11-13 |
| CN108810014B CN108810014B (en) | 2021-06-04 |
Family ID: 64074100
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810713167.0A Active CN108810014B (en) | 2018-06-29 | 2018-06-29 | Attack event alarm method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108810014B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103685298A (en) * | 2013-12-23 | 2014-03-26 | 上海交通大学无锡研究院 | Deep packet inspection based SSL (Secure Sockets Layer) man-in-the-middle attack discovering method |
| CN104811447A (en) * | 2015-04-21 | 2015-07-29 | 深信服网络科技(深圳)有限公司 | Security detection method and system based on attack association |
| CN105407103A (en) * | 2015-12-19 | 2016-03-16 | 中国人民解放军信息工程大学 | Network threat evaluation method based on multi-granularity anomaly detection |
| CN106656912A (en) * | 2015-10-28 | 2017-05-10 | 华为技术有限公司 | Method and device for detecting denial of service attack |
| CN107483438A (en) * | 2017-08-15 | 2017-12-15 | 山东华诺网络科技有限公司 | A kind of network security situation awareness early warning system and method based on big data |
| CN107819783A (en) * | 2017-11-27 | 2018-03-20 | 深信服科技股份有限公司 | A kind of network security detection method and system based on threat information |
| KR20180068268A (en) * | 2016-12-13 | 2018-06-21 | 경희대학교 산학협력단 | Method and apparatus for security investment based on evaluating security risks |
Non-Patent Citations (2)
| Title |
|---|
| Han-Wei Hsiao, Cathy S. Lin, and Ssu-Yang Chang: "Constructing an ARP attack detection system with SNMP traffic data mining", in Proceedings of the 11th International Conference on Electronic Commerce (ICEC '09) |
| 雷杰: "Research on network security threat and situation assessment methods", China Doctoral Dissertations Full-text Database, Information Science and Technology series |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111581643A (en) * | 2020-05-07 | 2020-08-25 | 中国工商银行股份有限公司 | Penetration attack evaluation method and device, electronic equipment and readable storage medium |
| CN111581643B (en) * | 2020-05-07 | 2024-02-02 | 中国工商银行股份有限公司 | Penetration attack evaluation method and device, electronic device and readable storage medium |
| CN113037555A (en) * | 2021-03-12 | 2021-06-25 | 中国工商银行股份有限公司 | Risk event marking method, risk event marking device and electronic equipment |
| CN113037555B (en) * | 2021-03-12 | 2022-09-20 | 中国工商银行股份有限公司 | Risk event marking method, risk event marking device and electronic equipment |
| CN113947788A (en) * | 2021-08-27 | 2022-01-18 | 浙江新再灵科技股份有限公司 | Method, device and equipment for identifying abnormal flow of people in buildings |
| CN114760151A (en) * | 2022-06-13 | 2022-07-15 | 宁波和利时信息安全研究院有限公司 | Method and device for acquiring authority of upper computer through PLC |
| CN114760151B (en) * | 2022-06-13 | 2022-09-13 | 宁波和利时信息安全研究院有限公司 | Method and device for acquiring authority of upper computer through PLC |
| CN115664730A (en) * | 2022-10-10 | 2023-01-31 | 国家电网有限公司信息通信分公司 | Network security evaluation method, device, equipment and storage medium |
| CN115842658A (en) * | 2022-11-18 | 2023-03-24 | 贵州电网有限责任公司遵义供电局 | Network security alarm method for threat and attack |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108810014B (en) | 2021-06-04 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | TR01 | Transfer of patent right | Effective date of registration: 20220721; Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd., 100088 room 112, block D, 28 new street, Xicheng District, Beijing (Desheng Park); Patentee after: 3600 Technology Group Co.,Ltd., 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin |
| | TR01 | Transfer of patent right | Effective date of registration: 20230718; Patentee before: 3600 Technology Group Co.,Ltd., 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin; Patentee after: Beijing Hongxiang Technical Service Co.,Ltd., 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015 |
| | CP03 | Change of name, title or address | Patentee before: Beijing Hongxiang Technical Service Co.,Ltd., 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015, China; Patentee after: Beijing 360 Zhiling Technology Co.,Ltd., same address, China |