
CN115021978A - Attack path prediction method and device, electronic equipment and storage medium - Google Patents

Publication number: CN115021978A
Authority: CN (China)
Prior art keywords: host, hosts, lost, access, suspected
Legal status: Granted
Application number: CN202210534140.1A
Other languages: Chinese (zh)
Other versions: CN115021978B
Inventors: 华超, 张勇勇, 谢铮, 任鹏, 史晓军
Current assignee: Yundun Smart Security Technology Co ltd
Original assignee: Yundun Smart Security Technology Co ltd
Events:
    • Application filed by Yundun Smart Security Technology Co ltd
    • Priority to CN202210534140.1A
    • Publication of CN115021978A
    • Application granted
    • Publication of CN115021978B
    • Legal status: Active

Classifications (all under H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)

    • H04L63/1441 Countermeasures against malicious traffic (H04L63/14: network architectures or protocols for detecting or protecting against malicious traffic; H04L63/00: network architectures or protocols for network security)
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service
    • H04L2463/146 Tracing the source of attacks (H04L2463/00: additional details relating to network security covered by H04L63/00)

Abstract

Embodiments of this application disclose an attack path prediction method, an attack path prediction device, an electronic device and a storage medium. The method comprises: for each host among multiple hosts, calculating the overall activity of the security events associated with that host from the host's security event set, and selecting one or more suspected compromised hosts from the multiple hosts according to the overall activity; calculating the access activity of each suspected compromised host from its access event set, and selecting one or more compromised hosts from the suspected compromised hosts according to the access activity; and determining an attack path from the access times and access relations of the compromised hosts. Implementing these embodiments improves the efficiency of attack path prediction.

Description

Attack path prediction method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to an attack path prediction method and device, an electronic device and a storage medium.
Background
Cybercrime groups today rely mainly on automated attacks: worms serve as the primary carrier for bulk scanning of Internet-exposed assets, after which the resources of each compromised host are used for cryptomining, botnet building and the like. Once a single intranet asset has been compromised, the worm infects other intranet hosts in bulk through system vulnerabilities, brute-force password cracking and similar means. The pattern is that after a host is infected, it uses the same attack technique to scan, probe and attack every other host reachable from it on the network; each host compromised in this second wave then repeats the behaviour, so that a large number of hosts end up infected. In this scenario the attack path usually has to be restored in order to build an intranet attack path graph.
At present, for the scenario above, the user mainly judges the order in which hosts were infected from the time at which each host was compromised, and then manually works out the attack path graph of the hosts in the intranet. Because the infection environment is complex, however, the status of a compromised host cannot be confirmed quickly, so restoring the attack path of a sample from the generated security events costs an ordinary user a great deal of labour and time, and attack path prediction is inefficient.
Disclosure of Invention
Embodiments of this application disclose an attack path prediction method and device, an electronic device and a storage medium that can improve the efficiency of attack path prediction.
An embodiment of this application discloses an attack path prediction method comprising the following steps:
for each host among a plurality of hosts, calculating the overall activity of the security events associated with that host from the host's security event set, and determining one or more suspected compromised hosts from the plurality of hosts according to the overall activity;
calculating the access activity of each suspected compromised host from its access event set, and determining one or more compromised hosts from the one or more suspected compromised hosts according to the access activity; and
determining an attack path from the access times and access relations of the compromised hosts.
As an optional implementation, determining one or more suspected compromised hosts from the plurality of hosts according to the overall activity comprises:
determining one or more hosts whose overall activity is greater than a first threshold as suspected compromised hosts.
As an optional implementation, determining one or more suspected compromised hosts from the plurality of hosts according to the overall activity comprises:
calculating a first composite evaluation index for each host from the host's asset value and the overall activity of its security events; and
determining one or more hosts whose first composite evaluation index is greater than a second threshold as suspected compromised hosts.
As an optional implementation, calculating the first composite evaluation index for each host from the host's asset value and the overall activity of its security events comprises:
calculating the first composite evaluation index for each host from the host's asset value, a first weight assigned to the asset value, the overall activity of the host's security events, and a second weight assigned to the overall activity.
As an optional implementation, the security event set includes one or more security events for each host and the security event type of each security event, and calculating the overall activity of the security events of each host from its security event set comprises:
determining, for each security event type in the security event set, the number of security events of that type on the host and the number of hosts on which that type occurs;
calculating, for each security event type, the individual activity of that type on the host from the number of events and the number of hosts; and
calculating the overall activity of the host's security events from the sum of the individual activities of all security event types on the host and the sum of the squares of those individual activities.
As an optional implementation, determining one or more compromised hosts from the one or more suspected compromised hosts according to the access activity comprises:
determining one or more suspected compromised hosts whose access activity is greater than a third threshold as compromised hosts.
As an optional implementation, determining one or more compromised hosts from the one or more suspected compromised hosts according to the access activity comprises:
calculating a second composite evaluation index for each suspected compromised host from its access activity and an access activity threshold specific to that host, the access activity threshold being determined from the average of the host's historical access activity; and
determining one or more suspected compromised hosts whose second composite evaluation index is greater than a fourth threshold as compromised hosts.
An embodiment of this application discloses an attack path prediction device comprising:
a first determining module for calculating, for each host among a plurality of hosts, the overall activity of the host's security events from its security event set, and determining one or more suspected compromised hosts from the plurality of hosts according to the overall activity;
a second determining module for calculating the access activity of each suspected compromised host from its access event set, and determining one or more compromised hosts from the one or more suspected compromised hosts according to the access activity; and
a third determining module for determining an attack path from the access times and access relations of the compromised hosts.
An embodiment of this application discloses an electronic device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to implement any of the attack path prediction methods disclosed in the embodiments of this application.
An embodiment of this application discloses a computer-readable storage medium storing a computer program which causes a computer to execute any of the attack path prediction methods disclosed in the embodiments of this application.
Compared with the related art, the embodiments of this application have the following beneficial effects:
the overall activity of each host's security events is calculated from its security event set in order to pick out suspected compromised hosts from the plurality of hosts; the access activity of each suspected compromised host is calculated from its access event set in order to pick out the compromised hosts from the suspected ones; and the attack path is predicted from the access events of each compromised host and the access relations between compromised hosts.
Calculating the overall activity of each host's security events provides a comprehensive evaluation of the hosts and therefore quick identification of suspected compromised hosts; the access event set of each suspected compromised host then provides a comprehensive evaluation of those hosts and quick identification of the compromised ones; and finally the attack path can be determined quickly from the access relations and access times of the compromised hosts, so that an attack path graph is built and the attack path is fully reconstructed.
The embodiments therefore reduce the time spent reconstructing and tracing the attack path graph, improve the efficiency of that reconstruction, and allow the attack path to be predicted and restored quickly. They address the problems that, in a complex network environment, compromised hosts cannot be found quickly and the source of an attack cannot be located accurately: compromised hosts are located quickly and the attack path is built on them, improving both the efficiency and the accuracy of attack path prediction.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. The drawings described here show only some embodiments of this application; a person skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of an attack path prediction method disclosed in an embodiment of the present application;
fig. 2 is a schematic diagram of a prediction result of an attack path disclosed in an embodiment of the present application;
fig. 3 is a schematic flowchart of another attack path prediction method disclosed in the embodiment of the present application;
fig. 4 is a schematic flowchart of another attack path prediction method disclosed in the embodiment of the present application;
fig. 5 is a schematic structural diagram of an attack path prediction apparatus disclosed in an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
It is to be noted that the terms "comprises" and "comprising" and any variations thereof in the examples and figures of the present application are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Embodiments of this application disclose an attack path prediction method and device, an electronic device and a storage medium that can improve the efficiency of attack path prediction. They are described in detail below.
Referring to Fig. 1, Fig. 1 is a schematic flowchart of an attack path prediction method disclosed in an embodiment of this application. The method of Fig. 1 is suitable for electronic devices such as laptop computers, desktop computers and industrial computers; the embodiments of this application are not limited in this respect.
As shown in fig. 1, the attack path prediction method may include the steps of:
101. For each host among the multiple hosts, calculate the overall activity of the host's security events from its security event set, and determine one or more suspected compromised hosts from the multiple hosts according to the overall activity.
The security event set includes one or more security events for each host and the security event type of each event.
Security event types may include worm events, malicious access events and distributed denial-of-service (DDoS) attack events.
The electronic device can obtain the system log of each host. System logs are used to detect security events that occurred on the system and to find the traces an attacker leaves while attacking it. The electronic device may derive the security event set of each host from that host's system log.
In some embodiments, the electronic device may identify each host's security event set through a security event detection model, a network security system or the like.
Optionally, the overall activity of a host's security events may be determined from factors such as the total number, timing and frequency of the security events that occurred on the host; or from the number of events of each security event type that occurred on the host; or by assigning different weights to events of different security event types.
The electronic device determines one or more suspected compromised hosts from the multiple hosts according to the overall activity. In some optional embodiments, hosts whose overall activity is greater than a first threshold are determined to be suspected compromised hosts, or hosts whose overall activity has exceeded the first threshold more than a count threshold number of times are determined to be suspected compromised hosts.
By calculating the overall activity of each host's security events from its security event set and determining suspected compromised hosts according to that activity, the method screens the suspected compromised hosts out of the host population at a first pass, which improves the efficiency of determining the compromised hosts.
102. Calculate the access activity of each suspected compromised host from its access event set, and determine one or more compromised hosts from the suspected compromised hosts according to the access activity.
The access event set may include the events in which each suspected compromised host was accessed, the events in which it actively accessed other hosts, the access times, the access frequency and so on.
Optionally, the access activity of each suspected compromised host may be determined from the number of times it was accessed, the number of times it actively accessed other hosts, the number of hosts it actively accessed and the number of hosts that accessed it.
A compromised host is a host that has been intruded upon and controlled and that initiates internal attacks and malicious behaviour.
If a compromised host remains under the attacker's control, the attacker escalates to higher privileges on it through the installation and command-and-control stages of the attack, establishes a connection to a remote command-and-control (C&C) server and takes full control, reducing the host to a zombie ("bot"); the zombie is then used to access other hosts and carry out malicious activities such as data theft, data destruction and ransomware encryption. At that point the growth in the host's access volume is abnormal, so calculating the access activity of each suspected compromised host from its access event set improves the accuracy with which compromised hosts are picked out of the suspected ones.
103. Determine an attack path from the access times and access relations of the compromised hosts.
The electronic device can build an access time sequence from the access times of each compromised host, and can obtain the access relations among the compromised hosts (which host accessed which) from each host's access relations.
In some embodiments, an attack path graph with directed edges can be built from the access times and access relations of the compromised hosts, which realises the prediction of the attack path.
Optionally, the attack path graph may contain several directed edges between the same hosts; only the directed edge corresponding to the time at which each compromised host first accessed, or was first accessed, is kept as the target directed edge, so that redundant edges are removed and the attack path is simplified.
Referring to Fig. 2, Fig. 2 is a schematic diagram of an attack path prediction result disclosed in an embodiment of this application. In Fig. 2 the numerals 1 to 7 denote different compromised hosts, and there are three attack paths: the first consists of compromised hosts 1, 2, 5 and 7, the second of compromised hosts 1, 3 and 6, and the third of compromised hosts 1 and 4. Compromised host 1 is the host that was accessed, i.e. attacked, first; each compromised host goes on to access other hosts and carry out malicious activities.
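As an added example that is not part of the patent, the following Python script runs the three steps of Fig. 1 over constructed sample events and reproduces the three paths of Fig. 2. The per-type weights, the two thresholds, the rule for choosing each host's single inbound edge and the sample data are all assumptions, since the page gives no concrete formulas for this embodiment.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed weight per security event type; the patent only says that different
# event types may be weighted differently.
TYPE_WEIGHTS = {"worm": 3.0, "malicious_access": 2.0, "ddos": 1.0}


@dataclass(frozen=True)
class SecurityEvent:
    host: int   # host on which the event was detected
    etype: str  # "worm", "malicious_access" or "ddos"


@dataclass(frozen=True)
class AccessEvent:
    src: int    # host that initiated the access
    dst: int    # host that was accessed
    t: int      # access time as a monotonic tick (assumed unit)


def overall_activity(events, weights=TYPE_WEIGHTS):
    """Step 101: weighted count of security events per host (assumed formula)."""
    score = defaultdict(float)
    for ev in events:
        score[ev.host] += weights.get(ev.etype, 1.0)
    return dict(score)


def suspected_hosts(events, first_threshold):
    """Hosts whose overall activity exceeds the first threshold."""
    return {h for h, y in overall_activity(events).items() if y > first_threshold}


def access_activity(accesses, hosts):
    """Step 102: accesses initiated plus accesses received, per host of interest."""
    score = defaultdict(int)
    for a in accesses:
        if a.src in hosts:
            score[a.src] += 1
        if a.dst in hosts:
            score[a.dst] += 1
    return dict(score)


def compromised_hosts(accesses, suspected, third_threshold):
    """Suspected hosts whose access activity exceeds the third threshold."""
    return {h for h, m in access_activity(accesses, suspected).items()
            if m > third_threshold}


def attack_edges(accesses, compromised):
    """Step 103: one directed edge per compromised host, from the source of the
    earliest access it received from another compromised host. A host that has
    already begun initiating accesses is not re-parented by a later inbound
    access (assumed rule; it keeps the graph acyclic). Returns child -> parent."""
    parent, active = {}, set()
    for a in sorted(accesses, key=lambda a: a.t):
        if a.src not in compromised:
            continue  # accesses from outside the compromised set are not path edges
        if (a.dst in compromised and a.dst != a.src
                and a.dst not in parent and a.dst not in active):
            parent[a.dst] = a.src
        active.add(a.src)
    return parent


def attack_paths(accesses, compromised):
    """Root-to-leaf paths of the attack graph (roots are hosts with no parent)."""
    parent = attack_edges(accesses, compromised)
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    paths = []

    def walk(node, path):
        if not children[node]:
            paths.append(path)
        for c in sorted(children[node]):
            walk(c, path + [c])

    for root in sorted(h for h in compromised if h not in parent):
        walk(root, [root])
    return paths


def predict(security_events, accesses, first_threshold, third_threshold):
    """Run steps 101-103 and return the intermediate and final results."""
    suspected = suspected_hosts(security_events, first_threshold)
    compromised = compromised_hosts(accesses, suspected, third_threshold)
    return {"suspected": suspected, "compromised": compromised,
            "paths": attack_paths(accesses, compromised)}


# Constructed sample data. Host 0 is an external scanner outside the host
# population; host 8 sees too few events to be suspected; host 9 is suspected
# but shows almost no access activity.
SAMPLE_SECURITY_EVENTS = [SecurityEvent(h, t) for h, t, n in (
    (1, "worm", 3), (1, "malicious_access", 2), (2, "worm", 2),
    (2, "malicious_access", 1), (3, "worm", 2), (4, "worm", 1), (4, "ddos", 2),
    (5, "worm", 2), (6, "worm", 1), (6, "malicious_access", 1), (7, "worm", 2),
    (8, "ddos", 1), (9, "worm", 2)) for _ in range(n)]
SAMPLE_ACCESSES = [AccessEvent(s, d, t) for s, d, t in (
    (0, 1, 0), (1, 2, 1), (1, 3, 2), (1, 4, 3), (2, 5, 4), (3, 6, 5), (5, 7, 6),
    (2, 1, 7), (4, 8, 8), (7, 2, 9), (1, 2, 10), (6, 9, 11))]
```

Calling predict(SAMPLE_SECURITY_EVENTS, SAMPLE_ACCESSES, first_threshold=4.0, third_threshold=1) gives suspected hosts {1, 2, 3, 4, 5, 6, 7, 9}, compromised hosts {1, 2, 3, 4, 5, 6, 7} and the paths [1, 2, 5, 7], [1, 3, 6] and [1, 4]. The one non-obvious choice is in attack_edges: the back-scan 2 → 1 at t=7 would otherwise make host 1 a child of host 2 and put a cycle into the graph, so a host that has already started attacking is never re-parented, and the repeated access 1 → 2 at t=10 is dropped because host 2 already has its first inbound edge.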
Referring to Fig. 3, Fig. 3 is a schematic flowchart of another attack path prediction method disclosed in an embodiment of this application. As shown in Fig. 3, the method comprises the following steps:
301. For each host among the multiple hosts, determine, for each security event type in the host's security event set, the number of security events of that type and the number of hosts on which that type occurs.
The security event set includes one or more security events for each host and the security event type of each event.
302. Calculate the individual activity of each security event type on each host from the number of events and the number of hosts.
Optionally, the number of events and the number of hosts may be weighted to obtain the individual activity of each security event type on each host.
303. Calculate the overall activity of each host's security events from the sum of the individual activities of all security event types on the host and the sum of the squares of those individual activities.
The individual activity of each security event type on a host may be calculated by the following formula:
[formula image BDA0003646748150000081, not reproduced on this page]
The overall activity of a host's security events may be calculated by the following formula:
[formula image BDA0003646748150000082, not reproduced on this page]
where $Y$ is the overall activity of the host's security events; $E_i$ is the individual activity of the $i$-th security event type on the host, i.e. the individual activity of the security events of that type; $x$ is a preset time window; $e_i$ is the number of security events of the $i$-th type on the host; $h_i$ is the number of hosts on which the $i$-th type of security event occurs; and $i$ is a positive integer. The method calculates the individual activity of the three security event types (worm events, malicious access events and DDoS attack events) per unit time and derives the overall activity of each host's security events from those three individual activities.
304. Calculate a first composite evaluation index for each host from the host's asset value and the overall activity of its security events.
The asset value of a host may be calculated by the following formula:
[formula image BDA0003646748150000091, not reproduced on this page]
where $X$ is the asset value of the host; $a$ is the confidentiality rating; $b$ is the integrity rating; $c$ is the availability rating; $d$ is the relevance rating; and round2 denotes rounding to two decimal places.
The asset value of a host is obtained by grading the security level of the information system according to the host's confidentiality, integrity and availability. Confidentiality means that only authorised users can obtain the information; integrity means that the information is not modified or destroyed without authorisation during input and transmission, so that the data stays consistent. The ratings are taken from a reference scale for confidentiality, integrity, availability and relevance (1: very low; 2: low; 3: medium; 4: high; 5: very high), and the asset value of each host is then computed quickly by the formula above.
Optionally, the asset values of the hosts may be divided into asset grades, each grade corresponding to an asset score, and the overall activities of the hosts' security events divided into activity grades, each corresponding to an activity score; the asset score and the activity score are added to obtain the first composite evaluation index of each host.
In some embodiments, the first composite evaluation index of each host is calculated from the host's asset value, a first weight assigned to the asset value, the overall activity of the host's security events and a second weight assigned to the overall activity.
The first composite evaluation index of each host may be calculated by the following formula:
[formula image BDA0003646748150000092, not reproduced on this page]
where $Z$ is the first composite evaluation index, $X$ is the asset value of the host, $Y$ is the overall activity of the host's security events, $\lambda_1$ is the first weight assigned to the asset value and $\lambda_2$ is the second weight assigned to the overall activity.
305. Determine one or more hosts whose first composite evaluation index is greater than a second threshold as suspected compromised hosts.
306. Calculate the access activity of each suspected compromised host from its access event set, and determine one or more compromised hosts from the suspected compromised hosts according to the access activity.
307. Determine an attack path from the access times and access relations of the compromised hosts.
This embodiment provides a method of calculating the first composite evaluation index: the host's asset value describes the likelihood that the host will be attacked, and the overall activity of its security events describes the likelihood that such an attack succeeds; a first weight is assigned to the former and a second weight to the latter to obtain an evaluation value expressing how likely the host is to become a high-risk host, and comparing this first composite evaluation index with the second threshold quickly identifies whether the host is a suspected compromised host.
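The scoring of steps 301 to 305 in runnable form, as an added example that is not the patent's own code. The patent's formulas are images that are not reproduced on this page, so every concrete formula in the block (the weighted per-type activity, the self-weighted aggregation of the sum and the sum of squares, the mean of the four ratings as asset value and the linear composite index) is an assumption, as are the sample events, ratings, weights and thresholds. The symbols follow the patent text.

```python
from collections import Counter, defaultdict

EVENT_TYPES = ("worm", "malicious_access", "ddos")


def per_type_counts(events):
    """Step 301. e[host][type] = number of events of that type on the host;
    h[type] = number of distinct hosts on which the type occurred."""
    e = defaultdict(Counter)
    for host, etype in events:
        e[host][etype] += 1
    h = Counter(etype for host in e for etype in e[host])
    return e, h


def individual_activity(e_host, h, x, w_e=1.0, w_h=1.0):
    """Step 302: E_i = (w_e * e_i + w_h * h_i) / x per event type present on the
    host (assumed weighted form; x is the preset time window)."""
    return {t: (w_e * e_host[t] + w_h * h[t]) / x for t in EVENT_TYPES if e_host[t]}


def overall_activity(E):
    """Step 303: Y from the sum and the sum of squares of the E_i. The assumed
    form Y = (sum E_i^2) / (sum E_i) is a self-weighted mean: a host dominated
    by one very active type scores higher than one with the same total spread
    thinly over several types."""
    s1 = sum(E.values())
    s2 = sum(v * v for v in E.values())
    return s2 / s1 if s1 else 0.0


def asset_value(a, b, c, d):
    """X from the confidentiality, integrity, availability and relevance ratings
    on the 1..5 scale, rounded to two decimals (assumed plain mean)."""
    for r in (a, b, c, d):
        if not 1 <= r <= 5:
            raise ValueError("ratings must be on the 1..5 scale")
    return round((a + b + c + d) / 4, 2)


def first_composite_index(X, Y, lam1, lam2):
    """Step 304: Z = lambda1 * X + lambda2 * Y (assumed linear combination)."""
    return lam1 * X + lam2 * Y


def suspected_hosts(events, ratings, x, lam1, lam2, second_threshold):
    """Step 305: Z per host and the set of hosts with Z above the second threshold."""
    e, h = per_type_counts(events)
    z = {}
    for host, e_host in e.items():
        Y = overall_activity(individual_activity(e_host, h, x))
        X = asset_value(*ratings[host])
        z[host] = first_composite_index(X, Y, lam1, lam2)
    return z, {host for host, v in z.items() if v > second_threshold}


# Constructed sample: (host, event type) pairs seen in one window of x = 10
# time units, and per-host (a, b, c, d) ratings. dev-3 is the most active
# host but the least valuable asset.
SAMPLE_EVENTS = (
    [("web-1", "worm")] * 4 + [("web-1", "malicious_access")] * 1
    + [("db-1", "worm")] * 2
    + [("dev-3", "ddos")] * 6
)
SAMPLE_RATINGS = {"web-1": (5, 4, 5, 4), "db-1": (5, 5, 4, 4), "dev-3": (2, 2, 3, 1)}
```

With x = 10, λ1 = 0.4, λ2 = 0.6 and a second threshold of 2.0, web-1 scores 2.1 and db-1 2.04 and both become suspected, while dev-3 stays below at 1.22 despite having the highest overall activity (0.7 against 0.5 and 0.4). That is the effect the asset weight is meant to have: the same activity on a low-value host moves the index less than on a critical one. Note that X sits on a 1 to 5 scale while Y here is well below 1, so the two weights also have to absorb the difference in scale; in practice they would be tuned on the organisation's own event volumes.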
Referring to fig. 4, fig. 4 is a schematic flowchart illustrating another attack path prediction method disclosed in the embodiment of the present application.
401. And aiming at each host in the multiple hosts, calculating the overall activity of the safety event corresponding to each host according to the safety event set of each host, and determining one or more suspected lost hosts from the multiple hosts according to the overall activity.
402. And calculating the access activity of each suspected lost host according to the access event set of each suspected lost host, and calculating a second comprehensive evaluation index corresponding to each suspected lost host according to the access activity of each suspected lost host and the access activity threshold corresponding to each suspected lost host.
The access event set of each suspected lost host may include the number of accessed hosts (access host amount) and the number of accesses corresponding to that suspected lost host.
Optionally, the second comprehensive evaluation index of each suspected lost host may be computed as the percentage by which its access activity exceeds its access activity threshold.
The access activity of each suspected lost host is computed by a formula that appears only as an image in the original (not reproduced here), in which m is the access activity of the suspected lost host, d is the access frequency (number of accesses) corresponding to the suspected lost host, f is the access host amount corresponding to the suspected lost host, and x is the preset duration over which d and f are counted.
The second comprehensive evaluation index of each suspected lost host is likewise given by a formula that appears only as an image in the original (not reproduced here), in which m is the access activity of the suspected lost host and M is the access activity threshold corresponding to that host. The text labels the left-hand side Y as "the overall activity of the security event corresponding to the host"; since step 402 derives the index from the access activity and its threshold alone, Y is best read as the second comprehensive evaluation index itself.
The access activity threshold is determined from the average of the suspected lost host's historical access activity. Optionally, it may be the average of that host's access activity over three consecutive historical preset durations.
In other optional embodiments, determining one or more lost hosts from the one or more suspected lost hosts according to the access activity may simply mean determining every suspected lost host whose access activity is greater than a third threshold to be a lost host. Because the access event set of each suspected lost host may include both the access host amount and the number of accesses, the two quantities may optionally be given different weights by a weighting algorithm when the access activity is calculated; the lost host is then determined directly by whether the access activity exceeds the third threshold.
403. And determining one or more suspected lost hosts with the second composite evaluation index greater than a fourth threshold as lost hosts.
Here the second comprehensive evaluation index is the ratio of the access activity to the access activity threshold, so a lost host is determined by whether that ratio exceeds the fourth threshold.
404. And determining an attack path according to the access time and the access relation of each lost host.
This embodiment targets the fact that a lost host under an attacker's control is used to carry out malicious activity against other hosts, so its access volume is abnormally amplified. The access activity is therefore determined from the access event set of the suspected lost host and used to obtain the second comprehensive evaluation index; if that index exceeds the fourth threshold, the host is determined to be a lost host.
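The two-stage triage of steps 401 to 404 (and the first-stage formulas of claim 5 and the index of claim 4), carried through on constructed data, as an added example that is not the patent's own code. Every formula the page shows only as an image is replaced by an assumed concrete form, flagged inline: individual activity = event count divided by the number of hosts showing that event type, overall activity = mean of the plain sum and the root of the sum of squares, access activity m = d·f/x, second index Y = m/M. The host names, events, asset values, weights, thresholds and the 60-minute window are all made up for the example. When the historical threshold M is zero the ratio is undefined, so the code falls back to the absolute third-threshold rule of the other embodiment.

```python
"""Two-stage triage of lost (compromised) hosts and attack-path construction.

Added example, not the patent's own code. Formulas shown only as images on
the page are replaced by ASSUMED forms, flagged in the docstrings below.
All hosts, events, asset values, weights and thresholds are constructed.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def T(hhmm):
    return datetime.fromisoformat(f"2024-03-01T{hhmm}:00")


# Constructed security events: (host, event_type)
SECURITY_EVENTS = [
    ("web01", "brute_force"), ("web01", "brute_force"), ("web01", "brute_force"),
    ("web01", "webshell"), ("web01", "webshell"),
    ("db01", "brute_force"),
    ("ws02", "malware"),
]
# Constructed access events: (src, dst, time). 07:00-09:59 is history,
# 10:00-10:59 is the window under evaluation.
ACCESS_EVENTS = (
    [("web01", "db01", T(f"{h:02d}:{m}")) for h in (7, 8, 9) for m in ("10", "40")]
    + [("db01", "fs01", T(f"{h:02d}:20")) for h in (7, 8, 9)]
    + [("web01", "db01", T("10:05")), ("web01", "db01", T("10:10")),
       ("web01", "fs01", T("10:15")), ("web01", "ws02", T("10:20")),
       ("web01", "db01", T("10:25")), ("web01", "fs01", T("10:30")),
       ("db01", "fs01", T("10:35")), ("db01", "fs01", T("10:40")),
       ("db01", "ws02", T("10:45")), ("db01", "fs01", T("10:50")),
       ("db01", "ws02", T("10:55")), ("db01", "fs01", T("10:58")),
       ("ws02", "fs01", T("10:50"))]
)
ASSET_VALUE = {"web01": 0.6, "db01": 0.9, "fs01": 0.8, "ws02": 0.3}  # constructed
W_ASSET, W_ACTIVITY = 0.5, 0.5   # first / second weight (assumed)
SECOND_THRESHOLD = 0.6           # on the first comprehensive index (assumed)
THIRD_THRESHOLD = 0.1            # absolute access-activity cut-off (assumed)
FOURTH_THRESHOLD = 2.0           # on the second comprehensive index (assumed)
WINDOW_MIN = 60                  # preset duration x, in minutes (assumed)


def overall_activity(events):
    """Step 401. ASSUMED: individual activity of type t on host h is
    count(h, t) / (number of hosts on which t occurred), so a type seen
    fleet-wide weighs less than one confined to a single host; the overall
    activity is the mean of the plain sum and the root of the sum of squares."""
    per_host_type = Counter(events)
    hosts_per_type = Counter(t for _, t in per_host_type)
    indiv = defaultdict(list)
    for (h, t), n in per_host_type.items():
        indiv[h].append(n / hosts_per_type[t])
    return {h: (sum(a) + math.sqrt(sum(v * v for v in a))) / 2 for h, a in indiv.items()}


def suspected_lost_hosts(events, asset_value):
    """First comprehensive index: w1 * asset value + w2 * overall activity."""
    overall = overall_activity(events)
    index = {h: W_ASSET * asset_value[h] + W_ACTIVITY * overall.get(h, 0.0) for h in asset_value}
    return {h for h, v in index.items() if v > SECOND_THRESHOLD}, index


def access_activity(access, host, start):
    """ASSUMED m = d * f / x: d outbound accesses, f distinct destinations,
    both counted in the window [start, start + x)."""
    end = start + timedelta(minutes=WINDOW_MIN)
    out = [dst for src, dst, ts in access if src == host and start <= ts < end]
    return len(out) * len(set(out)) / WINDOW_MIN


def lost_hosts(access, suspects, now, history=3):
    """Steps 402-403. Y = m / M with M the mean access activity of the previous
    `history` windows. If M == 0 the ratio is undefined, so fall back to the
    absolute third-threshold rule of the other embodiment."""
    found, detail = set(), {}
    for h in suspects:
        m = access_activity(access, h, now)
        hist = [access_activity(access, h, now - timedelta(minutes=WINDOW_MIN * k))
                for k in range(1, history + 1)]
        M = sum(hist) / len(hist)
        y = m / M if M > 0 else None
        is_lost = y > FOURTH_THRESHOLD if y is not None else m > THIRD_THRESHOLD
        detail[h] = (m, M, y)
        if is_lost:
            found.add(h)
    return found, detail


def attack_path(access, lost, now):
    """Step 404: first-contact edges out of lost hosts in the current window,
    ordered by access time, plus the not-yet-lost hosts they reached (the
    predicted next hops an analyst should contain first)."""
    end = now + timedelta(minutes=WINDOW_MIN)
    edges, seen = [], set()
    for src, dst, ts in sorted(access, key=lambda e: e[2]):
        if src in lost and now <= ts < end and (src, dst) not in seen:
            seen.add((src, dst))
            edges.append((ts, src, dst))
    return edges, {dst for _, _, dst in edges if dst not in lost}


def run(now=T("10:00")):
    suspects, _ = suspected_lost_hosts(SECURITY_EVENTS, ASSET_VALUE)
    lost, detail = lost_hosts(ACCESS_EVENTS, suspects, now)
    edges, frontier = attack_path(ACCESS_EVENTS, lost, now)
    return suspects, lost, detail, edges, frontier


if __name__ == "__main__":
    suspects, lost, detail, edges, frontier = run()
    print("suspected:", sorted(suspects), "lost:", sorted(lost))
    for ts, s, d in edges:
        print(ts.time(), s, "->", d)
    print("predicted next hops:", sorted(frontier))
```

On the constructed data db01 is pulled into the suspect set only because of its high asset value (its one brute-force event gives a weak overall activity), and is then confirmed as lost by a twelve-fold jump in access activity over its history; ws02 has no history at all, so the ratio is undefined and the absolute rule clears it.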
In summary, the attack path prediction method provided by the embodiments of the application addresses the problems that, in a complex network environment, a lost host cannot be found quickly and cannot be accurately located and traced, so that the attack path cannot be accurately traced or predicted. The method locates lost hosts quickly and builds the attack path from them: each host is comprehensively evaluated from its asset value and the activity of its security events to identify suspected lost hosts quickly; each suspected lost host is then comprehensively evaluated from its access events to identify lost hosts quickly; and the attack path graph is built from the access relations and access time sequence of the lost hosts, completing the prediction of the attack path. This greatly reduces the time spent combing through and tracing the attack path graph, improves the efficiency of that combing, and improves the accuracy and efficiency of attack path prediction.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an attack path prediction apparatus disclosed in the embodiment of the present application. The apparatus can be applied to electronic equipment such as notebook computers, desktop computers and industrial computers, without specific limitation. As shown in fig. 5, the attack path prediction apparatus 500 may include: a first determination module 510, a second determination module 520, and a third determination module 530.
A first determining module 510, configured to calculate, for each host in the multiple hosts, the overall activity of the security events corresponding to that host according to its security event set, and to determine one or more suspected lost hosts from the multiple hosts according to the overall activity;
a second determining module 520, configured to calculate an access activity of each suspected lost host according to the access event set of each suspected lost host, and determine one or more lost hosts from the one or more suspected lost hosts according to the access activity;
and a third determining module 530, configured to determine an attack path according to the access time and the access relationship of each lost host.
In one embodiment, the first determining module 510 is further configured to determine one or more hosts with an overall activity greater than a first threshold as suspected lost hosts.
In one embodiment, the first determining module 510 is further configured to calculate a first comprehensive evaluation index corresponding to each host according to the asset value of each host and the overall activity of the security events corresponding to each host; and to determine one or more hosts with a first comprehensive evaluation index greater than a second threshold as suspected lost hosts.
In one embodiment, the first determining module 510 further includes a first calculating unit;
the first calculation unit is used for calculating the first comprehensive evaluation index corresponding to each host according to the asset value of each host, the first weight corresponding to the asset value, the overall activity of the security events corresponding to each host, and the second weight corresponding to the overall activity.
In one embodiment, the security event set includes one or more security events for each host and a security event type for each security event; the first determination module 510 further comprises a second calculation unit;
the second calculation unit is used for determining the number of security events corresponding to each security event type in the security event set and the number of hosts corresponding to each security event type; calculating the individual activity of the security events of each security event type in each host according to that number of security events and that number of hosts; and calculating the overall activity of the security events corresponding to each host according to the sum of the individual activities of each security event type in that host and the sum of squares of those individual activities.
In one embodiment, the access event set of each suspected lost host includes the access host amount and the access times corresponding to each suspected lost host; the second determining module 520 is further configured to determine one or more suspected lost hosts with an access activity greater than a third threshold as lost hosts.
In one embodiment, the second determining module 520 further comprises a third calculating unit;
the third calculation unit is used for calculating a second comprehensive evaluation index corresponding to each suspected lost host according to the access activity of each suspected lost host and the access activity threshold corresponding to each suspected lost host; the access activity threshold value is determined according to the average value of the historical access activity of the suspected lost host; and determining one or more suspected lost hosts with the second composite evaluation index greater than a fourth threshold as lost hosts.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
As shown in fig. 6, the electronic device 600 may include:
a memory 610 storing executable program code;
a processor 620 coupled to the memory 610;
the processor 620 calls the executable program code stored in the memory 610 to execute any one of the attack path prediction methods disclosed in the embodiments of the present application.
The embodiment of the application discloses a computer-readable storage medium, which stores a computer program, wherein when the computer program is executed by a processor, the processor is enabled to realize any one of the attack path prediction methods disclosed in the embodiment of the application.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. Those skilled in the art should also appreciate that the embodiments described in this specification are all alternative embodiments and that the acts and modules involved are not necessarily required for this application.
In various embodiments of the present application, it should be understood that the size of the serial number of each process described above does not mean that the execution sequence is necessarily sequential, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated units, if implemented as software functional units and sold or used as a stand-alone product, may be stored in a computer-accessible memory. Based on such understanding, the technical solutions of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product stored in a memory and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, and may specifically be a processor in the computer device) to execute some or all of the steps of the methods of the embodiments of the present application.
It will be understood by those skilled in the art that all or part of the steps in the methods of the above embodiments may be implemented by program instructions controlling associated hardware, and the program may be stored in a computer-readable storage medium, where the storage medium includes Read-Only Memory (ROM), Random Access Memory (RAM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), One-time Programmable Read-Only Memory (OTPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disc memory, disk memory, tape memory, or any other computer-readable medium that can be used to carry or store data.
The attack path prediction method, the attack path prediction device, the electronic device, and the storage medium disclosed in the embodiments of the present application are described in detail above, and specific examples are applied in the present application to explain the principles and embodiments of the present application. Meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. An attack path prediction method, characterized in that the method comprises:
for each host in a plurality of hosts, calculating the overall activity of the security event corresponding to each host according to the security event set of each host, and determining one or more suspected lost hosts from the plurality of hosts according to the overall activity;
calculating the access activity of each suspected lost host according to the access event set of each suspected lost host, and determining one or more lost hosts from the one or more suspected lost hosts according to the access activity;
and determining an attack path according to the access time and the access relation of each lost host.
2. The method of claim 1, wherein determining one or more suspected lost hosts from the plurality of hosts based on the overall activity comprises:
and determining one or more hosts with the overall activity greater than a first threshold as suspected lost hosts.
3. The method of claim 1, wherein determining one or more suspected lost hosts from the plurality of hosts based on the overall activity comprises:
calculating a first comprehensive evaluation index corresponding to each host according to the asset value of each host and the overall activity of the safety event corresponding to each host;
determining one or more hosts for which the first composite evaluation index is greater than a second threshold as suspected lost hosts.
4. The method of claim 3, wherein calculating the first comprehensive evaluation index for each host based on the asset value of each host and the overall activity of the security events for each host comprises:
and calculating a first comprehensive evaluation index corresponding to each host according to the asset value of each host, the first weight corresponding to the asset value, the overall activity of the safety event corresponding to each host and the second weight corresponding to the overall activity.
5. The method of claim 1, wherein the set of security events comprises one or more of the security events corresponding to each of the hosts and a security event type corresponding to each of the security events; the calculating the overall activity of the security event corresponding to each host according to the security event set of each host includes:
determining the number of security events corresponding to each security event type in the security event set and the number of hosts corresponding to each security event type;
calculating the individual activity of the security events respectively corresponding to each security event type in each host according to the number of the security event times and the number of the hosts;
and calculating the overall activity of the security event corresponding to each host according to the sum of the individual activities of the security events corresponding to each security event type in each host and the sum of squares of the individual activities of the security events corresponding to each security event type in each host.
6. The method of claim 1, wherein determining one or more lost hosts from the one or more suspected lost hosts based on the access activity comprises:
and determining one or more suspected lost hosts with the access activity greater than a third threshold as lost hosts.
7. The method of claim 1, wherein determining one or more lost hosts from the one or more suspected lost hosts based on the access activity comprises:
calculating a second comprehensive evaluation index corresponding to each suspected lost host according to the access activity of each suspected lost host and the access activity threshold corresponding to each suspected lost host; the access activity threshold is determined according to the average value of the historical access activity of the suspected lost host;
determining one or more suspected lost hosts for which the second composite evaluation index is greater than a fourth threshold as lost hosts.
8. An attack path prediction apparatus, comprising:
the first determining module is used for calculating the overall activity of the security event corresponding to each host according to the security event set of each host aiming at each host in a plurality of hosts and determining one or more suspected lost hosts from the plurality of hosts according to the overall activity;
a second determining module, configured to calculate an access activity level of each suspected lost host according to the access event set of each suspected lost host, and determine one or more lost hosts from the one or more suspected lost hosts according to the access activity level;
and the third determining module is used for determining an attack path according to the access time and the access relation of each lost host.
9. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program that, when executed by the processor, causes the processor to carry out the method of any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210534140.1A CN115021978B (en) 2022-05-17 2022-05-17 Attack path prediction method, device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115021978A true CN115021978A (en) 2022-09-06
CN115021978B CN115021978B (en) 2023-11-24

Family

ID=83069740

Country Status (1)

Country Link
CN (1) CN115021978B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965346A (en) * 2018-10-10 2018-12-07 上海工程技术大学 One kind is fallen Host Detection method
CN109660539A (en) * 2018-12-20 2019-04-19 北京神州绿盟信息安全科技股份有限公司 It falls device identification method, device, electronic equipment and storage medium
CN111245787A (en) * 2019-12-31 2020-06-05 西安交大捷普网络科技有限公司 A method and device for identifying equipment that has failed and evaluating the failure degree of equipment
CN112367340A (en) * 2020-11-30 2021-02-12 杭州安恒信息技术股份有限公司 Intranet asset risk assessment method, device, equipment and medium
CN113312625A (en) * 2021-06-21 2021-08-27 深信服科技股份有限公司 Attack path graph construction method, device, equipment and medium
CN113806753A (en) * 2021-09-30 2021-12-17 中孚安全技术有限公司 Intranet host threat prediction method and system based on label calculation
CN113839817A (en) * 2021-09-23 2021-12-24 北京天融信网络安全技术有限公司 Network asset risk assessment method, device and system
CN114124560A (en) * 2021-12-01 2022-03-01 北京天融信网络安全技术有限公司 Method and device for detecting defect host, electronic equipment and storage medium
CN114297632A (en) * 2021-12-02 2022-04-08 安天科技集团股份有限公司 Host failure detection method, device, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant