CN110365675A - Method, device and system for tracking long-chain network attacks - Google Patents
- Publication number
- CN110365675A (application CN201910626783.7A)
- Authority
- CN
- China
- Prior art keywords
- data
- server
- network node
- abnormal
- network
- Prior art date
- Legal status
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method, device and system for tracking long-chain network attacks. Copies of the data fragments on each network node are collected and merged with historical big data; the fragments are analysed for anomalies and for logical associations between multiple abnormal fragments; abnormal points and transit points are thereby determined and marked, and a potential attack trajectory is obtained, so that attack fragments can be tracked across a large number of network nodes.
Description
Technical field
This application relates to the field of network security, and in particular to a method, device and system for tracking long-chain network attacks.
Background technique
Network communication today faces more and more concealed security problems. Many attacks are carried out in a hidden, fragmented form, and existing methods of defending against network attacks can fail against them. In particular, a modern network usually has a large number of network nodes, and an attacker can scatter the fragments of an attack across different nodes to evade discovery. A method is urgently needed that can track attack fragments across the network based on big data.
Summary of the invention
The purpose of the present invention is to provide a method, device and system for tracking long-chain network attacks. Copies of the data fragments on each network node are collected and merged with historical big data; the fragments are analysed for anomalies and for logical associations between multiple abnormal fragments; abnormal points and transit points are thereby determined and marked, and a potential attack trajectory is obtained. This solves the prior-art problem that attack fragments cannot be tracked across a large number of network nodes.
In a first aspect, the application provides a method for tracking long-chain network attacks. The method comprises:
The network-side server sends an instruction to each network node; the instruction orders each network node to upload its local data fragments to the server;
After receiving the instruction, each network node splits the data stream passing through it into several data fragments, saves copies of the data fragments, and encapsulates and uploads the fragment copies to the server during gaps in business processing;
After the server receives the encapsulated fragment copies, it parses them and merges the data fragments with the historical data fragments held locally by the server; the merge is performed according to at least one of the following criteria: the network node the fragment belongs to, the transmitting terminal it belongs to, the data type, and the corresponding access behaviour;
The server analyses the merged data fragments with an analysis model, finds any abnormal data fragments that may be present, marks the network node or terminal to which each of the several abnormal data fragments belongs as an abnormal point, and analyses whether a logical association exists between the several abnormal data fragments;
If a logical association exists between the several abnormal data fragments, a forward-backward association is established between the abnormal points corresponding to them, and those abnormal points are marked as transit points on a potential attack trajectory; if no logical association exists between them, the forward-backward association between the corresponding abnormal points is broken, and they are deleted as transit points from the potential attack trajectory;
The server passes the forward-backward associations, the transit points and the potential attack trajectory to a display processing device;
The server trains the analysis model on the forward-backward associations and the abnormal data fragments;
After the display processing device receives the forward-backward associations, the transit points and the potential attack trajectory, it marks the transit points on a mappable network-node architecture diagram, marks each node's corresponding forward-backward associations on the diagram, draws the potential attack trajectory, and shows it on a large screen.
With reference to the first aspect, in a first possible implementation of the first aspect, the network-side server is a cluster server.
With reference to the first aspect, in a second possible implementation of the first aspect, the network-side server sends the instruction to each network node at a fixed period.
With reference to the first aspect, in a third possible implementation of the first aspect, the network node uploading the fragment copies during gaps in business processing comprises: processing business data first, and uploading the fragment copies to the server only when no business data needs to be processed or transmitted.
In a second aspect, the application provides a device for tracking long-chain network attacks, applied on a network node and executing all or part of the method. The device comprises:
an instruction receiving unit, for receiving the instruction the network-side server sends to each network node, the instruction ordering each network node to upload its local data fragments to the server;
a data processing unit, for splitting the data stream passing through the network node into several data fragments and saving copies of the data fragments;
a data transmission unit, for encapsulating and uploading the fragment copies to the server during gaps in business processing.
In a third aspect, the application provides a server for tracking long-chain network attacks, located on the network side and executing all or part of the method. The server comprises:
an instruction sending unit, for sending the instruction to each network node, the instruction ordering each network node to upload its local data fragments to the server;
a data merging unit, for parsing the encapsulated fragment copies once they are received and merging the data fragments with the historical data fragments held locally by the server; the merge is performed according to at least one of the following criteria: the network node the fragment belongs to, the transmitting terminal it belongs to, the data type, and the corresponding access behaviour;
an anomaly analysis unit, for analysing the merged data fragments with the analysis model, finding any abnormal data fragments that may be present, marking the network node or terminal to which each of the several abnormal data fragments belongs as an abnormal point, and analysing whether a logical association exists between the several abnormal data fragments;
if a logical association exists between the several abnormal data fragments, a forward-backward association is established between the abnormal points corresponding to them, and those abnormal points are marked as transit points on a potential attack trajectory; if no logical association exists between them, the forward-backward association between the corresponding abnormal points is broken, and they are deleted as transit points from the potential attack trajectory;
a transfer unit, for passing the forward-backward associations, the transit points and the potential attack trajectory to the display processing device;
a model training unit, for training the analysis model on the forward-backward associations and the abnormal data fragments.
In a fourth aspect, the application provides a system for tracking long-chain network attacks, comprising multiple network nodes on which the device of the second aspect is applied, and the server of the third aspect.
The present invention thus provides a method, device and system for tracking long-chain network attacks: copies of the data fragments on each network node are collected and merged with historical big data; the fragments are analysed for anomalies and for logical associations between multiple abnormal fragments; abnormal points and transit points are thereby determined and marked, and a potential attack trajectory is obtained, so that attack fragments can be tracked across a large number of network nodes.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. Obviously, a person of ordinary skill in the art could obtain other drawings from these drawings without creative effort.
Fig. 1 is the flow chart of the method for tracking long-chain network attacks of the present invention;
Fig. 2 is the internal structure diagram of the device for tracking long-chain network attacks of the present invention;
Fig. 3 is the internal structure diagram of the server for tracking long-chain network attacks of the present invention;
Fig. 4 is the architecture diagram of the system for tracking long-chain network attacks of the present invention.
Specific embodiment
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, so that the advantages and features of the invention can be more easily understood by those skilled in the art and the protection scope of the invention can be defined more clearly.
Fig. 1 is the flow chart of the method for tracking long-chain network attacks provided by the present application. The method comprises:
The network-side server sends an instruction to each network node; the instruction orders each network node to upload its local data fragments to the server;
After receiving the instruction, each network node splits the data stream passing through it into several data fragments, saves copies of the data fragments, and encapsulates and uploads the fragment copies to the server during gaps in business processing;
After the server receives the encapsulated fragment copies, it parses them and merges the data fragments with the historical data fragments held locally by the server; the merge is performed according to at least one of the following criteria: the network node the fragment belongs to, the transmitting terminal it belongs to, the data type, and the corresponding access behaviour;
The server analyses the merged data fragments with an analysis model, finds any abnormal data fragments that may be present, marks the network node or terminal to which each of the several abnormal data fragments belongs as an abnormal point, and analyses whether a logical association exists between the several abnormal data fragments;
If a logical association exists between the several abnormal data fragments, a forward-backward association is established between the abnormal points corresponding to them, and those abnormal points are marked as transit points on a potential attack trajectory; if no logical association exists between them, the forward-backward association between the corresponding abnormal points is broken, and they are deleted as transit points from the potential attack trajectory;
The server passes the forward-backward associations, the transit points and the potential attack trajectory to a display processing device;
The server trains the analysis model on the forward-backward associations and the abnormal data fragments;
After the display processing device receives the forward-backward associations, the transit points and the potential attack trajectory, it marks the transit points on a mappable network-node architecture diagram, marks each node's corresponding forward-backward associations on the diagram, draws the potential attack trajectory, and shows it on a large screen.
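The server-side steps of the method just described (merging uploaded fragment copies with history by the four criteria, marking abnormal fragments with an analysis model, establishing or breaking forward-backward associations, keeping only associated abnormal points as transit points, and training the model), carried through in Python as an added example; it is not code from the patent. The patent does not define the analysis model or what counts as a logical association, so the toy model (a data-type/behaviour pair unseen in history is abnormal) and the association rule (same transmitting terminal, different nodes, forward time order) are assumptions, as are the node names, terminal ids, behaviour labels and sample fragments, which are constructed here.

```python
"""Added example (not the patent's own code): one server round of the
described method. All names, labels, the toy model and the association
rule are constructed assumptions; the patent does not specify them."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    node: str        # network node the fragment copy was uploaded from
    terminal: str    # transmitting terminal the fragment belongs to
    data_type: str   # e.g. "http", "dns", "smb"
    behaviour: str   # access-behaviour label attached to the fragment
    seq: int         # global time order of the fragment (constructed)


# The four merge criteria named in the patent; any non-empty subset may be used.
MERGE_KEYS = ("node", "terminal", "data_type", "behaviour")


def merge_with_history(history, uploaded, keys=MERGE_KEYS):
    """Merge newly uploaded fragments with historical ones, grouping by the
    chosen criteria and keeping each group in time order."""
    merged = defaultdict(list)
    for frag in (*history, *uploaded):
        merged[tuple(getattr(frag, k) for k in keys)].append(frag)
    return {k: sorted(v, key=lambda f: f.seq) for k, v in merged.items()}


class AnalysisModel:
    """Toy analysis model (assumption): a (data_type, behaviour) pair seen in
    history is normal; pairs confirmed by a linked trajectory are remembered
    as bad so they stay flagged even if history later contains them."""

    def __init__(self, history):
        self.normal = {(f.data_type, f.behaviour) for f in history}
        self.known_bad = set()

    def is_abnormal(self, frag):
        key = (frag.data_type, frag.behaviour)
        return key in self.known_bad or key not in self.normal

    def train(self, edges, abnormal):
        """Train on the associations: only fragments whose node was linked
        into the trajectory count as confirmed abnormal."""
        linked = {n for edge in edges for n in edge}
        for frag in abnormal:
            if frag.node in linked:
                key = (frag.data_type, frag.behaviour)
                self.known_bad.add(key)
                self.normal.discard(key)


def find_abnormal(model, merged):
    """Abnormal fragments across all merged groups, in time order."""
    return sorted((f for group in merged.values() for f in group
                   if model.is_abnormal(f)), key=lambda f: f.seq)


def logically_associated(a, b):
    """Assumed rule: the same terminal produced both fragments, on different
    nodes, in forward time order."""
    return a.terminal == b.terminal and a.node != b.node and a.seq < b.seq


def build_trajectory(abnormal):
    """Return (abnormal_points, edges, transit_points). Associated abnormal
    points get a forward-backward edge and become transit points; abnormal
    points with no association are dropped from the trajectory."""
    by_terminal = defaultdict(list)
    for f in abnormal:                      # abnormal is already seq-sorted
        by_terminal[f.terminal].append(f)
    edges = []
    for frags in by_terminal.values():
        prev = frags[0]
        for f in frags[1:]:
            if logically_associated(prev, f):
                edge = (prev.node, f.node)
                if edge not in edges:
                    edges.append(edge)
                prev = f
    linked = {n for edge in edges for n in edge}
    abnormal_points = sorted({f.node for f in abnormal})
    transit = [n for n in dict.fromkeys(f.node for f in abnormal) if n in linked]
    return abnormal_points, edges, transit


def run_server_round(history, uploaded, model):
    """One full server round; the returned dict is what goes to the display."""
    merged = merge_with_history(history, uploaded)
    abnormal = find_abnormal(model, merged)
    abnormal_points, edges, transit = build_trajectory(abnormal)
    model.train(edges, abnormal)
    return {"abnormal_points": abnormal_points, "edges": edges, "transit": transit}


# Constructed sample: benign history, then an upload with unusual fragments
# from terminal T-x across N1 -> N2 -> N3 and one isolated unusual fragment
# on N4 that shares no terminal with anything else.
HISTORY = [
    Fragment("N1", "T-ops", "http", "browse", 0),
    Fragment("N2", "T-ops", "dns", "lookup", 1),
    Fragment("N3", "T-ops", "smb", "share", 2),
    Fragment("N4", "T-ops", "http", "browse", 3),
]
UPLOADED = [
    Fragment("N1", "T-ops", "http", "browse", 10),        # normal
    Fragment("N1", "T-x", "smb", "scan", 11),             # abnormal
    Fragment("N1", "T-x", "smb", "scan", 12),             # abnormal, same node
    Fragment("N2", "T-x", "smb", "scan", 13),             # abnormal
    Fragment("N4", "T-y", "dns", "beacon", 14),           # abnormal, isolated
    Fragment("N3", "T-x", "http", "bulk_transfer", 15),   # abnormal
]

if __name__ == "__main__":
    print(run_server_round(HISTORY, UPLOADED, AnalysisModel(HISTORY)))
```

On the sample, N1, N2 and N3 are linked by the T-x chain and become transit points, while N4 is marked abnormal but dropped from the trajectory because nothing associates with it; the model then learns only the two confirmed pairs, not the isolated one.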
In some preferred embodiments, the network-side server is a cluster server.
In some preferred embodiments, the network-side server sends the instruction to each network node at a fixed period.
In some preferred embodiments, the network node uploading the fragment copies during gaps in business processing comprises: processing business data first, and uploading the fragment copies to the server only when no business data needs to be processed or transmitted.
Fig. 2 is the internal structure diagram of the device for tracking long-chain network attacks provided by the present application. The device comprises:
an instruction receiving unit, for receiving the instruction the network-side server sends to each network node, the instruction ordering each network node to upload its local data fragments to the server;
a data processing unit, for splitting the data stream passing through the network node into several data fragments and saving copies of the data fragments;
a data transmission unit, for encapsulating and uploading the fragment copies to the server during gaps in business processing.
In some preferred embodiments, the device uploading the fragment copies during gaps in business processing comprises: processing business data first, and uploading the fragment copies to the server only when no business data needs to be processed or transmitted.
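The node-side device described above (instruction receiving, fragmentation with saved copies, and encapsulated upload that yields to business data and runs only in business-processing gaps), as an added Python example rather than code from the patent. It also includes the server-side parse of the upload envelope so the round trip can be checked. The fragment size, instruction format, envelope fields (digest per fragment, CRC over the body), node id and sample stream are all assumptions constructed for the example.

```python
"""Added example (not the patent's own code): the node-side device and the
matching envelope parse. Fragment size, instruction and envelope formats
are constructed assumptions; the patent does not specify them."""
import hashlib
import json
import zlib
from collections import deque

FRAGMENT_SIZE = 16  # bytes per fragment (assumption; deployment-specific)


def split_stream(stream: bytes, size: int = FRAGMENT_SIZE):
    """Data processing unit: cut the stream into indexed fragment copies,
    each carrying a digest so the server can verify and reorder them."""
    return [{"index": i // size,
             "digest": hashlib.sha256(stream[i:i + size]).hexdigest(),
             "data": stream[i:i + size]}
            for i in range(0, len(stream), size)]


def encapsulate(node_id: str, fragments):
    """Data transmission unit: wrap fragment copies in one upload envelope
    with a CRC over the body so truncation in transit is detectable."""
    body = json.dumps([{"index": f["index"], "digest": f["digest"],
                        "data": f["data"].hex()} for f in fragments]).encode()
    return {"node": node_id, "count": len(fragments),
            "crc": zlib.crc32(body), "body": body}


def parse_envelope(envelope):
    """Server-side parse: reject a corrupted body, verify each fragment
    digest, and return the fragments in index order."""
    if zlib.crc32(envelope["body"]) != envelope["crc"]:
        raise ValueError("envelope body does not match its CRC")
    frags = []
    for item in json.loads(envelope["body"]):
        data = bytes.fromhex(item["data"])
        if hashlib.sha256(data).hexdigest() != item["digest"]:
            raise ValueError(f"digest mismatch on fragment {item['index']}")
        frags.append({"index": item["index"], "data": data})
    return sorted(frags, key=lambda f: f["index"])


class NodeDevice:
    def __init__(self, node_id: str):
        self.node_id = node_id
        self.armed = False          # set once a valid upload instruction arrives
        self.business = deque()     # business data awaiting processing/transmission
        self.copies = []            # saved fragment copies awaiting upload
        self.uploads = []           # envelopes handed to the server (simulated)

    def receive_instruction(self, instruction: dict) -> bool:
        """Instruction receiving unit: only the server's upload order arms the node."""
        if instruction.get("cmd") == "upload_fragments":
            self.armed = True
        return self.armed

    def observe_stream(self, stream: bytes):
        """Data processing unit: split the passing stream and keep copies."""
        if self.armed:
            self.copies.extend(split_stream(stream))

    def tick(self):
        """One scheduling step. Business data is always served first; the
        fragment copies are encapsulated and uploaded only when nothing
        business-related is pending, i.e. in a business-processing gap."""
        if self.business:
            return ("business", self.business.popleft())
        if self.copies:
            envelope = encapsulate(self.node_id, self.copies)
            self.copies = []
            self.uploads.append(envelope)
            return ("upload", envelope)
        return ("idle", None)


def simulate(stream: bytes, business_items):
    """Run one node through instruction, stream observation and scheduling.
    Returns the sequence of actions and the stream the server reassembles."""
    node = NodeDevice("node-A")
    node.receive_instruction({"cmd": "upload_fragments"})
    node.observe_stream(stream)
    node.business.extend(business_items)
    actions = []
    while True:
        kind, _ = node.tick()
        actions.append(kind)
        if kind == "idle":
            break
    reassembled = b"".join(f["data"] for env in node.uploads
                           for f in parse_envelope(env))
    return actions, reassembled


if __name__ == "__main__":
    # Constructed sample: a 40-byte stream and two pending business items.
    print(simulate(b"constructed node-local traffic sample xx", ["tx-1", "tx-2"]))
```

With two business items queued, the scheduler serves both before the single upload, and the server reassembles the original 40-byte stream from the three fragment copies; a node that never receives the upload order saves no copies at all.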
Fig. 3 is the internal structure diagram of the server for tracking long-chain network attacks provided by the present application. The server comprises:
an instruction sending unit, for sending the instruction to each network node, the instruction ordering each network node to upload its local data fragments to the server;
a data merging unit, for parsing the encapsulated fragment copies once they are received and merging the data fragments with the historical data fragments held locally by the server; the merge is performed according to at least one of the following criteria: the network node the fragment belongs to, the transmitting terminal it belongs to, the data type, and the corresponding access behaviour;
an anomaly analysis unit, for analysing the merged data fragments with the analysis model, finding any abnormal data fragments that may be present, marking the network node or terminal to which each of the several abnormal data fragments belongs as an abnormal point, and analysing whether a logical association exists between the several abnormal data fragments;
if a logical association exists between the several abnormal data fragments, a forward-backward association is established between the abnormal points corresponding to them, and those abnormal points are marked as transit points on a potential attack trajectory; if no logical association exists between them, the forward-backward association between the corresponding abnormal points is broken, and they are deleted as transit points from the potential attack trajectory;
a transfer unit, for passing the forward-backward associations, the transit points and the potential attack trajectory to the display processing device;
a model training unit, for training the analysis model on the forward-backward associations and the abnormal data fragments.
In some preferred embodiments, the network-side server is a cluster server.
In some preferred embodiments, the network-side server sends the instruction to each network node at a fixed period.
Fig. 4 is the architecture diagram of the system for tracking long-chain network attacks provided by the present application. The system comprises multiple network nodes on which the device shown in Fig. 2 is applied, and the server shown in Fig. 3.
In a specific implementation, the present invention also provides a computer storage medium that can store a program; when executed, the program can include some or all of the steps in each embodiment of the present invention. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
Those skilled in the art will clearly understand that the technology in the embodiments of the present invention can be implemented by software together with a general hardware platform. Based on this understanding, the technical solution of the embodiments, or the part of it that contributes over the prior art, can be embodied as a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention or in certain parts of an embodiment.
The embodiments in this specification can be referred to each other for their same or similar parts. Since the device, server and system embodiments are substantially similar to the method embodiment, they are described relatively briefly; for related details, refer to the description of the method embodiment.
The embodiments described above are not intended to limit the scope of the present invention.
Claims (7)
1. A method for tracking long-chain network attacks, characterised by comprising:
the network-side server sending an instruction to each network node, the instruction ordering each network node to upload its local data fragments to the server;
after receiving the instruction, each network node splitting the data stream passing through it into several data fragments, saving copies of the data fragments, and encapsulating and uploading the fragment copies to the server during gaps in business processing;
after receiving the encapsulated fragment copies, the server parsing them and merging the data fragments with the historical data fragments held locally by the server, the merge being performed according to at least one of the following criteria: the network node the fragment belongs to, the transmitting terminal it belongs to, the data type, and the corresponding access behaviour;
the server analysing the merged data fragments with an analysis model, finding any abnormal data fragments that may be present, marking the network node or terminal to which each of the several abnormal data fragments belongs as an abnormal point, and analysing whether a logical association exists between the several abnormal data fragments;
if a logical association exists between the several abnormal data fragments, establishing a forward-backward association between the abnormal points corresponding to them and marking those abnormal points as transit points on a potential attack trajectory; if no logical association exists between them, breaking the forward-backward association between the corresponding abnormal points and deleting them as transit points from the potential attack trajectory;
the server passing the forward-backward associations, the transit points and the potential attack trajectory to a display processing device;
the server training the analysis model on the forward-backward associations and the abnormal data fragments;
after receiving the forward-backward associations, the transit points and the potential attack trajectory, the display processing device marking the transit points on a mappable network-node architecture diagram, marking each node's corresponding forward-backward associations on the diagram, drawing the potential attack trajectory, and showing it on a large screen.
2. The method according to claim 1, characterised in that the network-side server is a cluster server.
3. The method according to claim 1 or 2, characterised in that the network-side server sends the instruction to each network node at a fixed period.
4. The method according to any one of claims 1 to 3, characterised in that the network node uploading the fragment copies during gaps in business processing comprises: processing business data first, and uploading the fragment copies to the server only when no business data needs to be processed or transmitted.
5. A device for tracking long-chain network attacks, applied on a network node and executing the method according to any one of claims 1 to 4, characterised by comprising:
an instruction receiving unit, for receiving the instruction the network-side server sends to each network node, the instruction ordering each network node to upload its local data fragments to the server;
a data processing unit, for splitting the data stream passing through the network node into several data fragments and saving copies of the data fragments;
a data transmission unit, for encapsulating and uploading the fragment copies to the server during gaps in business processing.
6. A server for tracking long-chain network attacks, located on the network side and executing the method according to any one of claims 1 to 4, characterised by comprising:
an instruction sending unit, for sending the instruction to each network node, the instruction ordering each network node to upload its local data fragments to the server;
a data merging unit, for parsing the encapsulated fragment copies once they are received and merging the data fragments with the historical data fragments held locally by the server, the merge being performed according to at least one of the following criteria: the network node the fragment belongs to, the transmitting terminal it belongs to, the data type, and the corresponding access behaviour;
an anomaly analysis unit, for analysing the merged data fragments with the analysis model, finding any abnormal data fragments that may be present, marking the network node or terminal to which each of the several abnormal data fragments belongs as an abnormal point, and analysing whether a logical association exists between the several abnormal data fragments;
if a logical association exists between the several abnormal data fragments, establishing a forward-backward association between the abnormal points corresponding to them and marking those abnormal points as transit points on a potential attack trajectory; if no logical association exists between them, breaking the forward-backward association between the corresponding abnormal points and deleting them as transit points from the potential attack trajectory;
a transfer unit, for passing the forward-backward associations, the transit points and the potential attack trajectory to the display processing device;
a model training unit, for training the analysis model on the forward-backward associations and the abnormal data fragments.
7. A system for tracking long-chain network attacks, characterised in that the system comprises multiple network nodes on which the device according to claim 5 is applied, and the server according to claim 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910626783.7A CN110365675B (en) | 2019-07-11 | 2019-07-11 | Method, device and system for network tracking long chain attack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110365675A true CN110365675A (en) | 2019-10-22 |
| CN110365675B CN110365675B (en) | 2021-09-03 |
Family
ID=68218956
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910626783.7A Active CN110365675B (en) | 2019-07-11 | 2019-07-11 | Method, device and system for network tracking long chain attack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110365675B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100318852A1 (en) * | 2009-06-16 | 2010-12-16 | Microsoft Corporation | Visualization tool for system tracing infrastructure events |
| CN104539626A (en) * | 2015-01-14 | 2015-04-22 | 中国人民解放军信息工程大学 | Network attack scene generating method based on multi-source alarm logs |
| CN104731816A (en) * | 2013-12-23 | 2015-06-24 | 阿里巴巴集团控股有限公司 | Method and device for processing abnormal business data |
| CN105208000A (en) * | 2015-08-21 | 2015-12-30 | 深信服网络科技(深圳)有限公司 | Network attack retrospective analysis method and network security equipment |
| CN105763529A (en) * | 2015-12-12 | 2016-07-13 | 哈尔滨安天科技股份有限公司 | Attack chain obtaining method and system in network environment |
| US20170302691A1 (en) * | 2016-04-18 | 2017-10-19 | Acalvio Technologies, Inc. | Systems and Methods for Detecting and Tracking Adversary Trajectory |
| US9998480B1 (en) * | 2016-02-29 | 2018-06-12 | Symantec Corporation | Systems and methods for predicting security threats |
| CN109067815A (en) * | 2018-11-06 | 2018-12-21 | 深信服科技股份有限公司 | Attack Source Tracing method, system, user equipment and storage medium |
| CN109688161A (en) * | 2019-02-14 | 2019-04-26 | 上海鹏越惊虹信息技术发展有限公司 | A kind of network trace method, apparatus, system, equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| Li Qiuxia, "Design and Implementation of a Map-Based Network Attack Visualization System" (基于地图的网络攻击可视化系统设计与实现), China Master's Theses Full-text Database (中国优秀硕士学位论文全文数据库) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110365675B (en) | 2021-09-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230362200A1 (en) | Dynamic cybersecurity scoring and operational risk reduction assessment | |
| US20200287927A1 (en) | Anomaly detection based on changes in an entity relationship graph | |
| US20200412754A1 (en) | System and method for comprehensive data loss prevention and compliance management | |
| US20160226893A1 (en) | Methods for optimizing an automated determination in real-time of a risk rating of cyber-attack and devices thereof | |
| CN107465651A (en) | Network attack detecting method and device | |
| US10250465B2 (en) | Network traffic monitoring and classification | |
| CN112187764A (en) | System and method for webflow logging for multi-tenant environments | |
| CN102043702A (en) | Method for monitoring events, rule engine device and rule engine system | |
| WO2016022720A2 (en) | Method and apparatus of identifying a transaction risk | |
| KR20110131094A (en) | Methods and systems for identifying communities within an information network | |
| CN110198248B (en) | Method and device for detecting IP address | |
| KR102462128B1 (en) | Systems and methods for reporting computer security incidents | |
| US10984111B2 (en) | Data driven parser selection for parsing event logs to detect security threats in an enterprise system | |
| US10015192B1 (en) | Sample selection for data analysis for use in malware detection | |
| CN110365674A (en) | A kind of method, server and system for predicting network attack face | |
| Shahid et al. | Detecting network attacks using federated learning for iot devices | |
| CN108351941A (en) | Analytical equipment, analysis method and analysis program | |
| Suchacka | Analysis of aggregated bot and human traffic on e-commerce site | |
| CN109213801A (en) | Data digging method and device based on incidence relation | |
| CN106878240A (en) | Zombie host recognition methods and device | |
| CN110381047A (en) | A kind of method, server and the system of the tracking of network attack face | |
| KR20220073657A (en) | Image-based malicious code analysis method and apparatus and artificial intelligence-based endpoint detection and response system using the same | |
| CN107231364B (en) | Website vulnerability detection method and device, computer device and storage medium | |
| CN110351273A (en) | A kind of methods, devices and systems of network trace reel chain attack | |
| CN110365673A (en) | Method, server and the system in a kind of isolation network attack face |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |