
CN112351008B - Network attack analysis method, device, readable storage medium and computer equipment - Google Patents


Info

Publication number
CN112351008B
Authority
CN
China
Prior art keywords
query interface
name
searching
source address
alarm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011163928.3A
Other languages
Chinese (zh)
Other versions
CN112351008A (en)
Inventor
罗家强
范渊
刘博�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202011163928.3A
Publication of CN112351008A
Application granted
Publication of CN112351008B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack analysis method, device, readable storage medium and computer equipment. The network attack analysis method comprises the following steps: when a network attack alarm occurs, reading a first object entity selected by a user; analyzing the first object entity through a preset analysis query interface to generate first query result data, the analysis query interface having query logic information; extracting the query result data to generate a second object entity; analyzing the second object entity through the analysis query interface to generate second query result data; and acquiring the relationship between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relationship graph, and displaying the relationship graph. The method and device solve the prior-art problems of high learning cost and the inability to see the associations behind the data intuitively.

Description

Network attack analysis method, device, readable storage medium and computer equipment

Technical field

The present invention relates to the technical field of network security, and in particular to a network attack analysis method, device, readable storage medium and computer equipment.

Background

Today's networks are full of hackers who, with differing motives, carry out attacks over the Internet against other individuals or enterprises in order to gain profit, raise their reputation, pursue political aims, and so on. In past security incidents, enterprises have had a poor ability to perceive hosts in their network that had already been compromised, and often failed to detect attacks in the network promptly. Hackers lurk inside an organization for long periods, collecting information, stealing sensitive data, and even causing damage.

To strengthen their security awareness, more and more enterprises are now building log analysis platforms. However, current log analysis platforms still have the following problems: every retrieval of data requires writing complicated query statements, and the query syntax differs from one log platform to another, which imposes a high learning cost on users; in addition, existing log analysis platforms present results mainly as lists, and when tracing the source of a threat, results shown as a list do not let the user see the associations behind the data intuitively.

Summary of the invention

Therefore, one object of the present invention is to propose a network attack analysis method that solves the prior-art problems of high learning cost and the inability to see the associations behind the data intuitively.

The present invention provides a network attack analysis method, comprising:

when a network attack alarm occurs, reading a first object entity selected by a user;

analyzing the first object entity through a preset analysis query interface to generate first query result data, the analysis query interface having query logic information;

extracting the query result data to generate a second object entity;

analyzing the second object entity through the analysis query interface to generate second query result data;

acquiring the relationship between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relationship graph, and displaying the relationship graph.

According to the network attack analysis method provided by the present invention, because the query interfaces are encapsulated, the user can call a query interface directly and interactively to obtain the desired query result data; this lowers the threshold for network threat tracing and log analysis, keeps the learning cost low, and is convenient. In addition, presenting query results as a relationship graph lets the user intuitively interpret the relationships between behaviors, locate the attack source more quickly, assess the scope of the attack's impact more quickly, and quickly understand the relationships behind the data.

In addition, the above network attack analysis method according to the present invention may also have the following additional technical features:

Further, the analysis query interface includes an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;

the alarm name query interface is used to search for alarm names by source address, by destination address, by source host, by destination host, or by domain name;

the source address and destination address query interface is used to search for source addresses by alarm name, for destination addresses by alarm name, for destination addresses by source address and alarm name, for source addresses by destination address and alarm name, or for destination addresses by source address and destination port;

the source port and destination port query interface is used to search for destination ports by source address, for source ports by destination address and alarm name, or for destination ports by source address and alarm name;

the HTTP query interface is used to search for request URLs by alarm name, for request URLs by source address, for HTTP return status codes by alarm name, or for HTTP return status codes by source address.

Further, the analysis query interface also includes a DNS domain name query interface, which is used to search for DNS domain names by source address and alarm name.

Further, the method specifically includes:

when a network attack alarm occurs, reading the alarm object entity;

obtaining the source address of the alarm object entity through the source address and destination address query interface of the analysis query interface;

selecting the source address as the object entity, and calling the alarm name query interface of the analysis query interface to obtain other alarms related to the source address;

selecting the other alarms related to the source address as object entities, and calling the source port and destination port query interface of the analysis query interface to obtain the destination port;

selecting the destination port as the object entity, and calling the source address and destination address query interface of the analysis query interface to obtain the destination address;

selecting the destination address as the object entity, and calling the alarm name query interface of the analysis query interface to obtain other alarms related to the destination address;

acquiring the relationships between the query result data of the analysis query interfaces, connecting the object entities through a relationship graph, and displaying the relationship graph.

Further, the first object entity is any one of: source address, destination address, source port, destination port, transport protocol, application protocol, alarm name, event name, file name, virus name, DNS domain name, request URL, HTTP return status code, process name, user name, operation, and operation result.

Another object of the present invention is to propose a network attack analysis device to solve the prior-art problems of low test efficiency and high test cost.

The present invention provides a network attack analysis device, comprising:

a first reading module, configured to read a first object entity selected by a user when a network attack alarm occurs;

a first analysis module, configured to analyze the first object entity through a preset analysis query interface to generate first query result data, the analysis query interface having query logic information;

an extraction and generation module, configured to extract the query result data to generate a second object entity;

a second analysis module, configured to analyze the second object entity through the analysis query interface to generate second query result data;

a first display module, configured to acquire the relationship between the first query result data and the second query result data, connect the first object entity and the second object entity through a relationship graph, and display the relationship graph.

According to the network attack analysis device provided by the present invention, because the query interfaces are encapsulated, the user can call a query interface directly and interactively to obtain the desired query result data; this lowers the threshold for network threat tracing and log analysis, keeps the learning cost low, and is convenient. In addition, presenting query results as a relationship graph lets the user intuitively interpret the relationships between behaviors, locate the attack source more quickly, assess the scope of the attack's impact more quickly, and quickly understand the relationships behind the data.

In addition, the above network attack analysis device according to the present invention may also have the following additional technical features:

Further, the analysis query interface includes an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;

the alarm name query interface is used to search for alarm names by source address, by destination address, by source host, by destination host, or by domain name;

the source address and destination address query interface is used to search for source addresses by alarm name, for destination addresses by alarm name, for destination addresses by source address and alarm name, for source addresses by destination address and alarm name, or for destination addresses by source address and destination port;

the source port and destination port query interface is used to search for destination ports by source address, for source ports by destination address and alarm name, or for destination ports by source address and alarm name;

the HTTP query interface is used to search for request URLs by alarm name, for request URLs by source address, for HTTP return status codes by alarm name, or for HTTP return status codes by source address.

Further, the analysis query interface also includes a DNS domain name query interface, which is used to search for DNS domain names by source address and alarm name.

Further, the first object entity is any one of: source address, destination address, source port, destination port, transport protocol, application protocol, alarm name, event name, file name, virus name, DNS domain name, request URL, HTTP return status code, process name, user name, operation, and operation result.

In addition, in one example, the device includes:

a second reading module, configured to read the alarm object entity when a network attack alarm occurs;

a first query module, configured to obtain the source address of the alarm object entity through the source address and destination address query interface of the analysis query interface;

a second query module, configured to select the source address as the object entity and call the alarm name query interface of the analysis query interface to obtain other alarms related to the source address;

a third query module, configured to select the other alarms related to the source address as object entities and call the source port and destination port query interface of the analysis query interface to obtain the destination port;

a fourth query module, configured to select the destination port as the object entity and call the source address and destination address query interface of the analysis query interface to obtain the destination address;

a fifth query module, configured to select the destination address as the object entity and call the alarm name query interface of the analysis query interface to obtain other alarms related to the destination address;

a second display module, configured to acquire the relationships between the query result data of the analysis query interfaces, connect the object entities through a relationship graph, and display the relationship graph.

The present invention also proposes a readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the above network attack analysis method are implemented.

The present invention also proposes a computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the steps of the above network attack analysis method are implemented.

Additional aspects and advantages of the present invention will be set out in part in the following description, will in part become apparent from it, or will be learned through the embodiments of the present invention.

Brief description of the drawings

The above and/or additional aspects and advantages of embodiments of the present invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:

FIG. 1 is a flowchart of a network attack analysis method according to an embodiment of the present invention;

FIG. 2 is a flowchart of a network attack analysis method according to another embodiment of the present invention;

FIG. 3 is a schematic diagram of an exemplary relationship network between multiple object entities;

FIG. 4 is a structural block diagram of a network attack analysis device according to an embodiment of the present invention;

FIG. 5 is a structural block diagram of a network attack analysis device according to another embodiment of the present invention;

FIG. 6 is an internal structure diagram of a computer device according to an embodiment of the present invention.

Detailed description

To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Referring to FIG. 1, the network attack analysis method proposed by an embodiment of the present invention includes at least steps S101 to S105.

In S101, when a network attack alarm occurs, the first object entity selected by the user is read. When the user observes a suspicious event that needs analysis during daily operations and maintenance work, that is, when a network attack alarm occurs, the user is given a visual interactive interface: the user interacts by clicking the first object entity, then selects an analysis query interface, and the query task is issued.

The first object entity includes, but is not limited to, any one of: source address, destination address, source port, destination port, transport protocol, application protocol, alarm name, event name, file name, virus name, DNS domain name, request URL, HTTP return status code, process name, user name, operation, and operation result.

In S102, the first object entity is analyzed through a preset analysis query interface to generate first query result data, the analysis query interface having query logic information.

The user can write the query logic information into the analysis query interface in advance and then encapsulate the analysis query interface so that it can be called whenever needed.

Specifically, the analysis query interface includes an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface.

The alarm name query interface is used to search for alarm names by source address, by destination address, by source host, by destination host, or by domain name.

The source address and destination address query interface is used to search for source addresses by alarm name, for destination addresses by alarm name, for destination addresses by source address and alarm name, for source addresses by destination address and alarm name, or for destination addresses by source address and destination port.

The source port and destination port query interface is used to search for destination ports by source address, for source ports by destination address and alarm name, or for destination ports by source address and alarm name.

The HTTP query interface is used to search for request URLs by alarm name, for request URLs by source address, for HTTP return status codes by alarm name, or for HTTP return status codes by source address.

Optionally, the analysis query interface also includes a DNS domain name query interface, which is used to search for DNS domain names by source address and alarm name.

In S103, the query result data is extracted to generate a second object entity. That is, the query result data obtained in the previous step is taken as a new object entity.

The second object entity likewise includes, but is not limited to, any one of: source address, destination address, source port, destination port, transport protocol, application protocol, alarm name, event name, file name, virus name, DNS domain name, request URL, HTTP return status code, process name, user name, operation, and operation result.

In S104, the second object entity is analyzed through the analysis query interface to generate second query result data. The analysis can be performed through any one of the alarm name query interface, the source address and destination address query interface, the source port and destination port query interface, the HTTP query interface, and the DNS domain name query interface.

In S105, the relationship between the first query result data and the second query result data is acquired, the first object entity and the second object entity are connected through a relationship graph, and the relationship graph is displayed. From the relationship between the two sets of query result data, the association between the first object entity and the second object entity can be established and then shown to the user as a relationship graph.

In addition, it should be noted that if the user's analysis query needs cannot be met by the preset analysis query interfaces, the user can also add new query interfaces and call them.

According to the network attack analysis method provided by this embodiment, because the query interfaces are encapsulated, the user can call a query interface directly and interactively to obtain the desired query result data; this lowers the threshold for network threat tracing and log analysis, keeps the learning cost low, and is convenient. In addition, presenting query results as a relationship graph lets the user intuitively interpret the relationships between behaviors, locate the attack source more quickly, assess the scope of the attack's impact more quickly, and quickly understand the relationships behind the data.

本发明另一实施例提出一种网络攻击分析方法,其是在上一实施例的基础上,以ElasticSearch作为数据仓库,Python编程实现数据查询接口为例进行详细说明,请参阅图2,本实施例的方法包括步骤S201~S207。Another embodiment of the present invention proposes a network attack analysis method, which is based on the previous embodiment, taking ElasticSearch as a data warehouse and Python programming to implement a data query interface as an example for detailed description, please refer to FIG. 2, this implementation The example method includes steps S201 to S207.

S201,当发生网络攻击告警时,读取告警对象实体。其中,当发生了一个告警时,我们想要通过该告警去溯源整个事件发生的过程及影响范围,例如,检测到发生“主机扫描特定端口后发起针对该端口的攻击”,则会读取“主机扫描特定端口后发起针对该端口的攻击”这一告警对象实体。S201, when a network attack alarm occurs, read the alarm object entity. Among them, when an alarm occurs, we want to trace the process and scope of the entire event through the alarm. For example, if it is detected that "the host scans a specific port and then launches an attack on the port", it will read " After the host scans a specific port, it initiates an attack against the port" This alarm object entity.

S202,通过所述分析查询接口中的源地址与目的地址查询接口获取所述告警对象实体的源地址。其中,通过分析查询接口中的源地址与目的地址查询接口,在告警对象实体“主机扫描特定端口后发起针对该端口的攻击”上选择“根据告警名称搜索源地址”得到触发改该告警的源地址“172.16.100.21”。S202: Obtain the source address of the alarm object entity through the source address and destination address query interfaces in the analysis query interface. Among them, by analyzing the source address and destination address query interface in the query interface, on the alarm object entity “host scans a specific port and then initiates an attack on the port”, select “search for source address based on alarm name” to obtain the source that triggers the alarm. Address "172.16.100.21".

S203,选择所述源地址作为对象实体,调用所述分析查询接口中的告警名称查询接口获取与所述源地址相关的其他告警。其中,选择源地址“172.16.100.21”作为对象实体,调用分析查询接口中的告警名称查询接口“根据源地址搜索告警名称”得到该源地址其他相关的四个告警“内网主机发起特定端口扫描”、“漏洞攻击-Wannacry攻击”、“漏洞攻击”、“威胁情报命中-内网主机与恶意域名通讯”。S203: Select the source address as the object entity, and call the alarm name query interface in the analysis query interface to acquire other alarms related to the source address. Among them, select the source address "172.16.100.21" as the object entity, call the alarm name query interface in the analysis query interface "Search the alarm name according to the source address" to get other related four alarms of the source address "Intranet host initiates a specific port scan. ", "Vulnerability Attack - Wannacry Attack", "Vulnerability Attack", "Threat Intelligence Hit - Communication between Intranet Hosts and Malicious Domain Names".

S204: select the other alarms related to the source address as object entities and call the source port and destination port query interface of the analysis query interface to obtain the destination port.

Selecting the alarm object entity "intranet host initiates a specific port scan" and calling "search destination port by source address and alarm name" in the source port and destination port query interface shows that source address "172.16.100.21" scanned port 445.

Selecting the alarm object entity "vulnerability attack - WannaCry attack" and calling "search destination address by source address and alarm name" in the source address and destination address query interface shows that source address "172.16.100.21" attacked the destination addresses "172.16.100.134" and "172.16.100.18".

Selecting the alarm object entity "vulnerability attack" and calling the same "search destination address by source address and alarm name" query shows that source address "172.16.100.21" attacked the same destination addresses, "172.16.100.134" and "172.16.100.18".

Selecting the alarm object entity "threat intelligence hit - intranet host communicates with a malicious domain" and calling "search DNS domain name by source address and alarm name" in the DNS domain name query interface shows that source address "172.16.100.21" resolved the malicious domain "morning.circle.net".

S205: select the destination port as the object entity and call the source address and destination address query interface of the analysis query interface to obtain the destination addresses. With destination port "445" selected as the object entity, calling "search destination address by source address and destination port" shows that source address "172.16.100.21" connected to port "445" on the destination addresses "172.16.100.147", "172.16.100.157", "172.16.100.174", "172.16.100.217", "172.16.100.17", "172.16.100.18" and "172.16.100.134".

S206: select a destination address as the object entity and call the alarm name query interface of the analysis query interface to obtain the other alarms related to that destination address. With "172.16.100.134" selected as the object entity, calling "search alarm names by source address" (the former victim is now queried as a source) shows that this address also carries the alarm "threat intelligence hit - intranet host communicates with a malicious domain"; calling "search DNS domain name by source address and alarm name" in the DNS domain name query interface again shows that "172.16.100.134" resolved the malicious domain "morning.circle.net".

In the same way, selecting destination address "172.16.100.18" as the object entity and calling "search alarm names by source address" shows that this address also carries the alarm "threat intelligence hit - intranet host communicates with a malicious domain", and calling "search DNS domain name by source address and alarm name" again shows that "172.16.100.18" resolved the malicious domain "morning.circle.net".

S207: obtain the relationships between the individual query result data returned by the analysis query interface, connect the object entities in a relationship graph, and display the relationship graph.

As shown in Figure 3, this yields the relationship network between the object entities, from which the conclusion can be read directly: the already infected source address "172.16.100.21" scanned port "445" on the intranet hosts and then launched vulnerability attacks against hosts "172.16.100.134" and "172.16.100.18", which succeeded (the evidence being that both targets subsequently contacted the same malicious domain); all three infected hosts, "172.16.100.21", "172.16.100.134" and "172.16.100.18", connected to the malicious domain "morning.circle.net".

Referring to Figure 4, a network attack analysis device according to one embodiment of the present invention includes:

a first reading module 11, used to read the first object entity selected by the user when a network attack alarm occurs;

a first analysis module 12, used to analyse the first object entity through a preset analysis query interface to generate first query result data, the analysis query interface carrying query logic information;

an extraction and generation module 13, used to extract the query result data to generate a second object entity;

a second analysis module 14, used to analyse the second object entity through the analysis query interface to generate second query result data;

a first display module 15, used to obtain the relationship between the first query result data and the second query result data, connect the first object entity and the second object entity in a relationship graph, and display the relationship graph.

In this embodiment, the analysis query interface includes an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;

the alarm name query interface is used to search alarm names by source address, by destination address, by source host, by destination host, or by domain name;

the source address and destination address query interface is used to search source addresses by alarm name, destination addresses by alarm name, destination addresses by source address and alarm name, source addresses by destination address and alarm name, or destination addresses by source address and destination port;

the source port and destination port query interface is used to search destination ports by source address, source ports by destination address and alarm name, or destination ports by source address and alarm name;

the HTTP query interface is used to search request URLs by alarm name, request URLs by source address, HTTP response status codes by alarm name, or HTTP response status codes by source address.

In this embodiment, the analysis query interface further includes a DNS domain name query interface, used to search DNS domain names by source address and alarm name.

In this embodiment, the first object entity is any one of: source address, destination address, source port, destination port, transport protocol, application protocol, alarm name, event name, file name, virus name, DNS domain name, request URL, HTTP response status code, process name, user name, operation, and operation result.

With the network attack analysis device of this embodiment, the query interfaces are encapsulated so that the user can call them interactively and obtain the desired query result data directly. This lowers the barrier to threat tracing and log analysis: the learning cost is low and the workflow is convenient. Presenting the query results as a relationship graph further lets the user read the relationships between behaviours at a glance, locate the attack source and assess the scope of the attack faster, and quickly understand the relationships behind the data.

Referring to Figure 5, a network attack analysis device according to another embodiment of the present invention includes:

a second reading module 21, used to read the alarm object entity when a network attack alarm occurs;

a first query module 22, used to obtain the source address of the alarm object entity through the source address and destination address query interface of the analysis query interface;

a second query module 23, used to select the source address as the object entity and call the alarm name query interface of the analysis query interface to obtain the other alarms related to the source address;

a third query module 24, used to select the other alarms related to the source address as object entities and call the source port and destination port query interface of the analysis query interface to obtain the destination port;

a fourth query module 25, used to select the destination port as the object entity and call the source address and destination address query interface of the analysis query interface to obtain the destination addresses;

a fifth query module 26, used to select a destination address as the object entity and call the alarm name query interface of the analysis query interface to obtain the other alarms related to that destination address;

a second display module 27, used to obtain the relationships between the individual query result data returned by the analysis query interface, connect the object entities in a relationship graph, and display the relationship graph.

Note that the specific limitations on the network attack analysis device follow those given above for the network attack analysis method and are not repeated here. The modules of the device may be implemented wholly or partly in software, in hardware, or in a combination of the two. They may be embedded in, or independent of, the processor of the computer device in hardware form, or stored in the memory of the computer device in software form so that the processor can invoke and execute the operations of each module.

In one embodiment a computer device is provided, which may be a terminal; its internal structure may be as shown in Figure 6. The computer device includes a processor, a memory, a communication interface, a display screen and an input device connected by a system bus. The processor provides computing and control capability. The memory includes a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system and a computer program, and the internal memory provides the runtime environment for that operating system and program. The communication interface is used for wired or wireless communication with external terminals, where the wireless link may be Wi-Fi, a carrier network, NFC (near field communication) or another technology. When executed by the processor, the computer program implements the network attack analysis method. The display screen may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer over the display, a key, trackball or touchpad on the device housing, or an external keyboard, touchpad or mouse.

Those skilled in the art will understand that the structure shown in Figure 6 is only a block diagram of the parts relevant to the present solution and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown, combine some of them, or arrange them differently.

In one embodiment a computer device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, carries out the steps of the network attack analysis method described above.

The implementation principle and technical effect of the computer device provided by the above embodiment are similar to those of the method embodiments and are not repeated here.

In one embodiment a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the network attack analysis method described above.

The implementation principle and technical effect of the computer-readable storage medium provided by the above embodiment are similar to those of the method embodiments and are not repeated here.

Those of ordinary skill in the art will understand that all or part of the flow of the above method embodiments can be carried out by a computer program instructing the relevant hardware; the program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the flows of the method embodiments above. Any reference to memory, storage, a database or other media in the embodiments of this application may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory or optical storage. Volatile memory may include random access memory (RAM) or an external cache. By way of illustration and not limitation, the RAM may take various forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM).

The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of those features has been described; however, any combination of them that contains no contradiction should be considered within the scope of this specification.

The embodiments above represent only some of the ways of carrying out this application and are described in relatively specific detail, but they should not be taken as limiting the scope of the invention patent. Those of ordinary skill in the art may make a number of variations and improvements without departing from the concept of this application, and all of these fall within its scope of protection. The scope of protection of this patent is therefore defined by the appended claims.

Claims (10)

1. A network attack analysis method, comprising:
when a network attack alarm occurs, reading a first object entity selected by a user;
analyzing the first object entity through a preset analysis query interface to generate first query result data, wherein the analysis query interface has query logic information;
extracting the query result data to generate a second object entity;
analyzing the second object entity through the analysis query interface to generate second query result data;
and acquiring the relationship between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relationship graph, and displaying the relationship graph.
2. The network attack analysis method according to claim 1, wherein the analysis query interface comprises an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;
the alarm name query interface is used for searching an alarm name according to a source address, or searching an alarm name according to a destination address, or searching an alarm name according to a source host, or searching an alarm name according to a destination host, or searching an alarm name according to a domain name;
the source address and destination address query interface is used for searching a source address according to an alarm name, or searching a destination address according to the source address and the alarm name, or searching a source address according to the destination address and the alarm name, or searching a destination address according to the source address and a destination port;
the source port and destination port query interface is used for searching the destination port according to a source address, or searching the source port according to a destination address and an alarm name, or searching the destination port according to the source address and the alarm name;
the HTTP query interface is used for searching the request URL according to the alarm name, or searching the request URL according to the source address, or searching the HTTP return status code according to the alarm name, or searching the HTTP return status code according to the source address.
3. The network attack analysis method according to claim 2, wherein the analysis query interface further comprises a DNS domain name query interface for searching for a DNS domain name according to the source address and the alarm name.
4. The network attack analysis method according to claim 1, wherein the method specifically comprises:
when a network attack alarm occurs, reading an alarm object entity;
obtaining the source address of the alarm object entity through the source address and the destination address query interface in the analysis query interface;
selecting the source address as an object entity, and calling an alarm name query interface in the analysis query interface to acquire other alarms related to the source address;
selecting other alarms related to the source address as object entities, and calling a source port and a destination port query interface in the analysis query interface to acquire a destination port;
selecting the destination port as an object entity, and calling the source address and destination address query interface in the analysis query interface to acquire a destination address;
selecting the destination address as an object entity, and calling an alarm name query interface in the analysis query interface to acquire other alarms related to the destination address;
and obtaining the relationship among the query result data of the analysis query interface, connecting the object entities through a relationship graph, and displaying the relationship graph.
5. The network attack analysis method according to claim 1, wherein the first object entity comprises any one of a source address, a destination address, a source port, a destination port, a transport protocol, an application protocol, an alarm name, an event name, a file name, a virus name, a DNS domain name, a request URL, an HTTP return status code, a process name, a user name, an operation, and an operation result.
6. A cyber attack analysis apparatus, comprising:
the first reading module is used for reading a first object entity selected by a user when a network attack alarm occurs;
the first analysis module is used for analyzing the first object entity through a preset analysis query interface to generate first query result data, and the analysis query interface has query logic information;
the extraction generation module is used for extracting the query result data to generate a second object entity;
the second analysis module is used for analyzing the second object entity through the analysis query interface to generate second query result data;
and the first display module is used for acquiring the relationship between the first query result data and the second query result data, connecting the first object entity and the second object entity through a relationship graph, and displaying the relationship graph.
7. The apparatus according to claim 6, wherein the analysis query interface comprises an alarm name query interface, a source address and destination address query interface, a source port and destination port query interface, and an HTTP query interface;
the alarm name query interface is used for searching an alarm name according to a source address, or searching an alarm name according to a destination address, or searching an alarm name according to a source host, or searching an alarm name according to a destination host, or searching an alarm name according to a domain name;
the source address and destination address query interface is used for searching a source address according to an alarm name, or searching a destination address according to the source address and the alarm name, or searching a source address according to the destination address and the alarm name, or searching a destination address according to the source address and a destination port;
the source port and destination port query interface is used for searching the destination port according to a source address, or searching the source port according to a destination address and an alarm name, or searching the destination port according to the source address and the alarm name;
the HTTP query interface is used for searching the request URL according to the alarm name, or searching the request URL according to the source address, or searching the HTTP return status code according to the alarm name, or searching the HTTP return status code according to the source address.
8. The cyber attack analysis device according to claim 7, wherein the analysis query interface further comprises a DNS domain name query interface for searching a DNS domain name according to a source address and an alarm name.
9. A readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-5.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 5 when executing the program.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011163928.3A CN112351008B (en) 2020-10-27 2020-10-27 Network attack analysis method, device, readable storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN112351008A CN112351008A (en) 2021-02-09
CN112351008B true CN112351008B (en) 2022-07-22

Family

ID=74359106

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011163928.3A Active CN112351008B (en) 2020-10-27 2020-10-27 Network attack analysis method, device, readable storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN112351008B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114760189A (en) * 2022-03-30 2022-07-15 深信服科技股份有限公司 Information determination method, equipment and computer readable storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
EP3223495A1 (en) * 2016-03-21 2017-09-27 Light Cyber Ltd Detecting an anomalous activity within a computer network
CN110474885A (en) * 2019-07-24 2019-11-19 桂林电子科技大学 Alert correlation analysis method based on time series and IP address
CN110933101A (en) * 2019-12-10 2020-03-27 腾讯科技(深圳)有限公司 Security event log processing method, device and storage medium
CN111490970A (en) * 2020-02-19 2020-08-04 西安交大捷普网络科技有限公司 Tracing analysis method for network attack

Also Published As

Publication number Publication date
CN112351008A (en) 2021-02-09

Similar Documents

Publication Publication Date Title
JP7018920B2 (en) Confidential information processing methods, devices, servers, and security decision systems
CN106411578B (en) A kind of web publishing system and method being adapted to power industry
US10193929B2 (en) Methods and systems for improving analytics in distributed networks
CN103984900B (en) Android application leak detection method and system
RU2726032C2 (en) Systems and methods for detecting malicious programs with a domain generation algorithm (dga)
US9973525B1 (en) Systems and methods for determining the risk of information leaks from cloud-based services
CN108667855B (en) Network flow abnormity monitoring method and device, electronic equipment and storage medium
US11328056B2 (en) Suspicious event analysis device and related computer program product for generating suspicious event sequence diagram
CN113489713B (en) Network attack detection method, device, equipment and storage medium
EP3349137A1 (en) Client-side attack detection in web applications
CN104992117B (en) The anomaly detection method and behavior model method for building up of HTML5 mobile applications
CN111221625B (en) File detection method, device and equipment
CN113014549B (en) HTTP-based malicious traffic classification method and related equipment
US20190222587A1 (en) System and method for detection of attacks in a computer network using deception elements
CN112182561B (en) Rear door detection method and device, electronic equipment and medium
CN106250761B (en) Equipment, device and method for identifying web automation tool
US20250030723A1 (en) Automated actions in a security platform
CN112351008B (en) Network attack analysis method, device, readable storage medium and computer equipment
CN112685255A (en) Interface monitoring method and device, electronic equipment and storage medium
US20220191177A1 (en) System and method for securing messages
CN114531294A (en) Network anomaly sensing method and device, terminal and storage medium
CN115630362A (en) Detection method, device, equipment and storage medium for no-file attack
CN114900375A (en) Malicious threat detection method based on AI graph analysis
CN113691518B (en) Intelligence analysis methods, devices, equipment and storage media
CN103207968B (en) Method for recording operation history, and management method and system for information security

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20210209

Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.

Assignor: Dbappsecurity Co.,Ltd.

Contract record no.: X2024980043366

Denomination of invention: Network attack analysis methods, devices, readable storage media, and computer equipment

Granted publication date: 20220722

License type: Common License

Record date: 20241231