Disclosure of Invention
In view of the above, embodiments of the invention provide an attack-chain-based network attack analysis method, device and electronic apparatus, so as to improve the accuracy of analyzing network attack behaviors.
According to one aspect of the present invention, there is provided an attack-chain-based network attack analysis method, the method including:
acquiring attribute information of each piece of alarm data, wherein the attribute information includes the generation time of the alarm data and an attacker identifier;
performing stage matching on each piece of alarm data based on its attribute information and a preset attack chain model to obtain the attack stage corresponding to each piece of alarm data, wherein the preset attack chain model is defined in advance as a time-ordered sequence of attack stages, and each attack stage includes a plurality of attack behaviors;
associating the alarm data based on the attack stage information corresponding to each piece of alarm data to obtain an alarm data association graph, wherein the alarm data association graph includes a plurality of nodes and edges between the nodes, the nodes correspond one-to-one to the alarm data, and the edges represent association relations between the nodes, the association relations including a time relation and an attacker relation;
traversing the alarm data association graph and, starting from the alarm data in the first attack stage, extracting a plurality of attack links along the edges between nodes, wherein each attack link includes alarm data covering the complete time-ordered sequence of attack stages;
and analyzing each attack link based on a preset analysis rule to determine whether the attack link is a real attack behavior.
In a possible embodiment, the attribute information further includes an alarm risk level and an attack source, and the method further includes:
screening the alarm data according to a preset risk level threshold and/or attack source, based on the risk level and attack source of each piece of alarm data, to obtain screened alarm data;
and the step of performing stage matching on each piece of alarm data based on its attribute information and the preset attack chain model to obtain the corresponding attack stage includes:
performing stage matching on the screened alarm data based on its attribute information and the preset attack chain model to obtain the attack stage corresponding to each piece of screened alarm data.
In a possible embodiment, associating the alarm data based on the attack stage information corresponding to the alarm data to obtain an alarm data association graph includes:
determining, based on the attribute information of each piece of alarm data, associated alarm data that share the same attack source, fall within adjacent time periods, use the same attack method, or carry the same attack payload;
and adding edges between the nodes corresponding to the associated alarm data, and assigning each edge an edge attribute according to the association relation it represents.
In a possible embodiment, the method further includes determining, for each attack link, the alarm data belonging to the same attack stage within that attack link;
and aggregating the alarm data of the same attack stage within the same attack link to obtain each target attack link.
According to another aspect of the present invention, there is provided an attack-chain-based network attack analysis device, the device including:
an acquisition module configured to acquire attribute information of each piece of alarm data, wherein the attribute information includes the generation time of the alarm data and an attacker identifier;
a matching module configured to perform stage matching on each piece of alarm data based on its attribute information and a preset attack chain model to obtain the attack stage corresponding to each piece of alarm data, wherein the preset attack chain model is defined in advance as a time-ordered sequence of attack stages, and each attack stage includes a plurality of attack behaviors;
an association module configured to associate the alarm data based on the attack stage information corresponding to each piece of alarm data to obtain an alarm data association graph, wherein the alarm data association graph includes a plurality of nodes and edges between the nodes, the nodes correspond one-to-one to the alarm data, and the edges represent association relations between the nodes, the association relations including a time relation and an attacker relation;
an extraction module configured to traverse the alarm data association graph and, starting from the alarm data in the first attack stage, extract a plurality of attack links along the edges between nodes, wherein each attack link includes alarm data covering the complete time-ordered sequence of attack stages;
and an analysis module configured to analyze each attack link based on a preset analysis rule to determine whether the attack link is a real attack behavior.
In a possible embodiment, the attribute information further includes an alarm risk level and an attack source, and the device further includes:
a screening module configured to screen the alarm data according to a preset risk level threshold and/or attack source, based on the risk level and attack source of each piece of alarm data, to obtain screened alarm data;
and the matching module is specifically configured to:
perform stage matching on the screened alarm data based on its attribute information and the preset attack chain model to obtain the attack stage corresponding to each piece of screened alarm data.
In a possible embodiment, the association module is specifically configured to:
determine, based on the attribute information of each piece of alarm data, associated alarm data that share the same attack source, fall within adjacent time periods, use the same attack method, or carry the same attack payload;
and add edges between the nodes corresponding to the associated alarm data, and assign each edge an edge attribute according to the association relation it represents.
In a possible embodiment, the device further includes:
an aggregation module configured to determine, for each attack link, the alarm data belonging to the same attack stage within that attack link, and to aggregate the alarm data of the same attack stage within the same attack link to obtain each target attack link.
According to another aspect of the present invention, there is provided an electronic apparatus including:
a processor; and
a memory in which a program is stored,
wherein the program comprises instructions which, when executed by the processor, cause the processor to perform any of the attack-chain-based network attack analysis methods described above.
According to another aspect of the present invention, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute any of the attack-chain-based network attack analysis methods described above.
According to the one or more technical schemes provided by the embodiments of the invention, the alarm data is matched against a predefined attack chain model so that each piece of alarm data is assigned an attack stage; the alarm data is associated based on its attack stage to obtain an alarm data association graph; and attack links containing the complete sequence of attack stages are extracted from the association graph, starting from the first attack stage, for analysis. Because alarm data is usually a large amount of scattered data, dividing it by attack stage makes it possible to find, among that scattered data, the data belonging to the same attack chain, and thereby to discover the associations between alarm data and the hidden attack behaviors behind them, improving the efficiency of attack analysis and the attack detection rate. At the same time, alarm data is identified as an attack behavior only when it forms a complete sequence of attack stages, which reduces false alarms and improves the accuracy of attack behavior analysis.
Detailed Description
Embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the invention are shown in the drawings, it is to be understood that the invention may be embodied in various forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for a more thorough and complete understanding of the invention. It should be understood that the drawings and embodiments are for illustration purposes only and are not intended to limit the scope of the present invention.
It should be understood that the various steps recited in the method embodiments of the present invention may be performed in a different order and/or in parallel. Furthermore, method embodiments may include additional steps and/or omit illustrated steps. The scope of the invention is not limited in this respect.
The term "including" and variations thereof as used herein are open-ended, i.e., "including, but not limited to". The term "based on" means "based at least in part on". The term "one embodiment" means "at least one embodiment", "another embodiment" means "at least one additional embodiment", and "some embodiments" means "at least some embodiments". Related definitions of other terms will be given in the description below. It should be noted that the terms "first", "second" and the like herein are merely used to distinguish between different devices, modules or units and not to limit the order or interdependence of the functions performed by such devices, modules or units.
It should be noted that references to "one" or "a plurality" in this disclosure are illustrative rather than limiting, and those skilled in the art will appreciate that they are to be construed as "one or more" unless the context clearly indicates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present invention are for illustrative purposes only and are not intended to limit the scope of such messages or information.
In the related art, common network alarm analysis methods fall into three types:
1. Analysis based on a single alarm: the alarm itself contains partial information such as attacker information, attack behavior, time and target, and the analyst judges the alarm by analyzing the information it carries.
2. Analysis based on multi-alarm association: for an attacker, one attack action often generates more than one alarm, so a large number of abnormal alarms, or alarms of the same type within adjacent time periods, are often combined to judge the attack action.
3. Analysis based on attack effectiveness: an attacker usually attacks with a purpose, such as stealing data or account passwords or uploading a backdoor, so alarm analysis can also judge whether the attacker shows follow-up actions indicating a successful attack, so that response measures can be taken in time.
With these methods it is difficult to accurately judge from a large number of alarms whether an attack succeeded and what its scope of impact is, and a large amount of manual checking is required; moreover, because attackers time their actions and disguise them to simulate the behavior of real users, hidden attack behaviors are hard to find, and information such as the attacker's methods and targets cannot be clearly distinguished.
Based on this, embodiments of the invention provide an attack-chain-based network attack analysis method, device and electronic apparatus. The method can be applied to any electronic apparatus with a network attack analysis function, which may be a server, a computer or a mobile terminal. The scheme of the invention is described below with reference to the accompanying drawings:
Fig. 1 is a schematic flow chart of an attack-chain-based network attack analysis method according to an embodiment of the present invention, which may include the following steps:
S101, acquiring attribute information of each piece of alarm data, wherein the attribute information includes the generation time of the alarm data and an attacker identifier;
S102, performing stage matching on each piece of alarm data based on its attribute information and a preset attack chain model to obtain the attack stage corresponding to each piece of alarm data, wherein the preset attack chain model is defined in advance as a time-ordered sequence of attack stages, and each attack stage includes a plurality of attack behaviors;
S103, associating the alarm data based on the attack stage information corresponding to each piece of alarm data to obtain an alarm data association graph, wherein the alarm data association graph includes a plurality of nodes and edges between the nodes, the nodes correspond one-to-one to the alarm data, and the edges represent association relations between the nodes, the association relations including a time relation and an attacker relation;
S104, traversing the alarm data association graph and, starting from the alarm data in the first attack stage, extracting a plurality of attack links along the edges between nodes, wherein each attack link includes alarm data covering the complete time-ordered sequence of attack stages;
S105, analyzing each attack link based on a preset analysis rule to determine whether the attack link is a real attack behavior.
By applying the embodiment of the invention, the alarm data is matched against a predefined attack chain model so that each piece of alarm data is assigned an attack stage; the alarm data is associated based on its attack stage to obtain an alarm data association graph; and attack links containing the complete sequence of attack stages are extracted from the association graph, starting from the first attack stage, for analysis. Because alarm data is usually a large amount of scattered data, dividing it by attack stage makes it possible to find, among that scattered data, the data belonging to the same attack chain, which helps to discover the associations between alarm data and the hidden attack behaviors behind them, improving the efficiency of attack analysis and the attack detection rate. At the same time, alarm data is identified as an attack behavior only when it forms a complete sequence of attack stages, which reduces false alarms and improves the accuracy of attack behavior analysis.
S101 to S105 are exemplarily described below:
In a possible embodiment, the attack-chain-based network attack behavior analysis method provided by the embodiment of the invention can be applied to a distributed cluster, i.e., a system composed of a group of interconnected computers or servers that are treated as a whole and cooperate to provide high-performance, highly available and scalable services. The various alarm data generated within the cluster may be monitored by a monitoring tool such as Prometheus or Nagios.
Accordingly, in S101, the alarm data and its attribute information may be obtained through the monitoring tool, for example through a preset interface of the monitoring tool that exposes the alarm data it collects. As another possible implementation, the monitoring tool may store the collected alarm data in a preset database, from which the alarm data and its attribute information are then obtained. In a possible embodiment, the alarm data may also be obtained by a pre-written script, from monitoring logs, and so on; the present invention does not limit this in detail.
The attribute information identifies the basic information of the alarm data and may include the generation time, source, attacker identifier, attack target, risk level and the like of the alarm data. The generation time of the alarm data is the point in time at which the monitoring tool detected suspicious activity or attack behavior and generated the alarm; it may be based on a custom clock in the monitoring tool or on geographic (wall-clock) time. The source of the alarm data is the particular device, system, application or network location that triggered the alarm, such as a server, firewall, intrusion detection system (IDS), antivirus software or log management system. The attacker identifier is a unique mark or description of the entity that initiated the attack; it may be identity information such as the attacker's IP address, domain name, user name, mailbox address or telephone number, or a feature of the tool, technique or method used by the attacker. The attack target is the system, network resource, data or service that the attacker attempts to compromise or damage, such as a particular server, database, website, application or user account.
The risk level of an alarm can be obtained from a pre-trained alarm grading model or from preset alarm grading rules. For example, an alarm grading model may be trained in advance on information such as alarm source, attacker identifier and attack target, and the generation time, source, attacker identifier, attack target and other information of a piece of alarm data may be input to the model to obtain the corresponding alarm risk level as output. As another example, different risk levels may be assigned to different alarm types, which may include network attack, system failure, application security and other classes.
In a possible embodiment, after the attribute information of the alarm data is obtained, the alarm data may be screened based on it. Specifically, based on the risk level and attack source of each piece of alarm data, the alarm data may be screened according to a preset risk level threshold and/or attack source to obtain screened alarm data.
After the attribute information is obtained, stage matching can be performed on each piece of alarm data based on the attribute information and a predefined attack chain model. The attack chain model is defined in advance according to the different stages of an attack; by way of example, the stages may include an investigation (reconnaissance) stage, an attack attempt stage, an exploit stage, a defense bypass stage, a lateral movement stage, a post-exploit stage, and so on.
The investigation stage is the process in which the attacker collects information about the target system. The attacker may obtain detailed information about the target through active scanning, passive sniffing, social engineering and other means, in preparation for subsequent attacks. In the attack attempt stage, the attacker launches preliminary attack attempts on the target system using the information collected during investigation; these attempts typically include scanning for common vulnerabilities, guessing weak passwords, checking for default configurations, and so on. The exploit stage is the process in which the attacker exploits a security vulnerability in the target system to execute malicious code or commands, obtain higher privileges, or take control of the target. In the defense bypass stage, the attacker attempts to bypass the target's security defense mechanisms, such as firewalls, intrusion detection systems (IDS) and antivirus software, in order to continue the attack. The lateral movement stage is the process in which the attacker expands within the target's internal network, using the access rights and control already obtained to explore and penetrate other devices or systems. The post-exploit stage is the process in which the attacker achieves the final attack objective, choosing, according to purpose and need, an appropriate way to take advantage of the access and control already obtained.
Each attack stage in the attack chain model may comprise the attack behaviors corresponding to it. For example, the main activities of the investigation stage include port scanning, service version detection, operating system identification, domain name and IP address collection, network topology analysis and the like, so the alarm data corresponding to these attack behaviors can be stored as the attack behavior set of the investigation stage. Specifically, information such as the corresponding alarm source and attack target can be stored, and in actual application the attribute information of alarm data can be matched against this information to determine whether the alarm data belongs to the investigation stage.
The main activities of the attack attempt stage include vulnerability scanning, weak password guessing, default configuration checking, privilege testing and the like. Weak password guessing refers to attempts to guess the target system's weak passwords through dictionary attacks, brute-force cracking and the like; default configuration checking refers to checking whether the target system has default accounts, unchanged default passwords, unnecessary services and the like; and privilege testing refers to the attacker's attempts to escalate privileges on the target system, for example through directory traversal or file upload. Accordingly, the alarm data information corresponding to these attack means can be stored against the attack attempt stage, so that alarm data belonging to the attack attempt stage can be detected.
The exploit stage involves activities such as buffer overflow attacks, in which a program that does not sufficiently restrict the length of its input data is sent a large amount of data, causing a buffer overflow and executing malicious code; kernel vulnerability exploitation, in which vulnerabilities in the operating system kernel, such as privilege escalation or arbitrary code execution vulnerabilities, are used to obtain elevated system privileges; and web application vulnerability exploitation, such as SQL injection (injecting malicious code into the database by exploiting the application's improper handling of user input, so as to attack the database), cross-site scripting (XSS), file inclusion vulnerabilities and the like, used to perform malicious operations or obtain sensitive information.
The defense bypass stage includes port hiding, i.e., using custom ports, dynamic ports and other means to evade firewall rules; encrypted communication, i.e., using SSL/TLS encryption to bypass the detection rules of an intrusion detection system (IDS); signature tampering, i.e., modifying the signature or features of malicious code to avoid recognition by antivirus software; and protocol attacks, i.e., exploiting protocol vulnerabilities or design flaws, such as fragmentation attacks and overlapping sliding window attacks, to bypass network defense mechanisms.
The lateral movement stage involves network scanning, i.e., scanning the internal network for live hosts and running services; credential hijacking, i.e., using acquired credentials (such as user names and passwords, tokens, etc.) to access other systems or resources; Remote Desktop Protocol (RDP) abuse, i.e., connecting to other Windows systems over RDP using existing credentials or vulnerabilities; and intranet penetration, i.e., using proxy servers, tunneling techniques and other means to access other systems or the Internet while bypassing intranet restrictions.
The post-exploit stage involves data theft, i.e., stealing sensitive information from the target system; software installation, i.e., installing software on the target system to encrypt critical files; long-term persistence, i.e., implanting a backdoor or malicious program in the target system to maintain long-term control and monitoring; and destructive activity, i.e., tampering with, deleting or destroying the target system's data, causing service interruption or data loss.
In a possible embodiment, the attack behaviors included in an attack stage may be combined in an AND relationship or an OR relationship. An AND relationship means that the attribute information of the alarm data must successfully match all attack behaviors included in the stage before the alarm data is determined to belong to that stage; an OR relationship means that the alarm data can be determined to belong to the stage once its attribute information successfully matches at least one attack behavior included in the stage.
In a possible embodiment, the attack chain model may include a time sequence of attack stages, i.e., each attack stage may carry a time sequence identifier marking the order of that stage in a complete attack chain. As a possible implementation, after each piece of alarm data has been matched against the attack chain model and its attack stage determined, a time sequence identifier may be added to the alarm data to mark its order in the attack chain.
After the attack stage of each piece of alarm data has been determined, the alarm data can be imported into a graph database for relationship association to obtain an alarm data association graph, wherein the alarm data association graph includes a plurality of nodes and edges between the nodes, each node corresponds one-to-one to a piece of alarm data, and each edge represents an association relation between nodes, the association relations including a time relation and an attacker relation.
The edges between nodes can be determined from the attribute information of the corresponding alarm data. Specifically, the associations between alarm data can be determined based on the attribute information; these may include the same attacker, adjacent time periods, the same attack method, the same attack payload and the like, where the same attacker is determined through the attacker identifier, adjacent time periods through the generation time of the alarm data, and the same attack method and the same attack payload through the alarm type.
After the alarm data association graph is obtained, each attack chain can be identified from it. In a possible embodiment, the association graph is traversed to find each node in the predefined first attack stage, where the first attack stage is the stage that comes first in time order in the attack chain, which may be the investigation stage described above. Then, starting from the first attack stage, the alarm data that is connected by edges to the alarm data of the first attack stage and belongs to the subsequent attack stages is extracted along the edges between nodes as the same attack chain. For example, for nodes A, B, C and D, where A belongs to the first attack stage, B and C belong to the second attack stage, D belongs to the third attack stage, and there is an edge between A and B and an edge between B and D, the attack chain A-B-D is obtained.
In a possible embodiment, when nodes are associated to determine an attack chain, whether two pieces of alarm data belong to the same attack chain may be decided by the association strength represented by the edge. As described above, the edge attribute of an edge is determined by the association relation it represents, and two pieces of alarm data may be associated in multiple ways, for example by the same attacker, adjacent time periods, the same attack method, the same attack payload and so on. An association strength threshold may therefore be preset, for example requiring three or more association relations, and only alarm data connected by an edge whose association strength is not lower than the threshold is divided into the same attack chain. For example, alarm data sharing three or more of the same attacker, adjacent time periods, the same attack method and the same attack payload may be considered to belong to the same attack chain.
With this technical scheme, strongly associated alarm data is divided into the same attack chain, which avoids different attack behaviors being divided into the same attack chain and thereby reducing the accuracy of attack analysis or causing attacks to be missed, so the attack detection rate and accuracy are improved.
In a possible embodiment, for the same first-stage alarm data, multiple pieces of alarm data belonging to the same attack stage may be determined; this may be caused by the same attacker making multiple attempts during the attack, and not all of the alarm data generated in the process needs to be analyzed. Therefore, to reduce the amount of data to be analyzed and further improve the efficiency of attack analysis, the method may further include the following step:
aggregating the alarm data of the same attack stage within the same attack link to obtain each target attack chain.
For example, for nodes A, B, C and D, where A belongs to the first attack stage, B and C belong to the second attack stage, D belongs to the third attack stage, and there are edges between A and each of B and C and between each of B and C and D, the attack chain A-(B, C)-D is obtained. In this case, nodes B and C can be aggregated within the attack chain, leaving only one piece of alarm data for the second attack stage. The aggregation may randomly select one piece of alarm data to keep among the alarm data of the same attack stage in the same attack chain, or may filter the attribute information of the alarm data belonging to that stage and keep, for each attribute item, the value that occurs most frequently.
After each attack chain is obtained, it can be analyzed; specifically, each attack chain is analyzed based on a preset analysis rule to determine whether it represents a real attack. The preset analysis rule may include the time sequence characteristics of attack behavior, i.e., the time sequence characteristics of the attack chain may be compared with those of preset attack behaviors to determine whether the attack chain constitutes a real attack. In a possible embodiment, since the number of attack chains obtained through the above technical scheme is small, the attack chains may be sent to a preset client so that relevant personnel can analyze them there to determine whether the attack behavior is real and what response measures to take.
In a possible embodiment, the attack chains may be input into a pre-trained attack behavior analysis model, which may be trained in advance on historical attack chain records and the attack results corresponding to them. The obtained attack chain is input into the model to obtain the attack prediction result it outputs, and a work order can be generated based on the prediction result so that relevant personnel can repair the corresponding vulnerabilities.
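As an added worked example that is not part of the patent, the following Python program implements steps S101 to S105 end to end on constructed sample alarms: screening by risk threshold and whitelist, stage matching against an ordered attack chain model whose stages use AND or OR behavior rules, an association graph whose edge strength is the number of association relations (same attacker, adjacent time period, same attack method, same attack payload), extraction of complete attack chains starting from the first stage, aggregation of same-stage alarms, and a time-order analysis rule. The alarm field names, the behavior sets, the four-stage model, the 600-second adjacency window, the rule that the aggregated representative is the alarm closest to the per-attribute mode, and the analysis rule that generation times must be non-decreasing along the chain are all assumptions made for this example; the patent names the attributes and relations but fixes none of these values.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

# Alarm record; field names are assumptions for this example, not the patent's schema.
@dataclass
class Alarm:
    alarm_id: str
    t: int                 # generation time (epoch seconds)
    attacker: str          # attacker identifier, here a source IP
    source: str            # device that raised the alarm
    method: str            # attack method (alarm type)
    payload: str           # attack payload fingerprint
    risk: int              # risk level, 1 (low) .. 5 (critical)
    behaviours: frozenset  # attack behaviours observed in this alarm
    seq: int = -1          # time-sequence identifier of the matched stage, -1 if none

# Preset attack chain model (assumed): stages in time order, each with a behaviour set
# and an "or" rule (any behaviour matches) or "and" rule (all behaviours must match).
ATTACK_CHAIN_MODEL = [
    ("investigation",  "or",  {"port_scan", "service_version_probe", "os_fingerprint"}),
    ("attack_attempt", "or",  {"vuln_scan", "weak_password_guess", "default_config_check"}),
    ("exploit",        "or",  {"sqli", "xss", "buffer_overflow", "file_inclusion"}),
    ("post_exploit",   "and", {"sensitive_file_read", "outbound_transfer"}),
]

def screen(alarms, min_risk, ignored_sources=(), ignored_attackers=()):
    """Alarm collection: drop alarms below the risk threshold or from whitelisted sources/attackers."""
    return [a for a in alarms if a.risk >= min_risk
            and a.source not in ignored_sources and a.attacker not in ignored_attackers]

def match_stage(alarm):
    """Stage division: the first stage (in time order) whose behaviour rule the alarm satisfies."""
    alarm.seq = -1
    for seq, (_, mode, behaviours) in enumerate(ATTACK_CHAIN_MODEL):
        hit = behaviours & alarm.behaviours
        if (mode == "or" and hit) or (mode == "and" and hit == behaviours):
            alarm.seq = seq
            break
    return alarm

def relations(a, b, window=600):
    """Association relations between two alarms; their number is the edge's association strength."""
    tests = {"same_attacker": a.attacker == b.attacker,
             "adjacent_time": abs(a.t - b.t) <= window,
             "same_method":   a.method == b.method,
             "same_payload":  a.payload == b.payload}
    return {name for name, holds in tests.items() if holds}

def build_graph(alarms, min_strength):
    """Association graph: one node per alarm, an edge only where the strength reaches the threshold."""
    graph = {a.alarm_id: set() for a in alarms}
    for a, b in combinations(alarms, 2):
        if len(relations(a, b)) >= min_strength:
            graph[a.alarm_id].add(b.alarm_id)
            graph[b.alarm_id].add(a.alarm_id)
    return graph

def extract_chains(alarms, graph):
    """From each first-stage node, follow edges stage by stage; keep only chains reaching the last stage."""
    by_id = {a.alarm_id: a for a in alarms}
    chains = []
    for start in (a for a in alarms if a.seq == 0):
        stages = [{start.alarm_id}]  # stages[k] = ids of the alarms reached for stage k
        for seq in range(1, len(ATTACK_CHAIN_MODEL)):
            nxt = {n for cur in stages[-1] for n in graph[cur] if by_id[n].seq == seq}
            if not nxt:
                break
            stages.append(nxt)
        else:  # every stage was reached: a complete attack link
            chains.append([[by_id[i] for i in sorted(s)] for s in stages])
    return chains

def aggregate(stage_alarms):
    """Keep one alarm per stage: the one closest to the per-attribute mode, earliest on ties."""
    fields = ("attacker", "source", "method", "payload")
    mode = {f: Counter(getattr(a, f) for a in stage_alarms).most_common(1)[0][0] for f in fields}
    return min(stage_alarms, key=lambda a: (-sum(getattr(a, f) == mode[f] for f in fields), a.t, a.alarm_id))

def is_real_attack(chain):
    """Preset analysis rule (assumed): generation times must follow the stage time sequence."""
    return all(x.t <= y.t for x, y in zip(chain, chain[1:]))

def analyse(raw, min_risk=2, min_strength=2):
    """S101-S105 end to end: (target attack chain, real-attack verdict) per complete chain."""
    alarms = [a for a in map(match_stage, screen(raw, min_risk)) if a.seq >= 0]
    chains = extract_chains(alarms, build_graph(alarms, min_strength))
    targets = [[aggregate(stage) for stage in chain] for chain in chains]
    return [(t, is_real_attack(t)) for t in targets]

# Constructed sample alarms (not real data): one attacker walks all four stages with a
# repeated password-guessing attempt (B1, B2); a second attacker (N1) only scans.
T0 = 1_700_000_000
SAMPLE_ALARMS = [
    Alarm("A1", T0,        "203.0.113.7",  "ids-1", "scan",  "syn",    2, frozenset({"port_scan"})),
    Alarm("B1", T0 + 120,  "203.0.113.7",  "waf-1", "hydra", "list-1", 3, frozenset({"weak_password_guess"})),
    Alarm("B2", T0 + 130,  "203.0.113.7",  "waf-1", "hydra", "list-1", 3, frozenset({"weak_password_guess"})),
    Alarm("C1", T0 + 400,  "203.0.113.7",  "waf-1", "sqli",  "union",  4, frozenset({"sqli"})),
    Alarm("D1", T0 + 500,  "203.0.113.7",  "edr-1", "exfil", "tgz",    5, frozenset({"sensitive_file_read", "outbound_transfer"})),
    Alarm("N1", T0 + 5000, "198.51.100.9", "ids-1", "scan",  "udp",    2, frozenset({"port_scan"})),
]
```

Running `analyse(SAMPLE_ALARMS)` yields one target attack chain, A1-B1-C1-D1, judged a real attack, with the duplicate password-guessing alarm B2 aggregated away and the lone scan N1 discarded because no complete chain grows from it. The strength threshold defaults to two here rather than the three the text gives as an example: with the four relations named in the text, alarms in different stages rarely share a method or a payload, so a threshold of three leaves only the same-stage edge B1-B2 and no complete chain, and `analyse(SAMPLE_ALARMS, min_strength=3)` returns an empty list. That is the behavior to check when tuning the threshold against real alarm feeds.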
Fig. 2 is a schematic flow chart of a network attack alarm association analysis method based on an attack chain according to an embodiment of the present invention; the method may include the following steps:
Alarm collection. In this step the existing alarm data are classified and graded: each alarm can be marked with its importance level, source, attacker information and so on; an importance threshold and a whitelist of sources and attackers can be set; and each alarm is filtered so that only alarms whose importance level exceeds the threshold and whose source and attacker identifier are not on the whitelist are kept, reducing the amount of data for subsequent analysis.
Stage division. In this step each alarm is assigned to a stage according to the predefined attack chain model. The model is partitioned by pre-defined attack stages, which may include a reconnaissance phase, an attack attempt phase, an exploitation phase, a defense evasion phase, a lateral movement phase, a post-exploitation phase and the like. Each attack stage of the model contains a set of alarm types that identify that stage; the alarms collected in the previous step are matched against the alarm set of each stage, and the identifier of the matching stage is added to each alarm.
Association matching. The alarms that have been assigned to stages are imported into a graph database and related to one another. The association types between alarms must be defined, for example same attacker, adjacent time period, same attack method, same attack payload and the like, and the different alarms are linked in a chained fashion.
Chain attack behavior extraction and identification. Using graph traversal in the graph database and taking each first-stage alarm as a starting point, the alarms belonging to the same chain are extracted from the whole graph; alarms that are strongly associated are treated as alarms of the same attack chain.
Analysis and response. The extracted alarm chains are analyzed to judge whether they represent real attack behavior, and corresponding response measures are taken in time according to the attack behavior.
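The five steps above (screening, stage division, association in a graph, chain extraction and analysis), together with the same-stage aggregation and the time-sequence analysis rule described earlier, as an added Python example. This is not the patent's code and does not claim to be its implementation: the stage names follow the page, but the alarm signatures, risk threshold, whitelists, the 30-minute adjacency window, the two-hour span rule and the sample alarms are all constructed assumptions, and the graph is an in-memory adjacency list rather than a graph database.

```python
"""Attack-chain alarm correlation: screen -> stage match -> graph -> chain extraction ->
same-stage aggregation -> time-sequence rule. Constructed example, not the patent's code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Preset attack chain model (assumption): ordered stages, each identified by a set of
# alarm signatures. Stage names follow the page; the signature strings are constructed.
ATTACK_CHAIN_MODEL = [
    ("reconnaissance", {"port_scan", "web_dir_enum"}),
    ("attack_attempt", {"sql_injection_attempt", "brute_force"}),
    ("exploit", {"webshell_upload", "rce"}),
]
RISK_THRESHOLD = 3                    # keep alarms with risk >= this (assumed scale 1-5)
SOURCE_WHITELIST = {"vuln_scanner"}   # trusted sources whose alarms are dropped
ATTACKER_WHITELIST = {"10.0.0.5"}     # trusted attacker identifiers
WINDOW = timedelta(minutes=30)        # "adjacent time period" for an edge (assumption)
MAX_SPAN = timedelta(hours=2)         # time-sequence rule: whole chain must fit in this

# Constructed sample alarms (not real data): a6 is a whitelisted attacker, a7 is low-risk,
# a5 is an isolated scan by another attacker, a2/a3 are repeated attempts in one stage.
ALARMS = [
    {"id": "a1", "time": "2024-05-01T10:00:00", "attacker": "203.0.113.7", "sig": "port_scan", "risk": 3, "source": "ids"},
    {"id": "a2", "time": "2024-05-01T10:05:00", "attacker": "203.0.113.7", "sig": "sql_injection_attempt", "risk": 4, "source": "waf"},
    {"id": "a3", "time": "2024-05-01T10:06:00", "attacker": "203.0.113.7", "sig": "sql_injection_attempt", "risk": 4, "source": "waf"},
    {"id": "a4", "time": "2024-05-01T10:20:00", "attacker": "203.0.113.7", "sig": "webshell_upload", "risk": 5, "source": "edr"},
    {"id": "a5", "time": "2024-05-01T11:00:00", "attacker": "198.51.100.2", "sig": "port_scan", "risk": 3, "source": "ids"},
    {"id": "a6", "time": "2024-05-01T10:02:00", "attacker": "10.0.0.5", "sig": "port_scan", "risk": 5, "source": "ids"},
    {"id": "a7", "time": "2024-05-01T10:03:00", "attacker": "203.0.113.7", "sig": "rce", "risk": 1, "source": "ids"},
]

def parse_all(raw):
    """Convert ISO timestamps to datetime so time differences can be computed."""
    return [{**a, "time": datetime.fromisoformat(a["time"])} for a in raw]

def screen(alarms):
    """Step 1: drop low-risk alarms and alarms from whitelisted sources or attackers."""
    return [a for a in alarms
            if a["risk"] >= RISK_THRESHOLD
            and a["source"] not in SOURCE_WHITELIST
            and a["attacker"] not in ATTACKER_WHITELIST]

def stage_match(alarms):
    """Step 2: tag each alarm with the index of the first stage whose signature set
    contains it; alarms matching no stage are discarded."""
    tagged = []
    for a in alarms:
        for idx, (_name, sigs) in enumerate(ATTACK_CHAIN_MODEL):
            if a["sig"] in sigs:
                tagged.append({**a, "stage": idx})
                break
    return tagged

def build_graph(alarms):
    """Step 3: directed edge u -> v when both alarms share an attacker and v occurs no
    earlier than u and within WINDOW. The edge attribute names the relations behind it."""
    edges = defaultdict(list)
    for u in alarms:
        for v in alarms:
            if u is v or u["attacker"] != v["attacker"]:
                continue
            if timedelta(0) <= v["time"] - u["time"] <= WINDOW:
                edges[u["id"]].append((v["id"], {"same_attacker", "adjacent_time"}))
    return edges

def extract_chains(alarms, edges):
    """Step 4: from each first-stage alarm, expand stage by stage along edges; keep a chain
    only if every stage of the model is reached. A chain is a list of per-stage node
    groups, e.g. [[A], [B, C], [D]] for the A-(B, C)-D example on the page."""
    by_id = {a["id"]: a for a in alarms}
    chains = []
    for start in (a for a in alarms if a["stage"] == 0):
        chain, frontier = [[start["id"]]], [start["id"]]
        for stage in range(1, len(ATTACK_CHAIN_MODEL)):
            frontier = sorted({v for u in frontier for v, _attrs in edges.get(u, ())
                               if by_id[v]["stage"] == stage})
            if not frontier:
                break
            chain.append(frontier)
        if len(chain) == len(ATTACK_CHAIN_MODEL):
            chains.append(chain)
    return chains

def aggregate(chain, by_id):
    """Step 5: collapse each stage group to one record, keeping the most frequent value of
    each attribute (the page's second aggregation option), the earliest time, highest risk."""
    target = []
    for group in chain:
        members = [by_id[i] for i in group]
        rep = {"ids": group, "count": len(members)}
        for key in ("attacker", "sig", "source", "stage"):
            rep[key] = Counter(m[key] for m in members).most_common(1)[0][0]
        rep["time"] = min(m["time"] for m in members)
        rep["risk"] = max(m["risk"] for m in members)
        target.append(rep)
    return target

def time_sequence_rule(target_chain, max_span=MAX_SPAN):
    """Step 6 (assumed analysis rule): stage times must be non-decreasing and the whole
    chain must fit within max_span; otherwise it is not treated as a real attack."""
    times = [s["time"] for s in target_chain]
    ordered = all(t1 <= t2 for t1, t2 in zip(times, times[1:]))
    return ordered and (times[-1] - times[0]) <= max_span

def analyze(raw_alarms):
    """Run the whole pipeline; return (target_chain, is_real_attack) pairs."""
    alarms = stage_match(screen(parse_all(raw_alarms)))
    by_id = {a["id"]: a for a in alarms}
    edges = build_graph(alarms)
    return [(tc, time_sequence_rule(tc))
            for tc in (aggregate(c, by_id) for c in extract_chains(alarms, edges))]
```

On the sample data `analyze(ALARMS)` yields a single chain port_scan -> sql_injection_attempt (x2, aggregated) -> webshell_upload, judged real because its stages are time-ordered within the span limit; the isolated scan a5 never reaches the second stage and is discarded, which is the data reduction the page describes.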
By applying the embodiment of the invention, the full set of security alarms is classified and graded on the basis of the attack chain model, and strongly correlated alarms are path-tracked to extract hidden attack behavior. This overcomes the limitations of isolated, time-bound single alarms and of the diversity of an attacker's techniques, improves alarm analysis efficiency and the detection rate of real attack behavior, and reduces the cost of manually analyzing large volumes of alarms.
Based on the same inventive concept, the embodiment of the present invention further provides a network attack analysis device based on an attack chain, as shown in fig. 3, the device 300 may include:
The acquiring module 301 is configured to acquire attribute information of each alarm data, where the attribute information includes generation time of the alarm data and an attacker identifier;
The matching module 302 is configured to perform phase matching on each alarm data on the basis of a preset attack chain model and the attribute information of each alarm data, so as to obtain the attack phase corresponding to each alarm data, where the preset attack chain model is preset based on a time sequence of attack phases, and different attack phases include a plurality of attack behaviors;
The association module 303 is configured to associate each alarm data based on attack stage information corresponding to each alarm data, to obtain an alarm data association graph, where the alarm data association graph includes a plurality of nodes and edges between the nodes, each node corresponds to each alarm data one by one, and each edge is used to represent an association relationship between the nodes, where the association relationship includes a time relationship and an attacker relationship;
The extraction module 304 is configured to traverse the alarm data association graph, and extract a plurality of attack links based on edges between nodes from alarm data in a first attack stage, where each attack link includes alarm data in a complete time sequence attack stage;
The analysis module 305 is configured to analyze each of the attack links based on a preset analysis rule, so as to determine whether the attack link is a real attack behavior.
In a possible embodiment, the attribute information further includes an alarm risk level and an attack source, and the apparatus further includes:
The screening module is used for screening the alarm data according to a preset risk level threshold and/or attack sources based on the risk level and attack sources of the alarm data to obtain screened alarm data;
the step of performing phase matching on each alarm data based on the attribute information of each alarm data based on a preset attack chain model to obtain an attack phase corresponding to each alarm data comprises the following steps:
and carrying out phase matching on the alarm data based on the attribute information of the screened alarm data based on a preset attack chain model to obtain attack phases corresponding to the alarm data.
In a possible embodiment, the associating the alarm data based on the attack stage information corresponding to the alarm data to obtain an alarm data association diagram includes:
Based on the attribute information of each alarm data, determining the associated alarm data of the same attack source, the adjacent time period, the same attack method or the same attack load;
and adding edges between nodes corresponding to the associated alarm data, and adding edge attributes for the edges according to the association relation represented by the edges.
In one possible embodiment, the apparatus further comprises:
The aggregation module is used for determining the alarm data belonging to the same attack stage in the same attack link aiming at each attack link, and aggregating the alarm data of the same attack stage in the same attack link to obtain each target attack link.
The collection, storage, use, processing, transmission, provision, disclosure and other handling of users' personal information involved in the invention comply with the relevant laws and regulations and do not violate public order and good morals.
The exemplary embodiment of the invention also provides an electronic device comprising at least one processor and a memory communicatively coupled to the at least one processor. The memory stores a computer program executable by the at least one processor for causing the electronic device to perform a method according to an embodiment of the invention when executed by the at least one processor.
The exemplary embodiments of the present invention also provide a non-transitory computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor of a computer, is for causing the computer to perform a method according to an embodiment of the present invention.
The exemplary embodiments of the invention also provide a computer program product comprising a computer program, wherein the computer program, when being executed by a processor of a computer, is for causing the computer to perform a method according to an embodiment of the invention.
Referring to fig. 4, a block diagram of an electronic device 400 that may be a server or a client of the present invention will now be described, which is an example of a hardware device that may be applied to aspects of the present invention. Electronic devices are intended to represent various forms of digital electronic computer devices, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 400 includes a computing unit 401 that can perform various suitable actions and processes according to a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data required for the operation of the electronic device 400 may also be stored. The computing unit 401, ROM 402, and RAM 403 are connected to each other by a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
Various components in the electronic device 400 are connected to the I/O interface 405, including an input unit 406, an output unit 407, a storage unit 408, and a communication unit 409. The input unit 406 may be any type of device capable of inputting information to the electronic device 400; it may receive input numeric or character information and generate key signal inputs related to user settings and/or function controls of the electronic device. The output unit 407 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, video/audio output terminals, vibrators, and/or printers. The storage unit 408 may include, but is not limited to, magnetic disks and optical disks. The communication unit 409 allows the electronic device 400 to exchange information/data with other devices via a computer network, such as the Internet, and/or various telecommunications networks, and may include, but is not limited to, modems, network cards, infrared communication devices, wireless communication transceivers and/or chipsets, such as Bluetooth(TM) devices, Wi-Fi devices, WiMAX devices, cellular communication devices, and/or the like.
The computing unit 401 may be a variety of general purpose and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 401 performs the respective methods and processes described above. For example, in some embodiments, any of the above described attack chain-based network attack analysis methods may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 400 via the ROM 402 and/or the communication unit 409. In some embodiments, the computing unit 401 may be configured by any other suitable means (e.g., by means of firmware) to perform any of the attack chain-based network attack analysis methods described above.
Program code for carrying out methods of the present invention may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic discs, optical disks, memory, programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a Local Area Network (LAN), a Wide Area Network (WAN), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.