WO2024234861A1 - Threat event sourcing method and related device - Google Patents
Threat event sourcing method and related device
- Publication number: WO2024234861A1 (application PCT/CN2024/086045)
- Authority
- WO
- WIPO (PCT)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection (under H04L63/1408, detecting malicious traffic by monitoring network traffic)
- H04L61/2514—Translation of Internet protocol [IP] addresses between local and global IP addresses (under H04L61/25, mapping addresses of the same type)
- H04L63/1425—Traffic logging, e.g. anomaly detection (under H04L63/1408)
- H04L9/40—Network security protocols (under H04L9/00, cryptographic mechanisms or cryptographic arrangements for secret or secure communications)
Definitions
- the present application relates to the field of network security, and in particular to a threat event tracing method and related equipment.
- the security big data analysis platform is centered on information security incidents. It collects, monitors and analyzes network traffic, security equipment logs, threat information and other data information in real time to achieve network risk identification, threat discovery, real-time warning of security incidents and visual display. When a security threat is detected or a notification or warning of a related network security incident is received, the system can quickly report the threat source and conduct closed-loop disposal to avoid major impacts and losses.
- IP: Internet protocol
- NAT: network address translation
- the current tracing solution for NAT scenarios is to perform final tracing by analyzing the logs of network devices that perform NAT in the network (such as NAT conversion logs of firewalls and routers).
- Customers collect NAT conversion logs by deploying log servers.
- the content of NAT conversion logs includes time, source IP, source port, source IP after NAT, source port after NAT, and other information.
- the log server queries the NAT conversion log for tracing analysis based on the time point and IP address of the reported threat event.
- Accurate source tracing based on NAT conversion logs requires complete NAT logs, and requires that the clocks of network devices at all levels that perform NAT conversion be unified, and that the time for security big data analysis of threat events is not delayed. Since multiple levels of NAT may be performed in the existing network environment, ranging from home routers to gateway devices, it is difficult to unify the NAT conversion log format, and some home routers may not be able to store and send NAT conversion logs.
- Threat event source tracing requires combining the logs of each session access to trace the source to the IP address before the conversion. If the log records are incomplete or the time cannot be unified, it is difficult to trace the source to the specific user.
- the embodiment of the present application provides a threat event tracing method and related equipment.
- the embodiment of the present application can realize the tracing of threat events, and the tracing can be carried out to a specific user.
- an embodiment of the present application provides a threat event tracing method.
- the method is applied to a data analysis device.
- the data analysis device obtains the tracing data of a business message, and the business message is a message generated when a software defined perimeter (SDP) client accesses an application server.
- the tracing data of the business message includes the device identifier of the SDP client.
- the data analysis device generates a threat event carrying the device identifier of the SDP client according to the tracing data of the business message when there is a security risk in the business message.
- the data analysis device obtains a user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller according to the device identifier of the SDP client, and the user identifier is used to indicate the user corresponding to the threat event.
- the user information table includes the correspondence between the device identifier of the SDP client and the user identifier.
- the data analysis device can obtain the user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller based on the device identifier of the SDP client.
- the user identifier indicates the user corresponding to the threat event.
- the generation of the threat event is related to the user indicated by the user identifier, thereby realizing the tracing of the threat event to a specific user, thereby improving the accuracy of tracing.
- the traceability data of the service message is metadata of the service message
- the metadata of the service message is generated by the network device based on the service message
- the data analysis device analyzes the metadata of the service message according to the first security detection rule to determine whether the service message has a first security risk.
- the security risk includes the first security risk.
- the first security risk is a risk analyzed by the data analysis device based on metadata of the business message, such as a zero-day threat or other security risk.
- the data analysis device may be able to discover some new risks that cannot be identified by existing rules based on message features.
- the traceability data of the service message is threat log data
- the threat log data is generated by the network device when it is determined that the service message has a second security risk.
- the security risk includes the second security risk.
- the second security risk is the security risk detected by network devices such as firewalls and security gateways through intrusion prevention systems (IPS), deep packet inspection (DPI), file scanning, etc., for example, business messages carrying virus files or other security risks.
- the data analysis device obtains the user identifier corresponding to the device identifier of the SDP client in the following manner:
- the data analysis device sends a query request to the SDP controller, which carries the device identifier of the SDP client.
- the query request is used by the SDP controller to query the user information table to obtain the first user identifier corresponding to the device identifier of the SDP client; the data analysis device receives a response message fed back by the SDP controller in response to the query request, which carries the first user identifier corresponding to the device identifier of the SDP client.
- the user information table also includes a correspondence between the first user identifier and the authentication timestamp, the authentication timestamp being the moment when the user indicated by the first user identifier passes the authentication.
- the response message includes multiple first user identifiers
- the response message also includes authentication timestamps corresponding to the multiple first user identifiers respectively.
- the data analysis device also obtains the second user identifier from the multiple first user identifiers based on the sending time period of the business message and the authentication timestamps corresponding to the multiple first user identifiers respectively.
- the second user identifier is the first user identifier whose authentication timestamp belongs to the sending period among the multiple first user identifiers; the sending period is determined according to the moment when the data analysis device receives the traceability data.
- the data analysis device can select the second user identifier from multiple first user identifiers, narrowing the traceability scope and thus improving the accuracy of the traceability result.
- an embodiment of the present application provides another threat event tracing method.
- the method is applied to a network device.
- the network device receives a business message, which is a message generated when an SDP client accesses an application server, and the business message carries a device identifier of the SDP client.
- the network device performs a security check on the business message according to a second security rule to determine whether the business message has a second security risk. If it is determined that the business message has a second security risk, the network device generates threat log data carrying the device identifier of the SDP client.
- the network device sends the threat log data to a data analysis device.
- the network device sends threat log data to the data analysis device, so that the data analysis device can determine that the service message sent by the SDP client has the second security risk based on the threat log data and generate a threat event including the device identification of the SDP client, and the data analysis device can determine the user information corresponding to the threat event based on the device identification of the SDP client in the threat log data, thereby tracing the threat event.
- the data analysis device does not need to perform security detection on the service message to determine whether the service message has the second security risk, which reduces the workload of the data analysis device.
- the network device is an SDP proxy gateway or a probe device.
- the service message is a transmission control protocol (TCP) message or a tunnel message.
- TCP: transmission control protocol
- an embodiment of the present application provides a data analysis device, which includes an acquisition unit, a generation unit, and a transceiver unit.
- An acquisition unit used to acquire the traceability data of a service message, where the service message is a message generated when the SDP client accesses the application server, and the traceability data of the service message includes a device identifier of the SDP client;
- a generating unit used for generating a threat event carrying a device identifier of an SDP client according to the traceability data of the service message when there is a security risk in the service message;
- the transceiver unit is used to obtain a first user identifier corresponding to the device identifier of the SDP client from a user information table of the SDP controller according to the device identifier of the SDP client, wherein the first user identifier is used to indicate a user corresponding to the threat event, and the user information table includes a correspondence between the device identifier of the SDP client and the first user identifier.
- the security risk includes a first security risk
- the traceability data of the business message is metadata of the business message
- the metadata of the business message is generated by the probe device based on the business message
- the data analysis device further includes:
- the analyzing unit is used to analyze the metadata of the service message according to the first security detection rule to determine whether the service message has a first security risk.
- the security risk includes a second security risk
- the traceability data of the business message is threat log data, which is generated by the network device when it is determined that the business message has a second security risk.
- the transceiver unit is specifically configured to:
- the query request carries the device identifier of the SDP client.
- the query request is used to query the SDP controller.
- a user information table is used to obtain a first user identifier corresponding to the device identifier of the SDP client; and a response message in response to the query request fed back by the SDP controller is received, where the response message carries the first user identifier corresponding to the device identifier of the SDP client.
- the user information table further includes a correspondence between the first user identifier and the authentication timestamp, the authentication timestamp is the moment when the user indicated by the first user identifier passes the authentication, and when the response message includes multiple first user identifiers, the response message further includes the authentication timestamps corresponding to the multiple first user identifiers respectively, and the acquisition unit is further used to:
- a second user identifier is obtained from multiple first user identifiers according to the sending time period of the business message and the authentication timestamps corresponding to the multiple first user identifiers; wherein the second user identifier is the first user identifier among the multiple first user identifiers whose authentication timestamp belongs to the sending time period; the sending time period is determined according to the moment when the data analysis device receives the traceability data of the business message.
- an embodiment of the present application provides a network device, including a transceiver unit, a detection unit and a generation unit.
- the transceiver unit is used to receive a service message.
- the service message is a message generated when the SDP client accesses the application server.
- the service message carries the device identifier of the SDP client.
- a detection unit configured to perform a security detection on the service message according to the second security rule to determine whether the service message has a second security risk
- a generating unit configured to generate threat log data carrying a device identifier of the SDP client if it is determined that the service message has a second security risk
- the transceiver unit is also used to send threat log data to the data analysis device.
- the network device is an SDP proxy gateway or a probe device.
- the service message is a TCP message or a tunnel message.
- an embodiment of the present application provides a data analysis device, including a processor and a memory.
- the memory is used to store program code.
- the processor is used to call the program code stored in the memory to execute the method provided in the first aspect or any possible implementation of the first aspect.
- an embodiment of the present application provides a network device, including a processor and a memory.
- the memory is used to store program code.
- the processor is used to call the program code stored in the memory to execute the method provided in the second aspect or any possible implementation of the second aspect.
- an embodiment of the present application provides a computer storage medium, including computer instructions.
- when the computer instructions are executed on an electronic device, the electronic device executes a method provided in any possible implementation of the first aspect, or a method provided in any possible implementation of the second aspect.
- an embodiment of the present application provides a computer program product.
- when the computer program product runs on a computer, it enables the computer to execute a method provided in any possible implementation of the first aspect, or a method provided in any possible implementation of the second aspect.
- an embodiment of the present application provides a threat event tracing system, including a data analysis device, a network device, an SDP client, and an SDP controller;
- the data analysis device is used to execute the method according to any one of the first aspects
- the network device is used to execute the method as described in any one of the second aspects
- the SDP controller is used to receive a query request sent by a data analysis device, the query request carries the device identifier of the SDP client; query a user information table according to the device identifier of the SDP client to obtain a first user identifier corresponding to the device identifier of the SDP client; send a response message in response to the query request to the data analysis device, the response message carries the first user identifier corresponding to the device identifier of the SDP client; the user information table includes a correspondence between the device identifier of the SDP client and the first user identifier.
- the SDP controller determines the user ID corresponding to the device ID of the SDP client based on the device ID of the SDP client, thereby tracing the threat event to a specific user, thereby improving the accuracy of tracing.
- the user information table further includes a correspondence between the first user identifier and the authentication timestamp, where the authentication timestamp is the time when the user indicated by the first user identifier passes the authentication; and the SDP controller is further used to:
- the user information table is queried according to the multiple first user identifiers to obtain the authentication timestamps respectively corresponding to the multiple first user identifiers; the response message also includes the authentication timestamps respectively corresponding to the multiple first user identifiers.
- the data analysis device can select the second user identifier from the multiple first user identifiers based on the authentication timestamp corresponding to the first user identifier when obtaining multiple first user identifiers, thereby narrowing the traceability scope and improving the accuracy of the traceability results.
- the data analysis device described in the third aspect or the fifth aspect provided above is used to execute any of the methods provided in the first aspect
- the SDP proxy gateway described in the fourth aspect or the sixth aspect is used to execute any of the methods provided in the second aspect
- the computer storage medium described in the fourth aspect and the computer program product described in the fifth aspect are both used to implement any of the methods provided in the first aspect or any of the methods provided in the second aspect. Therefore, the beneficial effects that can be achieved can refer to the beneficial effects in the corresponding methods, which will not be repeated here.
- FIG. 1 is a schematic diagram of a system architecture provided in an embodiment of the present application.
- FIG. 2 is a schematic flow chart of a threat event tracing method provided in an embodiment of the present application.
- FIG. 3 is a flow chart of another threat event tracing method provided in an embodiment of the present application.
- FIG. 3a is a schematic diagram of the structure of a first TCP message.
- FIG. 4 is a schematic diagram of an interactive process of a threat event tracing method provided in an embodiment of the present application.
- FIG. 5 is a schematic diagram of an interactive process of another threat event tracing method provided in an embodiment of the present application.
- FIG. 6 is a schematic diagram of the structure of a data analysis device provided in an embodiment of the present application.
- FIG. 7 is a schematic diagram of the structure of a network device provided in an embodiment of the present application.
- FIG. 8 is a schematic diagram of the structure of another data analysis device provided in an embodiment of the present application.
- FIG. 9 is a schematic diagram of the structure of another network device provided in an embodiment of the present application.
- Multiple means two or more.
- "And/or" describes the association relationship of the associated objects, indicating that there are three relationships. For example, A and/or B means: A exists alone, A and B exist at the same time, or B exists alone. The character "/" generally indicates that the associated objects are in an "or" relationship.
- FIG. 1 is a schematic diagram of a system architecture provided by an embodiment of the present application.
- the system includes an SDP client 101, an SDP controller 102, an SDP proxy gateway 103, a probe device 104, a data analysis device 105 and an application server 106.
- the SDP client 101 is used to implement functions such as access authentication, environment perception and data security isolation.
- the SDP client 101 is a terminal device, such as a desktop computer, a laptop computer, a tablet computer, a smart phone, etc., or a software client installed on the terminal device.
- the SDP client 101 sends an authentication request to the SDP controller 102, wherein the authentication request includes but is not limited to the device identification of the SDP client and the source IP of the SDP client.
- the SDP controller 102 is an SDP authentication server, which is used to authenticate the SDP client 101, control the access of the SDP client 101, and send trusted asset information to the SDP proxy gateway 103. After the authentication is passed, the SDP controller 102 generates trusted asset information, wherein the trusted asset information includes but is not limited to the source IP of the SDP client 101, the device identification of the SDP client 101, and the list of accessible ports.
- the SDP proxy gateway 103 performs access authentication for device access to the network and proxy access to business applications based on the trusted asset information sent by the SDP controller 102.
- the SDP proxy gateway 103 includes a switch, a router, a firewall, or an access point (AP) device.
- the SDP proxy gateway 103 can also perform security detection on the business message sent by the SDP client 101; when the SDP proxy gateway 103 determines that there is a security risk in the business message, it generates threat log data and sends the threat log data to the data analysis device 105.
- the probe device 104 is a network traffic collection device that collects and processes the traffic that needs to be detected for security threats, and sends the processed data to the data analysis device 105 for security detection.
- the data analysis device 105 is a security threat analysis and detection platform, which performs security detection on the data processed by the probe device 104, generates threat events when there are security risks, or generates threat events based on the threat log data sent by the SDP proxy gateway 103, and obtains the user ID from the SDP controller 102 to trace the threat event.
- the data analysis device 105 displays the threat event and the user ID.
- the application server 106 is a device that provides application services.
- the application server 106 is a server, a server cluster, a cloud server, a cloud computing service center, or other forms of devices with computing capabilities.
- the SDP client 101 sends an SDP authentication message to the SDP controller 102, and the authentication message is used for the identity authentication of the SDP client 101.
- the SDP controller 102 performs identity authentication on the SDP client 101. After the authentication is passed, the SDP controller 102 generates a user information table, and the user information table includes the correspondence between the device identifier and the user identifier of the SDP client 101.
- the user here refers to the user who uses the SDP client 101 to access the application.
- the SDP client 101 sends a service message to the SDP proxy gateway 103.
- the service message is a TCP message or a tunnel message.
- the service message carries the device identifier of the SDP client 101.
- the SDP proxy gateway 103 can forward the service message to the application server 106 through the routing device.
- the routing device can mirror the service message to the probe device 104.
- the probe device 104 analyzes the obtained service message, generates metadata of the service message carrying the device identifier of the SDP client 101, and transmits the metadata of the service message to the data analysis device 105.
- the metadata of the service message includes but is not limited to the source IP, destination IP, source port, destination port, protocol, SDP, etc. of the service message.
- the data analysis device 105 analyzes the metadata of the business message according to the first security detection rule to determine whether the business message has a first security risk.
- the data analysis device 105 obtains the device identifier of the SDP client 101 from the metadata, and generates a threat event carrying the device identifier of the SDP client 101; the data analysis device 105 obtains the user identifier corresponding to the device identifier of the SDP client 101 from the user information table of the SDP controller 102 according to the device identifier of the SDP client 101, and the user identifier is used to indicate the user corresponding to the threat event.
- the network device detects the service message according to the second security detection rule to determine whether the service message has a second security risk. If the service message has a second security risk, the network device generates threat log data carrying the device identifier of the SDP client 101. The network device sends the threat log data to the data analysis device 105. The data analysis device 105 generates a threat event carrying the device identifier of the SDP client 101 according to the threat log data.
- the data analysis device 105 obtains the user identifier corresponding to the device identifier of the SDP client 101 from the user information table of the SDP controller 102 according to the device identifier of the SDP client 101, and the user identifier is used to indicate the user corresponding to the threat event.
- the network device is an SDP proxy gateway 103 or a probe device 104. It should be understood that the security detection capabilities of the SDP proxy gateway 103 and the probe device 104 are the same, and the operation of detecting the service message according to the second security detection rule is performed by one of the SDP proxy gateway 103 and the probe device 104, and does not need to be performed by both the SDP proxy gateway 103 and the probe device 104.
- the SDP client carries the device identification of the SDP client in the sent business message, so that when the data analysis device determines that the business message has a security risk, it can trace the source based on the device identification of the SDP client, thereby tracing the threat event, and tracing the source to a specific user, improving the accuracy of tracing the source, and solving the problem that security risks cannot be traced in NAT scenarios.
- the solution of the embodiment of the present application is a combination of a zero-trust solution and a data analysis device solution, which can solve customer pain points without increasing customer budget costs, so as to enhance the competitiveness of the solution and increase the stickiness of the solution.
- FIG. 2 is a flow chart of a threat event tracing method provided in an embodiment of the present application.
- the method is applied to the data analysis device 105 in FIG. 1. As shown in FIG. 2, the method includes:
- the data analysis device obtains the traceability data of the business message.
- the business message is a message generated when the SDP client accesses the application server.
- the traceability data of the business message includes the device identifier of the SDP client.
- the traceability data of the business message is metadata or threat log data of the business message.
- the metadata of the business message is generated by the probe device based on the business message.
- the threat log data is generated by the network device when it determines that the business message has a security risk.
- the network device is an SDP proxy gateway or a probe device.
- the SDP proxy gateway after receiving the service message sent by the SDP client, forwards the service message to the application server through the routing device; the routing device mirrors the passing service message to the probe device.
- the probe device analyzes the service message to obtain the device identifier of the SDP client and the source IP, destination IP, source port, destination port and protocol of the service message; the probe device generates metadata of the service message from these fields, so the metadata of the service message includes the device identifier of the SDP client and the source IP, destination IP, source port, destination port and protocol of the service message.
- the SDP proxy gateway after receiving the message sent by the SDP client, performs a security check on the service message according to the second security detection rule. If the service message has the second security risk, the SDP proxy gateway generates threat log data carrying the device identifier of the SDP client. If the service message does not have the second security risk, the SDP proxy gateway does not generate threat log data.
- the second security detection rule is implemented based on an IPS detection algorithm, a DPI detection algorithm, or an anti-virus (AV) detection algorithm.
- the second security detection rule can also be implemented by other algorithms, which are not limited here.
- the second security risk is a security risk detected by network devices such as firewalls and security gateways through IPS, DPI, file scanning, etc., for example, a business message carries a virus file or other security risk.
- the data analysis device analyzes the metadata of the business message according to the first security detection rule to determine whether the business message has a first security risk.
- the data analysis device analyzes the traffic data received by the data analysis device according to the first security detection rule to determine whether the business message has a first security risk.
- the traffic data received by the data analysis device includes the metadata of the business message.
- the first security risk is a risk analyzed by the data analysis device based on metadata of the business message, such as a zero-day threat or other security risk.
- the data analysis device may be able to discover some new risks that cannot be identified by existing rules based on message features.
- if the data analysis device receives the threat log data, the data analysis device determines that there is a security risk in the business message and generates a threat event carrying the device identifier of the SDP client; if no threat log data is received, the data analysis device determines that there is no security risk in the business message.
- the data analysis device obtains a first user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller according to the device identifier of the SDP client.
- the first user identifier indicates a user corresponding to the threat event.
- the user information table includes a correspondence between the device identifier of the SDP client and the first user identifier.
- a data analysis device sends a query request to an SDP controller, the query request carries a device identifier of an SDP client, and the query request is used to instruct the SDP controller to query a user information table to obtain a first user identifier corresponding to the device identifier of the SDP client.
- the SDP controller queries the user information table based on the device identifier of the SDP client to obtain a first user identifier corresponding to the device identifier of the SDP client, and the first user identifier indicates a user corresponding to a threat event.
- the SDP controller sends a response message for responding to the query request to the data analysis device, the response message carries the first user identifier corresponding to the device identifier of the SDP client.
- the data analysis device displays the first user identifier and the threat event. By displaying the threat event and the first user identifier, the staff can know which user sent a message that poses a security risk, thereby determining the source of the threat event.
- the user information table also includes a correspondence between the first user identifier and the authentication timestamp, and the authentication timestamp is the moment when the user indicated by the corresponding first user identifier passes the authentication.
- the response message also includes the authentication timestamps corresponding to the multiple first user identifiers.
- the data analysis device obtains the second user identifier based on the sending time period of the business message and the authentication timestamps corresponding to the multiple first user identifiers.
- the second user identifier is a user identifier whose corresponding authentication timestamp among the multiple first user identifiers belongs to the sending time period of the business message.
- the sending time period of the business message is determined by the data analysis device based on the moment when the traceability data of the business message is received.
- this method can be used to determine the second user identifier from multiple first user identifiers, narrowing the traceability scope and thereby improving the accuracy of the traceability results.
- the data analysis device uses the time when the user passes the authentication as the time when the SDP client sends the service message. It takes a period of time for the SDP client to send the service message and for the data analysis device to receive the traceability data of the service message. The data analysis device can obtain the average value of this time by counting the historical data of this time. The data analysis device then obtains the sending period of the service message based on the average value of this time and the time when the data analysis device receives the traceability data of the service message.
- the data analysis device sends a query request to the SDP controller, and the query request carries the device identification of the SDP client and the sending period of the service message.
- the sending period of the service message is determined by the data analysis device according to the time when the traceability data of the service message is received.
- the query request is used to instruct the SDP controller to query the user information table to obtain the second user identification corresponding to the device identification of the SDP client.
- the user information table includes the correspondence between the device identification and the user identification of the SDP client and the correspondence between the user identification and the authentication timestamp.
- the SDP controller queries the user information table according to the device identification of the SDP client to obtain the first user identification corresponding to the device identification of the SDP client; the SDP controller selects the second user identification from the first user identification according to the authentication timestamp corresponding to the first user identification and the sending period of the service message.
- the second user identification is a user identification whose corresponding authentication timestamp in the first user identification belongs to the sending period of the service message.
- the second user identification indicates the user corresponding to the threat event.
- the SDP controller sends a response message for responding to the query request to the data analysis device, and the response message carries the second user identification.
- the data analysis device displays the second user identification and the threat event.
- the SDP controller is used to obtain the second user identity from the first user identity according to the authentication timestamp corresponding to the first user identity and the sending period of the service message, which reduces the workload of the data analysis device.
- the subsequent data analysis device can trace the source based on the device identification of the SDP client after there is a security risk in the business message, thereby tracing the threat event, and tracing the source to a specific user, improving the accuracy of tracing, and solving the problem that security risks cannot be traced in NAT scenarios.
- the scope of tracing is narrowed by introducing the sending period of the business message and the authentication timestamp corresponding to the user identification, thereby improving the accuracy of the tracing result.
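As an added example (not the patent's own code), the following Python models the tracing steps above: the data analysis device queries the user information table by device identifier, receives the first user identifiers with their authentication timestamps, derives the sending time period from the receive time and the historical average delay, and narrows to the second user identifier, in both the variant where the analysis device narrows and the one where the SDP controller does. The in-memory table rows, epoch-second timestamps and the symmetric tolerance window around the estimated sending time are assumptions.

```python
"""Added example, not the patent's own code: tracing a threat event to a user
through the SDP controller's user information table, with the narrowing by
authentication timestamp and sending time period. Assumptions not on the page:
rows are in-memory records, timestamps are epoch seconds, and the sending time
period is a symmetric tolerance window around (receive time - average delay)."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class UserInfoEntry:
    """One row of the user information table (fields named in the description)."""
    device_id: str
    user_id: str
    auth_timestamp: float
    ip_before_nat: str
    ip_after_nat: str


@dataclass
class ThreatEvent:
    device_id: str      # taken from the threat log data or the message metadata
    received_at: float  # when the analysis device received the traceability data


class SdpController:
    """Holds the user information table and answers the query request."""

    def __init__(self, table):
        self.table = list(table)

    def query(self, device_id, sending_period=None):
        """Response message: (first user identifier, authentication timestamp)
        pairs for the device identifier; with a sending period the controller
        selects the second user identifier itself (the second variant above)."""
        rows = [(r.user_id, r.auth_timestamp)
                for r in self.table if r.device_id == device_id]
        if sending_period is None:
            return rows
        lo, hi = sending_period
        return [(u, t) for u, t in rows if lo <= t <= hi]

    def users_behind_nat_ip(self, ip_after_nat):
        """For contrast: the post-NAT source IP alone is ambiguous."""
        return sorted({r.user_id for r in self.table if r.ip_after_nat == ip_after_nat})


class DataAnalysisDevice:
    def __init__(self, controller, delay_history, tolerance=60.0):
        self.controller = controller
        # average of historical send-to-receive delays, as the description does
        self.avg_delay = mean(delay_history)
        self.tolerance = tolerance  # assumed window half-width, in seconds

    def sending_period(self, event):
        estimate = event.received_at - self.avg_delay
        return (estimate - self.tolerance, estimate + self.tolerance)

    def trace(self, event, narrow_at_controller=False):
        """User identifier(s) to display next to the threat event. An empty result
        means no authentication for this device fell inside the sending period."""
        period = self.sending_period(event)
        if narrow_at_controller:
            return [u for u, _ in self.controller.query(event.device_id, period)]
        first_ids = self.controller.query(event.device_id)
        if len(first_ids) <= 1:
            return [u for u, _ in first_ids]
        lo, hi = period
        return [u for u, t in first_ids if lo <= t <= hi]


if __name__ == "__main__":
    # constructed table: one shared SDP client used by two users, all behind one NAT
    ctrl = SdpController([
        UserInfoEntry("dev-A", "alice", 1000.0, "10.0.0.5", "203.0.113.7"),
        UserInfoEntry("dev-A", "bob", 5000.0, "10.0.0.5", "203.0.113.7"),
        UserInfoEntry("dev-B", "carol", 4990.0, "10.0.0.9", "203.0.113.7"),
    ])
    dad = DataAnalysisDevice(ctrl, [20.0, 30.0, 40.0])
    print(dad.trace(ThreatEvent("dev-A", 5030.0)))
    print(ctrl.users_behind_nat_ip("203.0.113.7"))
```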
- the solution of the embodiment of the present application is a combination of the zero-trust solution and the solution of the security big data analysis platform, which can solve customer pain points without increasing customer budget costs, so as to enhance the competitiveness of the solution and increase the stickiness of the solution.
- Figure 3 is a flow chart of a threat event tracing method provided in an embodiment of the present application. The method is applied to a network device.
- the network device is the SDP proxy gateway 103 or the probe device 104 in Figure 1.
- the method includes:
- a network device receives a service message, where the service message is a message generated when an SDP client accesses an application server, and the service message carries a device identifier of the SDP client.
- the service message is a TCP message or a tunnel message.
- the tunnel message is an SRv6 message or a multi-protocol label switching (MPLS) message.
- SRv6 is a segment routing technology under IPv6.
- the SDP client establishes a TCP connection with the SDP proxy gateway, and then sends a first TCP message to the SDP proxy gateway, wherein the device identifier of the SDP client is carried in a newly added option field of the first TCP message.
- Fig. 3a shows a schematic diagram of the structure of the first TCP message. As shown in Fig. 3a, the device identifier of the SDP client is carried in the newly added option field of the first TCP message.
- the SDP client encapsulates a new message header based on the second TCP message or user datagram protocol (UDP) message, and the message header carries the device identifier of the SDP client.
- the new message header and the second TCP message or UDP message constitute a tunnel message. It should be understood that the second TCP message or UDP message here does not carry the device identifier of the SDP client.
- the second TCP message or UDP message here is used for the SDP client to access the application server.
- the SDP client encrypts the device identifier of the SDP client and then carries the encrypted result in a newly added option field of the first TCP message or a new message header of the tunnel message.
- the network device detects the service message according to the second security detection rule; if the service message has a second security risk, the network device generates threat log data carrying the device identifier of the SDP client.
- the network device extracts threat features from the service message according to the second security detection rule; if the threat features are extracted, the network device matches the threat features with the threat features in the pre-stored second security risk library; if the match is successful, the network device determines that the service message has the second security risk, and the SDP proxy gateway generates threat log data carrying the device identifier of the SDP client. If the threat features are not extracted or the extracted threat features do not match the threat features in the pre-stored second security risk library, it is determined that the service message does not have the second security risk, and the SDP proxy gateway does not generate threat log data.
- the second security detection rule is implemented based on an IPS detection algorithm, a DPI detection algorithm, or an AV detection algorithm.
- the security detection rule can also be implemented by other algorithms, which are not limited here.
- the second security risk is a security risk detected by network devices such as firewalls and security gateways through IPS, DPI, file scanning, etc., for example, a business message carries a virus file or other security risk.
- S303 The network device sends threat log data to the data analysis device.
- the subsequent data analysis device can trace the source based on the device identification of the SDP client after determining that the business message has a security risk, thereby tracing the source of the threat event, and tracing the source to the specific user, solving the problem that the security risk cannot be traced in the NAT scenario.
- the network device detects whether the business message has a second security risk, and the data analysis device does not need to detect whether the business message has a second security risk, reducing the workload of the data analysis device.
- the solution of the present application is a combination of the zero-trust solution and the solution of the security big data analysis platform, which can solve customer pain points without increasing customer budget costs, so as to enhance the competitiveness of the solution and increase the stickiness of the solution.
- FIG 4 is an interactive flow diagram of a threat event tracing method provided in an embodiment of the present application. The method is applied to the system architecture shown in Figure 1. As shown in Figure 4, the method includes:
- the SDP client sends an authentication message to the SDP controller.
- the authentication message carries the device identifier of the SDP client.
- the authentication message carries trusted asset information, which includes but is not limited to the source IP of the SDP client, the device identification of the SDP client, and a list of accessible ports.
- the authentication message is sent through the TCP protocol, and the device identifier of the SDP client is carried in a newly added option field of the TCP SYN message.
- after the authentication is successful, the SDP controller generates a user information table.
- after receiving the authentication message from the SDP client, the SDP controller performs identity verification with the authentication system according to the device identifier of the SDP client; after the identity verification passes, the SDP controller generates a user information table corresponding to the SDP client.
- the user information table includes the device identifier of the SDP client, the user identifier, the authentication timestamp, the IP address before NAT, and the IP address after NAT.
- the user information table can also include other information of the SDP client, which is not limited here. Among them, there is a corresponding relationship between the device identifier and the user identifier of the SDP client in the user information table, and between the user identifier and the authentication timestamp.
- the device identifier of the SDP client is a unique identifier of the SDP client.
- the device identifier of the SDP client is generated according to a universally unique identifier (UUID) algorithm.
- the device identifier of the SDP client is generated based on the hardware information of the SDP client through the UUID algorithm.
- the hardware information includes but is not limited to the network card of the SDP client.
- the user ID refers to the ID of the user who uses the SDP client to perform SDP authentication.
- the authentication timestamp is the time when the SDP client passes the authentication. This timestamp can be used to determine the time when the SDP client authenticates and goes online.
- after authentication, the SDP controller sends trusted asset information to the SDP proxy gateway.
- the trusted asset information includes but is not limited to the source IP of the SDP client, the device identifier of the SDP client, and the list of accessible ports.
- the SDP controller sends a resource list to the SDP client, which includes information about the resources accessible to the SDP client.
- S403 The SDP client sends a service message to the SDP proxy gateway.
- the application that the SDP client wants to access through the service message is the resource that the SDP client can access.
- the service message sent by the SDP client to the SDP proxy gateway is a TCP message or a tunnel message.
- the SDP client establishes a TCP connection with the SDP proxy gateway, and then sends a first TCP message to the SDP proxy gateway, wherein the device identifier of the SDP client is carried in a newly added option field of the first TCP message.
- the SDP client encapsulates a new message header based on the second TCP message or UDP message, and the message header carries the device identifier of the SDP client.
- the new message header and the second TCP message or UDP message constitute a tunnel message. It should be understood that the second TCP message or UDP message here does not carry the device identifier of the SDP client.
- the second TCP message or UDP message here is used for the SDP client to access the application server.
- the tunnel message is an SRv6 message or an MPLS message, wherein SRv6 is a segment routing technology under IPv6.
- the SDP client first encrypts the device identifier of the SDP client, and then carries the encrypted information in a newly added option field of the first TCP message or in a new message header of the tunnel message.
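As an added example (not code from the patent), the following Python builds the first TCP message whose new option field carries the SDP client's device identifier, parses a mirrored copy the way the probe device would to produce the service-message metadata (device identifier and five-tuple), and applies a source-NAT rewrite to show that the source IP changes while the device identifier does not. It covers the service message format described here and in the Figure 3 method above; the option kind (254, an experimental kind under RFC 6994), the ExID value, the 16-byte UUID layout and the omission of the encryption step are assumptions.

```python
"""Added example, not code from the patent: the first TCP message with a new
option field carrying the SDP client's device identifier, the probe device's
metadata extraction from a mirrored copy, and a source-NAT rewrite for contrast.
Assumptions not stated on the page: experimental TCP option kind 254 (RFC 6994)
with a constructed 16-bit ExID, a 16-byte UUID device identifier, and the
identifier carried in plaintext (the patent's encryption step is omitted)."""
import ipaddress
import struct
import uuid

OPT_KIND_SDP = 254      # assumption: experimental option kind (RFC 6994)
EXID_SDP = 0xABCD       # constructed placeholder ExID, not from the page
PROTO_TCP = 6


def build_device_id_option(device_id: str) -> bytes:
    """Assumed option layout: kind(1) len(1) ExID(2) UUID(16) = 20 bytes."""
    body = struct.pack("!H", EXID_SDP) + uuid.UUID(device_id).bytes
    return struct.pack("!BB", OPT_KIND_SDP, 2 + len(body)) + body


def build_ipv4_tcp_packet(src_ip, dst_ip, src_port, dst_port, device_id, payload=b""):
    """Constructed IPv4/TCP SYN carrying the device identifier option (checksums zero)."""
    opt = build_device_id_option(device_id)
    opt += b"\x00" * (-len(opt) % 4)            # pad options to a 32-bit boundary
    data_offset = 5 + len(opt) // 4             # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      data_offset << 4, 0x02, 65535, 0, 0) + opt + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ip + tcp


def parse_tcp_options(raw: bytes):
    """Walk the TCP option list, yielding (kind, value) and rejecting bad lengths."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                           # End of option list
            return
        if kind == 1:                           # NOP
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        yield kind, raw[i + 2:i + length]
        i += length


def probe_metadata(packet: bytes) -> dict:
    """Metadata the probe device derives from a mirrored service message."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto != PROTO_TCP:
        raise ValueError("example handles the TCP form of the service message only")
    tcp = packet[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    device_id = None
    for kind, value in parse_tcp_options(tcp[20:data_offset]):
        if (kind == OPT_KIND_SDP and len(value) == 18
                and struct.unpack("!H", value[:2])[0] == EXID_SDP):
            device_id = str(uuid.UUID(bytes=value[2:]))
    return {"device_id": device_id,
            "src_ip": str(ipaddress.IPv4Address(packet[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(packet[16:20])),
            "src_port": src_port, "dst_port": dst_port, "protocol": proto}


def apply_source_nat(packet: bytes, new_src_ip: str) -> bytes:
    """Constructed NAT stand-in: rewrites only the IP source address, which is why
    the source IP alone cannot identify the SDP client behind the NAT."""
    return packet[:12] + ipaddress.IPv4Address(new_src_ip).packed + packet[16:]


if __name__ == "__main__":
    pkt = build_ipv4_tcp_packet("10.0.0.5", "192.0.2.10", 40000, 443,
                                "12345678-1234-5678-1234-567812345678")
    print(probe_metadata(pkt))
    print(probe_metadata(apply_source_nat(pkt, "203.0.113.7")))
```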
- S404 The SDP proxy gateway forwards the service message to the application server through the routing device.
- after receiving the service message, the SDP proxy gateway verifies the legitimacy of the SDP client that sent it: if the device identifier and/or source IP of that SDP client belongs to the trusted asset information, the SDP proxy gateway forwards the service message to the corresponding application server, through a port in the accessible port list.
- the SDP proxy gateway transmits the service message to the application server through the router.
- the SDP proxy gateway transmits the service message to the application server through the router according to the preset routing forwarding strategy.
- the preset routing forwarding strategy is the shortest path priority strategy or the shortest delay strategy.
- the SDP proxy gateway forwards the service message to the application server through other forwarding strategies, which are not limited here.
- the routing device mirrors the traffic to the probe device.
- the traffic here is the traffic generated by the SDP proxy gateway forwarding the service message to the application server.
- the routing device copies the traffic passing through, and then transmits the copied traffic to the probe device, thereby achieving the purpose of mirroring the traffic to the probe device. It should be understood that the routing device mirrors the passing traffic to the probe device, which is essentially sending the service message to the probe device.
- the probe device generates metadata of the service message carrying the device identifier of the SDP client according to the service message.
- after the probe device obtains the service message, it analyzes the service message to obtain the device identifier of the SDP client and the source IP, destination IP, source port, destination port and protocol of the service message; from these values the probe device generates metadata of the service message, which includes the device identifier of the SDP client, the source IP, destination IP, source port, destination port and protocol of the service message.
- after the probe device obtains the business message, if the probe device has the security detection function turned on, the probe device extracts the threat feature of the business message according to the second security detection rule; if a threat feature is extracted, the probe device matches it against the threat features in the pre-stored second security risk library; if the match succeeds, the probe device determines that the business message has a second security risk, generates threat log data carrying the device identifier of the SDP client, and sends the threat log data to the data analysis device. After receiving the threat log data, the data analysis device generates a threat event including the device identifier of the SDP client.
- in this case S406-S408 do not need to be executed, and the data analysis device executes S409 and S410. If no threat feature is extracted or the extracted threat feature does not match the threat features in the pre-stored second security risk library, it is determined that the business message does not have the second security risk, and the SDP proxy gateway does not generate threat log data. At this time it is necessary to further determine whether the business message has the first security risk, and S407-S410 are executed.
- S407 The probe device sends metadata of the service message to the data analysis device.
- S408 The data analysis device performs security detection on metadata of the service message.
- the data analysis device performs a security check on the metadata of the business message according to the first security detection rule to determine whether the business message has a first security risk.
- the data analysis device analyzes the traffic data received by the data analysis device according to the first security detection rule to determine whether the business message has a first security risk.
- the traffic data received by the data analysis device includes the metadata of the business message. If it is determined that the business message has a first security risk, the data analysis device obtains the device identifier of the SDP client from the metadata of the business message, and generates a threat event carrying the device identifier of the SDP client.
- the first security risk is a risk analyzed by the data analysis device based on the metadata of the business message, such as a zero-day threat or other security risk.
- the data analysis device may be able to discover some new risks that cannot be identified by existing rules based on message features. It should be understood that the first security risk is different from the second security risk, and the first security detection rule is different from the second security detection rule.
- S409 The data analysis device sends a query request to the SDP controller.
- the SDP controller sends a response message to the data analysis device.
- FIG. 5 is an interactive flow diagram of another threat event tracing method provided in an embodiment of the present application. The method is applied to the system architecture shown in Figure 1. As shown in Figure 5, the method includes:
- the SDP client sends an authentication message to the SDP controller.
- after the authentication is successful, the SDP controller generates a user information table.
- S503 The SDP client sends a service message to the SDP proxy gateway.
- S504 The SDP proxy gateway performs a security check on the service message according to the second security check rule.
- if the SDP proxy gateway has the security detection function turned on, the SDP proxy gateway extracts threat features from the business message according to the second security detection rule; if threat features are extracted, the SDP proxy gateway matches them against the threat features in the pre-stored second security risk library; if the match succeeds, the SDP proxy gateway determines that the business message has a second security risk and generates threat log data carrying the device identifier of the SDP client. If no threat features are extracted or the extracted threat features do not match the threat features in the pre-stored second security risk library, it is determined that the business message does not have a second security risk, and the SDP proxy gateway does not generate threat log data. At this time, the business message is mirrored to the probe device.
- the second security detection rule is implemented based on an IPS detection algorithm, a DPI detection algorithm, or an AV detection algorithm.
- the second security detection rule can also be implemented by other algorithms, which are not limited here.
- the second security risk is a security risk detected by network devices such as firewalls and security gateways through IPS, DPI, file scanning, etc., for example, a business message carries a virus file or other security risk.
- the SDP proxy gateway sends the threat log data to the data analysis device.
- S506 The data analysis device generates a threat event based on the threat log data.
- after receiving the threat log data, the data analysis device determines that the service message has a second security risk, obtains the device identifier of the SDP client from the threat log data, and generates a threat event carrying the device identifier of the SDP client.
- S507 The data analysis device sends a query request to the SDP controller.
- the SDP controller sends a response message to the data analysis device.
- the data analysis device is the data analysis device 105 in FIG. 1.
- the data analysis device 105 includes an acquisition unit 1051, a generation unit 1052 and a transceiver unit 1053.
- the acquisition unit 1051 is used to acquire the traceability data of the service message, where the service message is a message generated when the SDP client accesses the application server, and the traceability data of the service message includes the device identifier of the SDP client;
- the generating unit 1052 is used to generate a threat event carrying a device identifier of the SDP client according to the traceability data of the service message when there is a security risk in the service message;
- the transceiver unit 1053 is used to obtain a first user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller according to the device identifier of the SDP client, wherein the first user identifier is used to indicate a user corresponding to the threat event, and the user information table includes a correspondence between the device identifier of the SDP client and the first user identifier.
- the security risk includes a first security risk.
- the traceability data of the service message is metadata of the service message.
- the metadata of the service message is generated by the probe device based on the service message.
- the data analysis device 105 further includes:
- the analyzing unit 1054 is configured to analyze the metadata of the service message according to the first security detection rule to determine whether the service message has a first security risk.
- the security risk includes a second security risk.
- the traceability data of the business message is threat log data.
- the threat log data is generated by the network device when it determines that a service message has a second security risk.
- the transceiver unit 1053 is specifically configured to:
- a query request is sent to the SDP controller, the query request carries the device identifier of the SDP client, and the query request is used by the SDP controller to query the user information table to obtain a first user identifier corresponding to the device identifier of the SDP client; and a response message in response to the query request is received from the SDP controller, the response message carries the first user identifier corresponding to the device identifier of the SDP client.
- the user information table further includes a correspondence between the first user identifier and the authentication timestamp.
- the authentication timestamp is the time when the user indicated by the first user identifier passes the authentication.
- the response message includes multiple first user identifiers.
- the response message also includes the authentication timestamps corresponding to the multiple first user identifiers.
- the acquisition unit 1051 is further used to:
- a second user identifier is selected from multiple first user identifiers according to the sending time period of the business message and the authentication timestamps corresponding to the multiple first user identifiers; wherein the second user identifier is the first user identifier among the multiple first user identifiers whose authentication timestamp belongs to the sending time period; the sending time period is determined according to the moment when the data analysis device receives the traceability data of the business message.
- the specific functional implementation method of the data analysis device 105 refers to the description of the above-mentioned threat event tracing method, such as the acquisition unit 1051, the transceiver unit 1053 and the analysis unit 1054 are used to execute the relevant contents of S201 and S203.
- each unit or module in the data analysis device 105 can be combined, separately or entirely, into one or several other units or modules, or one or some of the units or modules can be further divided into multiple smaller units or modules; either arrangement achieves the same operation without affecting the technical effects of the embodiments of the present invention.
- the above-mentioned units or modules are divided based on logical functions. In practical applications, the functions of one unit (or module) are implemented by multiple units (or modules), or the functions of multiple units (or modules) are implemented by one unit (or module).
- a schematic diagram of a network device 700 according to an embodiment of the present application is also provided.
- the network device is the SDP proxy gateway 103 or the probe device 104 in FIG. 1.
- the network device 700 includes a transceiver unit 701, a detection unit 702 and a generation unit 703.
- the transceiver unit 701 is used to receive a service message, where the service message is a message generated when the SDP client accesses the application server, and the service message carries a device identifier of the SDP client;
- a detection unit 702 configured to perform a security detection on the service message according to a second security detection rule to determine whether the service message has a second security risk
- the generating unit 703 is configured to generate threat log data carrying a device identifier of the SDP client if it is determined that the service message has a second security risk;
- the transceiver unit 701 is also used to send threat log data to the data analysis device 105.
- the network device 700 is an SDP proxy gateway 103 or a probe device 104 .
- the service message is a TCP message or a tunnel message.
- the specific functional implementation of the network device 700 refers to the description of the above-mentioned threat event tracing method, for example, the transceiver unit 701 is used to execute the relevant contents of S301 and S303, and the detection unit 702 and the generation unit 703 are used to execute the relevant contents of S302.
- each unit or module in the network device 700 can be combined, separately or entirely, into one or several other units or modules, or one or some of the units or modules can be further divided into multiple smaller units or modules; either arrangement achieves the same operation without affecting the technical effects of the embodiments of the present invention.
- the above-mentioned units or modules are divided based on logical functions. In practical applications, the functions of one unit (or module) are implemented by multiple units (or modules), or the functions of multiple units (or modules) are implemented by one unit (or module).
- the embodiment of the present invention also provides a structural schematic diagram of a data analysis device 800.
- the data analysis device 800 shown in Figure 8 (the data analysis device 800 is specifically a computer device) includes a memory 801, a processor 802, a communication interface 803 and a bus 804. The memory 801, the processor 802 and the communication interface 803 are connected to each other through the bus 804.
- memory 801 is a read-only memory (ROM), a static storage device, a dynamic storage device or a random access memory (RAM).
- the memory 801 can store programs. When the program stored in the memory 801 is executed by the processor 802, the processor 802 and the communication interface 803 are used to execute each step of the threat event tracing method of the embodiment shown in FIG. 2.
- the processor 802 uses a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), a graphics processing unit (GPU) or one or more integrated circuits to execute the relevant programs, so as to implement the functions required of the units in the data analysis device 105 of the embodiment of the present application, or to execute the threat event tracing method of the method embodiment of the present application.
- The processor 802 can also be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the threat event tracing method of the present application can be completed by hardware integrated logic circuits or software instructions in the processor 802.
- The processor 802 is a general-purpose processor, a digital signal processor (DSP), an ASIC, a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
- The processor 802 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application.
- The general-purpose processor is a microprocessor, or the processor is any conventional processor, etc.
- The steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
- The software module is located in a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, a register or another mature storage medium in the art.
- The storage medium is located in the memory 801; the processor 802 reads the information in the memory 801 and, in combination with its hardware, completes the functions required to be performed by the units included in the data analysis device 105 of the embodiment of the present application, or executes the threat event tracing method of the embodiment shown in Figure 2.
- The communication interface 803 uses a transceiver device such as, but not limited to, a transceiver to implement communication between the data analysis device 800 and other devices (such as the SDP controller 102 and the SDP proxy gateway 103 shown in FIG. 1) or a communication network.
- The data analysis device 800 can obtain threat log data from the SDP proxy gateway 103 through the communication interface 803.
- The bus 804 may include a path for transmitting information between various components of the data analysis device 800 (e.g., the memory 801, the processor 802 and the communication interface 803).
- The data analysis device 800 further includes a display 806 and an input device 805.
- The display 806 and the input device 805 are connected to the other devices in the data analysis device 800 via the bus 804.
- The display 806 is a liquid crystal display (LCD), an organic light-emitting diode (OLED) display or another type of display.
- The display 806 displays threat events and user identifiers.
- The input device 805 is a keyboard, a mouse, a voice acquisition device or a video acquisition device.
- Staff can control the data analysis device 800 through the input device 805.
- Although the data analysis device 800 shown in FIG. 8 only shows a memory, a processor and a communication interface, those skilled in the art should understand that in a specific implementation the data analysis device 800 also includes other devices necessary for normal operation. At the same time, according to specific needs, those skilled in the art should understand that the data analysis device 800 may also include hardware devices for implementing other additional functions. In addition, those skilled in the art should understand that the data analysis device 800 may also include only the devices necessary for implementing the embodiments of the present application, without having to include all the devices shown in FIG. 8.
- The embodiment of the present invention also provides a schematic diagram of the structure of a network device 900.
- The network device 900 shown in Figure 9 includes a memory 901, a processor 902, a communication interface 903 and a bus 904. The memory 901, the processor 902 and the communication interface 903 are connected to each other through the bus 904.
- The memory 901 is a ROM, a static storage device, a dynamic storage device or a RAM.
- The memory 901 can store programs. When the program stored in the memory 901 is executed by the processor 902, the processor 902 and the communication interface 903 are used to execute each step of the threat event tracing method of the embodiment shown in FIG. 3.
- The processor 902 uses a general-purpose CPU, a microprocessor, an ASIC, a GPU or one or more integrated circuits to execute relevant programs, in order to implement the functions required to be performed by the units in the SDP proxy gateway 103 of the embodiment shown in Figure 1, or to execute the threat event tracing method of the method embodiment of the present application.
- The processor 902 can also be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the threat event tracing method of the present application can be completed by hardware integrated logic circuits or software instructions in the processor 902.
- The processor 902 is a general-purpose processor, a DSP, an ASIC, an FPGA or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
- The processor can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application.
- The general-purpose processor is a microprocessor, or the processor is any conventional processor, etc.
- The steps of the method disclosed in the embodiments of the present application can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
- Optionally, the software module is located in a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, a register or another mature storage medium in the art.
- The storage medium is located in the memory 901; the processor 902 reads the information in the memory 901 and, in combination with its hardware, completes the functions required to be performed by the units included in the threat event tracing related equipment of the embodiment of the present application, or executes the threat event tracing method of the method embodiment of the present application.
- The communication interface 903 uses, for example but not limited to, a transceiver or other transceiver-related device to implement communication between the network device 900 and other devices (such as the SDP client 101 and the data analysis device 105 in the embodiment shown in FIG. 1) or a communication network.
- For example, when the network device 900 is the SDP proxy gateway 103, the SDP proxy gateway 103 can receive the service message sent by the SDP client 101 through the communication interface 903, and can also send the threat log data of the service message to the data analysis device 105.
- The bus 904 may include a path for transmitting information between various components of the network device 900 (e.g., the memory 901, the processor 902 and the communication interface 903).
- The network device 900 further includes a display 906 and an input device 905.
- The display 906 and the input device 905 are connected to the other devices in the network device 900 via the bus 904.
- The display 906 is an LCD, an OLED display or another type of display.
- The input device 905 is a keyboard, a mouse, a voice acquisition device or a video acquisition device.
- Staff can control the network device 900 through the input device 905.
- Although the network device 900 shown in FIG. 9 only shows a memory, a processor and a communication interface, those skilled in the art should understand that in a specific implementation the network device 900 also includes other devices necessary for normal operation. At the same time, according to specific needs, those skilled in the art should understand that the network device 900 may also include hardware devices for implementing other additional functions. In addition, those skilled in the art should understand that the network device 900 may also include only the devices necessary for implementing the embodiments of the present application, and does not necessarily include all the devices shown in FIG. 9.
- An embodiment of the present application further provides a chip, which includes a processor and a data interface.
- The processor reads instructions stored in a memory through the data interface to implement the threat event tracing method of the embodiment of the present application.
- The chip also includes a memory in which instructions are stored, and the processor is used to execute the instructions stored in the memory.
- The processor is used to execute the threat event tracing method.
- An embodiment of the present application also provides a computer-readable storage medium, which stores instructions.
- When the instructions stored in the computer-readable storage medium are executed on a computer or a processor, the computer or the processor executes one or more steps in any of the above methods.
- The embodiment of the present application further provides a computer program product including instructions.
- When the computer program product is executed on a computer or a processor, the computer or the processor executes one or more steps in any of the above methods.
- Computer-readable media may include computer-readable storage media, which corresponds to tangible media, such as data storage media, or includes any communication media that facilitates the transfer of computer programs from one place to another (e.g., based on a communication protocol).
- Computer-readable media may generally correspond to (1) non-transitory tangible computer-readable storage media, or (2) communication media, such as signals or carrier waves.
- Data storage media may be any available media that can be accessed by one or more computers or one or more processors to retrieve instructions, code and/or data structures for implementing the techniques described in this application.
- A computer program product may include computer-readable media.
- Such computer-readable storage media include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage, flash memory, or any other medium that can be used to store desired program code in the form of instructions or data structures and can be accessed by a computer.
- Any connection is also properly referred to as a computer-readable medium. For example, the coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave over which instructions are carried are included in the definition of media.
- Disk and disc include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD) and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
- The instructions may be executed by one or more processors, such as one or more DSPs, general purpose microprocessors, ASICs, FPGAs, or other equivalent integrated or discrete logic circuits.
- The disclosed systems, devices and methods can be implemented in other ways.
- The division of the units is only a logical function division, and there are other division methods in actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed.
- The mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, in electrical, mechanical or other form.
- The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
- All or part of the embodiments can be implemented by software, hardware, firmware or any combination thereof.
- All or part of the embodiments can be implemented in the form of a computer program product.
- The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are generated in whole or in part.
Description
This application claims priority to the Chinese patent application filed with the State Intellectual Property Office of China on May 16, 2023, with application number 202310553333.6 and the invention name "Threat Event Tracing Method and Related Equipment", the entire contents of which are incorporated by reference in this application.
The present application relates to the field of network security, and in particular to a threat event tracing method and related equipment.
A security big data analysis platform is centered on information security incidents. It collects, monitors and analyzes network traffic, security device logs, threat intelligence and other data in real time to achieve network risk identification, threat discovery, real-time alerting on security incidents and visual display. When a security threat is detected or a notification or warning of a related network security incident is received, the platform can quickly report the threat source and carry out closed-loop handling to avoid major impact and loss.
After a terminal device connects to the network, its Internet protocol (IP) address may undergo one or more levels of network address translation (NAT). When the security big data analysis platform discovers a threat event, it can only report the post-NAT IP address, and such a broad report cannot be associated with a specific computer or person. If the threat needs to be handled, the firewall or gateway can only block directly on the IP address dimension, which will prevent a large number of users from accessing the network.
The current tracing solution for NAT scenarios is to perform the final tracing by analyzing the logs of the network devices that perform NAT (such as the NAT translation logs of firewalls and routers). Customers deploy log servers to collect NAT translation logs, whose content includes the time, source IP, source port, post-NAT source IP, post-NAT source port and other information. The log server queries the NAT translation logs for tracing analysis based on the time and IP address of the reported threat event.
Accurate tracing based on NAT translation logs requires complete NAT logs, requires that the clocks of the network devices performing NAT at all levels be synchronized, and requires that the security big data analysis of threat events not lag. Since the live network may perform multi-level NAT ranging from home routers to gateway devices, it is difficult to unify the NAT translation log format, and some home routers may not even be able to store or upload NAT translation logs. Threat event tracing must combine the access logs of each session to trace back to the pre-translation IP address; if the log records are incomplete or the times cannot be unified, it is difficult to trace to the specific user.
Summary of the invention
The embodiments of the present application provide a threat event tracing method and related equipment. With the embodiments of the present application, threat events can be traced, and traced to a specific user.
In a first aspect, an embodiment of the present application provides a threat event tracing method. The method is applied to a data analysis device. The data analysis device obtains the tracing data of a service message, where the service message is a message generated when a software defined perimeter (SDP) client accesses an application server. The tracing data of the service message includes the device identifier of the SDP client. When the service message has a security risk, the data analysis device generates a threat event carrying the device identifier of the SDP client according to the tracing data of the service message. The data analysis device obtains, according to the device identifier of the SDP client, the user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller, where the user identifier is used to indicate the user corresponding to the threat event. The user information table includes the correspondence between the device identifier of the SDP client and the user identifier.
By carrying the device identifier of the SDP client in the tracing data of the service message, when the service message has a security risk, the data analysis device can obtain the user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller based on that device identifier. The user identifier indicates the user corresponding to the threat event; in other words, the generation of the threat event is related to the user indicated by the user identifier. This realizes tracing of the threat event, and tracing to a specific user, thereby improving the accuracy of tracing.
In conjunction with the first aspect, in a possible implementation, the tracing data of the service message is the metadata of the service message, the metadata of the service message is generated by the network device based on the service message, and the data analysis device analyzes the metadata of the service message according to a first security detection rule to determine whether the service message has a first security risk. The security risk includes the first security risk.
Optionally, the first security risk is a risk identified by the data analysis device by analyzing the metadata of the service message, such as a zero-day (0day) threat or another security risk. By analyzing metadata from a large number of probes, the data analysis device may be able to discover new risks that cannot be identified by existing rules based on message features.
In conjunction with the first aspect, in a possible implementation, the tracing data of the service message is threat log data, and the threat log data is generated by the network device when it determines that the service message has a second security risk. The security risk includes the second security risk.
Optionally, the second security risk is a security risk detected by a network device such as a firewall or security gateway by means of an intrusion prevention system (IPS), deep packet inspection (DPI), file scanning or the like, for example a service message carrying a virus file, or another security risk.
In this implementation, the network device performs security detection on the service message and can determine whether the service message has the second security risk; the data analysis device does not need to perform security detection on the service message to determine whether it has the second security risk, which reduces the workload of the data analysis device.
In conjunction with the first aspect, in a possible implementation, the data analysis device obtains the user identifier corresponding to the device identifier of the SDP client in the following manner:
The data analysis device sends a query request to the SDP controller, the query request carrying the device identifier of the SDP client; the query request is used by the SDP controller to query the user information table to obtain the first user identifier corresponding to the device identifier of the SDP client. The data analysis device receives a response message fed back by the SDP controller in response to the query request, the response message carrying the first user identifier corresponding to the device identifier of the SDP client.
In conjunction with the first aspect, in a possible implementation, the user information table further includes a correspondence between the first user identifier and an authentication timestamp, the authentication timestamp being the moment at which the user indicated by the first user identifier passed authentication. When the response message includes multiple first user identifiers, the response message further includes the authentication timestamps corresponding to each of the multiple first user identifiers, and the data analysis device further obtains a second user identifier from the multiple first user identifiers based on the sending period of the service message and the authentication timestamps corresponding to the multiple first user identifiers.
Here, the second user identifier is the first user identifier, among the multiple first user identifiers, whose authentication timestamp falls within the sending period; the sending period is determined according to the moment at which the data analysis device receives the tracing data.
By introducing the sending period and the authentication timestamp corresponding to the first user identifier, the data analysis device can select the second user identifier from among multiple first user identifiers, narrowing the tracing scope and thus improving the accuracy of the tracing result.
In a second aspect, an embodiment of the present application provides another threat event tracing method. The method is applied to a network device. The network device receives a service message, which is a message generated when an SDP client accesses an application server and which carries the device identifier of the SDP client. The network device performs security detection on the service message according to a second security rule to determine whether the service message has a second security risk. If it determines that the service message has the second security risk, the network device generates threat log data carrying the device identifier of the SDP client. The network device sends the threat log data to a data analysis device.
The network device sends the threat log data to the data analysis device, so that the data analysis device can determine, based on the threat log data, that the service message sent by the SDP client has the second security risk and generate a threat event including the device identifier of the SDP client, and so that the data analysis device can determine the user information corresponding to the threat event based on the device identifier of the SDP client in the threat log data, thereby tracing the threat event. In addition, the data analysis device does not need to perform security detection on the service message to determine whether it has the second security risk, which reduces the workload of the data analysis device.
Optionally, the network device is an SDP proxy gateway or a probe device.
In conjunction with the first aspect, in a possible implementation, the service message is a transmission control protocol (TCP) message or a tunnel message.
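The two-sided flow described above, with the network device of the second aspect producing threat log data from a service message and the data analysis device of the first aspect querying the SDP controller and disambiguating several first user identifiers by authentication timestamp, as an added Python example that is not code from the patent; the message and rule formats, class names and the eight-hour sending window are assumptions.

```python
"""Device-identifier based threat tracing: an added example, not the patent's code.

Network-device side: inspect a service message carrying the SDP client's device
identifier and emit threat log data when a "second security rule" matches.
Data-analysis side: build the threat event, query the SDP controller's user
information table, and pick the user whose authentication timestamp falls in the
sending period. All names, the rule format and the window length are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ServiceMessage:
    device_id: str   # SDP client device identifier carried in the message
    src_ip: str      # post-NAT source address as seen by the network device
    dst_ip: str      # application server
    payload: bytes


@dataclass(frozen=True)
class ThreatLog:
    device_id: str
    src_ip: str
    dst_ip: str
    rule_name: str
    received_at: datetime   # moment the data analysis device received the log


@dataclass(frozen=True)
class ThreatEvent:
    device_id: str
    rule_name: str
    candidate_users: tuple   # every first user identifier the controller returned
    user_id: Optional[str]   # the traced user, or None when unresolved


# Constructed stand-in for IPS/DPI "second security rules": name -> byte pattern.
SECOND_SECURITY_RULES = {"constructed-test-signature": b"<CONSTRUCTED-MALWARE-SIGNATURE>"}


def inspect_service_message(msg, received_at, rules=SECOND_SECURITY_RULES):
    """Network-device side: threat log data if a rule matches, else None."""
    for name, pattern in rules.items():
        if pattern in msg.payload:
            return ThreatLog(msg.device_id, msg.src_ip, msg.dst_ip, name, received_at)
    return None


class SdpController:
    """Holds the user information table: device_id -> [(user_id, auth_timestamp)]."""

    def __init__(self, table):
        self._table = table

    def query(self, device_id):
        """Answer a query request with the first user identifiers and auth timestamps."""
        return list(self._table.get(device_id, []))


def trace_threat_event(log, controller, window=timedelta(hours=8)):
    """Data-analysis side: build the threat event and map the device identifier to a user.

    The sending period is assumed to be `window` long and to end at the moment
    the tracing data was received; the patent only says it derives from that moment.
    """
    candidates = controller.query(log.device_id)
    if len(candidates) == 1:
        user = candidates[0][0]
    else:
        start, end = log.received_at - window, log.received_at
        in_period = [u for u, ts in candidates if start <= ts <= end]
        # Exactly one second user identifier resolves the trace; none or several do not.
        user = in_period[0] if len(in_period) == 1 else None
    return ThreatEvent(log.device_id, log.rule_name, tuple(u for u, _ in candidates), user)


# Constructed sample data: a shared workstation with two authenticated users.
T0 = datetime(2024, 1, 15, 9, 0, 0)   # moment the analysis device receives the log
SAMPLE_CONTROLLER = SdpController({
    "dev-A1B2": [("alice", T0 - timedelta(hours=1)), ("bob", T0 - timedelta(days=3))],
    "dev-C3D4": [("carol", T0 - timedelta(days=1))],
})
SAMPLE_MESSAGE = ServiceMessage("dev-A1B2", "203.0.113.7", "10.0.0.5",
                                b"POST /upload HTTP/1.1\r\n\r\n<CONSTRUCTED-MALWARE-SIGNATURE>")


def run_sample():
    """Walk one message through both sides and return the traced threat event."""
    log = inspect_service_message(SAMPLE_MESSAGE, T0)
    return trace_threat_event(log, SAMPLE_CONTROLLER)
```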
In a third aspect, an embodiment of the present application provides a data analysis device. The data analysis device includes an acquisition unit, a generation unit and a transceiver unit.
The acquisition unit is used to acquire the tracing data of a service message, where the service message is a message generated when the SDP client accesses the application server, and the tracing data of the service message includes the device identifier of the SDP client;
The generation unit is used to generate, when the service message has a security risk, a threat event carrying the device identifier of the SDP client according to the tracing data of the service message;
The transceiver unit is used to obtain, according to the device identifier of the SDP client, a first user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller, where the first user identifier is used to indicate the user corresponding to the threat event, and the user information table includes the correspondence between the device identifier of the SDP client and the first user identifier.
In conjunction with the third aspect, in a possible implementation, the security risk includes a first security risk, the tracing data of the service message is the metadata of the service message, the metadata of the service message is generated by a probe device based on the service message, and the data analysis device further includes:
An analysis unit, used to analyze the metadata of the service message according to a first security detection rule to determine whether the service message has the first security risk.
In conjunction with the third aspect, in a possible implementation, the security risk includes a second security risk, the tracing data of the service message is threat log data, and the threat log data is generated by the network device when it determines that the service message has the second security risk.
In conjunction with the third aspect, in a possible implementation, the transceiver unit is specifically configured to:
send a query request to the SDP controller, the query request carrying the device identifier of the SDP client, where the query request is used by the SDP controller to query the user information table to obtain the first user identifier corresponding to the device identifier of the SDP client; and receive a response message fed back by the SDP controller in response to the query request, the response message carrying the first user identifier corresponding to the device identifier of the SDP client.
In conjunction with the third aspect, in a possible implementation, the user information table further includes a correspondence between the first user identifier and an authentication timestamp, the authentication timestamp being the moment at which the user indicated by the first user identifier passed authentication; when the response message includes multiple first user identifiers, the response message further includes the authentication timestamps corresponding to each of the multiple first user identifiers, and the acquisition unit is further used to:
obtain a second user identifier from the multiple first user identifiers according to the sending period of the service message and the authentication timestamps corresponding to the multiple first user identifiers; where the second user identifier is the first user identifier, among the multiple first user identifiers, whose authentication timestamp falls within the sending period, and the sending period is determined according to the moment at which the data analysis device receives the tracing data of the service message.
In a fourth aspect, an embodiment of this application provides a network device, including a transceiver unit, a detection unit and a generation unit.
The transceiver unit is configured to receive a service message, where the service message is a message generated when the SDP client accesses the application server, and the service message carries the device identifier of the SDP client;
the detection unit is configured to perform security detection on the service message according to a second security rule, to determine whether the service message has a second security risk;
the generation unit is configured to generate threat log data carrying the device identifier of the SDP client if it is determined that the service message has the second security risk;
the transceiver unit is further configured to send the threat log data to the data analysis device.
Optionally, the network device is an SDP proxy gateway or a probe device.
With reference to the third aspect, in a possible implementation, the service message is a TCP message or a tunnel message.
In a fifth aspect, an embodiment of this application provides a data analysis device, including a processor and a memory. The memory is configured to store program code. The processor is configured to call the program code stored in the memory, to perform the method provided in the first aspect or any possible implementation of the first aspect.
In a sixth aspect, an embodiment of this application provides a network device, including a processor and a memory. The memory is configured to store program code. The processor is configured to call the program code stored in the memory, to perform the method provided in the second aspect or any possible implementation of the second aspect.
In a seventh aspect, an embodiment of this application provides a computer storage medium, including computer instructions. When the computer instructions are run on an electronic device, the electronic device is caused to perform the method provided in any possible implementation of the first aspect, or the method provided in any possible implementation of the second aspect.
In an eighth aspect, an embodiment of this application provides a computer program product. When the computer program product runs on a computer, the computer is caused to perform the method provided in any possible implementation of the first aspect, or the method provided in any possible implementation of the second aspect.
In a ninth aspect, an embodiment of this application provides a threat event tracing system, including a data analysis device, a network device, an SDP client and an SDP controller;
the data analysis device is configured to perform the method according to any one of the first aspect;
the network device is configured to perform the method according to any one of the second aspect;
the SDP controller is configured to receive a query request sent by the data analysis device, where the query request carries the device identifier of the SDP client; query the user information table according to the device identifier of the SDP client, to obtain the first user identifier corresponding to the device identifier of the SDP client; and send a response message in response to the query request to the data analysis device, where the response message carries the first user identifier corresponding to the device identifier of the SDP client; the user information table includes a correspondence between the device identifier of the SDP client and the first user identifier.
By introducing the user information table, the SDP controller can determine, based on the device identifier of the SDP client, the user identifier corresponding to that device identifier. The threat event is thereby traced, and traced to a specific user, which improves the accuracy of tracing.
With reference to the ninth aspect, in a possible implementation, the user information table further includes a correspondence between the first user identifier and an authentication timestamp, where the authentication timestamp is the moment at which the user indicated by the first user identifier passes authentication; the SDP controller is further configured to:
when there are multiple first user identifiers, query the user information table according to the multiple first user identifiers, to obtain the authentication timestamp corresponding to each of the multiple first user identifiers; the response message further includes the authentication timestamps corresponding to the multiple first user identifiers.
By introducing the authentication timestamp corresponding to the first user identifier, the data analysis device, when it obtains multiple first user identifiers, can select the second user identifier from them based on their authentication timestamps, which narrows the tracing scope and thereby improves the accuracy of the tracing result.
It can be understood that the data analysis device described in the third aspect or the fifth aspect above is configured to perform any method provided in the first aspect, the SDP proxy gateway described in the fourth aspect or the sixth aspect is configured to perform any method provided in the second aspect, and the computer storage medium described in the fourth aspect and the computer program product described in the fifth aspect are both configured to implement any method provided in the first aspect or any method provided in the second aspect. Therefore, for the beneficial effects they can achieve, refer to the beneficial effects of the corresponding methods; details are not repeated here.
FIG. 1 is a schematic diagram of a system architecture provided in an embodiment of this application;
FIG. 2 is a flow chart of a threat event tracing method provided in an embodiment of this application;
FIG. 3 is a flow chart of another threat event tracing method provided in an embodiment of this application;
FIG. 3a is a schematic diagram of the structure of a first TCP message;
FIG. 4 is an interaction flow chart of a threat event tracing method provided in an embodiment of this application;
FIG. 5 is an interaction flow chart of another threat event tracing method provided in an embodiment of this application;
FIG. 6 is a schematic diagram of the structure of a data analysis device provided in an embodiment of this application;
FIG. 7 is a schematic diagram of the structure of a network device provided in an embodiment of this application;
FIG. 8 is a schematic diagram of the structure of another data analysis device provided in an embodiment of this application;
FIG. 9 is a schematic diagram of the structure of another network device provided in an embodiment of this application.
The terms "first", "second", "third", "fourth" and the like in the specification, claims and drawings of this application are used to distinguish different objects, not to describe a specific order.
"Multiple" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A exists alone, both A and B exist, or B exists alone. The character "/" generally indicates an "or" relationship between the associated objects.
Embodiments of this application are described below with reference to the accompanying drawings.
Refer to FIG. 1, which is a schematic diagram of a system architecture provided in an embodiment of this application. As shown in FIG. 1, the system includes an SDP client 101, an SDP controller 102, an SDP proxy gateway 103, a probe device 104, a data analysis device 105 and an application server 106.
The SDP client 101 is configured to implement functions such as access authentication, environment awareness and data security isolation. The SDP client 101 is a terminal device, such as a desktop computer, a laptop, a tablet or a smartphone, or a software client installed on a terminal device. During authentication, the SDP client 101 sends an authentication request to the SDP controller 102, where the authentication request includes, but is not limited to, the device identifier of the SDP client and the source IP of the SDP client.
The SDP controller 102 is the SDP authentication server. It is configured to authenticate the identity of the SDP client 101, control admission of the SDP client 101, and deliver trusted asset information to the SDP proxy gateway 103. After authentication passes, the SDP controller 102 generates the trusted asset information, which includes, but is not limited to, the source IP of the SDP client 101, the device identifier of the SDP client 101 and the list of ports it is allowed to access.
The SDP proxy gateway 103 performs admission authentication for devices joining the network and proxied access to business applications based on the trusted asset information delivered by the SDP controller 102. Optionally, the SDP proxy gateway 103 includes a switch, a router, a firewall or an access point (AP) device. Optionally, the SDP proxy gateway 103 can also perform security detection on service messages sent by the SDP client 101; when the SDP proxy gateway 103 determines that a service message has a security risk, it generates threat log data and sends the threat log data to the data analysis device 105.
The probe device 104 is a network traffic collection device. It collects and processes the traffic that requires security threat detection and sends the processed data to the data analysis device 105 for security detection.
The data analysis device 105 is a security threat analysis and detection platform. It performs security detection on the data processed by the probe device 104 and generates a threat event when a security risk exists, or generates a threat event according to the threat log data sent by the SDP proxy gateway 103, and obtains the user identifier from the SDP controller 102 to trace the threat event. The data analysis device 105 displays the threat event and the user identifier.
The application server 106 is a device that provides application services. Optionally, the application server 106 is a server, a server cluster, a cloud server, a cloud computing service center or another form of device with computing capability.
The SDP client 101 sends an SDP authentication message to the SDP controller 102; the authentication message is used for identity authentication of the SDP client 101. The SDP controller 102 authenticates the SDP client 101 and, after authentication passes, generates a user information table that includes the correspondence between the device identifier of the SDP client 101 and the user identifier; the user here is the user who accesses the application through the SDP client 101. The SDP client 101 sends a service message to the SDP proxy gateway 103. Optionally, the service message is a TCP message or a tunnel message. The service message carries the device identifier of the SDP client 101.
In one example, the SDP proxy gateway 103 can forward the service message to the application server 106 through a routing device. When the service message passes through the routing device, the routing device can mirror the service message to the probe device 104. The probe device 104 analyzes the obtained service message, generates metadata of the service message carrying the device identifier of the SDP client 101, and transmits the metadata to the data analysis device 105. The metadata of the service message includes, but is not limited to, the source IP, destination IP, source port, destination port and protocol of the service message, and the device identifier of the SDP client. The data analysis device 105 analyzes the metadata according to a first security detection rule to determine whether the service message has a first security risk. If it determines that a security risk exists, the data analysis device 105 obtains the device identifier of the SDP client 101 from the metadata and generates a threat event carrying that device identifier; the data analysis device 105 then obtains, according to the device identifier of the SDP client 101, the corresponding user identifier from the user information table of the SDP controller 102, and that user identifier indicates the user corresponding to the threat event.
In another example, after the network device receives the service message, it detects the service message according to a second security detection rule to determine whether the service message has a second security risk. If it does, the network device generates threat log data carrying the device identifier of the SDP client 101 and sends the threat log data to the data analysis device 105. The data analysis device 105 generates a threat event carrying the device identifier of the SDP client 101 according to the threat log data, and obtains, according to that device identifier, the corresponding user identifier from the user information table of the SDP controller 102; the user identifier indicates the user corresponding to the threat event.
Optionally, the network device is the SDP proxy gateway 103 or the probe device 104. It should be understood that the SDP proxy gateway 103 and the probe device 104 have the same security detection capability; the operation of detecting the service message according to the second security detection rule is performed by one of them, and need not be performed by both.
In the solution of the embodiments of this application, the SDP client carries its device identifier in the service messages it sends, so that when the data analysis device determines that a service message has a security risk, it can trace the source based on the device identifier of the SDP client. The threat event is thereby traced, and traced to a specific user, which improves tracing accuracy and solves the problem that security risks cannot be traced in NAT scenarios. The solution of the embodiments of this application combines a zero-trust solution with a data analysis device solution; it can solve customer pain points without increasing customer budget costs, thereby enhancing the competitiveness and stickiness of the solution.
The implementation process of this application is described in detail below.
Refer to FIG. 2, which is a flow chart of a threat event tracing method provided in an embodiment of this application. The method is applied to the data analysis device 105 in FIG. 1. As shown in FIG. 2, the method includes:
S201. The data analysis device obtains the traceability data of a service message, where the service message is a message generated when the SDP client accesses the application server, and the traceability data of the service message includes the device identifier of the SDP client.
Optionally, the traceability data of the service message is the metadata of the service message or threat log data. The metadata of the service message is generated by the probe device based on the service message. The threat log data is generated by the network device when it determines that the service message has a security risk. Optionally, the network device is an SDP proxy gateway or a probe device.
In one example, after the network device receives the service message sent by the SDP client, the SDP proxy gateway forwards the service message to the application server through a routing device, and the routing device mirrors the passing service message to the probe device. The probe device analyzes the service message to obtain the device identifier of the SDP client and the source IP, destination IP, source port, destination port and protocol of the service message, and generates the metadata of the service message from these fields; the metadata of the service message includes the device identifier of the SDP client and the source IP, destination IP, source port, destination port and protocol of the service message.
In one example, after the SDP proxy gateway receives the message sent by the SDP client, it performs security detection on the service message according to the second security detection rule. If the service message has the second security risk, the SDP proxy gateway generates threat log data carrying the device identifier of the SDP client; if the service message does not have the second security risk, the SDP proxy gateway generates no threat log data.
Optionally, the second security detection rule is implemented based on an IPS detection algorithm, a DPI detection algorithm or an anti-virus (AV) detection algorithm. The second security detection rule can of course also be implemented by other algorithms, which is not limited here.
Optionally, the second security risk is a security risk detected by a network device such as a firewall or security gateway by means of IPS, DPI, file scanning and the like, for example a service message carrying a virus file or another security risk.
S202. If the service message has a security risk, the data analysis device generates a threat event carrying the device identifier of the SDP client.
Specifically, when the traceability data of the service message is the metadata of the service message, the data analysis device analyzes the metadata according to the first security detection rule to determine whether the service message has a first security risk. In one example, the data analysis device analyzes the traffic data it receives according to the first security detection rule to determine whether the service message has a first security risk, where the traffic data received by the data analysis device includes the metadata of the service message. When it determines that the service message has a first security risk, the data analysis device generates a threat event carrying the device identifier of the SDP client.
Optionally, the first security risk is a risk that the data analysis device identifies by analyzing the metadata of the service message, for example a zero-day (0day) threat or another security risk. By analyzing metadata from a large number of probes, the data analysis device may be able to discover new risks that existing rules based on message signatures cannot identify.
When the traceability data of the service message is threat log data, if the data analysis device receives the threat log data, it determines that the service message has a security risk and generates a threat event carrying the device identifier of the SDP client; if no threat log data is received, the data analysis device determines that the service message has no security risk.
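The following is an added worked example of steps S201 and S202, not code from the patent or its applicant. It models both kinds of traceability data the text names: probe metadata (the 5-tuple plus the SDP client device identifier) that the data analysis device checks against a first security detection rule, and gateway threat log data whose mere receipt is the risk determination. The metadata records, the threat log record, the field names and the first rule itself (a constructed "many distinct destinations from one device" heuristic, standing in for the open-ended analysis the patent describes) are all assumptions; the patent fixes only which fields the metadata carries. Two devices deliberately share one NAT source IP so the value of keying on the device identifier is visible.

```python
"""Threat-event generation from traceability data (S201/S202), added example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed probe metadata: the fields the patent lists for service-message
# metadata.  dev-A and dev-B sit behind the same NAT source IP (203.0.113.7).
PROBE_METADATA = [
    # dev-A: six connections to six distinct destination ports (constructed)
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "src_port": 40001, "dst_port": 21,   "proto": "tcp", "device_id": "dev-A"},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "src_port": 40002, "dst_port": 22,   "proto": "tcp", "device_id": "dev-A"},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "src_port": 40003, "dst_port": 23,   "proto": "tcp", "device_id": "dev-A"},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "src_port": 40004, "dst_port": 80,   "proto": "tcp", "device_id": "dev-A"},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "src_port": 40005, "dst_port": 443,  "proto": "tcp", "device_id": "dev-A"},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "src_port": 40006, "dst_port": 8080, "proto": "tcp", "device_id": "dev-A"},
    # dev-B: two ordinary connections from the same NAT source IP (constructed)
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.5", "src_port": 50001, "dst_port": 443,  "proto": "tcp", "device_id": "dev-B"},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.6", "src_port": 50002, "dst_port": 443,  "proto": "tcp", "device_id": "dev-B"},
]

# Constructed threat log data as an SDP proxy gateway would emit it after its
# second security detection rule (IPS/DPI/AV) fired on a service message.
GATEWAY_THREAT_LOGS = [
    {"device_id": "dev-C", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.9",
     "dst_port": 445, "reason": "av: virus file in payload"},
]


@dataclass(frozen=True)
class ThreatEvent:
    """Threat event carrying the SDP client device identifier (S202)."""
    device_id: str
    source: str   # "metadata" (first risk) or "threat_log" (second risk)
    detail: str


SCAN_PORT_THRESHOLD = 5  # constructed parameter of the constructed first rule


def first_security_rule(metadata):
    """Constructed first security detection rule over probe metadata.

    Flags a device whose metadata shows at least SCAN_PORT_THRESHOLD distinct
    (destination IP, destination port) pairs.  Returns {device_id: count}.
    The grouping key is the device identifier, not the source IP, which is
    why devices sharing a NAT address are kept apart.
    """
    targets = defaultdict(set)
    for m in metadata:
        targets[m["device_id"]].add((m["dst_ip"], m["dst_port"]))
    return {dev: len(t) for dev, t in targets.items() if len(t) >= SCAN_PORT_THRESHOLD}


def events_from_metadata(metadata):
    """Metadata path: apply the first rule, emit one event per flagged device."""
    hits = first_security_rule(metadata)
    return [ThreatEvent(dev, "metadata", f"first risk: {n} distinct destinations")
            for dev, n in sorted(hits.items())]


def events_from_threat_logs(logs):
    """Threat-log path: receiving threat log data is itself the risk determination."""
    return [ThreatEvent(log["device_id"], "threat_log", f"second risk: {log['reason']}")
            for log in logs]


def generate_threat_events(metadata, logs):
    """S201 + S202 for both kinds of traceability data."""
    return events_from_metadata(metadata) + events_from_threat_logs(logs)


def devices_behind_source_ip(metadata, src_ip):
    """Shows the NAT ambiguity: one source IP maps to several device identifiers."""
    return {m["device_id"] for m in metadata if m["src_ip"] == src_ip}


if __name__ == "__main__":
    for ev in generate_threat_events(PROBE_METADATA, GATEWAY_THREAT_LOGS):
        print(ev)
    print("devices behind 203.0.113.7:", devices_behind_source_ip(PROBE_METADATA, "203.0.113.7"))
```

The two paths differ only in where the risk decision is made: the data analysis device decides for metadata, the network device has already decided for threat log data. In both cases the event carries the device identifier rather than the source IP, which is what the later controller lookup keys on.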
S203. The data analysis device obtains, according to the device identifier of the SDP client, the first user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller.
The first user identifier indicates the user corresponding to the threat event, and the user information table includes the correspondence between the device identifier of the SDP client and the first user identifier.
In one example, the data analysis device sends a query request to the SDP controller. The query request carries the device identifier of the SDP client and instructs the SDP controller to query the user information table, to obtain the first user identifier corresponding to the device identifier of the SDP client. The SDP controller queries the user information table according to the device identifier of the SDP client, to obtain the first user identifier corresponding to that device identifier; the first user identifier indicates the user corresponding to the threat event. The SDP controller sends a response message in response to the query request to the data analysis device, where the response message carries the first user identifier corresponding to the device identifier of the SDP client. The data analysis device displays the first user identifier together with the threat event. Displaying the threat event and the first user identifier lets operators know which user sent the message that carries the security risk, and thus identify the source of the threat event.
Optionally, the user information table further includes a correspondence between the first user identifier and an authentication timestamp, where the authentication timestamp is the moment at which the user indicated by the corresponding first user identifier passes authentication. When the response message carries multiple first user identifiers, the response message further includes the authentication timestamps corresponding to the multiple first user identifiers, and the data analysis device obtains a second user identifier according to the sending period of the service message and the authentication timestamps corresponding to the multiple first user identifiers; the second user identifier is the user identifier, among the multiple first user identifiers, whose corresponding authentication timestamp falls within the sending period of the service message. The sending period of the service message is determined by the data analysis device according to the moment at which it receives the traceability data of the service message. When there are multiple first user identifiers, this method determines the second user identifier among them, which narrows the tracing scope and thereby improves the accuracy of the tracing result.
It should be understood that a user sends service messages through the SDP client after passing authentication, so the data analysis device takes the moment at which the user passes authentication as the moment at which the SDP client sends the service message. Some time elapses between the SDP client sending the service message and the data analysis device receiving the traceability data of that message; the data analysis device can obtain the average of this delay from historical statistics. The data analysis device then derives the sending period of the service message from this average delay and the moment at which it receives the traceability data of the service message.
In another example, the data analysis device sends a query request to the SDP controller, where the query request carries the device identifier of the SDP client and the sending period of the service message. The sending period of the service message is determined by the data analysis device according to the moment at which it receives the traceability data of the service message. The query request instructs the SDP controller to query the user information table, to obtain the second user identifier corresponding to the device identifier of the SDP client. The user information table includes the correspondence between the device identifier of the SDP client and the user identifier, and the correspondence between the user identifier and the authentication timestamp. The SDP controller queries the user information table according to the device identifier of the SDP client, to obtain the first user identifier corresponding to that device identifier, and then selects the second user identifier from the first user identifiers according to the authentication timestamp corresponding to each first user identifier and the sending period of the service message. The second user identifier is the user identifier, among the first user identifiers, whose corresponding authentication timestamp falls within the sending period of the service message; it indicates the user corresponding to the threat event. The SDP controller sends a response message in response to the query request to the data analysis device, where the response message carries the second user identifier. The data analysis device displays the second user identifier together with the threat event.
By introducing the sending period of the service message and the authentication timestamp corresponding to the user identifier, the tracing scope is narrowed, which improves the accuracy of the tracing result. Moreover, obtaining the second user identifier from the first user identifiers according to their authentication timestamps and the sending period of the service message is performed by the SDP controller, which reduces the workload of the data analysis device.
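The following is an added worked example of step S203 and of both disambiguation variants described above, not code from the patent or its applicant. It models the SDP controller's user information table (device identifier to user identifier and authentication timestamp), the query/response exchange, the derivation of the sending period from the receive time and the historical average delay, and the selection of the second user identifier either on the data analysis device (query carries only the device identifier) or on the controller (query also carries the sending period). The table contents, the delay history, the message field names and the width of the sending period window (a symmetric tolerance around the estimated send moment) are all assumptions; the patent only says the period is derived from the receive moment and the average delay.

```python
"""User-identifier lookup and timestamp disambiguation (S203), added example."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    auth_ts: float  # authentication timestamp, seconds since epoch (constructed)


class SDPController:
    """Holds the user information table: device_id -> list of UserRecord."""

    def __init__(self, user_info_table):
        self.table = user_info_table

    def handle_query(self, query):
        """Answer a query request from the data analysis device.

        Without a sending period the response carries every first user
        identifier and its authentication timestamp.  With a sending period the
        controller itself selects the second user identifier(s) whose
        authentication timestamp falls inside the period (second variant).
        """
        records = self.table.get(query["device_id"], [])
        if "sending_period" in query:
            start, end = query["sending_period"]
            chosen = [r.user_id for r in records if start <= r.auth_ts <= end]
            return {"device_id": query["device_id"], "second_user_ids": chosen}
        return {"device_id": query["device_id"],
                "first_users": [(r.user_id, r.auth_ts) for r in records]}


class DataAnalysisDevice:
    """Traces a threat event (device_id, receive moment) to a user."""

    def __init__(self, controller, delay_history, tolerance=60.0):
        self.controller = controller
        self.avg_delay = mean(delay_history)  # historical send-to-receive delay
        self.tolerance = tolerance            # assumed window half-width

    def sending_period(self, receive_ts):
        """Estimated send moment = receive moment - average delay, widened by tolerance."""
        estimate = receive_ts - self.avg_delay
        return (estimate - self.tolerance, estimate + self.tolerance)

    def trace_locally(self, device_id, receive_ts):
        """First variant: controller returns all first user identifiers with
        timestamps; this device picks the second user identifier."""
        response = self.controller.handle_query({"device_id": device_id})
        users = response["first_users"]
        if len(users) <= 1:
            return [u for u, _ in users]
        start, end = self.sending_period(receive_ts)
        return [u for u, ts in users if start <= ts <= end]

    def trace_via_controller(self, device_id, receive_ts):
        """Second variant: query carries the sending period; controller selects."""
        query = {"device_id": device_id, "sending_period": self.sending_period(receive_ts)}
        return self.controller.handle_query(query)["second_user_ids"]


# Constructed user information table: dev-A is a shared device that two users
# authenticated on at different moments; dev-B has a single user.
USER_INFO_TABLE = {
    "dev-A": [UserRecord("alice", 1000.0), UserRecord("bob", 5000.0)],
    "dev-B": [UserRecord("carol", 4200.0)],
}
DELAY_HISTORY = [10.0, 12.0, 14.0]  # constructed past send-to-receive delays, avg 12 s

CONTROLLER = SDPController(USER_INFO_TABLE)
ANALYZER = DataAnalysisDevice(CONTROLLER, DELAY_HISTORY)

if __name__ == "__main__":
    # Traceability data for a dev-A message arrived at t=5030 -> period ~[4958, 5078] -> bob
    print(ANALYZER.trace_locally("dev-A", 5030.0))
    print(ANALYZER.trace_via_controller("dev-A", 5030.0))
    print(ANALYZER.trace_locally("dev-B", 5030.0))
```

Both variants return the same answer for the same inputs; they differ in where the filtering runs, which is the workload point the text makes. An unknown device identifier yields an empty list rather than an exception, so a lookup failure surfaces as "no user found" instead of aborting the trace.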
In the solution of the embodiments of the present application, carrying the device identifier of the SDP client in the service message allows the data analysis device, once a security risk is found in the service message, to trace the source based on the device identifier of the SDP client. The threat event is thereby traced, and traced to a specific user, which improves the accuracy of tracing and solves the problem that security risks cannot be traced in NAT scenarios. When several users are traced, the scope of tracing is narrowed by introducing the sending period of the service message and the authentication timestamp corresponding to each user identifier, which improves the accuracy of the tracing result. The solution of the embodiments of the present application combines a zero-trust solution with a security big data analysis platform, and can solve customer pain points without increasing the customer's budget, so as to improve the competitiveness and stickiness of the solution.
Referring to Figure 3, Figure 3 is a flow chart of a threat event tracing method provided in an embodiment of the present application. The method is applied to a network device.
Optionally, the network device is the SDP proxy gateway 103 or the probe device 104 in Figure 1. As shown in Figure 3, the method includes:
S301. The network device receives a service message, where the service message is a message generated when an SDP client accesses an application server, and the service message carries the device identifier of the SDP client.
Optionally, the service message is a TCP message or a tunnel message.
Optionally, the tunnel message is an SRv6 message or a multi-protocol label switching (MPLS) message. SRv6 is the segment routing technology for IPv6.
In one example, the SDP client establishes a TCP connection with the SDP proxy gateway and then sends a first TCP message to the SDP proxy gateway, where the device identifier of the SDP client is carried in a newly added option field of the first TCP message.
Figure 3a shows a schematic diagram of the structure of the first TCP message. As shown in Figure 3a, the device identifier of the SDP client is carried in the newly added option field of the first TCP message.
In another example, the SDP client encapsulates a new message header on top of a second TCP message or a user datagram protocol (UDP) message, and the new message header carries the device identifier of the SDP client. The new message header and the second TCP message or UDP message together form a tunnel message. It should be understood that the second TCP message or UDP message here does not itself carry the device identifier of the SDP client. The second TCP message or UDP message is used by the SDP client to access the application server.
Optionally, the SDP client encrypts its device identifier and carries the encrypted result in the newly added option field of the first TCP message or in the new message header of the tunnel message.
S302. The network device detects the service message according to the second security detection rule; if the service message has a second security risk, the network device generates threat log data carrying the device identifier of the SDP client.
Specifically, the network device extracts threat features from the service message according to the second security detection rule; if threat features are extracted, the network device matches them against the threat features in the pre-stored second security risk library; if the match succeeds, the network device determines that the service message has the second security risk, and the SDP proxy gateway generates threat log data carrying the device identifier of the SDP client. If no threat features are extracted, or the extracted threat features match none of the threat features in the pre-stored second security risk library, it is determined that the service message does not have the second security risk, and the SDP proxy gateway does not generate threat log data.
Optionally, the second security detection rule is implemented based on an IPS detection algorithm, a DPI detection algorithm, or an AV detection algorithm. The security detection rule can of course also be implemented by other algorithms, which are not limited here.
Optionally, the second security risk is a security risk detected by network devices such as firewalls and security gateways through IPS, DPI, file scanning, and the like, for example a service message that carries a virus file or another security risk.
S303. The network device sends the threat log data to the data analysis device.
In the solution of the embodiments of the present application, carrying the device identifier of the SDP client in the service message allows the data analysis device, after determining that the service message has a security risk, to trace the source based on the device identifier of the SDP client. The threat event is thereby traced, and traced to a specific user, which solves the problem that security risks cannot be traced in NAT scenarios. The network device detects whether the service message has the second security risk, so the data analysis device does not need to perform that detection itself, which reduces the workload of the data analysis device. The solution of the present application combines a zero-trust solution with a security big data analysis platform, and can solve customer pain points without increasing the customer's budget, so as to improve the competitiveness and stickiness of the solution.
Referring to Figure 4, Figure 4 is an interaction flow diagram of a threat event tracing method provided in an embodiment of the present application. The method is applied to the system architecture shown in Figure 1. As shown in Figure 4, the method includes:
S401. The SDP client sends an authentication message to the SDP controller.
The authentication message carries the device identifier of the SDP client.
In one example, the authentication message carries trusted asset information, which includes but is not limited to the source IP of the SDP client, the device identifier of the SDP client, and the list of accessible ports.
In one example, the authentication message is sent over TCP, and the device identifier of the SDP client is carried in a newly added option field of the TCP SYN message.
S402. After the authentication succeeds, the SDP controller generates a user information table.
After receiving the authentication message, the SDP controller performs identity verification against the authentication system according to the device identifier of the SDP client; after the identity verification passes, the SDP controller generates the user information table corresponding to the SDP client.
In one example, the user information table includes the device identifier of the SDP client, the user identifier, the authentication timestamp, the IP address before NAT, and the IP address after NAT. The user information table can of course include other information about the SDP client, which is not limited here. In the user information table there is a correspondence between the device identifier of the SDP client and the user identifier, and a correspondence between the user identifier and the authentication timestamp.
The device identifier of the SDP client is the unique identifier of the SDP client. In one example, the device identifier of the SDP client is generated according to a universally unique identifier (UUID) algorithm. Specifically, the device identifier of the SDP client is generated by the UUID algorithm from the hardware information of the SDP client. The hardware information includes but is not limited to the physical address of the SDP client's network card, its hard disk information, CPU information, counter information, and the like.
The user identifier is the identifier of the user who performs SDP authentication using the SDP client.
The authentication timestamp is the time at which the SDP client passed authentication. This timestamp makes it possible to determine when the SDP client authenticated and came online.
After the authentication succeeds, the SDP controller sends the trusted asset information to the SDP proxy gateway. The trusted asset information includes but is not limited to the source IP of the SDP client, the device identifier of the SDP client, and the list of accessible ports. At the same time, the SDP controller sends a resource list to the SDP client, which includes information about the resources the SDP client is allowed to access.
S403. The SDP client sends a service message to the SDP proxy gateway.
The application that the SDP client accesses through the service message is a resource that the SDP client is allowed to access.
Optionally, the service message sent by the SDP client to the SDP proxy gateway is a TCP message or a tunnel message.
In one example, the SDP client establishes a TCP connection with the SDP proxy gateway and then sends a first TCP message to the SDP proxy gateway, where the device identifier of the SDP client is carried in a newly added option field of the first TCP message.
In another example, the SDP client encapsulates a new message header on top of a second TCP message or a UDP message, and the new message header carries the device identifier of the SDP client. The new message header and the second TCP message or UDP message together form a tunnel message. It should be understood that the second TCP message or UDP message here does not itself carry the device identifier of the SDP client. The second TCP message or UDP message is used by the SDP client to access the application server.
Optionally, the tunnel message is an SRv6 message or an MPLS message, where SRv6 is the segment routing technology for IPv6.
Optionally, the SDP client first encrypts its device identifier and then carries the encrypted information in the newly added option field of the first TCP message or in the new message header of the tunnel message.
S404. The SDP proxy gateway forwards the service message to the application server through the routing device.
After receiving the service message, the SDP proxy gateway verifies the legitimacy of the SDP client that sent it; if the device identifier and/or source IP of that SDP client belongs to the trusted asset information, the SDP proxy gateway forwards the service message to the corresponding application server. The SDP proxy gateway forwards the service message to the application server through a port in the accessible port list.
It should be understood that the SDP proxy gateway transmits the service message to the application server via the router, according to a preset routing forwarding strategy. Optionally, the preset routing forwarding strategy is a shortest-path-first strategy or a lowest-latency strategy. The SDP proxy gateway can of course also forward the service message to the application server using other forwarding strategies, which are not limited here.
S405. The routing device mirrors the traffic to the probe device.
It should be noted that the traffic here is the traffic generated when the SDP proxy gateway forwards the service message to the application server. When the traffic passes through the routing device, the routing device makes a copy of it and transmits the copy to the probe device, thereby mirroring the traffic to the probe device. It should be understood that mirroring the passing traffic to the probe device is in essence sending the service message to the probe device.
S406. The probe device generates, from the service message, metadata of the service message that carries the device identifier of the SDP client.
In one example, after obtaining the service message, the probe device analyses it to obtain the device identifier of the SDP client and the source IP, destination IP, source port, destination port and protocol of the service message; the probe device then generates the metadata of the service message from these values, so that the metadata of the service message includes the device identifier of the SDP client and the source IP, destination IP, source port, destination port and protocol of the service message.
In one example, after obtaining the service message, if the probe device has the security detection function enabled, the probe device extracts threat features from the service message according to the second security detection rule; if threat features are extracted, the probe device matches them against the threat features in the pre-stored second security risk library; if the match succeeds, the probe device determines that the service message has the second security risk, generates threat log data carrying the device identifier of the SDP client, and sends the threat log data to the data analysis device. After receiving the threat log data, the data analysis device generates a threat event including the device identifier of the SDP client. In this case S406-S408 do not need to be executed, and the data analysis device executes S409 and S410. If no threat features are extracted, or the extracted threat features match none of the threat features in the pre-stored second security risk library, it is determined that the service message does not have the second security risk, and the SDP proxy gateway does not generate threat log data. In this case it is necessary to further determine whether the service message has the first security risk, and S407-S410 are executed.
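The probe-side handling described in S301, S406 and the example above, as added illustration code (not code from the patent or its applicant): it parses a constructed IPv4/TCP packet, reads the SDP client device identifier from a TCP option, and either emits the five-tuple metadata or, when a constructed threat feature matches the payload, threat log data that still carries the device identifier. The option kind number, the risk library contents and the data classes are assumptions; the patent does not specify them.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Tuple, Union

# Assumed option kind for the "newly added option field"; the patent names no kind.
DEVICE_ID_OPTION_KIND = 253

# Constructed "second security risk library": threat features as byte patterns.
SECOND_RISK_LIBRARY: Dict[str, bytes] = {
    "constructed-sample-risk": b"CONSTRUCTED-THREAT-FEATURE",
}


@dataclass
class Metadata:
    """Service message metadata generated by the probe device (S406)."""
    device_id: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int


@dataclass
class ThreatLog:
    """Threat log data carrying the SDP client device identifier (S302)."""
    device_id: str
    risk_name: str
    src_ip: str
    dst_ip: str


def parse_tcp_options(raw: bytes) -> Dict[int, bytes]:
    """Walk the TCP option list and return {kind: data}; stops at End-of-Options."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # No-operation (padding)
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def parse_packet(pkt: bytes) -> Tuple[Metadata, bytes]:
    """Extract the device identifier and five-tuple; return (metadata, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto != 6:
        raise ValueError("only TCP service messages are handled here")
    src_ip, dst_ip = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    dev = parse_tcp_options(tcp[20:doff]).get(DEVICE_ID_OPTION_KIND)
    if dev is None:
        raise ValueError("service message carries no device identifier option")
    return Metadata(dev.decode("ascii"), src_ip, dst_ip, sport, dport, proto), tcp[doff:]


def inspect(pkt: bytes) -> Union[Metadata, ThreatLog]:
    """Second-risk check first; on a match emit threat log data, otherwise metadata."""
    md, payload = parse_packet(pkt)
    for name, feature in SECOND_RISK_LIBRARY.items():
        if feature in payload:
            return ThreatLog(md.device_id, name, md.src_ip, md.dst_ip)
    return md


def build_packet(device_id: str, payload: bytes, src: str = "10.0.0.5",
                 dst: str = "192.0.2.10", sport: int = 40000, dport: int = 443) -> bytes:
    """Construct a minimal IPv4/TCP packet with the device-ID option (test input only)."""
    opt = bytes([DEVICE_ID_OPTION_KIND, 2 + len(device_id)]) + device_id.encode("ascii")
    opt += b"\x00" * (-len(opt) % 4)        # pad the option list to a 32-bit boundary
    doff = (20 + len(opt)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, 0x18, 65535, 0, 0)
    tcp += opt + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp
```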
S407. The probe device sends the metadata of the service message to the data analysis device.
S408. The data analysis device performs security detection on the metadata of the service message.
Specifically, the data analysis device performs security detection on the metadata of the service message according to the first security detection rule to determine whether the service message has a first security risk. In one example, the data analysis device analyses the traffic data it receives according to the first security detection rule to determine whether the service message has the first security risk, where the received traffic data includes the metadata of the service message. If it determines that the service message has the first security risk, the data analysis device obtains the device identifier of the SDP client from the metadata of the service message and generates a threat event carrying the device identifier of the SDP client.
Optionally, the first security risk is a risk that the data analysis device identifies by analysing the metadata of the service message, for example a zero-day (0day) threat or another security risk. By analysing metadata from a large number of probes, the data analysis device may be able to discover new risks that existing rules based on message features cannot identify. It should be understood that the first security risk differs from the second security risk, and the first security detection rule differs from the second security detection rule.
S409. The data analysis device sends a query request to the SDP controller.
S410. The SDP controller sends a response message to the data analysis device.
It should be noted that the specific implementation of S409 and S410 is described under S203 and is not repeated here. For the beneficial effects of the embodiment shown in Figure 4, see the description of S201-S203.
Referring to Figure 5, Figure 5 is an interaction flow diagram of another threat event tracing method provided in an embodiment of the present application. The method is applied to the system architecture shown in Figure 1. As shown in Figure 5, the method includes:
S501. The SDP client sends an authentication message to the SDP controller.
S502. After the authentication succeeds, the SDP controller generates a user information table.
S503. The SDP client sends a service message to the SDP proxy gateway.
It should be noted that the specific implementation of S501-S503 is described under S401-S403 and is not repeated here.
S504. The SDP proxy gateway performs security detection on the service message according to the second security detection rule.
In one possible implementation, if the SDP proxy gateway has the security detection function enabled, the SDP proxy gateway extracts threat features from the service message according to the second security detection rule; if threat features are extracted, the SDP proxy gateway matches them against the threat features in the pre-stored second security risk library; if the match succeeds, the SDP proxy gateway determines that the service message has the second security risk and generates threat log data carrying the device identifier of the SDP client. If no threat features are extracted, or the extracted threat features match none of the threat features in the pre-stored second security risk library, it is determined that the service message does not have the second security risk, and the SDP proxy gateway does not generate threat log data. In that case the service message is mirrored to the probe device.
Optionally, the second security detection rule is implemented based on an IPS detection algorithm, a DPI detection algorithm, or an AV detection algorithm. The second security detection rule can of course also be implemented by other algorithms, which are not limited here.
Optionally, the second security risk is a security risk detected by network devices such as firewalls and security gateways through IPS, DPI, file scanning, and the like, for example a service message that carries a virus file or another security risk.
S505. The SDP proxy gateway sends the threat log data to the data analysis device.
S506. The data analysis device generates a threat event based on the threat log data.
After receiving the threat log data, the data analysis device determines that the service message has the second security risk, obtains the device identifier of the SDP client from the threat log data, and generates a threat event carrying the device identifier of the SDP client.
S507. The data analysis device sends a query request to the SDP controller.
S508. The SDP controller sends a response message to the data analysis device.
It should be noted that the specific implementation of S507 and S508 is described under S203 and is not repeated here. For the beneficial effects of the embodiment shown in Figure 5, see the description of S201-S203.
Referring to Figure 6, Figure 6 is a schematic diagram of the structure of a data analysis device provided in an embodiment of the present application. The data analysis device is the data analysis device 105 in Figure 1. As shown in Figure 6, the data analysis device 105 includes an acquisition unit 1051, a generation unit 1052 and a transceiver unit 1053.
The acquisition unit 1051 is configured to acquire the traceability data of a service message, where the service message is a message generated when an SDP client accesses an application server, and the traceability data of the service message includes the device identifier of the SDP client;
the generation unit 1052 is configured to generate, when the service message has a security risk, a threat event carrying the device identifier of the SDP client according to the traceability data of the service message;
the transceiver unit 1053 is configured to obtain, according to the device identifier of the SDP client, the first user identifier corresponding to the device identifier of the SDP client from the user information table of the SDP controller, where the first user identifier indicates the user corresponding to the threat event, and the user information table includes the correspondence between the device identifier of the SDP client and the first user identifier.
In one possible implementation, the security risk includes a first security risk, the traceability data of the service message is the metadata of the service message, the metadata of the service message is generated by the probe device from the service message, and the data analysis device 105 further includes:
an analysis unit 1054, configured to analyse the metadata of the service message according to the first security detection rule to determine whether the service message has the first security risk.
In one possible implementation, the security risk includes a second security risk, the traceability data of the service message is threat log data, and the threat log data is generated by the network device when it determines that the service message has the second security risk.
In one possible implementation, the transceiver unit 1053 is specifically configured to:
send a query request to the SDP controller, where the query request carries the device identifier of the SDP client and is used by the SDP controller to query the user information table to obtain the first user identifier corresponding to the device identifier of the SDP client; and receive from the SDP controller a response message in response to the query request, where the response message carries the first user identifier corresponding to the device identifier of the SDP client.
In one possible implementation, the user information table further includes the correspondence between the first user identifier and an authentication timestamp, the authentication timestamp being the time at which the user indicated by the first user identifier passed authentication; when the response message includes several first user identifiers, the response message also includes the authentication timestamp corresponding to each of them, and the acquisition unit 1051 is further configured to:
select a second user identifier from the several first user identifiers according to the sending period of the service message and the authentication timestamps corresponding to the several first user identifiers; where the second user identifier is the first user identifier, among the several first user identifiers, whose authentication timestamp falls within the sending period, and the sending period is determined according to the time at which the data analysis device received the traceability data of the service message.
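The user information table and the two placements of the timestamp filter described above (controller-side selection under S409/S410 in the earlier example, and device-side selection by the acquisition unit 1051 here), as an added example that is not code from the patent or its applicant. The table layout follows the description in S402; the class and function names, the bounded-delay rule used to derive the sending period from the receive time, and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class UserRecord:
    """One row of the SDP controller's user information table (S402)."""
    device_id: str
    user_id: str
    auth_ts: datetime        # authentication timestamp: when this user came online
    ip_before_nat: str
    ip_after_nat: str


class UserInfoTable:
    def __init__(self) -> None:
        self._rows: List[UserRecord] = []

    def add(self, rec: UserRecord) -> None:
        self._rows.append(rec)

    def first_user_ids(self, device_id: str) -> List[UserRecord]:
        """All records whose device identifier matches (the 'first user identifiers').
        Several rows may match when different users authenticated on the same device."""
        return [r for r in self._rows if r.device_id == device_id]


def sending_period(received_at: datetime,
                   max_delay: timedelta = timedelta(minutes=5)) -> Tuple[datetime, datetime]:
    """Assumption: the service message was sent within max_delay before the data
    analysis device received its traceability data."""
    return received_at - max_delay, received_at


def select_second_user_ids(records: List[UserRecord],
                           period: Tuple[datetime, datetime]) -> List[str]:
    """Keep the first user identifiers whose authentication timestamp lies in the period."""
    start, end = period
    return sorted({r.user_id for r in records if start <= r.auth_ts <= end})


def controller_query_with_period(table: UserInfoTable, device_id: str,
                                 period: Tuple[datetime, datetime]) -> List[str]:
    """Variant 1: the query carries the sending period, the controller filters."""
    return select_second_user_ids(table.first_user_ids(device_id), period)


def controller_query(table: UserInfoTable, device_id: str) -> List[Tuple[str, datetime]]:
    """Variant 2: the response carries every first user identifier with its timestamp;
    the data analysis device applies select_second_user_ids itself."""
    return [(r.user_id, r.auth_ts) for r in table.first_user_ids(device_id)]


def analysis_device_select(response: List[Tuple[str, datetime]],
                           received_at: datetime) -> List[str]:
    """Device-side filtering of a variant-2 response (acquisition unit 1051)."""
    start, end = sending_period(received_at)
    return sorted({uid for uid, ts in response if start <= ts <= end})


def build_sample_table() -> UserInfoTable:
    """Constructed sample data: two users behind one NAT address on device d-1."""
    t = UserInfoTable()
    t.add(UserRecord("d-1", "alice", datetime(2024, 1, 1, 10, 0), "10.0.0.5", "203.0.113.7"))
    t.add(UserRecord("d-1", "bob", datetime(2024, 1, 1, 10, 30), "10.0.0.5", "203.0.113.7"))
    t.add(UserRecord("d-2", "carol", datetime(2024, 1, 1, 10, 31), "10.0.0.6", "203.0.113.7"))
    return t
```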
值得指出的是,其中,数据分析设备105的具体功能实现方式参见上述威胁事件溯源方法的描述,比如获取单元1051、收发单元1053及分析单元1054用于执行S201和S203的相关内容。数据分析设备105中的各个单元或模块能够分别或全部合并为一个或若干个另外的单元或模块来构成,或者其中的某个(些)单元或模块还能够再拆分为功能上更小的多个单元或模块来构成,这能够实现同样的操作,而不影响本发明的实施例的技术效果的实现。上述单元或模块是基于逻辑功能划分的,在实际应用中,一个单元(或模块)的功能由多个单元(或模块)来实现,或者多个单元(或模块)的功能由一个单元(或模块)实现。It is worth pointing out that, among them, the specific functional implementation method of the data analysis device 105 refers to the description of the above-mentioned threat event tracing method, such as the acquisition unit 1051, the transceiver unit 1053 and the analysis unit 1054 are used to execute the relevant contents of S201 and S203. Each unit or module in the data analysis device 105 can be separately or completely combined into one or several other units or modules to constitute, or one (some) of the units or modules can be further divided into multiple smaller units or modules to constitute, which can achieve the same operation without affecting the realization of the technical effects of the embodiments of the present invention. The above-mentioned units or modules are divided based on logical functions. In practical applications, the functions of one unit (or module) are implemented by multiple units (or modules), or the functions of multiple units (or modules) are implemented by one unit (or module).
Referring to FIG. 7, which is a schematic structural diagram of a network device provided by an embodiment of the present application. The network device is the SDP proxy gateway 103 or the probe device 104 in FIG. 1. As shown in FIG. 7, the network device 700 includes a transceiver unit 701, a detection unit 702 and a generation unit 703.
The transceiver unit 701 is configured to receive a service message, the service message being a message generated when the SDP client accesses the application server and carrying the device identifier of the SDP client;
The detection unit 702 is configured to perform security detection on the service message according to a second security detection rule, to determine whether the service message presents a second security risk;
The generation unit 703 is configured to generate, if the service message is determined to present the second security risk, threat log data carrying the device identifier of the SDP client;
The transceiver unit 701 is further configured to send the threat log data to the data analysis device 105.
Optionally, the network device 700 is the SDP proxy gateway 103 or the probe device 104.
In one possible implementation, the service message is a TCP message or a tunnel message.
It should be noted that the specific functional implementation of the network device 700 is described in the threat event tracing method above; for example, the transceiver unit 701 executes the content of S301 and S303, and the detection unit 702 and the generation unit 703 execute the content of S302. The units or modules of the network device 700 can be merged, individually or all together, into one or several other units or modules, or one or more of them can be further split into several functionally smaller units or modules; either arrangement performs the same operations without affecting the technical effects of the embodiments of the present invention. The units or modules above are divided by logical function; in practice the function of one unit (or module) may be implemented by several units (or modules), or the functions of several units (or modules) may be implemented by one unit (or module).
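The two device descriptions above (the data analysis device 105 with its acquisition, transceiver and analysis units, and the network device 700 with its transceiver, detection and generation units) together form one pipeline: the gateway or probe detects a risky service message, writes a threat log that keeps the SDP client's device identifier, and the analysis device attributes that log to a user. The following Python is an added example modelling that pipeline; it is not the patent's own code. The message layout, the two "second security detection rules", and the device-to-user mapping (assumed here to be learned from the SDP controller, which the page says the analysis device communicates with) are constructed assumptions; the page does not specify their format.

```python
# Added example (not the patent's code): gateway-side detection and threat-log
# generation (units 702/703), then analysis-side attribution to a user.
# Message layout, rules and the device->user mapping are constructed assumptions.
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ServiceMessage:
    """Service message from an SDP client to an application server (assumed layout)."""
    device_id: str          # device identifier carried by the SDP client
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes
    transport: str = "tcp"  # "tcp" or "tunnel", the two cases the page allows


@dataclass(frozen=True)
class DetectionRule:
    name: str
    pattern: re.Pattern
    ports: frozenset        # rule only applies to these destination ports


# Constructed "second security detection rules" (illustrative, not the patent's).
RULES: List[DetectionRule] = [
    DetectionRule("sqli-probe",
                  re.compile(rb"(?i)union\s+select|'\s*or\s+1=1"),
                  frozenset({80, 443, 8080})),
    DetectionRule("shell-cmd",
                  re.compile(rb"/bin/(ba)?sh\b|;\s*id\b"),
                  frozenset({22, 80, 443})),
]


def detect(msg: ServiceMessage, rules: List[DetectionRule] = RULES) -> Optional[DetectionRule]:
    """Detection unit 702: return the first rule the message violates, or None."""
    for rule in rules:
        if msg.dst_port in rule.ports and rule.pattern.search(msg.payload):
            return rule
    return None


def make_threat_log(msg: ServiceMessage, rule: DetectionRule) -> dict:
    """Generation unit 703: the log keeps the device identifier so the analysis
    side can attribute the event without re-inspecting the traffic."""
    return {"device_id": msg.device_id, "rule": rule.name, "src_ip": msg.src_ip,
            "dst_ip": msg.dst_ip, "dst_port": msg.dst_port, "transport": msg.transport}


def gateway_process(messages: List[ServiceMessage],
                    rules: List[DetectionRule] = RULES) -> List[str]:
    """Network device 700 (gateway or probe): one JSON threat log per risky message."""
    logs = []
    for msg in messages:
        hit = detect(msg, rules)
        if hit is not None:
            logs.append(json.dumps(make_threat_log(msg, hit)))
    return logs


def attribute(threat_logs: List[str], device_to_user: Dict[str, str]) -> List[dict]:
    """Data analysis device 105: join each threat log with the device->user mapping.
    A device identifier missing from the mapping is kept and flagged rather than
    dropped, so an unenrolled or spoofed device is still visible to the operator."""
    events = []
    for line in threat_logs:
        log = json.loads(line)
        user = device_to_user.get(log["device_id"])
        events.append({**log, "user_id": user, "attributed": user is not None})
    return events


# Constructed sample input: four client messages and the controller's mapping.
SAMPLE_MESSAGES = [
    ServiceMessage("dev-A1", "10.0.0.5", "10.1.0.10", 443,
                   b"GET /search?q=1' OR 1=1-- HTTP/1.1\r\n"),
    ServiceMessage("dev-B2", "10.0.0.6", "10.1.0.10", 443,
                   b"GET /index.html HTTP/1.1\r\n"),
    ServiceMessage("dev-Z9", "10.0.0.9", "10.1.0.20", 80,
                   b"POST /cgi-bin/run HTTP/1.1\r\n\r\ncmd=;id", transport="tunnel"),
    ServiceMessage("dev-A1", "10.0.0.5", "10.1.0.30", 9999,
                   b"UNION SELECT 1"),  # matching payload, but port outside the rule
]
DEVICE_TO_USER = {"dev-A1": "alice", "dev-B2": "bob"}  # dev-Z9 is not enrolled


def run_example() -> List[dict]:
    """Run the whole pipeline over the constructed sample input."""
    return attribute(gateway_process(SAMPLE_MESSAGES), DEVICE_TO_USER)


if __name__ == "__main__":
    for event in run_example():
        print(event)
```

The design point worth noticing is the split of responsibility: the gateway never needs the user identity, only the device identifier it already sees in the message, and the analysis device never needs the packet, only the log plus the mapping. The unmatched `dev-Z9` case shows why attribution should flag rather than discard: a threat from a device the controller does not know about is itself the event an operator wants to see.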
Based on the description of the method embodiments and the related device embodiments above, and referring to FIG. 8, an embodiment of the present invention further provides a schematic structural diagram of a data analysis device 800. The data analysis device 800 shown in FIG. 8 (specifically, a computer device) includes a memory 801, a processor 802, a communication interface 803 and a bus 804, and the memory 801, the processor 802 and the communication interface 803 are communicatively connected to one another through the bus 804.
Optionally, the memory 801 is a read-only memory (ROM), a static storage device, a dynamic storage device or a random access memory (RAM).
The memory 801 can store a program; when the program stored in the memory 801 is executed by the processor 802, the processor 802 and the communication interface 803 perform the steps of the threat event tracing method of the embodiment shown in FIG. 2.
The processor 802 is a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), a graphics processing unit (GPU), or one or more integrated circuits, and executes the relevant program to implement the functions of the units in the data analysis device 105 of the embodiments of the present application, or to perform the threat event tracing method of the method embodiments of the present application.
The processor 802 can also be an integrated circuit chip with signal processing capability. During implementation, each step of the threat event tracing method of the present application can be completed by integrated logic circuits in hardware within the processor 802 or by instructions in the form of software. Optionally, the processor 802 is a general-purpose processor, a digital signal processor (DSP), an ASIC, a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The processor 802 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor is a microprocessor, or the processor is any conventional processor. The steps of the methods disclosed in the embodiments of the present application can be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. Optionally, the software module is located in a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, a register, or another storage medium mature in the art. The storage medium is located in the memory 801; the processor 802 reads the information in the memory 801 and, together with its hardware, completes the functions of the units included in the data analysis device 105 of the embodiments of the present application, or performs the threat event tracing method of the embodiment shown in FIG. 2.
The communication interface 803 uses a transceiver apparatus such as, but not limited to, a transceiver to implement communication between the data analysis device 800 and other devices (such as the SDP controller 102 and the SDP proxy gateway 103 shown in FIG. 1) or a communication network. For example, the data analysis device 800 can obtain threat log data from the SDP proxy gateway 103 through the communication interface 803.
The bus 804 may include a path that transfers information between the components of the data analysis device 800 (for example, the memory 801, the processor 802 and the communication interface 803).
Optionally, the data analysis device 800 further includes a display 806 and an input device 805, which are communicatively connected to the other components of the data analysis device 800 through the bus 804.
The display 806 is a liquid crystal display (LCD), an organic light-emitting diode (OLED) display or another type of display. The display 806 displays the threat event and the user identifier.
The input device 805 is a keyboard, a mouse, a voice capture device or a video capture device. An operator can control the data analysis device 800 through the input device 805.
It should be noted that although the data analysis device 800 shown in FIG. 8 shows only a memory, a processor and a communication interface, those skilled in the art will understand that in a concrete implementation the data analysis device 800 also includes the other components necessary for normal operation. Likewise, depending on specific needs, the data analysis device 800 may include hardware components that implement other additional functions. Further, the data analysis device 800 may include only the components necessary to implement the embodiments of the present application, without including all of the components shown in FIG. 8.
Based on the description of the method embodiments and the related device embodiments above, and referring to FIG. 9, an embodiment of the present invention further provides a schematic structural diagram of a network device 900. The network device 900 shown in FIG. 9 includes a memory 901, a processor 902, a communication interface 903 and a bus 904, and the memory 901, the processor 902 and the communication interface 903 are communicatively connected to one another through the bus 904.
Optionally, the memory 901 is a ROM, a static storage device, a dynamic storage device or a RAM.
The memory 901 can store a program; when the program stored in the memory 901 is executed by the processor 902, the processor 902 and the communication interface 903 perform the steps of the threat event tracing method of the embodiment shown in FIG. 3.
The processor 902 is a general-purpose CPU, a microprocessor, an ASIC, a GPU, or one or more integrated circuits, and executes the relevant program to implement the functions of the units in the SDP proxy gateway 103 of the embodiment shown in FIG. 1, or to perform the threat event tracing method of the method embodiments of the present application.
The processor 902 can also be an integrated circuit chip with signal processing capability. During implementation, each step of the threat event tracing method of the present application can be completed by integrated logic circuits in hardware within the processor 902 or by instructions in the form of software. Optionally, the processor 902 is a general-purpose processor, a DSP, an ASIC, an FPGA or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The processor can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor is a microprocessor, or the processor is any conventional processor. The steps of the methods disclosed in the embodiments of the present application can be embodied directly as being executed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. Optionally, the software module is located in a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, a register, or another storage medium mature in the art. The storage medium is located in the memory 901; the processor 902 reads the information in the memory 901 and, together with its hardware, completes the functions of the units included in the threat event tracing related devices of the embodiments of the present application, or performs the threat event tracing method of the method embodiments of the present application.
The communication interface 903 uses a transceiver apparatus such as, but not limited to, a transceiver to implement communication between the network device 900 and other devices (such as the SDP client 101 and the data analysis device 105 in the embodiment shown in FIG. 1) or a communication network. For example, when the network device is the SDP proxy gateway 103, the SDP proxy gateway 103 can receive, through the communication interface 903, the service message sent by the SDP client 101, and can also send the threat log data for the service message to the data analysis device 105.
The bus 904 may include a path that transfers information between the components of the network device 900 (for example, the memory 901, the processor 902 and the communication interface 903).
Optionally, the network device 900 further includes a display 906 and an input device 905, which are communicatively connected to the other components of the network device 900 through the bus 904.
The display 906 is an LCD, an OLED display or another type of display.
The input device 905 is a keyboard, a mouse, a voice capture device or a video capture device. An operator can control the network device 900 through the input device 905.
It should be noted that although the network device 900 shown in FIG. 9 shows only a memory, a processor and a communication interface, those skilled in the art will understand that in a concrete implementation the network device 900 also includes the other components necessary for normal operation. Likewise, depending on specific needs, the network device 900 may include hardware components that implement other additional functions. Further, the network device 900 may include only the components necessary to implement the embodiments of the present application, without including all of the components shown in FIG. 9.
An embodiment of the present application further provides a chip including a processor and a data interface. The processor reads, through the data interface, instructions stored in a memory to implement the threat event tracing method of the embodiments of the present application.
Optionally, as one implementation, the chip further includes a memory in which instructions are stored; the processor is configured to execute the instructions stored in the memory, and when the instructions are executed the processor performs the threat event tracing method.
An embodiment of the present application further provides a computer-readable storage medium storing instructions which, when run on a computer or processor, cause the computer or processor to perform one or more steps of any of the methods above.
An embodiment of the present application further provides a computer program product containing instructions. When the computer program product runs on a computer or processor, it causes the computer or processor to perform one or more steps of any of the methods above.
Those skilled in the art will appreciate that the functions described in connection with the various illustrative logic blocks, modules and algorithm steps disclosed herein can be implemented in hardware, software, firmware or any combination thereof. If implemented in software, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code and executed by a hardware-based processing unit. Computer-readable media may include computer-readable storage media, which correspond to tangible media such as data storage media, or communication media including any medium that facilitates transfer of a computer program from one place to another (for example, according to a communication protocol). In this manner, computer-readable media generally may correspond to (1) tangible, non-transitory computer-readable storage media, or (2) a communication medium such as a signal or carrier wave. Data storage media may be any available media that can be accessed by one or more computers or one or more processors to retrieve instructions, code and/or data structures for implementing the techniques described in this application. A computer program product may include a computer-readable medium.
By way of example and not limitation, such computer-readable storage media include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory, or any other medium that can be used to store desired program code in the form of instructions or data structures and can be accessed by a computer. Also, any connection is properly termed a computer-readable medium. For example, if instructions are transmitted from a website, server or other remote source using a coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of medium. It should be understood, however, that computer-readable storage media and data storage media do not include connections, carrier waves, signals or other transitory media, but are instead directed to non-transitory, tangible storage media. Disk and disc, as used herein, include compact disc (CD), laser disc, optical disc, digital versatile disc (DVD) and Blu-ray disc, where disks usually reproduce data magnetically while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
Instructions may be executed by one or more processors, such as one or more DSPs, general-purpose microprocessors, ASICs, FPGAs, or other equivalent integrated or discrete logic circuitry. Accordingly, the term "processor" as used herein may refer to any of the foregoing structures or any other structure suitable for implementing the techniques described herein. In addition, in some aspects, the functions described in connection with the various illustrative logic blocks, modules and steps described herein may be provided within dedicated hardware and/or software modules configured for encoding and decoding, or incorporated in a combined codec. The techniques could also be fully implemented in one or more circuits or logic elements.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods can be implemented in other ways. For example, the division into units is only a division by logical function; in actual implementation there may be other divisions, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Optionally, the mutual couplings, direct couplings or communication connections shown or discussed are indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
Optionally, the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments can be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they can be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are produced in whole or in part.
The above is only a specific implementation of the embodiments of the present application, but the scope of protection of the embodiments of the present application is not limited thereto; any variation or replacement within the technical scope disclosed in the embodiments of the present application shall fall within the scope of protection of the embodiments of the present application. Therefore, the scope of protection of the embodiments of the present application shall be that of the claims.
Claims (19)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310553333.6A (published as CN119011160A) | 2023-05-16 | 2023-05-16 | Threat event tracing method and related equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024234861A1 (en) | 2024-11-21 |
Family
ID=93469698
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/086045 (WO2024234861A1, Pending) | Threat event sourcing method and related device | 2023-05-16 | 2024-04-03 |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN119011160A (en) |
| WO (1) | WO2024234861A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119853979A (en) * | 2024-12-25 | 2025-04-18 | 中国人民解放军网络空间部队信息工程大学 | Real-time tracing graph compression method and device for reserving causal association |
| CN120785651A (en) * | 2025-09-03 | 2025-10-14 | 中移(苏州)软件技术有限公司 | Network defense method and device, equipment, program product and storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140201836A1 (en) * | 2012-08-23 | 2014-07-17 | David B. Amsler | Automated Internet Threat Detection and Mitigation System and Associated Methods |
| CN107465702A (en) * | 2017-09-30 | 2017-12-12 | 北京奇虎科技有限公司 | Method for early warning and device based on wireless network invasion |
| CN107484173A (en) * | 2017-09-30 | 2017-12-15 | 北京奇虎科技有限公司 | Wireless network intrusion detection method and device |
| CN107509200A (en) * | 2017-09-30 | 2017-12-22 | 北京奇虎科技有限公司 | Equipment localization method and device based on wireless network invasion |
| CN107566401A (en) * | 2017-09-30 | 2018-01-09 | 北京奇虎科技有限公司 | The means of defence and device of virtualized environment |
| CN107579997A (en) * | 2017-09-30 | 2018-01-12 | 北京奇虎科技有限公司 | Wireless Network Intrusion Detection System |
| CN107612924A (en) * | 2017-09-30 | 2018-01-19 | 北京奇虎科技有限公司 | Attacker's localization method and device based on wireless network invasion |
- 2023-05-16: CN application CN202310553333.6A, published as CN119011160A, active, Pending
- 2024-04-03: WO application PCT/CN2024/086045, published as WO2024234861A1, active, Pending
Non-Patent Citations (1)
| Title |
|---|
| BIAN WEICHENG: "Path to improving the comprehensive defense capability of e-government external network security", ELECTRONIC TECHNOLOGY & SOFTWARE ENGINEERING, vol. 6, 1 January 2022 (2022-01-01), pages 5 - 8, XP093240755 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN119011160A (en) | 2024-11-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR102580898B1 (en) | System and method for selectively collecting computer forensics data using DNS messages | |
| US9942270B2 (en) | Database deception in directory services | |
| US9860265B2 (en) | System and method for identifying exploitable weak points in a network | |
| US9609019B2 (en) | System and method for directing malicous activity to a monitoring system | |
| US10257227B1 (en) | Computer security threat correlation | |
| US9917850B2 (en) | Deterministic reproduction of client/server computer state or output sent to one or more client computers | |
| US11930031B2 (en) | Distributed network based vulnerability scanning via endpoint agent deployment | |
| US12445410B2 (en) | In-line detection of algorithmically generated domains | |
| WO2016081561A1 (en) | System and method for directing malicious activity to a monitoring system | |
| WO2024234861A1 (en) | Threat event sourcing method and related device | |
| JP5980968B2 (en) | Information processing apparatus, information processing method, and program | |
| CN109639705B (en) | Cloud platform security detection method | |
| US20240020390A1 (en) | Vulnerability assessment of machine images in development phase | |
| CN113904843B (en) | Analysis method and device for abnormal DNS behaviors of terminal | |
| US11789743B2 (en) | Host operating system identification using transport layer probe metadata and machine learning | |
| US11102243B1 (en) | Resource address resolution based on resource ownership changes to block communications with computing resources | |
| Silaen et al. | ApiPot: A Novelty API Honeypot for Exhaustive Attack Feature Detection in HTTP Protocol | |
| US20230370492A1 (en) | Identify and block domains used for nxns-based ddos attack | |
| HK40062438A (en) | Systems and methods for using dns messages to selectively collect computer forensic data | |
| HK40062438B (en) | Systems and methods for using dns messages to selectively collect computer forensic data | |
| HK40084296A (en) | Business data access method, device and apparatus, and computer storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 24806220; Country of ref document: EP; Kind code of ref document: A1 |