Warning association method and device

Abstract

The invention provides a warning association method and device. The problems that the real attack intention of an attacker cannot be easily discovered since the existing network attack frequently combines multiple tools and methods to implement multistep attack in a certain time and space span, but the WAF warning only aims at the single attack behavior is solved. The method comprises the following steps: obtaining attack behavior information according to a WAF warning log of an application firewall; acquiring attack mode information of the attacker according to the attack behavior information, wherein the attack mode information comprises attack type information corresponding to each attack behavior in an attack process of the attacker; associating the different attackers according to the similarity between the attack mode information of different attackers. By use of the warning association method provided by the invention, multiple disperse fine-grained attack behaviors in a logic relation are combined as a coarse-grained attack process, thereby providing basis and convenience for eliminating redundant warning, reappearing an attack scene, analyzing the attack intention of the attacker and other related works.

Images