Network security source analysis method and device

A network security and context technology, applied in the field of network security traceability analysis, that can solve the problem of unclear attacker behavior characteristics.
CN108769077A · Active · Publication Date: 2018-11-06 · 武汉思普崚技术有限公司

Patent Information

Authority / Receiving Office
CN · China
Current Assignee / Owner
武汉思普崚技术有限公司
Publication Date
2018-11-06


Abstract

The invention discloses a network security source analysis method and device. Log information from various types of network equipment is acquired in real time and stored persistently, so that the logs can be restored if an attacker clears them. The acquired log information is subjected to deep association analysis and data mining, and the origin, development and attack path of an attack event are sorted out to obtain the related information and behaviors of the attacker; feature attributes are extracted and an attacker relation model is built. The related information and behaviors of a visitor are then acquired, and their feature attributes are matched against the attacker relation model to determine whether or not the visitor is the attacker.
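The matching step in the abstract can be sketched as follows. This is an added example, not code from the patent: the log formats, the chosen feature attributes, the Jaccard similarity measure and the 0.6 threshold are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the patent): a firewall and a web server.
FIREWALL_LOG = [
    "fw1 ALLOW src=203.0.113.7 dport=80",
    "fw1 ALLOW src=203.0.113.7 dport=22",
    "fw1 ALLOW src=198.51.100.20 dport=80",
    "fw1 ALLOW src=192.0.2.44 dport=80",
]
WEB_LOG = [
    '203.0.113.7 "GET /phpmyadmin/" 404 "scanner-x/1.0"',
    '203.0.113.7 "POST /upload.php" 200 "scanner-x/1.0"',
    '198.51.100.20 "GET /index.html" 200 "Mozilla/5.0"',
    '192.0.2.44 "GET /phpmyadmin/" 404 "scanner-x/1.0"',
    '192.0.2.44 "POST /upload.php" 200 "scanner-x/1.0"',
]
FW_RE = re.compile(r"src=(\S+) dport=(\d+)")
WEB_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) "([^"]*)"$')


def extract_features(fw_lines, web_lines):
    """Correlate both log sources by source IP into per-source feature sets."""
    feats = defaultdict(set)
    for line in fw_lines:
        m = FW_RE.search(line)
        if m:
            feats[m.group(1)].add(("port", m.group(2)))
    for line in web_lines:
        m = WEB_RE.match(line)
        if m:
            ip, method, path, _status, agent = m.groups()
            feats[ip].update({("req", f"{method} {path}"), ("agent", agent)})
    return dict(feats)


def match_score(visitor, model):
    """Jaccard similarity between a visitor's features and the attacker model."""
    union = visitor | model
    return len(visitor & model) / len(union) if union else 0.0


def is_attacker(visitor, model, threshold=0.6):  # threshold is an assumed value
    return match_score(visitor, model) >= threshold


FEATURES = extract_features(FIREWALL_LOG, WEB_LOG)
# Assumption: an analyst has already confirmed this source as the attacker.
ATTACKER_MODEL = FEATURES["203.0.113.7"]
```

The visitor at 192.0.2.44 matches the model despite arriving from a different address, which is the behavior-based identification that path playback alone does not give.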

Description

Technical field

[0001] The present application relates to the technical field of network information security, in particular to a method and device for network security traceability analysis.

Background technique

[0002] The forms of network attacks are becoming more and more diverse, posing a serious threat to network security. It is necessary to protect the software and hardware devices of the system, such as the host, firewall, switch or WEB server. It is also very necessary to trace the source of the attack and gain a detailed understanding of the attacker.

[0003] Most existing network attack traceability only provides attack path playback: it shows where the attacker came from, but not the behavior characteristics of the attacker. At the same time, the attacker usually clears the system logs after the attack is over, so as to remove the traces of the attack. Therefore, a method and device capable of qualitatively analyzing the attacker itself is pro...
