Attack information tracking and tracing method and device based on homologous analysis

Abstract

The embodiment of the invention provides an attack information tracking and tracing method and device based on homologous analysis. The method comprises the following steps of obtaining a plurality ofattack logs expressing the attack information in a target time period; extracting a plurality of similar attacking logs with similarity from the plurality of attack logs according to the feature information of the plurality of attack logs; sequencing a plurality of similar attack logs according to the preset rule to obtain the sequencing result; judging whether the relevancy exists between the plurality of similar attack logs or not according to the sequencing result; if so, determining that a plurality of source IP addresses in the plurality of similar attack logs are from the same attacker;sending the plurality of source IP addresses to network security protection equipment so as the network security protection equipment is based on a plurality of source IP addresses to generate warning prompts. Therefore in the scheme, the homologous attack can be fast analyzed; next, the warning prompt can be generated for the homologous attack in a unified way so as to remind a user of timely protecting the attack information; the network safety is further improved.

Description

technical field [0001] The present invention relates to the field of network security, in particular to a method and device for tracking and tracing attack information based on homology analysis. Background technique [0002] With the development of Internet informatization, there are more and more cyber hacking incidents, and hacking methods are also constantly evolving. Through the analysis experience of attack traffic and logs, it is found that many network hackers will use their own real IP when simply stepping on the attack target, and before the attack, they will switch to the IP address of the proxy springboard, and then There are many attack records of proxy IP addresses in the server's WEB-related logs. [0003] In order to analyze network attack incidents, the usual practice is to reverse infiltrate the proxy springboard machine through technical means. After obtaining the server authority, the real IP of the proxy can be traced, and then the proxy IP address can ...

AI Technical Summary

Problems solved by technology

[0003] In order to analyze network attack incidents, the usual practice is to reverse infiltrate the proxy springboard machine through technical means. After obtaining the server authority, the real IP of the proxy can be traced, and then the proxy IP address can be associated with the real IP, or according to According to the experience judgment of the analysts, which attack source IPs may be related. However, the technical threshold required for reverse osmosis is relatively high, and ordinary security workers cannot handle it. There may be errors in the experience judgment of the analysts. The attack information traceability of source analysis is inaccurate, and it is impossible to accurately trace the source of network attack information, thereby failing to guarantee network security

Images