Evidence obtaining and tracing method and device for terminal attack and computer equipment

An attack-graph technique for terminals, applied in the computer field, that addresses the high computing, storage, space and time costs of existing approaches and achieves reduced storage consumption and a small amount of calculation.

Active Publication Date: 2021-01-29
杭州奇盾信息技术有限公司 +1

AI Technical Summary

Problems solved by technology

[0006] However, the above works all aim to restore the complete attack steps, so they consume a lot of space when storing events and a lot of time when computing. Most importantly, existing methods cannot solve the dependency explosion problem; they can only alleviate it, at huge computation and storage cost, so it is currently impossible to obtain a complete attack graph that is free of misjudgment. At the same time, in an enterprise environment, hundreds or even more warnings are generated every day, and security managers need to manually determine whether each one is a real attack.

Embodiment Construction

[0053] In order to make the purpose, technical solution and advantages of the present application clearer, the present application will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present application, and are not intended to limit the present application.

[0054] The forensics and source tracing method for terminal attacks provided by this application can also be applied to an environment that has only a terminal, in which case the entire forensics and source tracing method is implemented on the terminal. The terminal may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer, or the like.

[0055] The forensics and source tracing method for terminal attacks provided by this application can be applied in the application environment shown in Figure 1, in which the terminal 102 communicates ...

Abstract

The invention discloses a forensics and source tracing method and device for terminal attacks, and computer equipment. The method comprises the following steps: obtaining a forensics and source tracing request; according to the request, obtaining the object corresponding to the process, file or event to be traced, all labels of the object, and the event information of the event related to each label, and adding the object to a pre-constructed attack graph; adding all labels corresponding to the object to a pre-established label set; traversing the label set; and, for each label, obtaining the object corresponding to the label and adding that object to the attack graph, while also obtaining the associated labels of the label and adding them to the label set for traversal. With this method, device and computer equipment, the sources of all the labels on the object are explained and tracing follows the process by which the labels were generated, so that a relatively complete attack graph is constructed rapidly, storage consumption and the amount of calculation are greatly reduced, and the method becomes more widely applicable.
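The label-set traversal described in the abstract can be sketched as a worklist algorithm. This is an added example, not code from the patent: the tag store layout, the `trace` function, the cause-to-effect edge direction and all sample records are assumptions constructed for illustration.

```python
from collections import deque

# Constructed tag store: tag id -> (object the tag was generated on,
# event information recorded with it, associated tag ids it was derived from).
TAGS = {
    "T1": ("file:/tmp/invoice.docm", "browser wrote file from network", []),
    "T2": ("proc:winword.exe", "process read tagged file", ["T1"]),
    "T3": ("proc:powershell.exe", "spawned by tagged process", ["T2"]),
    "T4": ("proc:powershell.exe", "outbound network connection", ["T3"]),
    "T5": ("file:/tmp/payload.bin", "written by tagged process", ["T3", "T4"]),
    "T9": ("proc:backup.exe", "scheduled job read archive", []),  # unrelated
}
# Constructed index: object -> tags currently attached to it.
OBJECT_TAGS = {"file:/tmp/payload.bin": ["T5"], "proc:backup.exe": ["T9"]}


def trace(request_object, tags=TAGS, object_tags=OBJECT_TAGS):
    """Build an attack graph for one object by following its tags to their sources."""
    nodes, edges, evidence, missing = {request_object}, set(), [], []
    pending = deque(object_tags.get(request_object, []))  # the label set
    seen = set(pending)
    while pending:
        tag_id = pending.popleft()
        if tag_id not in tags:  # dangling reference, e.g. a record that was purged
            missing.append(tag_id)
            continue
        obj, event, associated = tags[tag_id]
        nodes.add(obj)  # object corresponding to the tag joins the graph
        evidence.append((tag_id, obj, event))
        for parent in associated:
            if parent in tags and tags[parent][0] != obj:
                # Assumed edge direction: object of the source tag -> this object.
                edges.add((tags[parent][0], obj))
            if parent not in seen:  # each tag is expanded once, so cycles terminate
                seen.add(parent)
                pending.append(parent)
    return {"nodes": nodes, "edges": edges, "evidence": evidence, "missing": missing}


if __name__ == "__main__":
    graph = trace("file:/tmp/payload.bin")
    for tag_id, obj, event in graph["evidence"]:
        print(tag_id, obj, event)
```

Only objects reachable through tag associations enter the graph, so the unrelated `proc:backup.exe` activity is never touched, which is where the storage and computation savings claimed in the abstract come from.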

Description

Technical field

[0001] The present application relates to the field of computer technology, in particular to a method, device, and computer equipment for forensics and source tracing of terminal attacks.

Background technique

[0002] APT attack, that is, advanced persistent threat attack, also known as targeted threat attack, refers to a continuous and effective attack activity launched by an organization against a specific target. This kind of attack is highly concealed and targeted, and usually uses various means such as infected media, supply chain and social engineering to carry out advanced, persistent and effective threats and attacks. The increasingly complex Advanced Persistent Threat (APT) has become a major topic of enterprise IT security. Over the past decade, more than 6,000 serious APT incidents have been reported. Large businesses, in particular, such as Target and Home Depot, have suffered significant financial and reputational damage.

[0003] Attac...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06F21/55
CPC: G06F21/56, G06F21/552
Inventor: 熊春霖, 阮琳琦, 宋哲, 陈焰, 王昆
Owner: 杭州奇盾信息技术有限公司