[0051] The technical solution of the present invention will now be described in detail with reference to embodiments. The following examples serve only to illustrate the technical solution of the present invention more clearly; they are given by way of example only and are not intended to limit the scope of the invention.
[0052] It should be understood that, when used in this specification and the appended claims, the terms "comprising" and "including" indicate the presence of the stated features, wholes, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, wholes, steps, operations, elements, components and/or groups thereof.
[0053] It should also be understood that the terms used in the specification of the present invention are merely for describing particular embodiments and are not intended to limit the invention. As used in the specification of the present invention and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
[0054] It should further be understood that the term "and/or", as used in the specification of the present invention and the appended claims, refers to any and all possible combinations of one or more of the associated listed items, and includes these combinations.
[0055] A graph database is ideally suited to network security threat detection. A network is made up of components and processes: the Internet is an interconnected system of servers, routers, bridges, notebook computers, smart phones and other components, together with processes that define how these systems work together. Any attack depends on these entities being interconnected in order to succeed, and an attack is a series of events between these entities. The interconnections between these entities can be represented perfectly in a graph database, so any attack, whether external or internal, can be modelled with a graph database. Accordingly, an embodiment of the present invention provides a network attack traceability system based on a graph database, as shown in Figure 1, comprising:
[0056] a graph database module, which stores a sample data set; the sample data set is constructed from user habits and from a data set of real network attack patterns;
[0057] the sample data set comprises entity information, the attribute information corresponding to the entity information, and the relationships between items of entity information;
[0058] an attack detection module, for acquiring alarm information;
[0059] a traceability analysis module, which traces the source of the network attack according to the alarm information in conjunction with the sample data set, to obtain the IP address from which the network attack was launched; specifically, the traceability analysis module traces the network attack on the basis of the alarm information, the entity information and the relationships between items of entity information, and obtains the IP address from which the network attack was launched;
[0060] wherein the types of entity information include alarm type, event, service process, IP, user ID, resource and alarm. The attribute information corresponding to the alarm type includes the alarm type name; the attribute information corresponding to the event includes the event number, start time, end time, event type, return code and termination point; the attribute information corresponding to the service process includes the service process number, service name and service process type; the attribute information corresponding to the IP includes the IP address; the attribute information corresponding to the user ID includes the user ID number; the attribute information corresponding to the resource includes the resource ID, resource type and URL; and the attribute information corresponding to the alarm includes the alarm number and alarm type.
[0061] In an embodiment of the present invention, the sample data set contains 1 alarm type, 10 alarms, 38 events, 10 service processes, 3 IP addresses, 3 items of user ID information and 7 resources.
[0062] Specifically, the basic user information comprises an externally unique identification ID of the user; the alarm type information is an alarm type, which contains different alarms, and in the embodiment of the present invention the sample data set is set to ten different alarms of the same type; the event information is a user operation, and an event includes the IP address, calls computer resources, and results in a service process.
[0063] The network attack traceability system further includes a recording module, for recording the IP address from which the network attack was launched and storing it as a blacklisted IP address in an IP address blacklist.
[0064] The network attack traceability system further includes a warning module, configured to detect whether an IP address is a blacklisted IP address and, if so, to issue an alarm reminder.
[0065] The network attack traceability system further includes a display module, for displaying the IP address blacklist in the form of a visual chart.
[0066] Embodiments of the present invention can help combat network security threats in a variety of ways, for example:
[0067] 1) Finding patterns of related malicious behaviour (for example, a user inserting a removable disk, copying files and then removing the disk, or a restricted user reading a file after bypassing the firewall inspection). A graph database can be used to find these patterns in real time and prevent confidential information from being stolen.
[0068] 2) Tracing an error, alarm or problem back to its source. For example, when someone attempts to send an alert and it is generated, a file may be damaged, or the user connected to it receives a high CPU usage alarm. A graph database can trace these alerts back to the user and even to a specific IP address (note that tracing these alerts successfully requires traversing multiple hops); with a graph database this may take only minutes or seconds, whereas with a relational database it takes minutes or even hours.
[0069] 3) Detecting abnormal conditions, such as a service receiving far more requests than usual (including flood detection events), or a service receiving a large number of requests from a single user, which may indicate that the user is probing the service for security weaknesses. When such a probing event occurs, the normal behaviour patterns modelled in the graph database make it possible to detect the abnormal event in real time. Feature sets for machine learning can be extracted from the graph: one feature is the length of the shortest path from a new user to a blacklisted user or IP address, another is the number of blacklisted users within one hop, two hops, three hops and so on, and another is a k-nearest neighbour (KNN) description of the new user's environment. Graph features of this kind are easy to generate and can be used to train artificial intelligence for real-time detection and prevention of Internet-scale network security attacks.
[0070] An embodiment of the present invention further provides a network attack traceability method based on a graph database, which is based on the above network attack traceability system based on a graph database. The network attack traceability method comprises the following steps:
[0071] constructing the sample data set, the sample data set comprising entity information, the attribute information corresponding to the entity information, and the relationships between items of entity information;
[0072] acquiring alarm information;
[0073] tracing the network attack according to the alarm information in conjunction with the sample data set, to obtain the IP address from which the network attack was launched.
[0074] The types of entity information include alarm type, event, service process, IP, user ID, resource and alarm;
[0075] the attribute information corresponding to the alarm type includes the alarm type name; the attribute information corresponding to the event includes the event number, start time, end time, event type, return code and termination point; the attribute information corresponding to the service process includes the service process number, service name and service process type; the attribute information corresponding to the IP includes the IP address; the attribute information corresponding to the user ID includes the user ID number; the attribute information corresponding to the resource includes the resource ID, resource type and URL; and the attribute information corresponding to the alarm includes the alarm number and alarm type.
[0076] The network attack traceability method further comprises the following steps:
[0077] recording the IP address from which the network attack was launched and storing it as a blacklisted IP address in the IP address blacklist;
[0078] detecting whether an IP address is a blacklisted IP address and, if so, issuing an alarm reminder;
[0079] displaying the IP address blacklist in the form of a visual chart.
[0080] In particular, the graph database of an embodiment of the present invention is constructed by treating the network entities as nodes and the relationships between them as edges, wherein the entity information is the point (node) type and the relationship between items of entity information is the edge type. As in Figure 2, an embodiment of the present invention is a simple multi-user network security graph model comprising user ID, IP, resource, event, service process, alarm and alarm type. The point types in the model are shown in Table 1:
[0081] Table 1
[0084] The edge types in the model are shown in Table 2:
[0085] Table 2
[0086]
Start point type   Edge type            End point type    Attributes
Service process    Service_lert         alarm             /
event              TO_SERVICE           Service process   /
event              HAS_IP               IP                /
event              OUTPUT_TO_RESOURCE   resource          /
User ID            User_event           event             /
resource           Read_From_Resource   event             /
alarm              Alert_HAS_TYPE       Alarm type        /
Service process    From_service         event             /
[0087] Based on Table 1, Table 2 and Figure 2, the relationships between the points in an embodiment of the present invention make it possible to fix on a specific alarm of a given alarm type and analyse the source of risk for that alarm type: the alarm can be traced to a specific service process; the service process is recorded in an event; the event also records the resource it calls; the same resource is called by other events, which are generated by certain users and can be traced back to their IPs. This involves a query over multiple related event tables; when a relational database handles such a deep-chain query it takes too long and the result is unsatisfactory. In network security, time comes first: the longer the query takes, the greater the loss. With a graph database, the source of risk is analysed well in advance, so that the next time an IP of this kind comes in, attention can be focused on the associated alarm type and an early warning given.
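The trace chain just described, walked over an in-memory graph that follows the Table 2 edge schema. This is an added example, not code from the patent: the Graph class, the node identifiers, the IP addresses and the alarm type name are constructed sample data, and the edge directions are those given in Table 2.

```python
from collections import defaultdict

class Graph:
    """Minimal property graph: nodes are (type, id) tuples, edges are typed and directed."""
    def __init__(self):
        self.out = defaultdict(list)  # start node -> [(edge type, end node)]
        self.inc = defaultdict(list)  # end node -> [(edge type, start node)]

    def add_edge(self, start, edge_type, end):
        self.out[start].append((edge_type, end))
        self.inc[end].append((edge_type, start))

    def step(self, nodes, edge_type, reverse=False):
        """One hop along edge_type from every node in nodes; reverse walks end -> start."""
        table = self.inc if reverse else self.out
        return {n for node in nodes for et, n in table.get(node, []) if et == edge_type}

def trace_alarm_type(g, alarm_type_name):
    """Alarm type -> alarm -> service process -> event -> IP, following Table 2 directions."""
    alarms = g.step({("Alarm type", alarm_type_name)}, "Alert_HAS_TYPE", reverse=True)
    services = g.step(alarms, "Service_lert", reverse=True)
    events = g.step(services, "TO_SERVICE", reverse=True) | g.step(services, "From_service")
    resources = g.step(events, "OUTPUT_TO_RESOURCE")
    events |= g.step(resources, "Read_From_Resource")  # other events that call the same resource
    return {ip for _, ip in g.step(events, "HAS_IP")}

def record_blacklist(blacklist, ips):
    """Recording module: store the traced IPs; the warning module then tests `ip in blacklist`."""
    blacklist.update(ips)
    return blacklist

def build_sample_graph():
    """Constructed sample data (not the patent's data set), one edge per Table 2 row."""
    g = Graph()
    for start, edge, end in [
        (("Service process", "S1"), "Service_lert", ("alarm", "A1")),
        (("alarm", "A1"), "Alert_HAS_TYPE", ("Alarm type", "high-cpu")),
        (("event", "E1"), "TO_SERVICE", ("Service process", "S1")),
        (("event", "E1"), "HAS_IP", ("IP", "10.0.0.5")),
        (("event", "E1"), "OUTPUT_TO_RESOURCE", ("resource", "R1")),
        (("resource", "R1"), "Read_From_Resource", ("event", "E2")),
        (("event", "E2"), "HAS_IP", ("IP", "192.0.2.9")),
        (("User ID", "U1"), "User_event", ("event", "E1")),
        (("event", "E3"), "TO_SERVICE", ("Service process", "S2")),  # unrelated service, no alarm
        (("event", "E3"), "HAS_IP", ("IP", "10.0.0.7")),
    ]:
        g.add_edge(start, edge, end)
    return g
```

Running `trace_alarm_type(build_sample_graph(), "high-cpu")` returns both the IP of the event that hit the alarmed service and the IP of the second event that read the same resource, while the event against the unrelated service is left out.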
[0088] An embodiment of the present invention further provides a network attack traceability apparatus based on a graph database. As in Figure 3, the apparatus includes an input device, an input interface, a central processing unit, a memory, an output interface and an output device, wherein the input interface, central processing unit, memory and output interface are interconnected by a bus, and the input device and output device are connected to the bus, and thus to the other components of the apparatus, through the input interface and the output interface respectively. Specifically, the input device receives input information from outside via the input interface and transmits the input information to the central processing unit. The central processing unit processes the input information according to computer-executable program code stored in the memory to generate output information, which is stored temporarily or permanently in the memory and then transmitted through the output interface to the output device; the output device outputs the output information to an external device for use by the user.
[0089] In the face of ever-growing and increasingly interrelated data, existing solutions have not been able to meet the needs of enterprises. The network attack traceability system, method and apparatus based on a graph database use the graph database to find hidden relationships between data, can find risky IPs faster, give warnings in advance, and reduce possible losses to a minimum.
[0090] It should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention, not to limit it. The technical solution described in the foregoing embodiments may still be modified, or some or all of its technical features may be replaced by equivalents, and these modifications or replacements do not cause the essence of the corresponding technical solution to depart from the present invention; they should be included in the scope of the claims and description of the invention.