A distributed brute force attack cooperative detection and tracing method and device
By constructing a global log dataset and performing spatiotemporal correlation analysis and multidimensional feature confidence assessment, the problem of cross-tenant collaborative detection and tracing of distributed brute-force attacks in cloud platforms was solved, realizing network-wide collaborative response and efficient threat tracing, and improving the security protection capabilities of cloud platforms.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Application (China)
- Current Assignee / Owner: CHINA ELECTRONICS CLOUD DIGITAL INTELLIGENCE TECH CO LTD
- Filing Date: 2026-03-31
- Publication Date: 2026-06-16
AI Technical Summary
Existing cloud platforms suffer from problems such as tenant data silos, limitations of static rule detection, fragmented response strategies, and lack of cross-tenant tracing capabilities when facing distributed brute-force attacks, making it difficult to effectively deal with collaborative attacks in multi-tenant environments.
By collecting and aggregating brute-force attack logs from various tenants, a global log dataset is constructed. Spatiotemporal correlation analysis is performed to identify source IP clusters, multi-dimensional feature confidence assessment is conducted, high-confidence attack clusters are generated, and global threat intelligence is distributed collaboratively to achieve cross-tenant attack tracing and report push.
Build a global attack detection perspective to achieve "one-point detection, network-wide blocking", reduce false alarm rate, enhance threat hunting capabilities, form a closed-loop mechanism for continuous detection and response, and improve the overall security protection effectiveness of the cloud platform.
Abstract figure: CN122226431A_ABST
Description
Technical Field
[0001] This invention relates to the field of cloud computing security technology, and in particular to a method and device for collaborative detection and tracing of distributed brute-force attacks.
Background Technology
[0002] Brute-force attacks, a common cyberattack method, involve attackers illegally gaining access to cloud assets by trying numerous username and password combinations, thereby committing malicious acts such as data theft, ransomware implantation, and resource abuse. In the cloud environment, brute-force attacks exhibit new characteristics: attackers often utilize distributed botnets, circumventing threshold detection at the single-tenant level by rotating source IPs and controlling attack frequency, to achieve low-frequency coordinated attacks against multiple tenants.
[0003] To address these threats, existing cloud security centers typically deploy independent detection and response mechanisms within each tenant. Specifically, each tenant's cloud security center is responsible for collecting brute-force attack logs of that tenant's cloud assets, performing anomaly detection based on preset static thresholds (such as the number of failed login attempts per unit time), and triggering alerts or implementing blocking policies upon detecting an attack. This single-tenant isolated security architecture has the following shortcomings in practical applications:
[0004] 1. Data silos among tenants lead to a lack of global perspective. Cloud security centers typically isolate logs and alerts by tenant. Each tenant can only perceive attacks targeting their own assets, making it impossible to perform global correlation analysis of cross-tenant attacks at the platform level. Attackers can bypass detection by distributing attack traffic across multiple tenants, ensuring that the attack frequency observed by each tenant is below the single-tenant threshold.
[0005] 2. Static rule detection mechanisms have limitations. Existing detection methods mainly rely on static rules based on single-tenant thresholds, which cannot detect global attack patterns. Attackers can exploit this deficiency by rotating attack IPs and controlling attack frequency to make the attack characteristics from a single-tenant perspective appear "slow" and difficult to trigger alerts. At the same time, static rules are difficult to adapt to dynamic changes in attack methods and lack the ability to identify new attack patterns.
[0006] 3. Fragmented response strategies create response time gaps. Even if a tenant detects and blocks an attacking IP, other tenants still need to independently go through the complete detection process before triggering the blocking policy. This response time gap provides attackers with a window of opportunity, allowing them to use the same attack resources to continue attacking other unblocked tenants, creating a situation of "one point blocked, multiple points compromised".
[0007] 4. Lack of in-depth analysis of attack intent. Existing systems typically only record single sign-on failures, failing to perform causal correlation analysis between brute-force attacks and subsequent intrusion activities (such as lateral movement, privilege escalation, configuration tampering, and data theft). Security personnel struggle to reconstruct the complete attack chain from isolated alerts, making it impossible to accurately assess the true scope and intent of the attack.
[0008] 5. Lack of cross-tenant attribution capabilities. When an attack affects multiple tenants, there is a lack of a unified view of the attack chain. Each tenant is unaware of the overall scale of the attack, the attacker's behavioral patterns, and the impact of the attack on other tenants, resulting in a lack of global coordination in security response and making it difficult to form an effective threat hunting capability.
[0009] Chinese patent CN119011184A discloses a large-scale attack monitoring method based on real-time computing. This method detects attacks based on C-segment addresses and preset thresholds. It lacks cross-tenant global correlation analysis, confidence assessment, network-wide collaborative response, and complete attack chain tracing capabilities, and cannot effectively meet the detection and response needs of distributed brute-force attacks in a multi-tenant environment of cloud platforms.
[0010] Therefore, how to provide a method that enables distributed collaborative detection and tracing of brute-force attacks at the global level of the cloud platform, in order to overcome the limitations of the single-tenant perspective and improve the overall security protection capabilities of the cloud platform, has become an urgent technical problem to be solved.
Summary of the Invention
[0011] In view of this, in order to overcome the shortcomings of the prior art, the present invention aims to provide a method and device for collaborative detection and tracing of distributed brute-force attacks.
[0012] According to a first aspect of the present invention, a method for collaborative detection and tracing of distributed brute-force attacks is provided, the method comprising:
[0013] Step S1: Collect and aggregate brute-force attack logs from each tenant on the cloud platform, extract key fields, and build a global log dataset;
[0014] Step S2: Identify the source IP clusters that launch coordinated attacks against multiple tenants from the global log dataset through spatiotemporal correlation analysis, and determine the source IP clusters of distributed coordinated attacks based on the cluster size and the number of affected tenants.
[0015] Step S3: Perform multi-dimensional feature confidence assessment on the source IP clusters identified as distributed collaborative attacks to generate high-confidence attack clusters;
[0016] Step S4: Generate global threat intelligence based on the high-confidence attack cluster and distribute it to all tenants, while simultaneously conducting cross-tenant attack tracing and report push.
[0017] Optionally, in the distributed brute-force attack collaborative detection and tracing method of the present invention, step S1 includes: the platform receiving brute-force related logs reported by all tenants, cleaning and normalizing the logs, extracting key fields including source IP, target IP, tenant ID, timestamp, username, authentication result and target port, and constructing a log dataset with a globally unified format.
[0018] Optionally, in the distributed brute-force attack collaborative detection and tracing method of the present invention, step S2 identifies the source IP cluster that is launching a collaborative attack against multiple tenants through single IP cross-tenant behavior detection, sliding window aggregation and IP association graph construction.
[0019] Optionally, in the distributed brute-force attack collaborative detection and tracing method of the present invention, in step S2 the single IP cross-tenant behavior detection is performed in the following manner:
[0020] The constructed global log dataset is grouped by source IP, and a status table is maintained for each source IP. This status table is used to record the tenant identifiers attacked by the source IP within a preset time window.
[0021] When any source IP attacks two or more tenants within the time window, the source IP is marked as a suspicious IP and a list of the tenants it attacked is output.
[0022] A timer is also set to periodically clean up expired states.
[0023] Optionally, in the distributed brute-force attack collaborative detection and tracing method of the present invention, in step S2 the sliding window aggregation and IP association graph construction are performed in the following manner:
[0024] Set a sliding time window, and collect all suspicious IP records and their corresponding tenant lists within the current window when the window is triggered;
[0025] Using source IPs as the first type of nodes and tenants as the second type of nodes, construct an IP-tenant bipartite graph based on the attack relationship between suspicious IPs and tenants;
[0026] The connected component algorithm is used to calculate all connected components in the IP and tenant bipartite graph, and the set of all source IP nodes in each connected component is regarded as a potential attack IP cluster.
[0027] Optionally, in the distributed brute-force attack collaborative detection and tracing method of the present invention, step S2 determines the source IP cluster of the distributed collaborative attack based on the cluster size and the number of affected tenants in the following manner:
[0028] Count the number of source IPs in each potential attack IP cluster and the number of tenants affected by that cluster;
[0029] When the number of source IPs reaches three or more and the number of affected tenants reaches two or more, the IP cluster is identified as a distributed collaborative attack cluster.
[0030] Optionally, in the distributed brute-force attack collaborative detection and tracing method of the present invention, step S3 includes: dynamically profiling the source IP cluster determined to be a distributed collaborative attack, selecting cluster size, cross-tenant breadth, temporal coordination, behavioral similarity, and threat intelligence matching as evaluation features, wherein the cluster size feature is calculated by normalizing the number of source IPs in the IP cluster, the cross-tenant breadth feature is calculated by normalizing the number of attacked tenants, the temporal coordination feature is quantified based on whether the attack times of the source IPs in the IP cluster follow a relay pattern, the behavioral similarity feature is quantified based on the Jaccard similarity of the usernames and ports used by the source IPs in the cluster, and the threat intelligence matching feature is quantified based on the proportion of source IPs in the cluster that are marked as malicious in the threat intelligence database; and calculating a confidence score through a weighted scoring model, wherein the cluster is determined to be a high-confidence attack cluster if the confidence score is higher than a preset threshold.
[0031] Optionally, in the distributed brute-force attack collaborative detection and tracing method of the present invention, in step S4, global threat intelligence is generated and collaboratively distributed to all tenants in the following manner: based on the source IP information in the high-confidence attack cluster, a global threat intelligence containing a list of malicious IPs is generated; through the unified policy distribution interface of the cloud platform, the global threat intelligence is distributed in real time to the boundary protection devices of all tenants, including cloud firewalls, WAFs and security groups.
[0032] Optionally, in the distributed brute-force attack collaborative detection and tracing method of the present invention, in step S4, cross-tenant attack tracing and report push are performed in the following manner: based on the source IP information in the identified high-confidence attack cluster, the historical attack behavior in the global log library is correlated and queried to restore the attack timeline, the evolution trajectory of the attack target in different tenants and the changes in attack methods, a visualized cross-tenant attack link diagram is generated, and a structured tracing report is formed and pushed to all affected tenants through the cloud security center; after the boundary protection devices of each tenant execute the blocking policy, the blocking result is fed back to the platform side.
[0033] According to a second aspect of the present invention, a computer device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the method described in the first aspect of the present invention.
[0034] The distributed brute-force attack collaborative detection and tracing method of the present invention can construct a global attack detection field; realize a collaborative response mechanism of "discovery at one point, blocking across the entire network"; construct a multi-dimensional feature confidence evaluation model to reduce the false alarm rate; restore the complete attack chain to enhance threat hunting capability; and form a closed-loop mechanism for continuous detection and response to improve the overall security protection efficiency of cloud platforms.
Description of the Attached Figures
[0035] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0036] Figure 1 is a flowchart illustrating a distributed brute-force attack collaborative detection and tracing method according to Exemplary Embodiment 1 of the present invention;
[0037] Figure 2 is a flowchart illustrating the single-IP cross-tenant behavior detection process of the distributed brute-force attack collaborative detection and tracing method according to Exemplary Embodiment 1 of the present invention;
[0038] Figure 3 is a flowchart illustrating the distributed collaborative attack determination process of the distributed brute-force attack collaborative detection and tracing method according to Exemplary Embodiment 1 of the present invention;
[0039] Figure 4 is a schematic diagram illustrating the technical principle of distributed attack pattern recognition in the distributed brute-force attack collaborative detection and tracing method according to Exemplary Embodiment 1 of the present invention;
[0040] Figure 5 is a flowchart illustrating the cross-tenant attack tracing analysis process of the distributed brute-force attack collaborative detection and tracing method according to Exemplary Embodiment 1 of the present invention;
[0041] Figure 6 is a schematic diagram of the structure of the device provided by the present invention.
Detailed Description
[0042] The embodiments of the present invention will now be described in detail with reference to the accompanying drawings.
[0043] It should be noted that, in the absence of conflict, the following embodiments and features can be combined with each other; and, based on the embodiments of this disclosure, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this disclosure.
[0044] It should be noted that various aspects of embodiments within the scope of the appended claims are described below. It will be apparent that the aspects described herein can be embodied in a wide variety of forms, and any particular structure and / or function described herein is merely illustrative. Based on this disclosure, those skilled in the art will understand that one aspect described herein can be implemented independently of any other aspect, and two or more of these aspects can be combined in various ways. For example, any number of aspects set forth herein can be used to implement the device and / or practice the method. Additionally, this device and / or method can be implemented using structures and / or functionalities other than one or more of the aspects set forth herein.
[0045] Example 1
[0046] Exemplary Embodiment 1 of the present invention provides a method for collaborative detection and tracing of distributed brute-force attacks. Figure 1 is a flowchart illustrating this method. As shown in Figure 1, this embodiment implements the method of the present invention in the following manner:
[0047] Step S1: Collect and aggregate brute-force attack logs from each tenant on the cloud platform, extract key fields, and build a global log dataset.
[0048] In this embodiment, the platform receives brute-force attack-related logs reported by all tenants, cleans and normalizes the logs, and extracts key fields including source IP, target IP, tenant ID, timestamp, username, authentication result and target port to construct a log dataset with a globally unified format.
[0049] Step S2: Identify the source IP clusters that launch coordinated attacks against multiple tenants from the global log dataset through spatiotemporal correlation analysis, and determine the source IP clusters of distributed coordinated attacks based on the cluster size and the number of affected tenants.
[0050] In this embodiment, source IP clusters that launch coordinated attacks against multiple tenants are identified through single IP cross-tenant behavior detection, sliding window aggregation, and IP association graph construction.
[0051] This embodiment reads the preprocessed global log dataset and applies spatiotemporal correlation analysis (for example, the Flink streaming computing framework, sliding time windows, and IP association graph construction) to analyze the occurrence patterns of source IPs across different tenants' logs, identifying source IPs that are launching low-frequency, rotating attacks against multiple tenants. If the attack scale of the identified IP cluster (e.g., number of IPs, total number of attacks, number of affected tenants) exceeds a preset threshold, it is determined to be a distributed, coordinated attack and the attack cluster information is output; otherwise, the data is archived and temporarily stored for continuous monitoring.
[0052] Figure 2 is a flowchart illustrating the single-IP cross-tenant behavior detection process of this method. As shown in Figure 2, in this embodiment single-IP cross-tenant behavior detection is performed in the following manner:
[0053] The constructed global log dataset is grouped by source IP, and a status table is maintained for each source IP. This status table is used to record the tenant identifiers attacked by the source IP within a preset time window. When the number of tenants attacked by any source IP within the time window reaches two or more, the source IP is marked as a suspicious IP, and a list of tenants attacked by it is output. At the same time, a timer is set to periodically clean up expired statuses.
[0054] In this embodiment, sliding window aggregation and IP association graph construction are performed in the following manner:
[0055] Set a sliding time window, and collect all suspicious IP records and their corresponding tenant lists within the current window when the window is triggered; construct an IP and tenant bipartite graph based on the attack relationship between suspicious IPs and tenants, with source IPs as the first type of nodes and tenants as the second type of nodes; use the connected component algorithm to calculate all connected components in the IP and tenant bipartite graph, and take the set of all source IP nodes in each connected component as a potential attack IP cluster.
[0056] Figure 3 is a flowchart illustrating the distributed collaborative attack determination process of this method. As shown in Figure 3, this embodiment determines the source IP cluster of a distributed collaborative attack based on the cluster size and the number of affected tenants in the following way: count the number of source IPs in each potential attack IP cluster and the number of tenants affected by the cluster; when the number of source IPs reaches three or more and the number of affected tenants reaches two or more, the IP cluster is determined to be a distributed collaborative attack cluster.
[0057] Figure 4 is a schematic diagram illustrating the technical principle of distributed attack pattern recognition in this method. As shown in Figure 4, a sliding window is used to analyze the temporal correlation of source IPs in different tenants' logs. When the same group of IPs (IP1, IP2) is found to exhibit a relay pattern in time across the logs of different tenants, while the attack frequency seen by any one tenant remains below the single-tenant threshold, a distributed coordinated attack is determined.
[0058] Step S3: Perform multi-dimensional feature confidence assessment on the source IP clusters identified as distributed collaborative attacks to generate high-confidence attack clusters.
[0059] Dynamic profiling is performed on source IP clusters identified as distributed collaborative attacks. Cluster size, cross-tenant breadth, temporal coordination, behavioral similarity, and threat intelligence matching are selected as evaluation features. Specifically, cluster size is calculated using a normalized formula based on the number of source IPs in the cluster; cross-tenant breadth is calculated using a normalized formula based on the number of attacked tenants; temporal coordination is quantified based on whether the attack times of the source IPs within the cluster follow a relay pattern; behavioral similarity is quantified based on the Jaccard similarity of usernames and ports used by the source IPs within the cluster; and threat intelligence matching is quantified based on the proportion of source IPs within the cluster that are maliciously marked in the threat intelligence database. A weighted scoring model is used to calculate a confidence score. If the confidence score is higher than a preset threshold, the cluster is identified as a high-confidence attack cluster.
[0060] Step S4: Generate global threat intelligence based on the high-confidence attack cluster and distribute it to all tenants, while simultaneously conducting cross-tenant attack tracing and report push.
[0061] Figure 5 is a flowchart illustrating the cross-tenant attack tracing analysis performed by this method. As shown in Figure 5, in this embodiment a global threat intelligence containing a list of malicious IPs is generated based on the source IP information in the high-confidence attack cluster. The global threat intelligence is then distributed in real time to the boundary protection devices of all tenants through the unified policy distribution interface of the cloud platform. The boundary protection devices include cloud firewalls, WAFs, and security groups.
[0062] Based on the source IP information in the identified high-confidence attack clusters, the historical attack behaviors in the global log library are correlated and queried to reconstruct the attack timeline, the evolution trajectory of the attack targets across different tenants, and the changes in attack methods. A visualized cross-tenant attack chain diagram is generated, and a structured source tracing report is formed and pushed to all affected tenants through the cloud security center. After each tenant's boundary protection device executes the blocking policy, the blocking results are fed back to the platform side.
[0063] Example 2
[0064] Exemplary Embodiment 2 of the present invention provides a method for collaborative detection and tracing of distributed brute-force attacks. This embodiment implements the method of the present invention according to the following steps:
[0065] Step 1: Log Collection and Reporting
[0066] Each tenant's cloud security center continuously collects logs related to brute-force attacks on their cloud assets (such as SSH attacks). These logs are reported to the platform in real time or in batches.
[0067] Step 2: Log aggregation and preprocessing
[0068] The platform receives logs reported by all tenants, cleans and normalizes them, and extracts key fields (such as source IP, destination IP, tenant ID, timestamp, username, authentication result, destination port, etc.) to form a global log dataset in a unified format. An example of a global log dataset formed according to the method described in the implementation example is as follows:
[0069]
{
  "log_id": "3d7d9a0fade13758c4ab695898337394_1772175141896132620",
  "agent_id": "3d7d9a0fade13758c4ab695898337394",
  "assets_data": {"pin": "000000"},
  "os_data": {
    "os_type": "linux",
    "os_version": "CCLinux 22.09.2",
    "kernel_version": "5.15.131-26.cl9.x86_64",
    "arch": "x86_64"
  },
  "log_timestamp": 1772175141,
  "log_type": "cwp_linux_ssh_flow",
  "host_data": {
    "host_ip": ["10.255.168.11", "10.255.168.100", "10.255.168.84"],
    "host_name": "x86b-db-4"
  },
  "region_az": {"name": "clusterx86"},
  "log_content": {
    "connect_ip": "10.255.168.1",
    "connect_port": 42006,
    "login_ip_type": 0,
    "login_port": 22,
    "login_protocol": "ssh2",
    "login_time": "2026-02-27 14:36:45",
    "login_timestamp": 1772203005,
    "login_type": "publickey",
    "login_user": "ccadmin",
    "pid": 1330005,
    "pname": "sshd",
    "reason": "session closed",
    "session_status": 2,
    "status": 0,
    "type": "logout",
    "user_type": 0
  }
}
[0070] Step 3: Distributed attack pattern identification
[0071] First, the system consumes brute-force attack logs reported by each tenant in real time from the message queue, extracts key fields such as source IP, tenant ID, and timestamp, assigns an event timestamp to each log entry, and sets up a watermark mechanism to handle out-of-order data.
[0072] Then, the logs are grouped by source IP, and a status table is maintained for each IP, recording all tenants it attacked within a time window. When an IP attacks two or more tenants, it is identified as a "suspicious IP," and its list of attacked tenants is output to the next stage. The system also sets a timer to periodically clean up expired statuses.
[0073] Next, a sliding time window is set (e.g., window length 30 minutes, sliding step size 5 minutes). When the window is triggered, all suspicious IP records are collected, and an IP-tenant bipartite graph is constructed: IP nodes and tenant nodes are connected by edges. All connected components in the graph are found using a connected component algorithm, and the IP nodes in each connected component constitute a potential attack IP cluster.
[0074] Finally, the number of IPs and affected tenants in each cluster are counted. When the number of IPs reaches 3 or more and the number of affected tenants reaches 2 or more, it is determined to be a distributed coordinated attack, and the cluster information is output to the downstream confidence assessment.
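The following is an added Python example (not code from the patent or its assignee) of the Step 3 pipeline just described, also covering the equivalent description in Embodiment 1: a per-IP status table with window expiry, an IP-tenant bipartite graph, connected components, and the 3-IP / 2-tenant rule. The log records are constructed, the window is a fixed 30 minutes, and one batch stands in for the sliding-window trigger.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthLog:
    """One normalized brute-force log record (the key fields of step 2)."""
    src_ip: str
    tenant_id: str
    ts: int  # event timestamp in seconds


# Constructed sample (not from the patent): three IPs relaying across tenants
# A/B/C, one IP hammering a single tenant, a two-IP pair spanning two tenants,
# and one IP whose second tenant arrives after the 30-minute window expired.
T0 = 1772175000
SAMPLE_LOGS = [
    AuthLog("203.0.113.10", "A", T0 + 0),
    AuthLog("203.0.113.10", "B", T0 + 600),
    AuthLog("203.0.113.11", "B", T0 + 300),
    AuthLog("203.0.113.11", "C", T0 + 900),
    AuthLog("203.0.113.12", "C", T0 + 600),
    AuthLog("203.0.113.12", "A", T0 + 1200),
    AuthLog("198.51.100.5", "D", T0 + 0),
    AuthLog("198.51.100.5", "D", T0 + 60),
    AuthLog("198.51.100.5", "D", T0 + 120),
    AuthLog("198.51.100.5", "D", T0 + 180),
    AuthLog("192.0.2.1", "E", T0 + 0),
    AuthLog("192.0.2.1", "F", T0 + 400),
    AuthLog("192.0.2.2", "F", T0 + 200),
    AuthLog("192.0.2.2", "E", T0 + 800),
    AuthLog("203.0.113.13", "A", T0 + 100),
    AuthLog("203.0.113.13", "B", T0 + 3700),
]


def update_state(state, log, window_s):
    """Per-IP status table: tenant -> last-seen timestamp, dropping entries
    older than the window (the patent's timer-driven cleanup)."""
    tenants = state.setdefault(log.src_ip, {})
    tenants[log.tenant_id] = max(tenants.get(log.tenant_id, 0), log.ts)
    cutoff = log.ts - window_s
    for tenant in [t for t, last in tenants.items() if last < cutoff]:
        del tenants[tenant]
    return tenants


def suspicious_ips(logs, window_s=1800):
    """Single-IP cross-tenant detection: an IP that hits two or more tenants
    inside the window is flagged together with the tenants it touched.
    Logs are processed in event-time order."""
    state, flagged = {}, {}
    for log in sorted(logs, key=lambda entry: entry.ts):
        tenants = update_state(state, log, window_s)
        if len(tenants) >= 2:
            flagged[log.src_ip] = set(tenants)
    return flagged


def ip_clusters(flagged):
    """Build the IP-tenant bipartite graph from the flagged IPs and return its
    connected components (union-find), each as {'ips': ..., 'tenants': ...}."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path compression
            node = parent[node]
        return node

    for ip, tenants in flagged.items():
        for tenant in tenants:
            parent[find(("ip", ip))] = find(("tenant", tenant))

    components = defaultdict(lambda: {"ips": set(), "tenants": set()})
    for node in list(parent):
        kind, name = node
        components[find(node)][kind + "s"].add(name)
    return list(components.values())


def distributed_clusters(clusters, min_ips=3, min_tenants=2):
    """Apply the page's size rule: 3+ source IPs and 2+ affected tenants."""
    return [c for c in clusters
            if len(c["ips"]) >= min_ips and len(c["tenants"]) >= min_tenants]


if __name__ == "__main__":
    for cluster in distributed_clusters(ip_clusters(suspicious_ips(SAMPLE_LOGS))):
        print(sorted(cluster["ips"]), "->", sorted(cluster["tenants"]))
```

The single-tenant IP 198.51.100.5 is never flagged even though it fails most often, which is exactly the blind spot the cross-tenant criterion closes, while the two-IP pair forms a component but falls below the 3-IP rule.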
[0075] Step 4: Confidence Assessment
[0076] Upon receiving information about identified attacking IP clusters, the system dynamically profiles the cluster, combining built-in or external threat intelligence (such as botnet lists and proxy IP databases) with internal historical behavior to assess the attack confidence level of the cluster. A confidence score is calculated using a weighted scoring model. If the confidence score is higher than a preset threshold, a subsequent collaborative response is triggered; otherwise, the cluster may be archived or continue to be observed.
[0077] For example, in this embodiment, evaluation features are selected and confidence levels are assessed in the following manner.
[0078] Table 1
[0079]
[0080] Total score formula: Confidence = 0.15·S′ + 0.20·T′ + 0.25·C + 0.20·B + 0.20·I
[0081] Where S′ and T′ are normalized values (e.g., S′ = min(1, S/10), so that the cluster-size feature saturates at 10 IPs).
[0082] The following is an example illustration of this calculation:
[0083] Suppose an IP cluster containing 8 IPs is identified, which attacked 4 different tenants and had 4 valid relays within 30 minutes. The similarity of the behaviors was high (0.9), and 6 of the IPs matched the threat intelligence (e.g., were marked as proxy IPs).
[0084] The scores for each feature are: S′ = min(1, 8/10) = 0.8; T′ = 0.8; C = 1.0 (relay pattern present); B = 0.9; I = 6/8 = 0.75. Substituting into the total score formula:
[0085] Confidence = 0.15×0.8 + 0.20×0.8 + 0.25×1.0 + 0.20×0.9 + 0.20×0.75
[0086] = 0.12 + 0.16 + 0.25 + 0.18 + 0.15
[0087] = 0.86
[0088] If the set high confidence threshold is 0.7, then 0.86 > 0.7, triggering subsequent operations.
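An added Python example (not code from the patent) of the Step 4 scoring model, also covering the feature definitions given for step S3 in Embodiment 1: it reproduces the 0.86 worked example and scores a second, constructed cluster. The weights, S′ = min(1, S/10) and the 0.7 threshold come from the page; T′ = min(1, T/5) is an assumption chosen to match "4 tenants → 0.8", and the relay feature C is taken as an input because the page states no formula for it.

```python
from itertools import combinations

# Weights of the page's total score formula:
# Confidence = 0.15*S' + 0.20*T' + 0.25*C + 0.20*B + 0.20*I
WEIGHTS = {"S": 0.15, "T": 0.20, "C": 0.25, "B": 0.20, "I": 0.20}
SIZE_CAP = 10          # S' = min(1, S/10), as stated on the page
TENANT_CAP = 5         # T' = min(1, T/5): assumption reproducing 4 tenants -> 0.8
HIGH_CONFIDENCE = 0.7  # threshold used in the page's worked example


def normalize(value, cap):
    """Normalized feature in [0, 1]; values at or above the cap saturate at 1."""
    return min(1.0, value / cap)


def behavioral_similarity(profiles):
    """B: mean pairwise Jaccard similarity over each IP's set of usernames and
    target ports. profiles maps ip -> {"users": set, "ports": set}."""
    token_sets = [
        {("user", u) for u in p["users"]} | {("port", pt) for pt in p["ports"]}
        for p in profiles.values()
    ]
    if len(token_sets) < 2:
        return 0.0
    scores = [len(a & b) / len(a | b) for a, b in combinations(token_sets, 2)]
    return sum(scores) / len(scores)


def intel_match_ratio(ips, blocklist):
    """I: share of the cluster's IPs that the threat-intelligence database flags."""
    return sum(1 for ip in ips if ip in blocklist) / len(ips)


def confidence(size, tenants, coordination, similarity, intel_ratio):
    """Weighted score. coordination (C) is the relay-pattern feature in [0, 1];
    the page quantifies it from the relay pattern but gives no formula, so it
    is supplied by the caller here."""
    s_norm = normalize(size, SIZE_CAP)
    t_norm = normalize(tenants, TENANT_CAP)
    return (WEIGHTS["S"] * s_norm + WEIGHTS["T"] * t_norm
            + WEIGHTS["C"] * coordination + WEIGHTS["B"] * similarity
            + WEIGHTS["I"] * intel_ratio)


def is_high_confidence(score, threshold=HIGH_CONFIDENCE):
    return score > threshold


def assess_cluster(profiles, tenants, coordination, blocklist):
    """Score one cluster from its per-IP profiles; returns (score, is_high)."""
    score = confidence(len(profiles), tenants, coordination,
                       behavioral_similarity(profiles),
                       intel_match_ratio(profiles, blocklist))
    return round(score, 4), is_high_confidence(score)


# Constructed sample: a three-IP cluster against two tenants with one IP on the
# blocklist; the relay feature is taken as 1.0 as in the page's example.
SAMPLE_PROFILES = {
    "203.0.113.10": {"users": {"root", "admin"}, "ports": {22}},
    "203.0.113.11": {"users": {"root", "admin"}, "ports": {22}},
    "203.0.113.12": {"users": {"root", "admin", "ubuntu"}, "ports": {22}},
}
SAMPLE_BLOCKLIST = {"203.0.113.12"}

if __name__ == "__main__":
    # The page's worked example: 8 IPs, 4 tenants, relay present, B=0.9, 6/8 in intel.
    print(round(confidence(8, 4, 1.0, 0.9, 6 / 8), 2))  # 0.86
    print(assess_cluster(SAMPLE_PROFILES, 2, 1.0, SAMPLE_BLOCKLIST))
```

The constructed three-IP cluster scores about 0.61 despite a perfect relay pattern, which shows how the size and breadth weights keep small clusters below the 0.7 bar unless intelligence and behaviour evidence is strong.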
[0089] Step 5: Generate global threat intelligence
[0090] For high-confidence attack IP clusters, the collaborative response scheduling center automatically generates global threat intelligence (IOCs), including a list of malicious IPs.
[0091] Step 6: Deployment of Collaborative Response Strategy
[0092] The Collaborative Response Dispatch Center uses a unified policy distribution interface on the cloud platform to distribute IOC policies to all tenants' boundary protection devices (cloud firewalls, WAFs, security groups, etc.) in real time, enabling network-wide collaborative blocking.
[0093] Step 7: Attack Source Tracing Analysis
[0094] Meanwhile, based on the identified attack IP clusters, the system automatically associates their historical attack behaviors (by querying the global log database), reconstructs the attack timeline, the evolution trajectory of the attack targets, and changes in attack methods, generates a visualized cross-tenant attack chain diagram, and forms a structured source tracing report.
[0095] Step 8: Source tracing report push and feedback
[0096] The source tracing report is pushed to all affected tenants through the cloud security center to help them understand the full picture of the attack and assess the scope of impact. After each tenant's perimeter protection devices execute blocking policies, the blocking results are fed back to the platform collaboration layer.
[0097] Step 9: Continuous monitoring
[0098] The system continues to monitor new logs, repeating the above steps to form a closed loop of continuous detection and response.
[0099] The distributed brute-force attack collaborative detection and tracing method of this invention has the following beneficial technical effects:
[0100] I. Constructing a global attack detection field
[0101] By using spatiotemporal correlation analysis to identify cross-tenant distributed attack patterns, low-frequency rotational attack behaviors that traditional single-tenant threshold detection cannot detect can be discovered, significantly improving the ability to detect distributed brute-force attacks.
[0102] II. Implementing a collaborative response mechanism for "detecting at one point and blocking across the entire network"
[0103] After identifying high-confidence attack clusters, a global threat intelligence containing a list of malicious IPs is generated. The blocking policy is then distributed to the perimeter protection devices of all tenants in real time through the unified policy distribution interface of the cloud platform. This eliminates the response time difference in traditional solutions where each tenant has to go through the detection process independently before a blocking can be triggered. It enables network-wide collaborative blocking after an attack is discovered, effectively compressing the attacker's activity window.
[0104] III. Constructing a multi-dimensional feature confidence assessment model to reduce the false alarm rate
[0105] A confidence assessment mechanism is introduced, which assigns weighted scores to identified attack IP clusters based on five dimensions: cluster size, cross-tenant breadth, temporal coordination, behavioral similarity, and threat intelligence matching. By comprehensively considering the attack's scale characteristics, temporal characteristics, behavioral characteristics, and external intelligence verification, this approach can more accurately identify real attacks compared to traditional methods based on a single threshold, effectively reducing false positives and improving the reliability of detection results.
[0106] IV. Restore the complete attack chain and enhance threat hunting capabilities
[0107] While identifying attack clusters, the system automatically reconstructs the attack timeline, the evolution of the attack target across different tenants, and the changes in attack methods by cross-tenant attack attribution analysis and querying historical attack behaviors in the global log database. The generated visualized cross-tenant attack chain diagram and structured attribution report help security personnel understand the full picture of the attack from a global perspective, establish causal relationships between isolated brute-force attacks and subsequent intrusion behaviors, and significantly improve threat hunting and incident response capabilities.
[0108] V. Establishing a closed-loop mechanism for continuous monitoring and response
[0109] By continuously collecting new brute-force attack logs and cyclically executing a complete process of detection, assessment, response, and tracing, a closed-loop mechanism for continuous monitoring and response is formed. After each tenant's boundary protection device executes its blocking policy, the blocking results are fed back to the platform, which can be used to optimize the detection model or for auditing.
[0110] VI. Enhance the overall security protection effectiveness of the cloud platform
[0111] Leveraging the multi-tenant data advantages of cloud platforms, this approach addresses the detection and attribution of distributed brute-force attacks through a globally collaborative strategy. Compared to traditional single-tenant isolated security architectures, it significantly enhances the cloud platform's perception, response speed, and attribution depth in the face of cross-tenant collaborative attacks, effectively reducing the overall security risks caused by attacks affecting multiple tenants, and providing more reliable security guarantees for cloud service providers and tenants.
[0112] As shown in Figure 6, the present invention also provides a device including a processor 310, a communication interface 320, a memory 330 for storing a processor-executable computer program, and a communication bus 340. The processor 310, communication interface 320, and memory 330 communicate with each other via the communication bus 340. The processor 310 executes the executable computer program to implement the aforementioned distributed brute-force attack collaborative detection and tracing method.
[0113] The computer program in memory 330, when implemented as a software functional unit and sold or used as an independent product, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
[0114] The system embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected based on actual needs to achieve the purpose of this embodiment. Those skilled in the art can understand and implement this without any creative effort.
[0115] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods of various embodiments or some parts of embodiments.
[0116] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.
Claims
1. A method for collaborative detection and tracing of distributed brute-force attacks, characterized in that the method includes: Step S1: Collect and aggregate brute-force attack logs from each tenant on the cloud platform, extract key fields, and build a global log dataset; Step S2: Identify the source IP clusters that launch coordinated attacks against multiple tenants from the global log dataset through spatiotemporal correlation analysis, and determine the source IP clusters of distributed coordinated attacks based on the cluster size and the number of affected tenants; Step S3: Perform multi-dimensional feature confidence assessment on the source IP clusters identified as distributed collaborative attacks to generate high-confidence attack clusters; Step S4: Generate global threat intelligence based on the high-confidence attack clusters and distribute it to all tenants, while simultaneously conducting cross-tenant attack tracing and report push.
2. The distributed brute-force attack collaborative detection and tracing method according to claim 1, characterized in that Step S1 includes: the platform receives all brute-force attack-related logs reported by tenants, cleans and normalizes the logs, extracts key fields including source IP, target IP, tenant ID, timestamp, username, authentication result and target port, and constructs a log dataset with a globally unified format.
3. The distributed brute-force attack collaborative detection and tracing method according to claim 1, characterized in that in step S2, the source IP clusters launching coordinated attacks against multiple tenants are identified through single-IP cross-tenant behavior detection, sliding window aggregation, and IP association graph construction.
4. The distributed brute-force attack collaborative detection and tracing method according to claim 3, characterized in that in step S2, single-IP cross-tenant behavior detection is performed as follows: the constructed global log dataset is grouped by source IP, and a status table is maintained for each source IP. This status table records the tenant identifiers attacked by the source IP within a preset time window. When any source IP attacks two or more tenants within the time window, the source IP is marked as a suspicious IP and the list of tenants it attacked is output. A timer is also set to periodically clean up expired states.
5. The distributed brute-force attack collaborative detection and tracing method according to claim 3, characterized in that in step S2, the sliding window aggregation and IP association graph construction are performed as follows: set a sliding time window, and when the window is triggered, collect all suspicious IP records and their corresponding tenant lists within the current window; using source IPs as the first type of node and tenants as the second type of node, construct an IP-tenant bipartite graph based on the attack relationship between suspicious IPs and tenants; use a connected component algorithm to compute all connected components of the IP-tenant bipartite graph, and regard the set of all source IP nodes in each connected component as a potential attack IP cluster.
6. The distributed brute-force attack collaborative detection and tracing method according to claim 1, characterized in that in step S2, the source IP clusters of distributed coordinated attacks are determined based on the cluster size and the number of affected tenants as follows: count the number of source IPs in each potential attack IP cluster and the number of tenants affected by that cluster; when the number of source IPs reaches three or more and the number of affected tenants reaches two or more, the IP cluster is identified as a distributed collaborative attack cluster.
7. The distributed brute-force attack collaborative detection and tracing method according to claim 1, characterized in that Step S3 includes: dynamically profiling the source IP clusters identified as distributed collaborative attacks, selecting cluster size, cross-tenant breadth, temporal coordination, behavioral similarity, and threat intelligence matching as evaluation features. Specifically, the cluster size feature is calculated by normalizing the number of source IPs in the IP cluster; the cross-tenant breadth feature is calculated by normalizing the number of attacked tenants; the temporal coordination feature is quantified based on whether the attack times of the source IPs within the IP cluster follow a relay pattern; the behavioral similarity feature is quantified based on the Jaccard similarity of the usernames and ports used by the source IPs within the cluster; and the threat intelligence matching feature is quantified based on the proportion of source IPs within the cluster that are marked as malicious in the threat intelligence database. A confidence score is calculated using a weighted scoring model; if the confidence score is higher than a preset threshold, the cluster is identified as a high-confidence attack cluster.
8. The distributed brute-force attack collaborative detection and tracing method according to claim 1, characterized in that in step S4, global threat intelligence is generated and distributed to all tenants in the following manner: based on the source IP information in the high-confidence attack cluster, global threat intelligence containing a list of malicious IPs is generated; through the unified policy distribution interface of the cloud platform, the global threat intelligence is distributed in real time to the boundary protection devices of all tenants, including cloud firewalls, WAFs, and security groups.
9. The distributed brute-force attack collaborative detection and tracing method according to claim 1, characterized in that in step S4, cross-tenant attack tracing and report push are performed as follows: based on the source IP information in the identified high-confidence attack cluster, the historical attack behavior in the global log database is correlated and queried to reconstruct the attack timeline, the evolution trajectory of the attack targets among different tenants, and the changes in attack methods; a visualized cross-tenant attack chain diagram is generated, and a structured tracing report is formed and pushed to all affected tenants through the cloud security center. After each tenant's boundary protection device executes the blocking policy, the blocking result is fed back to the platform side.
10. A computer device, characterized in that the computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of the method according to any one of claims 1-9.
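The detection pipeline of claims 4 to 7, together with the weighted confidence score worked through in [0085]-[0088], as an added example (not code from the patent or its assignee). It assumes the normalisation caps SIZE_CAP and BREADTH_CAP, a specific reading of the "relay pattern" (non-overlapping active intervals of consecutive IPs), and usernames only (not ports) in the Jaccard feature; the log records and threat-intelligence set are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Weights and threshold are those of the page's worked calculation ([0085]-[0088]).
WEIGHTS = {"size": 0.15, "breadth": 0.20, "timing": 0.25, "behaviour": 0.20, "intel": 0.20}
THRESHOLD, SIZE_CAP, BREADTH_CAP = 0.7, 10, 5  # caps are assumed; the page gives no normaliser

def find_clusters(logs):
    """Claims 4-6: suspicious IPs (>=2 tenants) -> IP-tenant bipartite graph ->
    connected components (union-find) -> keep components with >=3 IPs and >=2 tenants."""
    tenants_by_ip = defaultdict(set)
    for r in logs:
        tenants_by_ip[r["src"]].add(r["tenant"])
    parent = {}
    def find(x):  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = x = parent[parent[x]]
        return x
    for ip, tenants in tenants_by_ip.items():
        for t in tenants if len(tenants) >= 2 else ():  # claim 4: single-tenant IPs are ignored
            parent[find(("ip", ip))] = find(("tenant", t))
    comps = defaultdict(lambda: {"ips": set(), "tenants": set()})
    for kind, name in list(parent):
        comps[find((kind, name))]["ips" if kind == "ip" else "tenants"].add(name)
    return [c for c in comps.values() if len(c["ips"]) >= 3 and len(c["tenants"]) >= 2]

def confidence(cluster, logs, intel):
    """Claim 7 weighted score. 'Relay pattern' is read here (an assumption) as the share of
    consecutive IPs, ordered by first-seen time, whose active intervals do not overlap."""
    ips = sorted(cluster["ips"])
    users, spans = defaultdict(set), {}
    for r in (r for r in logs if r["src"] in cluster["ips"]):
        users[r["src"]].add(r["user"])
        lo, hi = spans.get(r["src"], (r["t"], r["t"]))
        spans[r["src"]] = (min(lo, r["t"]), max(hi, r["t"]))
    order = sorted(ips, key=lambda ip: spans[ip][0])
    relay = sum(spans[a][1] < spans[b][0] for a, b in zip(order, order[1:])) / (len(order) - 1)
    jac = [len(users[a] & users[b]) / len(users[a] | users[b]) for a, b in combinations(ips, 2)]
    f = {"size": min(len(ips) / SIZE_CAP, 1.0), "breadth": min(len(cluster["tenants"]) / BREADTH_CAP, 1.0),
         "timing": relay, "behaviour": sum(jac) / len(jac), "intel": len(set(ips) & intel) / len(ips)}
    return round(sum(WEIGHTS[k] * f[k] for k in WEIGHTS), 4), f

# Constructed sample: .1/.2/.3 relay across tenants T1 and T2; .4 hits one tenant (dropped by
# claim 4); .5 hits T3/T4 alone, so its component fails the >=3-IP test of claim 6.
LOGS = [{"src": s, "tenant": t, "t": ts, "user": u} for s, t, ts, u in [
    ("192.0.2.1", "T1", 0, "root"), ("192.0.2.1", "T2", 1, "root"), ("192.0.2.2", "T1", 2, "root"),
    ("192.0.2.2", "T2", 3, "admin"), ("192.0.2.3", "T2", 4, "root"), ("192.0.2.3", "T1", 5, "root"),
    ("192.0.2.4", "T1", 0, "root"), ("192.0.2.5", "T3", 0, "root"), ("192.0.2.5", "T4", 1, "root")]]
INTEL = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}  # constructed threat-intelligence hits
```

On the sample, the single surviving cluster scores 0.7083 (size 0.3, breadth 0.4, timing 1.0, behaviour 2/3, intel 1.0), just above the 0.7 threshold, while the page's own feature vector (0.8, 0.8, 1.0, 0.9, 0.75) reproduces 0.86 through the same weights.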