
CN118337403B - Attack path restoration method and device based on IOC, electronic equipment and medium - Google Patents


Info

Publication number: CN118337403B
Application number: CN202311734214.7A
Authority: CN (China)
Prior art keywords: ioc, victim, log, candidate, attacker
Legal status: Active (the status shown is an assumption by Google, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN118337403A (en)
Inventors: 丁国益, 张永元, 何海军, 段伟恒
Current assignee: Sky Sky Safety Technology Co ltd (assignee list not legally verified by Google)
Original assignee: Sky Sky Safety Technology Co ltd

Events: application filed by Sky Sky Safety Technology Co ltd; priority to CN202311734214.7A; publication of CN118337403A; application granted; publication of CN118337403B; legal status currently active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present application relates to an IOC-based attack path restoration method, device, electronic device and storage medium. The method includes: determining the victim's device information and indicators of compromise (IOCs); determining candidate attack methods and their reliability scores from the device information and IOCs in combination with a preset database that stores log data; selecting the attack method and the corresponding direct attacker from the candidates according to the IOC type and the reliability scores; determining the victim's peer victims from the direct attacker's device information in combination with the preset database; judging whether the direct attacker is the final attack source; and, if not, treating the direct attacker as the new victim and repeating the above steps until the final attack source is found. Tracing thereby becomes faster and more accurate because it works from more reliable clues.

Description

IOC-based attack path restoration method, device, electronic device and medium

Technical Field

The present application relates to the field of data processing, and in particular to an IOC-based attack path restoration method, device, electronic device and storage medium.

Background

With social progress and the development of information technology, governments and enterprises face a severe network security situation: attack sources are more diverse, attack techniques more complex and attack methods more covert. Security incidents can no longer be avoided, so learning from them after the fact matters more and more. Extracting from an incident where the attacker first gained entry, which assets were affected and which attack techniques were used, and combining that data into the attack path of the incident, helps the victim organization remediate the impact and draw lessons.

In the related art, techniques for generating attack paths fall into two categories: prediction and restoration. Prediction uses existing information and machine learning or deep learning algorithms to predict the path an attacker will take; restoration reconstructs, after a security incident has occurred, the path and techniques the attacker actually used in the business environment.

Restoration techniques usually rely on alert events from security devices and on traffic monitoring data. Security device alerts are not fully accurate, however, and inevitably contain many false positives; without corroborating evidence, the two key entities, attacker and victim, are easily misidentified, so attack paths restored from security device alerts alone have low accuracy.

Summary of the Invention

The present application provides an IOC-based attack path restoration method, device, electronic device and storage medium. Indicators of compromise (IOCs) replace alert events as the key identifiers for path generation, and the final attack path is built by repeatedly determining IOCs and victims.

In a first aspect, the present application provides an IOC-based attack path restoration method, comprising:

determining the victim's device information and indicators of compromise (IOCs);

determining candidate attack methods and corresponding reliability scores from the device information and IOCs in combination with a preset database, the preset database storing log data;

determining the attack method and the corresponding direct attacker from the candidate attack methods according to the IOC type and the reliability scores;

determining the victim's peer victims from the direct attacker's device information in combination with the preset database;

judging whether the victim's direct attacker is the final attack source;

if not, taking the victim's direct attacker as the victim and repeating the above steps until the final attack source is determined.

Optionally, determining the victim's device information and IOCs includes:

determining the victim's device information and IOCs from content uploaded by the user;

or,

determining the victim's device information and the time range of the intrusion from content uploaded by the user;

searching the preset database for associated logs according to the device information and the time range of the intrusion, and merging the associated logs by event type;

for each class of associated logs, determining the IOC corresponding to that class as a candidate IOC according to the correspondence between event types and IOC types, and calculating the reliability score of that candidate IOC from the degree of association between the victim's vulnerability information and the event type, the threat level of that class of logs, and the number of occurrences of that class of logs.

Optionally, the method further includes:

establishing a baseline of the victim's communication from the time range of the intrusion in combination with the preset database;

counting the victim's communication statistics per set period against that baseline, the statistics including the number of communication peers, the list of peers, the number of times the victim was accessed and the list of accessed ports;

for the statistics of each communication metric, counting the data points whose deviation from the median exceeds a set amount; if those points make up more than a set ratio of the statistics, treating the median itself as the anomalous data; if they make up the set ratio or less, treating the points whose deviation from the median exceeds the set amount as the anomalous data;

determining the corresponding candidate direct attackers from the anomalous data.
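As an added illustration of the median rule above (example code written for this page, not code from the patent or its assignee), the following Python builds per-period inbound statistics for a victim from a constructed set of flow records, applies the rule to each metric, and returns the hosts that contact the victim only in anomalous periods. The flow records, the per-metric thresholds, and the choice to treat peers seen in any normal period as the communication baseline are assumptions; the patent does not fix them.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed flow records (hypothetical, not taken from the patent):
# (timestamp, source_ip, destination_ip, destination_port)
T0 = datetime(2024, 1, 10, 0, 0)
FLOWS = []
for hour in range(6):                      # six one-hour periods of routine traffic
    for src in ("10.0.0.10", "10.0.0.11"):
        for _ in range(2):
            FLOWS.append((T0 + timedelta(hours=hour, minutes=5), src, "10.0.0.5", 443))
# In period 4 an outside host sweeps several service ports on the victim.
for port in (22, 445, 3389, 22, 22, 445, 3389, 22, 22, 445):
    FLOWS.append((T0 + timedelta(hours=4, minutes=20), "203.0.113.7", "10.0.0.5", port))

VICTIM = "10.0.0.5"
START, END, PERIOD = T0, T0 + timedelta(hours=6), timedelta(hours=1)
# The patent's "set amount" of allowed deviation from the median, per metric (assumed values).
THRESHOLDS = {"peer_count": 0, "hits": 3, "port_count": 1}


def period_stats(flows, victim, start, end, period):
    """Count the victim's inbound communication per period: peer set, hit count, port set."""
    n = int((end - start) / period)
    stats = [{"peers": set(), "hits": 0, "ports": set()} for _ in range(n)]
    for ts, src, dst, port in flows:
        if dst != victim or not (start <= ts < end):
            continue
        bucket = stats[int((ts - start) / period)]
        bucket["peers"].add(src)
        bucket["hits"] += 1
        bucket["ports"].add(port)
    return stats


def median_rule(values, max_dev, max_ratio):
    """The patent's rule for one metric. Returns (median, median_is_anomalous, anomalous_periods).

    Periods whose value deviates from the median by more than max_dev are counted. If they
    are more than max_ratio of all periods, the median itself is treated as the anomaly,
    i.e. the periods sitting at the median are flagged (the victim was under steady abuse,
    so "typical" is what is wrong); otherwise the deviating periods are flagged."""
    med = median(values)
    deviating = [i for i, v in enumerate(values) if abs(v - med) > max_dev]
    if len(deviating) / len(values) > max_ratio:
        return med, True, [i for i in range(len(values)) if i not in deviating]
    return med, False, deviating


def candidate_direct_attackers(flows, victim, start, end, period, thresholds, max_ratio=0.5):
    """Flag anomalous periods on every metric, then return the sources that contact the
    victim only in anomalous periods. Assumption: peers seen in at least one normal
    period belong to the communication baseline and are not candidates."""
    stats = period_stats(flows, victim, start, end, period)
    metrics = {
        "peer_count": [len(s["peers"]) for s in stats],   # list of peers, reduced to a count
        "hits": [s["hits"] for s in stats],               # number of times accessed
        "port_count": [len(s["ports"]) for s in stats],   # list of accessed ports, as a count
    }
    anomalous = set()
    for name, values in metrics.items():
        _, _, periods = median_rule(values, thresholds[name], max_ratio)
        anomalous.update(periods)
    normal_peers, suspect_peers = set(), set()
    for i, s in enumerate(stats):
        (suspect_peers if i in anomalous else normal_peers).update(s["peers"])
    return sorted(anomalous), sorted(suspect_peers - normal_peers)


if __name__ == "__main__":
    periods, suspects = candidate_direct_attackers(FLOWS, VICTIM, START, END, PERIOD, THRESHOLDS)
    print("anomalous periods:", periods)
    print("candidate direct attackers:", suspects)
```

The peer list and port list are not numeric, so the median test runs on their sizes; the lists themselves are used afterwards to name the suspects. The second branch of the rule (median treated as anomalous) is the one a steady beacon or a long brute-force run triggers: most periods then deviate from a median that is itself abnormal.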

Optionally, the method further includes:

for each candidate IOC, determining candidate attack methods and corresponding reliability scores from the device information and the candidate IOC in combination with the preset database, and determining an attack method and the corresponding candidate direct attacker from the candidate attack methods according to the type and reliability score of the candidate IOC;

if the content uploaded by the user includes attacker information, determining the IOC from among the candidate IOCs according to the attacker information and the candidate direct attacker corresponding to each candidate IOC;

if the content uploaded by the user does not include attacker information, determining, for each candidate IOC, the suspected victims of the candidate direct attacker and the IOC of each suspected victim from the candidate direct attacker's device information in combination with the preset database, and determining the IOC from among the candidate IOCs according to the similarity between each candidate IOC and the IOCs of the suspected victims.

Optionally, determining candidate attack methods and corresponding reliability scores from the device information and IOCs in combination with the preset database, the preset database storing log data, includes:

determining the security event type from the IOC and the correspondence between IOCs and security event types;

searching the preset log database for logs corresponding to that security event type;

classifying and merging those logs by preset log type, and determining the attack method corresponding to each log type;

for each log type, calculating its reliability from the degree of relevance of that log type to the security event, the threat level of that log type and the number of occurrences of that log type.

Optionally, calculating the reliability of a log type from its relevance to the security event, its threat level and its number of occurrences includes:

calculating the reliability of the log type by the following formula:

relevance of the log type to the security event × 0.7 + threat level of the log type × 0.2 + (occurrences of the log type / total number of related logs) × 100 × 0.1.
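As an added example covering both the method of the first aspect (determine candidate attack methods, select one by IOC type and reliability, find peer victims, test for the final source, recurse) and the reliability formula just given, the following Python walks a constructed log database from the first victim back to the attack source. It is example code written for this page, not the patent's or the assignee's implementation. The mapping tables (IOC type to event type, log type to attack method, relevance values), the 0..100 scales for relevance and threat level, the per-host IOC inventory consulted when the direct attacker becomes the next victim, and the stop condition for the final source (address outside the monitored range, or no log shows the host as a target) are all assumptions the patent leaves open.

```python
import ipaddress
from collections import Counter, defaultdict

# ---- Assumed mapping tables (the patent only says such correspondences exist) ----
IOC_TO_EVENT = {"webshell": "web_exploit", "malicious_file": "malware_drop"}
LOG_TYPE_TO_METHOD = {"waf_sqli": "sql_injection", "waf_scan": "vuln_scan",
                      "upload_anomaly": "arbitrary_file_upload",
                      "mail_attachment": "phishing_attachment"}
# Attack methods that can plausibly leave an IOC of the given type.
IOC_TYPE_TO_METHODS = {"webshell": {"sql_injection", "arbitrary_file_upload"},
                       "malicious_file": {"phishing_attachment", "arbitrary_file_upload"}}
# Relevance of a log type to a security event type, 0..100 (assumed scale).
RELEVANCE = {("web_exploit", "waf_sqli"): 90, ("web_exploit", "waf_scan"): 50,
             ("web_exploit", "upload_anomaly"): 95,
             ("malware_drop", "mail_attachment"): 90, ("malware_drop", "upload_anomaly"): 60}
# IOC known per host (e.g. from endpoint findings); consulted when the direct attacker
# becomes the next victim. Constructed for this example.
HOST_IOCS = {"10.0.0.5": "webshell", "10.0.0.20": "malicious_file"}
MONITORED = ipaddress.ip_network("10.0.0.0/8")

# Constructed log database; threat level is on the same 0..100 scale.
LOGS = (
    [{"src": "10.0.0.20", "dst": "10.0.0.5", "event": "web_exploit", "log_type": "waf_sqli", "threat": 80}] * 3
    + [{"src": "10.0.0.99", "dst": "10.0.0.5", "event": "web_exploit", "log_type": "waf_scan", "threat": 40},
       {"src": "10.0.0.20", "dst": "10.0.0.5", "event": "web_exploit", "log_type": "upload_anomaly", "threat": 70},
       {"src": "10.0.0.20", "dst": "10.0.0.6", "event": "web_exploit", "log_type": "waf_sqli", "threat": 80}]
    + [{"src": "198.51.100.9", "dst": "10.0.0.20", "event": "malware_drop", "log_type": "mail_attachment", "threat": 90}] * 2
    + [{"src": "10.0.0.31", "dst": "10.0.0.20", "event": "malware_drop", "log_type": "upload_anomaly", "threat": 60}]
)


def reliability(relevance, threat, count, total):
    """Reliability of one log type, exactly as in the patent's formula."""
    return relevance * 0.7 + threat * 0.2 + count / total * 100 * 0.1


def candidate_attack_methods(victim, ioc_type, logs):
    """Logs of the event type implied by the IOC that target the victim, grouped by log type;
    each group yields one candidate: attack method, most frequent source, reliability."""
    event = IOC_TO_EVENT[ioc_type]
    related = [l for l in logs if l["dst"] == victim and l["event"] == event]
    groups = defaultdict(list)
    for l in related:
        groups[l["log_type"]].append(l)
    candidates = []
    for log_type, group in groups.items():
        score = reliability(RELEVANCE.get((event, log_type), 0),
                            max(l["threat"] for l in group), len(group), len(related))
        attacker = Counter(l["src"] for l in group).most_common(1)[0][0]
        candidates.append({"method": LOG_TYPE_TO_METHOD[log_type],
                           "attacker": attacker, "score": round(score, 2)})
    return candidates


def select_attack(ioc_type, candidates):
    """Keep only methods consistent with the IOC type, then take the most reliable one."""
    compatible = [c for c in candidates if c["method"] in IOC_TYPE_TO_METHODS[ioc_type]]
    return max(compatible, key=lambda c: c["score"]) if compatible else None


def peer_victims(victim, attacker, logs):
    """Other hosts the same direct attacker is logged against (the patent's peer victims)."""
    return sorted({l["dst"] for l in logs if l["src"] == attacker and l["dst"] != victim})


def is_final_source(host, logs):
    """Assumed stop condition: outside the monitored range, or never itself a target."""
    return ipaddress.ip_address(host) not in MONITORED or not any(l["dst"] == host for l in logs)


def restore_path(victim, ioc_type, logs):
    """Follow direct attackers backwards until the final source; returns (segments, source)."""
    path, visited = [], set()
    while victim not in visited:            # guard against A -> B -> A loops in the logs
        visited.add(victim)
        chosen = select_attack(ioc_type, candidate_attack_methods(victim, ioc_type, logs))
        if chosen is None:
            return path, None               # no evidence consistent with the IOC: path stays open
        attacker = chosen["attacker"]
        path.append({"victim": victim, "ioc": ioc_type, "method": chosen["method"],
                     "score": chosen["score"], "attacker": attacker,
                     "peers": peer_victims(victim, attacker, logs)})
        if is_final_source(attacker, logs):
            return path, attacker
        victim, ioc_type = attacker, HOST_IOCS.get(attacker)
        if ioc_type is None:
            return path, None               # next victim has no IOC to pivot on
    return path, None
```

Two details matter for the false-positive problem the background section raises. The IOC-type filter in select_attack is what keeps a noisy but irrelevant log type (the scanner alerts here) from becoming the pivot even when it is frequent, and the visited set plus the "no compatible candidate" exit are what stop a single mis-attributed alert from sending the walk around the network indefinitely.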

Optionally, calculating the reliability score of the candidate IOC corresponding to a class of associated logs from the degree of association between the victim's vulnerability information and the event type, the threat level of that class of logs and its number of occurrences includes:

calculating the reliability of the candidate IOC corresponding to that class of associated logs by the following formula:

degree of association between the vulnerability and the security event × 0.5 + threat level of the class of associated logs × 0.3 + (occurrences of the class of associated logs / total number of related logs) × 100 × 0.2.
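As an added example (written for this page, not the patent's or the assignee's code) for the alternative first step, in which the user supplies only the victim and the intrusion time window, and for the IOC-selection step described earlier: the following Python derives candidate IOCs from the associated logs of a constructed database, scores them with the 0.5/0.3/0.2 formula above, and then picks one IOC either from user-supplied attacker information or by comparing each candidate with the IOCs of its candidate attacker's other suspected victims. The event-to-IOC-type table, the vulnerability-to-event association values, the 0..100 scales, the host IOC inventory, the similarity measure, and the use of the most frequent source per event type as the candidate direct attacker (a stand-in for the full candidate-attack-method step) are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# ---- Assumed tables ----
EVENT_TO_IOC_TYPE = {"web_exploit": "webshell", "ssh_brute_force": "anomalous_login"}
# Association between a vulnerability tag on the victim and an event type, 0..100.
VULN_EVENT_ASSOC = {("unpatched_web_app", "web_exploit"): 95,
                    ("unpatched_web_app", "ssh_brute_force"): 10}
# IOC inventory of other hosts (constructed), used for the similarity comparison.
HOST_IOCS = {"10.0.0.6": "webshell", "10.0.0.7": "malicious_file"}

T0 = datetime(2024, 1, 10, 8, 0)
WINDOW_START, WINDOW_END = T0, T0 + timedelta(hours=1)   # the user-supplied intrusion window
# Constructed log database with timestamps; threat on the 0..100 scale.
LOGS = (
    [{"ts": T0 + timedelta(minutes=m), "src": "10.0.0.20", "dst": "10.0.0.5",
      "event": "web_exploit", "threat": 80} for m in (3, 4, 9)]
    + [{"ts": T0 + timedelta(minutes=m), "src": "10.0.0.40", "dst": "10.0.0.5",
        "event": "ssh_brute_force", "threat": 50} for m in range(20, 26)]
    + [{"ts": T0 + timedelta(minutes=30), "src": "10.0.0.20", "dst": "10.0.0.6",
        "event": "web_exploit", "threat": 80},
       {"ts": T0 + timedelta(minutes=31), "src": "10.0.0.40", "dst": "10.0.0.7",
        "event": "ssh_brute_force", "threat": 50},
       # outside the window: must not be counted as an associated log
       {"ts": T0 + timedelta(hours=5), "src": "10.0.0.50", "dst": "10.0.0.5",
        "event": "web_exploit", "threat": 80}]
)


def candidate_ioc_score(assoc, threat, count, total):
    """Reliability of a candidate IOC, exactly as in the patent's formula."""
    return assoc * 0.5 + threat * 0.3 + count / total * 100 * 0.2


def candidate_iocs(victim, vulns, start, end, logs):
    """Associated logs of the victim inside the window, merged by event type; each event
    type yields one candidate IOC with a reliability score and a candidate direct attacker."""
    related = [l for l in logs if l["dst"] == victim and start <= l["ts"] < end]
    groups = defaultdict(list)
    for l in related:
        groups[l["event"]].append(l)
    out = []
    for event, group in groups.items():
        assoc = max((VULN_EVENT_ASSOC.get((v, event), 0) for v in vulns), default=0)
        score = candidate_ioc_score(assoc, max(l["threat"] for l in group), len(group), len(related))
        out.append({"ioc_type": EVENT_TO_IOC_TYPE[event], "event": event,
                    "score": round(score, 2),
                    "attacker": Counter(l["src"] for l in group).most_common(1)[0][0]})
    return out


def ioc_similarity(candidate, victim, logs):
    """Share of the candidate attacker's other suspected victims whose known IOC has the
    same type as the candidate IOC (assumed similarity measure)."""
    suspected = {l["dst"] for l in logs if l["src"] == candidate["attacker"] and l["dst"] != victim}
    known = [HOST_IOCS[h] for h in suspected if h in HOST_IOCS]
    if not known:
        return 0.0
    return sum(1 for t in known if t == candidate["ioc_type"]) / len(known)


def select_ioc(victim, candidates, logs, attacker_info=None):
    """With attacker information: the candidate whose attacker matches (best score on ties).
    Without it: the candidate most similar to its attacker's other victims' IOCs."""
    if attacker_info is not None:
        matching = [c for c in candidates if c["attacker"] == attacker_info]
        return max(matching, key=lambda c: c["score"]) if matching else None
    return max(candidates, key=lambda c: (ioc_similarity(c, victim, logs), c["score"]), default=None)
```

On this data the brute-force logs outnumber the web-exploit logs two to one, but the vulnerability association term (weight 0.5) pulls the webshell candidate well ahead, and the similarity check agrees because the same source left a webshell on another host. When the user names the brute-forcing host as the attacker, that information overrides the score and the anomalous-login IOC is chosen instead.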

In a second aspect, the present application provides an IOC-based attack path restoration device, comprising:

a victim determination module, configured to determine the victim's device information and indicators of compromise (IOCs);

a candidate attack method determination module, configured to determine candidate attack methods and corresponding reliability scores from the device information and IOCs in combination with a preset database, the preset database storing log data;

an attack method determination module, configured to determine the attack method and the corresponding direct attacker from the candidate attack methods according to the IOC type and the reliability scores;

a peer victim determination module, configured to determine the victim's peer victims from the direct attacker's device information in combination with the preset database;

an attack source determination module, configured to judge whether the victim's direct attacker is the final attack source and, if not, to take the victim's direct attacker as the victim and repeat the above steps until the final attack source is determined.

Optionally, the victim determination module is specifically configured to:

determine the victim's device information and IOCs from content uploaded by the user;

or,

determine the victim's device information and the time range of the intrusion from content uploaded by the user;

search the preset database for associated logs according to the device information and the time range of the intrusion, and merge the associated logs by event type;

for each class of associated logs, determine the IOC corresponding to that class as a candidate IOC according to the correspondence between event types and IOC types, and calculate the reliability score of that candidate IOC from the degree of association between the victim's vulnerability information and the event type, the threat level of that class of logs, and the number of occurrences of that class of logs.

Optionally, the device further includes a candidate direct attacker module, configured to:

establish a baseline of the victim's communication from the time range of the intrusion in combination with the preset database;

count the victim's communication statistics per set period against that baseline, the statistics including the number of communication peers, the list of peers, the number of times the victim was accessed and the list of accessed ports;

for the statistics of each communication metric, count the data points whose deviation from the median exceeds a set amount; if those points make up more than a set ratio of the statistics, treat the median itself as the anomalous data; if they make up the set ratio or less, treat the points whose deviation from the median exceeds the set amount as the anomalous data;

determine the corresponding candidate direct attackers from the anomalous data.

Optionally, the device further includes an IOC determination module, configured to:

for each candidate IOC, determine candidate attack methods and corresponding reliability scores from the device information and the candidate IOC in combination with the preset database, and determine an attack method and the corresponding candidate direct attacker from the candidate attack methods according to the type and reliability score of the candidate IOC;

if the content uploaded by the user includes attacker information, determine the IOC from among the candidate IOCs according to the attacker information and the candidate direct attacker corresponding to each candidate IOC;

if the content uploaded by the user does not include attacker information, determine, for each candidate IOC, the suspected victims of the candidate direct attacker and the IOC of each suspected victim from the candidate direct attacker's device information in combination with the preset database, and determine the IOC from among the candidate IOCs according to the similarity between each candidate IOC and the IOCs of the suspected victims.

Optionally, the candidate attack method determination module is specifically configured to:

determine the security event type from the IOC and the correspondence between IOCs and security event types;

search the preset log database for logs corresponding to that security event type;

classify and merge those logs by preset log type, and determine the attack method corresponding to each log type;

for each log type, calculate its reliability from the degree of relevance of that log type to the security event, the threat level of that log type and the number of occurrences of that log type.

Optionally, when calculating the reliability of a log type from its relevance to the security event, its threat level and its number of occurrences, the candidate attack method determination module is specifically configured to:

calculate the reliability of the log type by the following formula:

relevance of the log type to the security event × 0.7 + threat level of the log type × 0.2 + (occurrences of the log type / total number of related logs) × 100 × 0.1.

Optionally, when calculating the reliability score of the candidate IOC corresponding to a class of associated logs from the degree of association between the victim's vulnerability information and the event type, the threat level of that class of logs and its number of occurrences, the victim determination module is specifically configured to:

calculate the reliability of the candidate IOC corresponding to that class of associated logs by the following formula:

degree of association between the vulnerability and the security event × 0.5 + threat level of the class of associated logs × 0.3 + (occurrences of the class of associated logs / total number of related logs) × 100 × 0.2.

In a third aspect, the present application provides an electronic device comprising a memory and a processor, the memory storing a computer program that can be loaded by the processor to execute the method of the first aspect.

In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program that can be loaded by a processor to execute the method of the first aspect.

In a fifth aspect, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the method of any one of the first aspect.

The present application provides an IOC-based attack path restoration method, device, electronic device and storage medium. The method includes: determining the victim's device information and indicators of compromise (IOCs); determining candidate attack methods and corresponding reliability scores from the device information and IOCs in combination with a preset database that stores log data; determining the attack method and the corresponding direct attacker from the candidate attack methods according to the IOC type and the reliability scores; determining the victim's peer victims from the direct attacker's device information in combination with the preset database; judging whether the victim's direct attacker is the final attack source; and, if not, taking the victim's direct attacker as the victim and repeating the above steps until the final attack source is determined. An IOC is substantive evidence that a device has been attacked. Using IOCs as the tracing clue in a device attack event, in combination with the large volume of log data in the database, and filtering attackers and attack methods step by step, the final attack source is found, and tracing becomes faster and more accurate because it starts from more reliable clues. In the same process, reliability scoring filters the relevant log data efficiently, removing errors in the log data as far as possible so that the attack path is restored accurately.

Brief Description of the Drawings

To illustrate the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic diagram of an application scenario provided by the present application;

FIG. 2 is a flow chart of an IOC-based attack path restoration method provided by an embodiment of the present application;

FIG. 3 is a schematic diagram of a single-segment attack path provided by an embodiment of the present application;

FIG. 4 is a schematic diagram of an attack path including peer victims provided by an embodiment of the present application;

FIG. 5 is a schematic diagram of a complete attack path provided by an embodiment of the present application;

FIG. 6 is a flow chart of a complete implementation of the IOC-based attack path restoration method provided by an embodiment of the present application;

FIG. 7 is a schematic structural diagram of an IOC-based attack path restoration device provided by an embodiment of the present application;

FIG. 8 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.

具体实施方式DETAILED DESCRIPTION

为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述。显然,所描述的实施例是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。In order to make the purpose, technical scheme and advantages of the embodiments of the present application clearer, the technical scheme in the embodiments of the present application will be clearly and completely described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of this application.

另外,本文中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。另外,本文中字符“/”,如无特殊说明,一般表示前后关联对象是一种“或”的关系。In addition, the term "and/or" in this article is only a description of the association relationship of associated objects, indicating that there can be three relationships. For example, A and/or B can represent: A exists alone, A and B exist at the same time, and B exists alone. In addition, the character "/" in this article, unless otherwise specified, generally means that the associated objects before and after are in an "or" relationship.

下面结合说明书附图对本申请实施例作进一步详细描述。The embodiments of the present application are further described in detail below in conjunction with the drawings in the specification.

IOC: Indicator of Compromise. An IOC is a data object found on a network or device that can serve as evidence that the system has been compromised, for example a file that does not belong in a system directory, a suspicious IP address, or an opened e-mail carrying a Trojan. An IOC is "hard evidence": an after-the-fact indicator that damage has already occurred. It is generally produced passively, and a hit generally means the device or network has already been compromised.

On this basis, the present application provides an IOC-based attack path restoration method, apparatus, electronic device and storage medium. The method can be integrated as a function built into software products such as log audit systems, security management platforms and situational awareness platforms, which in turn run on servers, computers and other smart devices with storage and computing capability. A feature these platforms and systems share is that they collect the logs produced by the various devices in the business network: security device logs, network device logs, host logs, application logs and so on. Within these products, the log information can be used directly by the program implementing the attack path restoration method and provides the basis for tracing while the method runs. Specifically, a log database is created and the security logs, application logs, host logs and other data are stored in it; when the method of the present application executes, it accesses the log database and searches the log data held there.

Figure 1 is a schematic diagram of an application scenario provided by the present application. The scenario takes a certain system and the management of its business subsystems as an example; the network architecture is as shown in the figure. For the specific implementation, refer to the following embodiments.

Figure 2 is a flow chart of an IOC-based attack path restoration method provided by an embodiment of the present application. The method of this embodiment can be applied to the servers, computers and other smart devices with storage and computing capability in the above scenario. As shown in Figure 2, the method includes the following steps.

S201. Determine the victim's device information and the indicator of compromise (IOC).

In a concrete scenario, a user operates an intranet device to do normal work and carry out tasks, which inevitably involves exchanging data with other devices. When the device is compromised because it received or acted on data sent by some other device, that other device is called the attacker and the intranet device operated by the user is called the victim.

In some implementations, the victim information and the corresponding IOC information can be supplied by the user.

When a security incident has been noticed by the user, the victim is usually clear: the compromised host is the victim. In a data leakage incident, for example, the victim is generally taken to be the server holding the leaked data; in a vulnerability exploitation incident, the victim is the server on which the vulnerability exists.

Determining the IOC requires the user to combine the incident information with network traffic, host logs or other characteristic data. For example, in a malware incident the user finds an unknown file on the compromised host which, when opened, executed a macro virus script; that file is usually judged to be the IOC, and the traffic log that recorded the transfer of the file can also be judged to be an IOC.

In this way, after noticing that a device is behaving abnormally, the user can confirm the victim and the IOC of the security incident and upload the corresponding information to the system, and the victim's device information and IOC are then determined from what the user uploaded.

S202. Determine candidate attack methods and their reliability scores from the device information and the IOC, in combination with a preset database; the preset database stores log data.

To carry out this solution, a preset database must be built in which log data are stored. The log data include security logs, traffic logs and other log records produced while the devices are running.

In addition, the mapping between IOC types and security event types or traffic log types can also be stored in the preset database, for example: unknown file - file transfer; abnormal e-mail receipt - phishing attack; abnormal system command execution - vulnerability exploitation; and so on.

Specifically: the security event type is determined from the IOC and the correspondence between IOCs and security event types; the logs corresponding to that security event type are looked up in the preset log database; the logs are classified and merged by the preset log types, and the attack method corresponding to each log class is determined; for each log class, its reliability is calculated from the threat level, the number of occurrences and the occurrence time of that class of log.

Once the user has determined the IOC, the system can automatically list the attack methods the attacker may have used, according to the IOC type. The attack method expresses how the attacker harmed the victim: once the IOC and the attacker are known, the traffic logs, alarm logs, host logs and other log data necessarily contain key information such as network communication records between attacker and victim, security event alarms or command execution records, and this key information is the attack method. The specific implementation is as follows.

1. The user enters parameters such as the victim's device identifier (typically its IP address), the IOC and the approximate time window of the intrusion into the system.

2. Based on these parameters, the system retrieves the relevant logs from the security event database and the traffic log database, merges them, ranks them by reliability according to threat level, number of occurrences, occurrence time and other conditions, and places the attack methods most likely used in this incident at the top.

Reliability ranking mechanism: entries are sorted by reliability score (where scores are equal, the log with the most recent occurrence time is ranked first); the maximum score is 100.

Security event relevance: built into the knowledge base; expresses how closely the IOC corresponds to this type of security event, on a scale of 0-100.

Threat level: the danger level of the log. There are five levels: emergency, high, medium, low and informational, worth 100, 80, 60, 30 and 10 points respectively.

Occurrence count: the number of times the log occurred.

Calculation formula: security event relevance × 0.7 + threat level × 0.2 + (occurrence count / total number of related logs) × 100 × 0.1.

S203. Determine the attack method and the corresponding direct attacker from the candidate attack methods according to the IOC type and the reliability scores.

In one implementation, the candidate attack method with the highest reliability score in the ranking is directly taken as the attack method, and the attacker associated with it as the direct attacker.

In another implementation, the user can screen the possibilities listed by the system once more, according to the specifics of the incident and the IOC type, to determine the direct attacker and the attack method.

Having identified the victim and the IOC, the attacker is retrieved from the database holding alarm logs or traffic data, which yields a short one-way attack path, as shown in Figure 3.

Retrieving the attacker uses the IOC and the related evidence as query conditions. For example, when the IOC type is a file or an md5 value, the victim, file name and md5 value are used as query conditions against the alarm logs and traffic logs, and the sender of the file is the attacker; when the IOC type is abnormal network activity or an unauthorized remote connection, the initiator of that activity is usually the attacker. A user who is unsure which query conditions correspond to the IOC can find the attacker and attack method in the security event list that the system merges and generates; a user who knows the query conditions can also run the search directly.

S204. Determine the victim's peer victims from the device information of the victim's direct attacker, in combination with the preset database.

In an intranet, an attacker rarely attacks a single asset; it attacks the surrounding assets in batches. This means that once an asset has been compromised and an IOC produced, the same IOC can very probably be found on the surrounding assets, so the search can continue to restore the other hosts attacked by the same attacker that carry the same IOC: with the direct attacker as source IP, the assets it accessed are checked for the same IOC, and the results are merged into the path, as shown in Figure 4.

S205. Determine whether the victim's direct attacker is the final attack source.

In an intranet, the attacker found in the above process is often not the first host to have been taken over; it is very probably a victim itself, so it must be determined whether this attacker is the final attack source.

The criterion for the final attack source is: the attacker is an external IP, and/or the attacker is an internal IP for which no peer victims are found and which has produced no suspicious network communication, command execution or the like.

That is, the attacker may be an external device or an internal one. With information security problems ever more prominent, an attacker may use social engineering to launch the attack directly from an internal asset on site. The present application therefore does not restrict the end point of the attack path to external devices, and makes no distinction between internal and external devices when judging the end point of the attack path.

S206. If not, take the victim's direct attacker as the victim and repeat the above steps until the final attack source is determined.

Until the final attack source is found, S201-S205 are repeated: the direct attacker is treated as the victim, the IOC by which it was compromised is identified, and its attacker is sought in turn, until the final attack source is determined.

Once the victims and attackers that can be found in the existing data have been worked through, a fairly complete attack path graph is formed; this graph is the final output, as shown in Figure 5.

Figure 5 shows the whole process of generating the attack path (the arrows indicate the direction of tracing): starting from victim A, evidence of A's compromise, IOC-1, is found; from the victim information and the IOC, the first-level attacker B is then found in the alarm logs, traffic logs and other information, and the other victims A1 and A2 attacked by B in the same way are found in the business network at the same time. When no further victims can be found, B is taken as the victim and the cause of its compromise is sought; the process is repeated to find C, the attacker of B, together with the other victims attacked by C, and so on until the final attacker D is found.
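The iteration of S201-S206 shown in Figure 5, as an added Python example that is not code from the patent: it runs over a constructed log store (the hosts, timestamps and the labels IOC-1 to IOC-3 are made up for illustration), and the internal address range 10.0.0.0/8, the lookup helpers and the simplified final-source test are assumptions. Starting from victim A and IOC-1 it finds the direct attacker, the attacker's peer victims carrying the same IOC, checks whether the attacker is the final source, and otherwise treats the attacker as the next victim.

```python
"""Iterative attack-path restoration from a victim and its IOC over a log store."""
import ipaddress
from collections import namedtuple

# One alarm/flow record: source, destination, IOC carried by the record (None if
# benign), event type, timestamp. Constructed sample data, not real logs.
LogRecord = namedtuple("LogRecord", "src dst ioc event ts")

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed intranet range

SAMPLE_LOGS = [
    LogRecord("10.0.0.20", "10.0.0.5", "IOC-1", "file_transfer", 300),   # B -> A
    LogRecord("10.0.0.20", "10.0.0.6", "IOC-1", "file_transfer", 310),   # B -> A1
    LogRecord("10.0.0.20", "10.0.0.7", "IOC-1", "file_transfer", 320),   # B -> A2
    LogRecord("10.0.0.30", "10.0.0.20", "IOC-2", "exploit", 200),        # C -> B
    LogRecord("203.0.113.7", "10.0.0.30", "IOC-3", "phishing", 100),     # D -> C
    LogRecord("10.0.0.5", "10.0.0.40", None, "http", 400),               # benign traffic
]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_direct_attacker(logs, victim, ioc):
    """S202/S203: the earliest record that delivered the IOC to the victim names the attacker."""
    hits = [r for r in logs if r.dst == victim and r.ioc == ioc]
    return min(hits, key=lambda r: r.ts).src if hits else None


def find_peer_victims(logs, attacker, ioc, victim):
    """S204: other assets the attacker reached that carry the same IOC."""
    return sorted({r.dst for r in logs if r.src == attacker and r.ioc == ioc and r.dst != victim})


def find_compromise_ioc(logs, host):
    """The IOC by which the host itself was compromised: earliest inbound record carrying an IOC."""
    hits = [r for r in logs if r.dst == host and r.ioc]
    return min(hits, key=lambda r: r.ts).ioc if hits else None


def is_final_source(logs, attacker):
    """S205, simplified: external IP, or internal IP with no evidence of its own compromise."""
    if not is_internal(attacker):
        return True
    return find_compromise_ioc(logs, attacker) is None


def restore_attack_path(logs, victim, ioc):
    """S206: repeat until the final source is found; a visited set guards against cycles."""
    hops, visited = [], set()
    while victim not in visited:
        visited.add(victim)
        attacker = find_direct_attacker(logs, victim, ioc)
        if attacker is None:                      # no evidence left in the data
            return {"hops": hops, "final_source": None}
        peers = find_peer_victims(logs, attacker, ioc, victim)
        hops.append({"victim": victim, "ioc": ioc, "attacker": attacker, "peers": peers})
        if is_final_source(logs, attacker):
            return {"hops": hops, "final_source": attacker}
        victim, ioc = attacker, find_compromise_ioc(logs, attacker)  # attacker becomes victim
    return {"hops": hops, "final_source": None}   # cycle in the evidence; stop


if __name__ == "__main__":
    for hop in restore_attack_path(SAMPLE_LOGS, "10.0.0.5", "IOC-1")["hops"]:
        print(f"{hop['victim']} <-[{hop['ioc']}]- {hop['attacker']}  peers={hop['peers']}")
```

With the sample store the path is A (10.0.0.5) to B (10.0.0.20, peers A1 and A2) to C (10.0.0.30) to the external address D, which ends the loop; the same loop continues through an internal host only while the store holds evidence of that host's own compromise.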

In the solution of this embodiment, the IOC is substantive evidence that a device was attacked. Using the IOC as the tracing clue in the device attack event, and combining it with the large volume of log data in the database, attackers and attack methods are filtered step by step until the final attack source is found, so that tracing becomes more efficient and accurate through more reliable clues. In the process, reliability scoring screens the relevant log data efficiently, excluding errors in the log data as far as possible and restoring the attack path accurately.

Once the attack path for the security incident has been generated, essentially all of the key information about the incident has been collected: when the intrusion occurred, on which asset the attacker first attempted to break in, the attack method used in that first intrusion, and so on. For incidents that have already happened, after the system has traced the path and the attack methods, the characteristics of the incident (event name, IOC type, communication protocol, communication type and other information) can be extracted and automatically added to the security incident knowledge base, updating the preset database for future reference.

Because of what an IOC is, however, users cannot easily find an IOC after every security incident. In other implementations, therefore, an automatic reporting program can be installed on the intranet devices that monitors in real time the device's data exchanges, data-processing actions and the resulting data changes; when a data change is found to be abnormal, it is recorded as evidence of an attack and reported proactively. Alternatively, when the user cannot determine the IOC accurately, the security alarms and traffic communications in the period of the incident are summarized to help the user determine the IOC, the attacker and the attack method.

As shown in Figure 2, each combination of a victim and its direct attacker is determined by the same process, corresponding to S201-S204. The difference is that the information on the victim in the first iteration (the final victim marked in the figure) can be determined from the user's input, whereas the victim in each later iteration is the direct attacker determined in the previous iteration (the first-level attacker, second-level attacker and so on marked in the figure).

Specifically, the victim's device information and the time range of the intrusion are determined from the user's upload; related logs are looked up from the device information and time range in combination with the preset database and merged by event type; for each class of related log, the IOC corresponding to that class is determined from the correspondence between event types and IOC types, as a candidate IOC; and the reliability score of the candidate IOC is calculated from the degree of association between the victim's vulnerability information and the event type, the threat level of that class of log and its number of occurrences.

When the user has difficulty determining the IOC, the program automatically lists the event records, log records and so on in which an IOC may be found. The specific implementation is as follows.

1. The user enters parameters such as the victim's device identifier (typically its IP address) and the approximate time window of the intrusion into the system.

2. Based on these parameters, the system retrieves from the security event database the logs within the time range that relate to the victim's IP and merges them by event type.

3. The system holds the asset information, vulnerability information and knowledge base of the business environment. Using the victim's known vulnerability information together with the security events merged in step 2, it ranks them by reliability according to the degree of association between vulnerability and security event, the threat level, the number of occurrences and other conditions, and presents to the user the IOC indicators corresponding to each security event and those that may be discovered.

In the present application, a vulnerability is a defect introduced through negligence in the design, implementation, configuration or other stage of a smart device's system that can cause the system's security policy to be breached. Such vulnerabilities may be exploited by threats, affecting the confidentiality, integrity and availability of the device and leading to security consequences. They may exist in the physical environment, organization, processes, personnel, management, configuration, hardware, software, information and so on: for example, software-level vulnerabilities in the operating system or applications, or weak passwords and baseline configuration issues.

Reliability ranking mechanism: entries are sorted by reliability score (where scores are equal, the log with the most recent occurrence time is ranked first); the maximum score is 100.

Degree of association between vulnerability and security event: built into the knowledge base; expresses how closely the vulnerability corresponds to this type of security event, on a scale of 0-100.

Threat level: the danger level of the log. There are five levels: emergency, high, medium, low and informational, worth 100, 80, 60, 30 and 10 points respectively.

Occurrence count: the number of times the log occurred.

Calculation formula: degree of association between vulnerability and security event × 0.5 + threat level × 0.3 + (occurrence count / total number of related logs) × 100 × 0.2.
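Both scoring formulas above, the attack-method score of S202 (weights 0.7/0.2/0.1 on relevance, threat level and occurrence share) and the candidate-IOC score just given (weights 0.5/0.3/0.2), together with the tie-break by most recent occurrence, as an added Python example; it is not code from the patent, and the merged log groups, relevance values and timestamps are constructed for illustration. The "total number of related logs" in the occurrence term is taken to be the sum of occurrences over the merged groups.

```python
"""Reliability scoring and ranking of merged log groups (attack methods or candidate IOCs)."""
from dataclasses import dataclass
from datetime import datetime

# Threat-level points as defined in the text.
THREAT_LEVEL_POINTS = {"emergency": 100, "high": 80, "medium": 60, "low": 30, "info": 10}

# (relevance weight, threat-level weight, occurrence-share weight) for the two formulas.
ATTACK_METHOD_WEIGHTS = (0.7, 0.2, 0.1)   # S202: security event relevance of the IOC
CANDIDATE_IOC_WEIGHTS = (0.5, 0.3, 0.2)   # candidate IOC: vulnerability/event association


@dataclass
class LogGroup:
    label: str            # the attack method or candidate IOC this merged group maps to
    relevance: int        # knowledge-base relevance/association, 0-100
    threat_level: str     # key of THREAT_LEVEL_POINTS
    occurrences: int      # how many logs were merged into the group
    last_seen: datetime   # most recent occurrence, used to break ties


def reliability_score(group, total_logs, weights):
    """relevance*w1 + threat points*w2 + (occurrences/total)*100*w3, max 100."""
    w_rel, w_thr, w_cnt = weights
    threat_points = THREAT_LEVEL_POINTS[group.threat_level]
    occurrence_share = group.occurrences / total_logs * 100
    return round(w_rel * group.relevance + w_thr * threat_points + w_cnt * occurrence_share, 2)


def rank_groups(groups, weights):
    """Highest score first; equal scores are ordered by the most recent occurrence."""
    total = sum(g.occurrences for g in groups)
    scored = [(reliability_score(g, total, weights), g) for g in groups]
    scored.sort(key=lambda item: (item[0], item[1].last_seen), reverse=True)
    return [(g.label, score) for score, g in scored]


# Constructed sample: groups merged for an "unknown file" IOC on one victim (not real data).
ATTACK_METHOD_GROUPS = [
    LogGroup("file transfer over SMB", 90, "high", 6, datetime(2024, 1, 10, 9, 0)),
    LogGroup("phishing e-mail", 40, "medium", 3, datetime(2024, 1, 9, 14, 0)),
    LogGroup("vulnerability exploitation", 20, "emergency", 1, datetime(2024, 1, 11, 8, 0)),
]

# Constructed sample: candidate IOCs derived from the victim's vulnerability information.
CANDIDATE_IOC_GROUPS = [
    LogGroup("suspicious file written to temp dir", 80, "high", 4, datetime(2024, 1, 10, 9, 0)),
    LogGroup("abnormal outbound connection", 80, "high", 4, datetime(2024, 1, 11, 8, 0)),
    LogGroup("brute-force login attempts", 30, "low", 2, datetime(2024, 1, 8, 20, 0)),
]

if __name__ == "__main__":
    for label, score in rank_groups(ATTACK_METHOD_GROUPS, ATTACK_METHOD_WEIGHTS):
        print(f"attack method  {score:6.2f}  {label}")
    for label, score in rank_groups(CANDIDATE_IOC_GROUPS, CANDIDATE_IOC_WEIGHTS):
        print(f"candidate IOC  {score:6.2f}  {label}")
```

The two candidate IOCs in the second sample score identically (72.0), so the ranking falls back to recency and lists the more recently seen group first, which is the tie-break the text specifies.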

In some embodiments, a baseline of the victim's communication can also be established from the time range of the intrusion in combination with the preset database; the victim's communication is then counted per set period against this baseline, covering the number of communication peers, the list of peers, the number of times it was accessed and the list of accessed ports; for the statistics of each communication aspect, the number of data points deviating from the median by more than a set amount is calculated; if these points make up more than a set proportion of the statistics, the median itself is treated as abnormal data; if their proportion is at or below the set proportion, the points deviating from the median by more than the set amount are treated as abnormal data; and the corresponding candidate direct attackers are determined from the abnormal data.

The system can also build a baseline of communication with the victim from the incident time window entered by the user and produce a profile of the initiators whose behaviour in that period was abnormal, including an abnormal number of communications, an abnormal range of accessed ports or an abnormal number of login attempts. The specific implementation is as follows.

1. Count the victim's daily communication: the number of peers per day, the list of peers per day, the number of times it was accessed per day, the list of ports accessed per day and so on, producing trends for the number of peers, the number of communications, the number of accesses and the number of accessed ports, as well as the distribution of accessed ports.

2. Display the statistics from step 1 as line charts, scatter plots, pie charts, word clouds and the like, so that the user can analyse them intuitively.

3. Take the median of each daily list (number of peers, number of communications, number of accesses, number of accessed ports), draw a baseline at that value and highlight the points more than 30% above it; if 80% of the figures in the list differ from the median by 30%, whether above or below, highlight the baseline itself. The 30% and 80% here are only examples; in practice, engineers can set the thresholds for abnormal points according to the actual communication situation so that anomalies are captured accurately.

4. The points highlighted in step 3 are suspected points of abnormal behaviour, and the statistics at those points are suspected abnormal information. For example, if the communication count trend shows an excessive number of communications on a certain day, then, since that day's count is the sum of the accesses by the devices that communicated with the victim, the list of those devices and their communication counts for the day are the abnormal information.

5. Through the statistics and analysis in step 4, the program finally obtains a list of suspected abnormal communication initiators together with the reason for each, for example device IP 192.168.1.1, reason: excessive number of communications with the victim IP on a certain day.

6. A word cloud is formed from the number of times each abnormal device appears and shown in the visualization of step 2; clicking a device identifier drills down to the reason for the anomaly and the distribution of communication types and event types produced during the abnormal period.

This helps the user find the IOC, the attacker and the attack method of the security incident.
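Steps 1 and 3 to 6 above (the visualization of step 2 is left out), as an added Python example that is not code from the patent: daily statistics for one victim, the median baseline with the 30% point threshold and 80% baseline threshold from step 3, and the attribution of a highlighted day to the initiators that caused it. The flow records are constructed for illustration, and the attribution rules (a source is suspect when its own count that day is above the per-source median, or, for the peer count, when it never appears on a normal day) are assumptions the text does not spell out.

```python
"""Daily communication baseline for a victim and median-based anomaly flagging."""
from collections import Counter, defaultdict
from statistics import median

DEVIATION_THRESHOLD = 0.30   # a point deviating from the median by more than 30% is abnormal
BASELINE_THRESHOLD = 0.80    # if 80% of the points deviate, the baseline itself is abnormal

# Constructed flow records toward the victim: (day, source, destination, destination port).
VICTIM = "10.0.0.5"
SAMPLE_FLOWS = []
for _day in range(1, 8):                                  # a week of routine traffic
    SAMPLE_FLOWS += [(_day, "10.0.0.8", VICTIM, 443)] * 2
    SAMPLE_FLOWS += [(_day, "10.0.0.9", VICTIM, 80)] * 2
SAMPLE_FLOWS += [(5, "10.0.0.99", VICTIM, port) for port in range(1, 31)]  # day 5: one host hits 30 ports


def daily_stats(flows, victim):
    """Step 1: per-day peer count, access count, distinct port count, plus per-source breakdowns."""
    per_day = defaultdict(list)
    for day, src, dst, dport in flows:
        if dst == victim:
            per_day[day].append((src, dport))
    stats = {}
    for day, rows in sorted(per_day.items()):
        ports_by_src = defaultdict(set)
        for src, dport in rows:
            ports_by_src[src].add(dport)
        stats[day] = {
            "peer_count": len(ports_by_src),
            "visit_count": len(rows),
            "port_count": len({p for _, p in rows}),
            "visits_by_src": Counter(src for src, _ in rows),
            "ports_by_src": {s: len(p) for s, p in ports_by_src.items()},
        }
    return stats


def flag_metric(values):
    """Step 3. values: {day: number}. Returns (median, highlighted days, baseline_abnormal).
    Points more than 30% above the median are highlighted; if 80% of the points differ from
    the median by more than 30% either way, the baseline itself is reported instead."""
    med = median(values.values())
    off_baseline = [d for d, v in values.items() if abs(v - med) > DEVIATION_THRESHOLD * med]
    if len(off_baseline) / len(values) >= BASELINE_THRESHOLD:
        return med, [], True
    high = [d for d, v in values.items() if v - med > DEVIATION_THRESHOLD * med]
    return med, high, False


def suspected_initiators(flows, victim):
    """Steps 4-6: attribute each highlighted day to sources, return (findings, word-cloud counts)."""
    stats = daily_stats(flows, victim)
    findings = []
    for metric in ("visit_count", "port_count", "peer_count"):
        med, high_days, baseline_abnormal = flag_metric({d: s[metric] for d, s in stats.items()})
        if baseline_abnormal:
            findings.append((None, f"{metric}: baseline itself abnormal (median {med})"))
            continue
        normal_peers = {src for d, s in stats.items() if d not in high_days
                        for src in s["visits_by_src"]}
        for day in high_days:
            if metric == "peer_count":       # new peers that never show up on a normal day
                suspects = [s for s in stats[day]["visits_by_src"] if s not in normal_peers]
            else:                            # sources contributing more than the day's per-source median
                per_src = stats[day]["visits_by_src"] if metric == "visit_count" else stats[day]["ports_by_src"]
                cut = median(per_src.values())
                suspects = [s for s, n in per_src.items() if n > cut]
            for s in suspects:
                findings.append((s, f"day {day}: {metric} far above baseline median {med}"))
    cloud = Counter(src for src, _ in findings if src)   # step 6: appearances per device
    return findings, cloud


if __name__ == "__main__":
    for device, reason in suspected_initiators(SAMPLE_FLOWS, VICTIM)[0]:
        print(device, "-", reason)
```

On the constructed week, day 5 is highlighted for all three metrics and every finding points at 10.0.0.99, so it dominates the word cloud; the routine peers 10.0.0.8 and 10.0.0.9 are never listed because their own counts that day sit at the per-source median.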

Further, the IOC can be verified precisely among the candidate IOCs. Specifically, for each candidate IOC, candidate attack methods and their reliability scores are determined from the device information and the candidate IOC in combination with the preset database, and the attack method and the corresponding candidate direct attacker are determined from the candidate attack methods according to the type and reliability score of the candidate IOC. If the user's upload includes attacker information, the IOC is determined from the candidate IOCs according to that attacker information and the candidate direct attacker of each candidate IOC. If it does not, then for each candidate IOC the suspected victims of its candidate direct attacker, and the IOC of each suspected victim, are determined from the candidate direct attacker's device information in combination with the preset database, and the IOC is determined from the candidate IOCs according to the similarity between each candidate IOC and the IOCs of the suspected victims.

When the user has made a preliminary choice of IOC for the incident, or when several candidate IOCs exist at once, the user needs more evidence that the chosen IOC is correct.

The program therefore provides a capability to corroborate the IOC. The main idea is to verify it by listing information about other assets, that is, by checking whether the features corresponding to the current IOC appear on other assets. The specific implementation is as follows.

1. The user enters the IOC type, the approximate time window of the intrusion and the attacker's device address (optional).

2. The security event database and traffic log database are searched by IOC type, and the results are grouped by event type and suspected victim device address.

3. The suspected victim devices are consolidated into a list.

4. If the user entered an attacker device address, the program further correlates the retrieved logs with that attacker, checks whether the attacker in the logs is the same as the one entered, and adds the result to the suspected victim list.
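The corroboration procedure (steps 1 to 4) together with the candidate-IOC selection described before it, as an added Python example that is not code from the patent: each candidate IOC gets its candidate direct attacker, the logs of the same IOC type in the time window are grouped by event type and suspected victim, and the candidates are ranked either by agreement with a user-supplied attacker address or by similarity to the IOCs found on the suspected victims. The records are constructed, and the use of difflib's SequenceMatcher ratio as the similarity measure is an assumption, since the text does not define one.

```python
"""Corroborating candidate IOCs by looking for the same indicator on other assets."""
from collections import namedtuple
from difflib import SequenceMatcher
from statistics import mean

# Constructed alarm/flow records, not real data: ts, src, dst, ioc_type, ioc_value, event.
Rec = namedtuple("Rec", "ts src dst ioc_type ioc_value event")
SAMPLE_LOGS = [
    Rec(100, "10.0.0.20", "10.0.0.5", "file", "invoice_2024.docm", "file_transfer"),
    Rec(110, "10.0.0.20", "10.0.0.6", "file", "invoice_2024 (1).docm", "file_transfer"),
    Rec(120, "10.0.0.20", "10.0.0.7", "file", "invoice_2024.docm", "file_transfer"),
    Rec(130, "10.0.0.41", "10.0.0.5", "remote_conn", "rdp:10.0.0.5:3389", "remote_login"),
    Rec(900, "10.0.0.20", "10.0.0.8", "file", "invoice_2024.docm", "file_transfer"),  # outside window
]


def direct_attacker(logs, victim, ioc_value):
    """Candidate direct attacker: source of the earliest record delivering the IOC to the victim."""
    hits = [r for r in logs if r.dst == victim and r.ioc_value == ioc_value]
    return min(hits, key=lambda r: r.ts).src if hits else None


def suspected_victims(logs, ioc_type, window, exclude):
    """Steps 2-3: records of the IOC type inside the window, grouped by (event type, victim)."""
    t0, t1 = window
    groups = {}
    for r in logs:
        if r.ioc_type == ioc_type and t0 <= r.ts <= t1 and r.dst != exclude:
            groups.setdefault((r.event, r.dst), []).append(r)
    return groups


def rank_candidate_iocs(candidates, logs, victim, window, attacker=None):
    """candidates: [(ioc_type, ioc_value)]. Returns the candidates best-supported first."""
    ranked = []
    for ioc_type, value in candidates:
        cand_attacker = direct_attacker(logs, victim, value)
        groups = suspected_victims(logs, ioc_type, window, exclude=victim)
        recs = [r for g in groups.values() for r in g]
        if attacker is not None:
            # Step 4: the candidate holds if its direct attacker is the device the user named.
            score = 1.0 if cand_attacker == attacker else 0.0
        else:
            # No attacker given: mean similarity between the candidate and the IOCs
            # found on the suspected victims (assumed measure: SequenceMatcher ratio).
            sims = [SequenceMatcher(None, value, r.ioc_value).ratio() for r in recs]
            score = round(mean(sims), 3) if sims else 0.0
        ranked.append({
            "ioc": (ioc_type, value),
            "direct_attacker": cand_attacker,
            "suspected_victims": sorted({v for _, v in groups}),
            "same_attacker_hits": sum(1 for r in recs if attacker is not None and r.src == attacker),
            "score": score,
        })
    ranked.sort(key=lambda row: row["score"], reverse=True)
    return ranked


CANDIDATES = [("remote_conn", "rdp:10.0.0.5:3389"), ("file", "invoice_2024.docm")]

if __name__ == "__main__":
    for row in rank_candidate_iocs(CANDIDATES, SAMPLE_LOGS, "10.0.0.5", (0, 500)):
        print(row["score"], row["ioc"], row["direct_attacker"], row["suspected_victims"])
```

Without an attacker address the file candidate wins because near-identical copies of the file were delivered to 10.0.0.6 and 10.0.0.7 inside the window (the record at ts 900 is ignored), while nothing comparable exists for the remote-connection candidate; with the address 10.0.0.20 supplied, the file candidate is confirmed directly by its direct attacker.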

In addition, the system has a built-in security incident knowledge base, in which past security incidents are recorded and summarized, providing case support for users in finding IOCs and determining attackers and attack methods.

Figure 6 is a flow chart of a complete embodiment of the present application. As shown in Figure 6, the flow of this embodiment integrates the implementation steps of the embodiments above.

Figure 7 is a schematic structural diagram of an IOC-based attack path restoration apparatus provided by an embodiment of the present application. As shown in Figure 7, the IOC-based attack path restoration apparatus 700 of this embodiment includes a victim determination module 701, a candidate attack method determination module 702, an attack method determination module 703, a peer victim determination module 704 and an attack source determination module 705.

The victim determination module 701 is configured to determine the victim's device information and the indicator of compromise (IOC);

The candidate attack method determination module 702 is configured to determine candidate attack methods and their reliability scores from the device information and the IOC in combination with a preset database, the preset database storing log data;

The attack method determination module 703 is configured to determine the attack method and the corresponding direct attacker from the candidate attack methods according to the IOC type and the reliability scores;

The peer victim determination module 704 is configured to determine the victim's peer victims from the device information of the victim's direct attacker in combination with the preset database;

The attack source determination module 705 is configured to determine whether the victim's direct attacker is the final attack source and, if not, to take the victim's direct attacker as the victim and repeat the above steps until the final attack source is determined.

可选的,所述受害者确定模块701,具体用于:Optionally, the victim determination module 701 is specifically configured to:

根据用户上传的内容,确定受害者的设备信息、IOC;Determine the victim’s device information and IOC based on the content uploaded by the user;

或者,or,

根据用户上传的内容,确定受害者的设备信息、被入侵的时间范围;Determine the victim’s device information and the time range of the intrusion based on the content uploaded by the user;

根据所述设备信息、被入侵的时间范围,结合预置数据库,查找关联日志,并根据事件类型对所述关联日志进行归并;According to the device information and the time range of the intrusion, combined with the preset database, the related logs are searched, and the related logs are merged according to the event type;

针对每一类关联日志,根据事件类型与IOC类型的对应关系,确定该类关联日志对应的IOC,作为候选IOC;根据所述受害者的脆弱性信息与事件类型的关联程度、该类关联日志的威胁等级、该类关联日志的发生次数,计算该类关联日志对应的候选IOC的可靠性评分。For each type of associated log, the IOC corresponding to the associated log is determined as a candidate IOC according to the correspondence between the event type and the IOC type; the reliability score of the candidate IOC corresponding to the associated log is calculated according to the degree of correlation between the vulnerability information of the victim and the event type, the threat level of the associated log, and the number of occurrences of the associated log.

Optionally, the apparatus further includes a candidate direct attacker module 706, configured to:

establish a communication baseline for the victim from the intrusion time range together with the preset database;

against that baseline, collect the victim's communication statistics at a set period, the statistics including the number of communication objects, the list of communication objects, the number of times the victim was accessed, and the list of accessed ports;

for the statistics of each communication metric, count the data points whose deviation from the median exceeds a set amount; if those points make up more than a set ratio of the statistic, treat the median itself as the abnormal data; if they make up the set ratio or less, treat the points deviating from the median by more than the set amount as the abnormal data;

determine the corresponding candidate direct attackers from the abnormal data.
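The median-deviation rule of module 706, as an added example that is not the patent's own code, run over a constructed set of per-hour communication statistics for one victim host. The numeric thresholds, the hourly period, the RFC 1918 addresses and the reduction of list-valued statistics (communication objects, ports) to "entries outside the baseline" are assumptions of this example, not values from the patent.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Baseline:
    """Communication baseline of the victim, built from the preset database."""
    peers: frozenset   # hosts the victim normally communicates with
    ports: frozenset   # ports normally accessed on the victim


@dataclass(frozen=True)
class PeriodStats:
    """Communication statistics of the victim for one observation period."""
    period: str
    peers: frozenset   # communication object list
    access_count: int  # number of times the victim was accessed
    ports: frozenset   # accessed port list


def median_deviation_anomalies(values, max_deviation, max_ratio):
    """The patent's rule applied to one statistic series.

    Returns (anomalous_indices, median_is_anomalous).  When more than
    max_ratio of the points deviate from the median by more than
    max_deviation, the median itself is the abnormal value and the whole
    series is flagged; otherwise only the deviating points are flagged.
    """
    if not values:
        return [], False
    med = median(values)
    outliers = [i for i, v in enumerate(values) if abs(v - med) > max_deviation]
    if len(outliers) / len(values) > max_ratio:
        return list(range(len(values))), True
    return outliers, False


def candidate_direct_attackers(baseline, observed, thresholds, max_ratio):
    """Hosts outside the baseline that appear in an anomalous period.

    thresholds maps each statistic name to its "set amount".  List-valued
    statistics are reduced to the count of entries outside the baseline
    (an assumption; the patent does not say how lists are compared).
    """
    series = {
        "peer_count": [len(p.peers) for p in observed],
        "new_peers": [len(p.peers - baseline.peers) for p in observed],
        "access_count": [p.access_count for p in observed],
        "new_ports": [len(p.ports - baseline.ports) for p in observed],
    }
    flagged = set()
    for name, values in series.items():
        indices, _ = median_deviation_anomalies(values, thresholds[name], max_ratio)
        flagged.update(indices)
    candidates = set()
    for i in flagged:
        candidates.update(observed[i].peers - baseline.peers)
    return sorted(candidates)


# Constructed sample: one victim, eight hourly periods, hour 5 is abnormal
# (access spike, one unknown peer, one port not in the baseline).
BASELINE = Baseline(peers=frozenset({"10.0.0.5", "10.0.0.7"}),
                    ports=frozenset({80, 443}))
ACCESS_COUNTS = [18, 22, 20, 19, 21, 400, 23, 20]
OBSERVED = [
    PeriodStats(
        period=f"2023-12-15T{h:02d}",
        peers=BASELINE.peers | ({"10.0.9.23"} if h == 5 else set()),
        access_count=ACCESS_COUNTS[h],
        ports=BASELINE.ports | ({22} if h == 5 else set()),
    )
    for h in range(8)
]
# "Set amount" per statistic (assumed): 30 accesses, otherwise any change.
THRESHOLDS = {"peer_count": 0.5, "new_peers": 0.5, "access_count": 30, "new_ports": 0.5}

if __name__ == "__main__":
    # Candidate direct attackers derived from the abnormal hour.
    print(candidate_direct_attackers(BASELINE, OBSERVED, THRESHOLDS, 0.5))  # ['10.0.9.23']
```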

Optionally, the apparatus further includes an IOC determination module 707, configured to:

for each candidate IOC, determine candidate attack means and their reliability scores from the device information and the candidate IOC together with the preset database; then determine an attack means and its corresponding candidate direct attacker from the candidate attack means according to the type and the reliability score of the candidate IOC;

if the content uploaded by the user includes attacker information, select the IOC from the candidate IOCs by matching the attacker information against the candidate direct attacker of each candidate IOC;

if the content uploaded by the user does not include attacker information, then for each candidate IOC, determine from the candidate direct attacker's device information together with the preset database the suspected victims of that candidate direct attacker and the IOC of each suspected victim; and select the IOC from the candidate IOCs according to the similarity between each candidate IOC and the IOCs of the suspected victims.

Optionally, the candidate attack means determination module 702 is specifically configured to:

determine the security event type from the IOC and the mapping between IOCs and security event types;

search the preset log database for the logs corresponding to that security event type;

classify and merge those logs by preset log type, and determine the attack means corresponding to each log class;

for each log class, compute the reliability of the class from the relevance of the security event corresponding to the class, the threat level of the class, and the number of occurrences of the class.

Optionally, when computing the reliability of a log class from the relevance of its security event, its threat level and its number of occurrences, the candidate attack means determination module 702 is specifically configured to:

compute the reliability of the log class with the following formula:

security event relevance of the log class * 0.7 + threat level of the log class * 0.2 + (number of occurrences of the log class / total number of related logs) * 100 * 0.1.

Optionally, when computing the reliability score of the candidate IOC corresponding to a class of associated logs from the degree of association between the victim's vulnerability information and the event type, the threat level of the class and its number of occurrences, the victim determination module 701 is specifically configured to:

compute the reliability of the candidate IOC corresponding to the log class with the following formula:

degree of association between the vulnerability and the security event * 0.5 + threat level of the associated log class * 0.3 + (number of occurrences of the associated log class / total number of related logs) * 100 * 0.2.
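The two reliability formulas above together with the hop-by-hop attack source determination of module 705, as an added example that is not the patent's own code, run over a constructed log store. The relevance and threat level values (taken as a 0-100 scale per log class), the RFC 1918 intranet ranges, the IOC strings and the IP addresses are assumptions of this example; "suspicious activity" of an intranet direct attacker is modelled as the existence of logs recorded on that host.

```python
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class LogEntry:
    victim: str    # host the log was recorded on
    source: str    # peer host that caused the event
    log_type: str  # preset log type
    ioc: str       # IOC observed in the event


# Constructed per-class profile: log type -> (attack means, relevance, threat level)
LOG_CLASS_PROFILE = {
    "webshell_upload": ("webshell upload", 90, 80),
    "port_scan": ("port scan", 40, 30),
    "vpn_credential_login": ("stolen VPN credential login", 85, 70),
}
INTRANET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def log_class_reliability(relevance, threat_level, occurrences, total):
    """Reliability of a log class (candidate attack means module 702)."""
    return relevance * 0.7 + threat_level * 0.2 + occurrences / total * 100 * 0.1


def candidate_ioc_reliability(vuln_relevance, threat_level, occurrences, total):
    """Reliability of a candidate IOC (victim determination module 701)."""
    return vuln_relevance * 0.5 + threat_level * 0.3 + occurrences / total * 100 * 0.2


def direct_attacker(logs):
    """Attack means with the highest class reliability and the source seen
    most often in that class; None when the host has no logs."""
    if not logs:
        return None
    classes = {}
    for entry in logs:
        classes.setdefault(entry.log_type, []).append(entry)
    best = None
    for log_type, entries in classes.items():
        method, relevance, threat = LOG_CLASS_PROFILE[log_type]
        score = log_class_reliability(relevance, threat, len(entries), len(logs))
        if best is None or score > best[0]:
            best = (score, method, entries)
    score, method, entries = best
    source = Counter(e.source for e in entries).most_common(1)[0][0]
    return method, source, round(score, 2)


def is_intranet(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTRANET)


def peer_victims(store, attacker, ioc, exclude):
    """Other hosts attacked by the same attacker that exhibit the same IOC."""
    return sorted({e.victim for logs in store.values() for e in logs
                   if e.source == attacker and e.ioc == ioc
                   and e.victim not in exclude})


def restore_attack_path(store, victim, ioc, max_hops=16):
    """Apply the decision procedure of module 705 hop by hop.

    Returns (hops, final_source); each hop is (victim, attacker, means, score).
    final_source is None when the chain ends without a decision."""
    hops, visited, current = [], {victim}, victim
    for _ in range(max_hops):
        found = direct_attacker(store.get(current, []))
        if found is None:
            return hops, None
        method, attacker, score = found
        hops.append((current, attacker, method, score))
        if not is_intranet(attacker):
            return hops, attacker        # external IP: final attack source
        peers = peer_victims(store, attacker, ioc, visited | {attacker})
        if not peers and not store.get(attacker):
            return hops, attacker        # no peers, no activity: final source
        if attacker in visited:
            return hops, None            # loop guard (assumption)
        visited.add(attacker)
        current = attacker               # direct attacker becomes the victim
    return hops, None


# Constructed log store keyed by the host the logs were recorded on.
WEBSHELL_IOC = "sha256:<constructed-webshell-hash>"
LOG_STORE = {
    "10.0.1.20": [LogEntry("10.0.1.20", "10.0.2.15", "webshell_upload", WEBSHELL_IOC)] * 3
                + [LogEntry("10.0.1.20", "10.0.3.9", "port_scan", "scan:10.0.3.9")] * 2,
    "10.0.1.21": [LogEntry("10.0.1.21", "10.0.2.15", "webshell_upload", WEBSHELL_IOC)],
    "10.0.2.15": [LogEntry("10.0.2.15", "203.0.113.5", "vpn_credential_login",
                           "vpn-account:<constructed>")] * 2,
}

if __name__ == "__main__":
    print(restore_attack_path(LOG_STORE, "10.0.1.20", WEBSHELL_IOC))
```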

The apparatus of this embodiment can be used to execute the method of any of the above embodiments; its implementation principle and technical effects are similar and are not described again here.

FIG. 8 is a schematic structural diagram of an electronic device provided in an embodiment of the present application. As shown in FIG. 8, the electronic device 800 of this embodiment may include a memory 801 and a processor 802.

The memory 801 stores a computer program that can be loaded by the processor 802 to execute the method of the above embodiments.

The processor 802 and the memory 801 are connected, for example via a bus.

Optionally, the electronic device 800 may further include a transceiver. It should be noted that in practice the number of transceivers is not limited to one, and the structure of the electronic device 800 does not limit the embodiments of the present application.

The processor 802 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or execute the various exemplary logic blocks, modules and circuits described in connection with the disclosure of this application. The processor 802 may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of a DSP and a microprocessor.

The bus may include a path that carries information between the above components. The bus may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, among others, and may be divided into an address bus, a data bus and a control bus. For ease of representation only one thick line is drawn in the figure, which does not mean that there is only one bus or one type of bus.

The memory 801 may be a ROM (Read Only Memory) or another type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or another type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, optical disk storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these.

The memory 801 is used to store the application code that executes the solution of the present application, and execution is controlled by the processor 802. The processor 802 is used to execute the application code stored in the memory 801 to implement the content shown in the preceding method embodiments.

The electronic device includes, but is not limited to, mobile terminals such as mobile phones, laptop computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and vehicle-mounted terminals (for example vehicle-mounted navigation terminals), fixed terminals such as digital TVs and desktop computers, and servers. The electronic device shown in FIG. 8 is only an example and should not limit the functions or scope of use of the embodiments of the present application.

The electronic device of this embodiment can be used to execute the method of any of the above embodiments; its implementation principle and technical effects are similar and are not described again here.

The present application also provides a computer-readable storage medium storing a computer program that can be loaded by a processor to execute the method of the above embodiments.

Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware driven by program instructions. The program can be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media that can store program code.

Claims (10)

1. An IOC-based attack path restoration method, characterized by comprising:
in an intranet environment, determining the victim's device information and threat intrusion indicator (IOC);
determining candidate attack means and corresponding reliability scores from the device information and the IOC together with a preset database, the preset database storing log data;
determining an attack means and a corresponding direct attacker from the candidate attack means according to the IOC type and the reliability score;
judging whether the victim's direct attacker is the final attack source: if the victim's direct attacker is an external network IP, determining the victim's direct attacker as the final attack source;
if the victim's direct attacker is an intranet IP, determining the victim's peer victims from the device information of the victim's direct attacker together with the preset database, the peer victims being other hosts attacked by the victim's direct attacker that exhibit the same IOC;
if the victim has no peer victims and the intranet IP has not produced suspicious network communication or command execution, determining the victim's direct attacker as the final attack source; otherwise, treating the victim's direct attacker as the victim and repeating the above judgment steps until the final attack source is determined.

2. The IOC-based attack path restoration method according to claim 1, characterized in that determining the victim's device information and threat intrusion indicator (IOC) comprises:
determining the victim's device information and IOC from the content uploaded by the user;
or,
determining the victim's device information and the time range of the intrusion from the content uploaded by the user;
searching the preset database for associated logs using the device information and the intrusion time range, and merging the associated logs by event type;
for each class of associated logs, determining the IOC corresponding to that class from the mapping between event types and IOC types as a candidate IOC, and computing the reliability score of that candidate IOC from the degree of association between the victim's vulnerability information and the event type, the threat level of the log class, and the number of occurrences of the log class.

3. The IOC-based attack path restoration method according to claim 2, characterized by further comprising:
establishing a communication baseline for the victim from the intrusion time range together with the preset database;
against that baseline, collecting the victim's communication statistics at a set period, the statistics including the number of communication objects, the list of communication objects, the number of times the victim was accessed, and the list of accessed ports;
for the statistics of each communication metric, counting the data points whose deviation from the median exceeds a set amount; if those points make up more than a set ratio of the statistic, treating the median as the abnormal data; if they make up the set ratio or less, treating the points deviating from the median by more than the set amount as the abnormal data;
determining the corresponding candidate direct attackers from the abnormal data.

4. The IOC-based attack path restoration method according to claim 2, characterized by further comprising:
for each candidate IOC, determining candidate attack means and corresponding reliability scores from the device information and the candidate IOC together with the preset database, and determining an attack means and a corresponding candidate direct attacker from the candidate attack means according to the type and the reliability score of the candidate IOC;
if the content uploaded by the user includes attacker information, selecting the IOC from the candidate IOCs according to the attacker information and the candidate direct attacker of each candidate IOC;
if the content uploaded by the user does not include attacker information, then for each candidate IOC, determining from the candidate direct attacker's device information together with the preset database the suspected victims of that candidate direct attacker and the IOC of each suspected victim, and selecting the IOC from the candidate IOCs according to the similarity between each candidate IOC and the IOCs of the suspected victims.

5. The IOC-based attack path restoration method according to any one of claims 1 to 4, characterized in that determining candidate attack means and corresponding reliability scores from the device information and the IOC together with the preset database, the preset database storing log data, comprises:
determining the security event type from the IOC and the mapping between IOCs and security event types;
searching the preset log database for the logs corresponding to that security event type;
classifying and merging those logs by preset log type, and determining the attack means corresponding to each log class;
for each log class, computing the reliability of the class from the relevance of the security event corresponding to the class, the threat level of the class, and the number of occurrences of the class.

6. The IOC-based attack path restoration method according to claim 5, characterized in that computing the reliability of a log class from the relevance of its security event, its threat level and its number of occurrences comprises:
computing the reliability of the log class with the following formula:
security event relevance of the log class * 0.7 + threat level of the log class * 0.2 + (number of occurrences of the log class / total number of related logs) * 100 * 0.1.

7. The IOC-based attack path restoration method according to any one of claims 2 to 4, characterized in that computing the reliability score of the candidate IOC corresponding to a class of associated logs from the degree of association between the victim's vulnerability information and the event type, the threat level of the class and its number of occurrences comprises:
computing the reliability of the candidate IOC corresponding to the log class with the following formula:
degree of association between the vulnerability and the security event * 0.5 + threat level of the associated log class * 0.3 + (number of occurrences of the associated log class / total number of related logs) * 100 * 0.2.

8. An IOC-based attack path restoration apparatus, characterized by comprising:
a victim determination module, configured to determine, in an intranet environment, the victim's device information and threat intrusion indicator (IOC);
a candidate attack means determination module, configured to determine candidate attack means and corresponding reliability scores from the device information and the IOC together with a preset database, the preset database storing log data;
an attack means determination module, configured to determine an attack means and a corresponding direct attacker from the candidate attack means according to the IOC type and the reliability score;
an attack source determination module, configured to judge whether the victim's direct attacker is the final attack source: if the victim's direct attacker is an external network IP, determining the victim's direct attacker as the final attack source; if the victim's direct attacker is an intranet IP, determining the victim's peer victims from the device information of the victim's direct attacker together with the preset database, the peer victims being other hosts attacked by the victim's direct attacker that exhibit the same IOC; if the victim has no peer victims and the intranet IP has not produced suspicious network communication or command execution, determining the victim's direct attacker as the final attack source; otherwise, treating the victim's direct attacker as the victim and repeating the above judgment steps until the final attack source is determined.

9. An electronic device, characterized by comprising a memory and a processor;
the memory being configured to store program instructions;
the processor being configured to call and execute the program instructions in the memory to perform the method according to any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor the method according to any one of claims 1 to 7 is implemented.
CN202311734214.7A 2023-12-15 2023-12-15 Attack path restoration method and device based on IOC, electronic equipment and medium Active CN118337403B (en)


Publications (2)

Publication Number Publication Date
CN118337403A CN118337403A (en) 2024-07-12
CN118337403B true CN118337403B (en) 2024-09-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant