CN-121984770-A - Internet of things attack tracing method, device, equipment, storage medium and product
Abstract
The application provides an attack tracing method, device, equipment, storage medium and product of the Internet of things. The method comprises the steps of: obtaining the attacked Internet of things equipment and an attack time window according to an Internet of things equipment log; collecting multi-source communication data; judging whether a single-hop Internet of things attack link exists according to the multi-source communication data; if no single-hop Internet of things attack link exists, constructing a communication diagram of the attacked Internet of things equipment according to the multi-source communication data; in the communication diagram, obtaining a plurality of candidate multi-hop Internet of things attack links with the attacked Internet of things equipment as the starting point; obtaining the credibility value of each candidate multi-hop Internet of things attack link; and determining the candidate multi-hop Internet of things attack link with the highest credibility value as the final multi-hop Internet of things attack link, wherein the end point of the final multi-hop Internet of things attack link is the Internet of things attack end. The method improves the accuracy of attack tracing in the Internet of things environment.
Inventors
- LIU JINQUAN
- LUO MENG
- LI CHUAN
- LEI JING
- ZHANG JIANRONG
- ZHOU KAI
- WANG XINYAN
- YU CHENG
- WANG TIANXIANG
- DU FEI
- ZHANG HAIKUN
- WANG ZHIMING
Assignees
- 中国联合网络通信集团有限公司
- 联通数字科技有限公司
- 联通智慧安全科技有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260225
Claims (12)
- 1. An Internet of things attack tracing method, characterized in that it is applied to electronic equipment and comprises the following steps: acquiring an Internet of things equipment log; obtaining the attacked Internet of things equipment and an attack time window according to the Internet of things equipment log; collecting communication data in the attack time window from different dimensions to obtain multi-source communication data; judging whether a single-hop Internet of things attack link exists according to the multi-source communication data, wherein the single-hop Internet of things attack link refers to a link in which the attacked Internet of things equipment is directly controlled by an Internet of things attack end through an attack instruction; if the single-hop Internet of things attack link does not exist, constructing a communication diagram of the attacked Internet of things equipment according to the multi-source communication data; in the communication diagram, taking the attacked Internet of things equipment as a starting point and obtaining a plurality of candidate multi-hop Internet of things attack links, wherein a multi-hop Internet of things attack link refers to a link in which an Internet of things attack end forwards an attack instruction through a relay springboard and indirectly controls the attacked Internet of things equipment; acquiring the credibility value of each candidate multi-hop Internet of things attack link; and determining the candidate multi-hop Internet of things attack link with the highest credibility value as the final multi-hop Internet of things attack link, wherein the end point of the final multi-hop Internet of things attack link is the Internet of things attack end.
- 2. The method of claim 1, wherein obtaining the attacked Internet of things equipment according to the Internet of things equipment log comprises: identifying attack behavior in the Internet of things equipment log through a rule engine and a machine learning model; and determining the Internet of things equipment corresponding to the attack behavior as the attacked Internet of things equipment.
- 3. The method of claim 1, wherein judging whether a single-hop Internet of things attack link exists according to the multi-source communication data comprises: acquiring, from the multi-source communication data, at least one external network IP address that communicates with the attacked Internet of things equipment; obtaining, according to the multi-source communication data, a session feature score between the attacked Internet of things equipment and each external network IP address; if there is an external network IP address whose session feature score exceeds a preset session feature score threshold, judging that a single-hop Internet of things attack link exists; and if there is no external network IP address whose session feature score exceeds the preset session feature score threshold, judging that no single-hop Internet of things attack link exists.
- 4. The method of claim 3, further comprising, after judging whether a single-hop Internet of things attack link exists: if the single-hop Internet of things attack link exists, determining the external network IP address whose session feature score exceeds the preset session feature score threshold as a candidate Internet of things attack end; acquiring a threat intelligence database and a domain name system resolution log from the multi-source communication data, wherein a plurality of known malicious IP addresses are stored in the threat intelligence database; acquiring the domain name of the candidate Internet of things attack end from the domain name system resolution log; and if the external network IP address whose session feature score exceeds the preset session feature score threshold is present in the threat intelligence database, or the domain name is detected by a domain name generation algorithm detector to have been generated by a domain name generation algorithm, determining the candidate Internet of things attack end as the Internet of things attack end of the attacked Internet of things equipment.
- 5. The method of claim 1, wherein constructing a communication diagram of the attacked Internet of things equipment according to the multi-source communication data comprises: acquiring a network traffic log from the multi-source communication data; acquiring, from the network traffic log, a plurality of IP addresses that communicate with the attacked Internet of things equipment, wherein the IP addresses comprise IP addresses that communicate directly with the attacked Internet of things equipment and IP addresses that communicate indirectly with it; determining the plurality of IP addresses as a plurality of nodes; connecting any two communicating IP addresses with a directed edge that points from the IP address initiating the communication to the IP address being communicated with; acquiring the communication data between any two communicating IP addresses; determining the edge weight of each directed edge according to the communication data, wherein the edge weight quantifies the suspicious degree of the communication; and constructing the communication diagram of the attacked Internet of things equipment from the directed edges between any two IP addresses among the plurality of nodes and the edge weights of those directed edges.
- 6. The method of claim 1, wherein obtaining, in the communication diagram, a plurality of candidate multi-hop Internet of things attack links starting from the attacked Internet of things equipment comprises: traversing the communication diagram with the attacked Internet of things equipment as the starting point, using a preset link screening strategy, to acquire the plurality of candidate multi-hop Internet of things attack links.
- 7. The method of claim 1, wherein obtaining the credibility value of each candidate multi-hop Internet of things attack link comprises: acquiring the link length of each candidate multi-hop Internet of things attack link; acquiring, through a graph neural network, the node anomaly score of every node in each candidate multi-hop Internet of things attack link; acquiring the edge weight of each directed edge in each candidate multi-hop Internet of things attack link; and determining the credibility value of each candidate multi-hop Internet of things attack link from the link length, the node anomaly score of each node and the edge weight of each directed edge by means of a Bayesian algorithm.
- 8. The method of claim 1, wherein after determining the candidate multi-hop Internet of things attack link with the highest credibility value as the final multi-hop Internet of things attack link, the method further comprises: acquiring the link integrity of the final multi-hop Internet of things attack link according to a preset link integrity scoring rule; and if the link integrity is lower than a preset link integrity threshold, iteratively executing the following steps until the link integrity is not lower than the preset link integrity threshold: expanding the attack time window to obtain an expanded attack time window; collecting communication data in the expanded attack time window from different dimensions to obtain new multi-source communication data; acquiring a new final multi-hop Internet of things attack link based on the new multi-source communication data; and acquiring the link integrity of the new final multi-hop Internet of things attack link according to the preset link integrity scoring rule.
- 9. An Internet of things attack tracing device, characterized in that it is applied to electronic equipment and comprises: a first acquisition module for acquiring an Internet of things equipment log; a second acquisition module for acquiring the attacked Internet of things equipment and an attack time window according to the Internet of things equipment log; a third acquisition module for collecting communication data in the attack time window from different dimensions to obtain multi-source communication data; a judging module for judging whether a single-hop Internet of things attack link exists according to the multi-source communication data, wherein the single-hop Internet of things attack link refers to a link in which the attacked Internet of things equipment is directly controlled by an Internet of things attack end through an attack instruction; a construction module for constructing a communication diagram of the attacked Internet of things equipment according to the multi-source communication data if the single-hop Internet of things attack link does not exist; a fourth acquisition module, configured to obtain, in the communication diagram, a plurality of candidate multi-hop Internet of things attack links with the attacked Internet of things equipment as the starting point, wherein a multi-hop Internet of things attack link refers to a link in which an Internet of things attack end forwards an attack instruction through a relay springboard and indirectly controls the attacked Internet of things equipment; a fifth acquisition module, configured to obtain the credibility value of each candidate multi-hop Internet of things attack link; and a determining module for determining the candidate multi-hop Internet of things attack link with the highest credibility value as the final multi-hop Internet of things attack link, wherein the end point of the final multi-hop Internet of things attack link is the Internet of things attack end.
- 10. An electronic device, comprising: A memory for storing a computer program; A processor for implementing the method according to any of claims 1-8 when executing the computer program.
- 11. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1-8.
- 12. A computer program product comprising a computer program which, when executed by a processor, implements the method of any of claims 1-8.
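To make the graph stage of claims 5 to 7, with the single-hop test of claim 3 placed in front of it as claim 1 requires, concrete, here is an added Python illustration; it is not code from the patent or its assignees. The flow records, node anomaly scores, external-IP set, screening strategy and the naive-Bayes-style credibility formula are all constructed assumptions standing in for the patent's logs, graph neural network and Bayesian algorithm.

```python
from collections import defaultdict
# Constructed flows (initiator, responder, suspicion in [0,1] used as edge weight)
FLOWS = [
    ("203.0.113.7", "10.0.0.5", 0.9),   # external host -> internal relay
    ("10.0.0.5", "10.0.0.42", 0.8),     # relay -> attacked IoT device
    ("198.51.100.3", "10.0.0.9", 0.3),  # a second, weaker path
    ("10.0.0.9", "10.0.0.42", 0.2),
]
# Constructed node anomaly scores standing in for the GNN output of claim 7
NODE_ANOMALY = {"203.0.113.7": 0.95, "10.0.0.5": 0.7, "198.51.100.3": 0.4,
                "10.0.0.9": 0.3, "10.0.0.42": 0.9}
EXTERNAL = {"203.0.113.7", "198.51.100.3"}  # assumed external-network IPs

def build_graph(flows):
    # Claim 5: edge initiator -> responder (weight = suspicion), kept as reverse adjacency
    incoming = defaultdict(dict)
    for src, dst, w in flows:
        incoming[dst][src] = max(w, incoming[dst].get(src, 0.0))
    return incoming

def candidate_links(incoming, victim, max_hops=4):
    # Claim 6: walk backwards from the victim. Assumed screening strategy:
    # stop at an external IP, forbid cycles, bound the link length.
    links = []
    def walk(path):
        if path[-1] in EXTERNAL and len(path) > 1:
            links.append(path)
        elif len(path) <= max_hops:
            for prev in incoming.get(path[-1], {}):
                if prev not in path:
                    walk(path + [prev])
    walk([victim])
    return links

def credibility(incoming, link, node_anomaly, length_decay=0.8):
    # Claim 7, assumed naive-Bayes-style form: a length prior times the
    # per-hop product of edge weight and upstream node anomaly score
    score = length_decay ** (len(link) - 1)
    for hop_to, hop_from in zip(link, link[1:]):
        score *= incoming[hop_to][hop_from] * node_anomaly[hop_from]
    return score

def trace(flows, victim, node_anomaly, single_hop_threshold=0.7):
    # Claim 1 flow: claim 3 single-hop test first, else best multi-hop link
    incoming = build_graph(flows)
    direct = [(w, s) for s, w in incoming.get(victim, {}).items()
              if s in EXTERNAL and w > single_hop_threshold]
    links = [[victim, max(direct)[1]]] if direct else candidate_links(incoming, victim)
    best = max(links, key=lambda l: credibility(incoming, l, node_anomaly))
    return best, best[-1]
```

The walk runs against the direction of the edges because an attack instruction travels from the attack end through the relay to the attacked device, so a link grown from the victim ends at the attack end.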
Description
Technical Field
The application relates to the technical field of computers, in particular to an attack tracing method, device, equipment, storage medium and product of the Internet of things.
Background
With the rapid development of Internet of things technology, massive numbers of resource-constrained Internet of things devices with a weak security baseline are being connected to networks. These devices typically use default credentials, lack security update mechanisms, and have too little computing power to run host-level security agents, which makes them high-risk targets for malware attacks. Currently, prior-art analysis relies mainly on a single log source and on static rules or simple association strategies. However, a single log source yields little analysis data of only one dimension, and static rules or simple association strategies have difficulty accurately identifying the hidden attack behavior of an Internet of things attack end within massive volumes of traffic. The accuracy of attack tracing in the Internet of things environment therefore cannot be guaranteed.
Disclosure of Invention
The embodiments of the application provide an attack tracing method, device, equipment, storage medium and product of the Internet of things, which are used to achieve the effect of improving the accuracy of attack tracing in the Internet of things environment.
The application provides an Internet of things attack tracing method applied to electronic equipment; the method comprises the steps of: obtaining an Internet of things equipment log; obtaining the attacked Internet of things equipment and an attack time window according to the Internet of things equipment log; collecting communication data in the attack time window from different dimensions to obtain multi-source communication data; judging whether a single-hop Internet of things attack link exists according to the multi-source communication data, wherein the single-hop Internet of things attack link is a link in which the attacked Internet of things equipment is directly controlled by the Internet of things attack end through an attack instruction; if it is judged that no single-hop Internet of things attack link exists, constructing a communication diagram of the attacked Internet of things equipment according to the multi-source communication data; in the communication diagram, taking the attacked Internet of things equipment as a starting point and obtaining a plurality of candidate multi-hop Internet of things attack links, wherein a multi-hop Internet of things attack link refers to a link in which the Internet of things attack end forwards an attack instruction through a relay springboard and indirectly controls the attacked Internet of things equipment; obtaining the credibility value of each candidate multi-hop Internet of things attack link; and determining the candidate multi-hop Internet of things attack link with the highest credibility value as the final multi-hop Internet of things attack link, wherein the end point of the final multi-hop Internet of things attack link is the Internet of things attack end.
In a possible implementation, obtaining the attacked Internet of things equipment according to the Internet of things equipment log comprises: identifying attack behavior in the Internet of things equipment log through a rule engine and a machine learning model; and determining the Internet of things equipment corresponding to the attack behavior as the attacked Internet of things equipment.
In a possible implementation, judging whether a single-hop Internet of things attack link exists according to the multi-source communication data comprises: obtaining, from the multi-source communication data, at least one external network IP address that communicates with the attacked Internet of things equipment; obtaining, according to the multi-source communication data, the session feature score between the attacked Internet of things equipment and each external network IP address; judging that a single-hop Internet of things attack link exists if there is an external network IP address whose session feature score exceeds a preset session feature score threshold; and judging that no single-hop Internet of things attack link exists if there is no external network IP address whose session feature score exceeds the preset session feature score threshold.
In a possible implementation, after judging whether a single-hop Internet of things attack link exists, the method further comprises: if it is judged that the single-hop Internet of things attack link exists, determining the external network IP address whose session feature score exceeds the preset session feature score threshold as a candidate Internet of things attack end; acquiri