CN-122027291-A - Operation type software defined wide area network attack tracing system and method
Abstract
The application discloses an operation type software defined wide area network attack tracing system and method, relating to the field of network security. The system comprises an anchor point acquisition module, used for generating a three-dimensional tracing anchor point and rejecting normal service flow data; a data transmission module, used for transmitting anchor attack audit data to an Orch for storage; a link aggregation and path restoration module, used for screening attack session data from the Orch according to attack warning information and extracting an attack path; a tenant-mechanism-CPE positioning module, used for carrying out attack positioning according to a full link aggregation data set, an attack path map and a tenant-mechanism-CPE mapping relation; and a verification module, used for calling the corresponding anchor attack audit log and PC terminal information from the Orch according to an attack positioning result set and filtering and verifying the IP to obtain a final tracing result. The application can trace back to the tenant CPE and the customer internal attack PC, and improves the tracing efficiency.
Inventors
- MA YUMING
- LI BINBIN
- ZHANG YONGSHENG
- CHEN XU
- HUA GUIBIN
Assignees
- 北京轻网科技股份有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260212
Claims (10)
- 1. An operation type software defined wide area network attack tracing system, wherein the core service link of the operation type software defined wide area network is PC-CPE-PoP1-PoP2-SaaS/Internet, the operation type software defined wide area network attack tracing system comprising: an anchor point acquisition module, used for generating a three-dimensional traceable anchor point according to an original acquisition data set, and removing normal service flow data in the original acquisition data set to obtain anchor point attack audit data; a data transmission module, used for transmitting the anchor attack audit data to an Orch for storage; a link aggregation and path restoration module, used for screening out corresponding attack session data from the Orch according to the attack warning information of the SaaS/Internet, extracting an attack path and obtaining a full link aggregation data set and an attack path map; a tenant-mechanism-CPE positioning module, used for carrying out attack positioning according to the full link aggregation data set, the attack path map and the tenant-mechanism-CPE mapping relation to obtain an attack positioning result set; and a verification module, used for calling the corresponding anchor attack audit log and PC terminal information from the Orch according to the attack positioning result set, and filtering and verifying the IP to obtain a final tracing result, wherein the final tracing result comprises attack tenant information, attack branch office information, attack exclusive CPE information, attack terminal information, attack real source IP, attack path and attack key information.
- 2. The system according to claim 1, wherein the original flow data collected by the CPE device in real time includes the source IP and port of the attack traffic, the destination IP and port of the attack traffic, the protocol, a time stamp and a security policy trigger record; the original flow data collected by the PoP1 equipment in real time comprises a PoP1 forwarding record and a tenant isolation flow identification; the original flow data collected by the PoP2 equipment in real time comprises a PoP2 forwarding record, a tenant isolation flow identification and a PoP2 public network outlet IP; and the device-specific information includes CPE device-specific information and PC terminal information.
- 3. The system of claim 1, wherein the anchor point collection module comprises: an audit data acquisition unit, used for acquiring the original flow data and equipment inherent information collected in real time by the CPE equipment, the PoP1 equipment and the PoP2 equipment to obtain an original acquisition data set; a three-dimensional anchor point generation unit, used for extracting a fixed factor and a dynamic factor from the original acquisition data set, splicing the fixed factor and the dynamic factor to obtain a three-dimensional source tracing anchor point, and embedding the three-dimensional source tracing anchor point into the original acquisition data set to obtain an anchor point binding structured data set; and an attack data filtering unit, used for removing the normal service flow data in the anchor point binding structured data set based on a preset filtering rule to obtain anchor point attack audit data.
- 4. The operational software defined wide area network attack traceability system of claim 1, wherein the data transmission module comprises: an incremental pushing unit, used for determining newly added attack data according to the anchor attack audit data; and a breakpoint continuous transmission unit, used for storing the newly added attack data in a local temporary cache database and transmitting the data in the local temporary cache database to the Orch for storage.
- 5. The system according to claim 4, wherein the breakpoint continuous transmission unit transmits the data in the local temporary cache database to the Orch in real time when the network is normal and deletes the data in the local temporary cache database after the transmission is completed; pauses the data transmission when the network is interrupted; and transmits the data in the local temporary cache database to the Orch in time sequence after the network is restored.
- 6. The system of claim 1, wherein the link aggregation and path restoration module comprises: an anchor point analysis unit, used for extracting core key fields from the Orch and binding the core key fields with the anchor point attack audit data to obtain an anchor point analysis data set, wherein the core key fields comprise the three-dimensional tracing anchor point, the PoP2 export public network IP, PC terminal information, tenant codes, branch mechanism codes, tunnel link information and attack flow characteristics; a PoP2 IP-tenant matching unit, used for extracting a core matching factor from the attack warning information of the SaaS/Internet and screening the anchor attack audit data corresponding to the core matching factor from the anchor analysis data set to obtain a multi-tenant flow data set, wherein the core matching factor comprises the PoP2 shared public network IP and the attack time range; and an anchor point association engine unit, used for screening out the attack session data matched with the attack alarm from the multi-tenant flow data set, extracting tunnel link information from the attack session data, and reversely associating the all-link anchor point attack audit data in the Orch by taking the three-dimensional tracing anchor point as a global index to obtain an all-link aggregation data set and an attack path map.
- 7. The system of claim 1, wherein the tenant-mechanism-CPE positioning module comprises: a tenant mapping unit, used for acquiring the tenant-branch office-CPE global mapping relation provided by the SD-WAN tenant management system to obtain a three-level mapping relation data set; and an anchor point matching analysis unit, used for extracting the three-dimensional traceable anchor point from the all-link aggregation data set, matching the tenant code and branch mechanism code carried in the three-dimensional traceable anchor point against the three-level mapping relation data set, determining the corresponding attack tenant information, attack branch mechanism information and attack exclusive CPE information, and determining the attack positioning result set in combination with the attack path map.
- 8. The operational software defined wide area network attack traceability system of claim 1, wherein the verification module comprises: an anchor point log calling unit, used for calling the corresponding anchor point attack audit log from the Orch according to the attack positioning result set, taking the CPE code and the three-dimensional traceable anchor point as screening conditions, to obtain a target CPE exclusive attack session log; a PC terminal information extraction unit, used for screening the target CPE exclusive attack session log according to the three-dimensional tracing anchor point, keeping only the log records matched with the attack session, and extracting PC terminal information from the screened log records to obtain a PC terminal information set; and a real source IP verification unit, used for extracting the original source IP from the target CPE exclusive attack session log, analyzing the original source IP to obtain the real public network source IP, and carrying out effective public network IP verification on the real public network source IP to obtain the final tracing result.
- 9. The system of claim 1, wherein the anchor point collection module is deployed in the CPE, PoP1 and PoP2 devices, and the link aggregation and path restoration module, the tenant-mechanism-CPE positioning module and the verification module are all deployed in an Orch orchestration local server.
- 10. An operation type software defined wide area network attack tracing method, applying the operation type software defined wide area network attack tracing system according to any one of claims 1-9, characterized in that the operation type software defined wide area network attack tracing method comprises: generating a three-dimensional traceable anchor point according to an original acquisition data set, and removing normal business flow data in the original acquisition data set to obtain anchor attack audit data, wherein the original acquisition data set comprises the original flow data and equipment inherent information collected in real time by the CPE equipment, PoP1 equipment and PoP2 equipment; transmitting the anchor attack audit data to an Orch for storage; screening out the corresponding attack session data from the Orch according to the attack warning information of the SaaS/Internet and extracting the attack path, so as to obtain a full-link aggregation data set and an attack path map; carrying out attack positioning according to the full-link aggregation data set, the attack path map and the tenant-mechanism-CPE mapping relation to obtain an attack positioning result set; and calling the corresponding anchor attack audit log and PC terminal information from the Orch according to the attack positioning result set, and filtering and verifying the IP to obtain a final tracing result, wherein the final tracing result comprises attack tenant information, attack branch office information, attack exclusive CPE information, attack terminal information, attack real source IP, attack path and attack key information.
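The following Python is an added example, not the patent's own code, that models claims 1 to 3 and 6 to 8 end to end: the three-dimensional anchor is spliced from fixed factors (tenant, site and CPE codes) and a dynamic factor (a hash of the inner 5-tuple and a one-minute time bucket), normal traffic is filtered out, a SaaS-side alert is matched against the PoP2 shared public IP and time window, the anchor is used as a global index to reverse-associate the CPE, PoP1 and PoP2 records, the tenant-site-CPE mapping is looked up, and the real public source IP is verified. Every record, field name, mapping entry, signature id and the alert are constructed assumptions; in particular it assumes each hop records the same inner 5-tuple so that the anchor is identical across hops.

```python
import hashlib
import ipaddress

HOP_ORDER = {"CPE": 0, "PoP1": 1, "PoP2": 2}  # core link PC-CPE-PoP1-PoP2-SaaS/Internet
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def make_anchor(rec):
    """Three-dimensional anchor: fixed factors (tenant, site, CPE code) spliced
    with a dynamic factor (hash of the inner 5-tuple and a one-minute bucket).
    Assumption: every hop records the same inner 5-tuple, so the anchor is the
    same on CPE, PoP1 and PoP2 and can act as a global index."""
    fixed = f"{rec['tenant']}-{rec['site']}-{rec['cpe']}"
    flow = (rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"],
            rec["proto"], rec["ts"] // 60)
    dynamic = hashlib.sha256("|".join(map(str, flow)).encode()).hexdigest()[:12]
    return f"{fixed}:{dynamic}"


def collect_anchor_audit(raw_records):
    """Anchor collection module: embed the anchor and drop normal service traffic.
    Constructed preset filter rule: keep a record only if a policy trigger is set."""
    return [dict(r, anchor=make_anchor(r)) for r in raw_records if r.get("policy_hit")]


def is_valid_public_ip(ip):
    """Effective public-IP verification.  Categories are checked one by one so the
    documentation range 203.0.113.0/24 used as the sample PoP2 exit IP passes;
    the stdlib's is_global flag would reject that range."""
    a = ipaddress.ip_address(ip)
    if a.is_loopback or a.is_link_local or a.is_multicast or a.is_unspecified or a.is_reserved:
        return False
    return not any(a in n for n in NON_PUBLIC)


def trace(orch, alert, mapping):
    """Link aggregation, tenant-site-CPE positioning and verification for one alert."""
    # PoP2 shared public IP + attack time range -> multi-tenant flow data set
    multi = [r for r in orch if r["device"] == "PoP2"
             and r["pop2_public_ip"] == alert["pop2_public_ip"]
             and alert["start"] <= r["ts"] <= alert["end"]]
    # the attack session is the flow whose destination matches the SaaS-side alert
    sessions = [r for r in multi
                if r["dst_ip"] == alert["dst_ip"] and r["dst_port"] == alert["dst_port"]]
    if not sessions:
        return None
    anchor = sessions[0]["anchor"]
    # reverse association: the anchor is the global index across all hops
    full_link = sorted((r for r in orch if r["anchor"] == anchor),
                       key=lambda r: HOP_ORDER[r["device"]])
    tenant, site, cpe = anchor.split(":")[0].split("-")
    org = mapping.get((tenant, site, cpe))  # tenant-site-CPE three-level mapping
    if org is None:
        return None
    cpe_log = [r for r in full_link if r["device"] == "CPE"]  # target CPE session log
    real_src = sessions[0]["pop2_public_ip"]
    return {"tenant": org["tenant_name"], "site": org["site_name"], "cpe": cpe,
            "terminals": sorted({r["pc_info"] for r in cpe_log}),
            "inner_src_ip": cpe_log[0]["src_ip"] if cpe_log else None,
            "real_src_ip": real_src, "real_src_ip_valid": is_valid_public_ip(real_src),
            "path": ["PC"] + [r["device"] for r in full_link] + ["SaaS/Internet"],
            "tunnel": next((r["tunnel"] for r in full_link if "tunnel" in r), None),
            "anchor": anchor, "policy_hit": sessions[0]["policy_hit"]}


def rec(device, tenant, site, cpe, src_ip, dst_ip, dst_port, ts, policy_hit, **extra):
    """Constructed device record; all field names are assumptions."""
    return dict(device=device, tenant=tenant, site=site, cpe=cpe, src_ip=src_ip,
                src_port=51000, dst_ip=dst_ip, dst_port=dst_port, proto="tcp",
                ts=ts, policy_hit=policy_hit, **extra)


# Constructed sample: two tenants share the PoP2 exit 203.0.113.10 and both use
# 192.168.10.0/24 internally, which an IP-segment table alone cannot separate.
RAW = [
    rec("CPE", "T001", "S01", "CPE01", "192.168.10.5", "198.51.100.20", 443, 1000, "sig-0042",
        pc_info="host=WS-17 mac=00:11:22:33:44:55"),
    rec("PoP1", "T001", "S01", "CPE01", "192.168.10.5", "198.51.100.20", 443, 1000, "sig-0042",
        tunnel="tun-1001"),
    rec("PoP2", "T001", "S01", "CPE01", "192.168.10.5", "198.51.100.20", 443, 1001, "sig-0042",
        tunnel="tun-1001", pop2_public_ip="203.0.113.10"),
    # tenant T002, same inner 5-tuple, normal traffic (no policy trigger): filtered out
    rec("CPE", "T002", "S03", "CPE07", "192.168.10.5", "198.51.100.20", 443, 1000, None,
        pc_info="host=LT-03"),
    # tenant T002, a flagged flow to another destination in the same time window
    rec("CPE", "T002", "S03", "CPE07", "192.168.10.9", "198.51.100.30", 22, 1005, "sig-0007",
        pc_info="host=LT-03"),
    rec("PoP2", "T002", "S03", "CPE07", "192.168.10.9", "198.51.100.30", 22, 1005, "sig-0007",
        tunnel="tun-2007", pop2_public_ip="203.0.113.10"),
]
MAPPING = {("T001", "S01", "CPE01"): {"tenant_name": "Tenant A", "site_name": "Branch 1"},
           ("T002", "S03", "CPE07"): {"tenant_name": "Tenant B", "site_name": "Branch 3"}}
ALERT = {"pop2_public_ip": "203.0.113.10", "dst_ip": "198.51.100.20", "dst_port": 443,
         "start": 990, "end": 1010}

ORCH = collect_anchor_audit(RAW)
RESULT = trace(ORCH, ALERT, MAPPING)
```

The sample is built around defect ① of the background: tenant T001 and tenant T002 emit the same inner 5-tuple from the same private address behind the same PoP2 exit IP, yet their anchors differ because the fixed factor carries the tenant, site and CPE codes, so the alert resolves to Tenant A, Branch 1, CPE01 and the single terminal seen in that CPE's own log. The sample deliberately uses documentation address ranges, which is why the verification step checks address categories itself rather than relying on `is_global`.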
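Claims 4 and 5 describe the data transmission module as an incremental push with breakpoint continuation. The following added example, not the patent's code, simulates that behaviour with an in-memory stand-in for the Orch and a link that drops: records not pushed before are appended to a local cache kept in time order, each cached record is deleted only after the Orch accepted it, transmission pauses at the first failure, and after the link returns the backlog is sent oldest first. The anchors A1 to A5, the timestamps and the stand-in Orch are constructed.

```python
class FakeOrch:
    """Stand-in for the Orch storage (constructed); store() fails while the link is down."""

    def __init__(self):
        self.link_up = True
        self.stored = []

    def store(self, record):
        if not self.link_up:
            return False
        self.stored.append(record)
        return True


class AnchorTransmitter:
    """Incremental pushing unit plus breakpoint continuous transmission unit."""

    def __init__(self, orch):
        self.orch = orch
        self.pushed_ids = set()   # anchors already handed to this module
        self.cache = []           # local temporary cache, kept in time order

    def push(self, audit_records):
        """Incremental push: only records whose anchor was never seen are new."""
        new = [r for r in audit_records if r["anchor"] not in self.pushed_ids]
        self.pushed_ids.update(r["anchor"] for r in new)
        self.cache.extend(new)
        self.cache.sort(key=lambda r: r["ts"])
        return self.flush()

    def flush(self):
        """Send oldest first; delete a cached record only after the Orch accepted
        it; stop at the first failure so the backlog survives the interruption."""
        sent = 0
        while self.cache:
            if not self.orch.store(self.cache[0]):
                break  # network interrupted: pause, keep the cache intact
            self.cache.pop(0)
            sent += 1
        return sent


def run_scenario():
    """Link up, link down with duplicates re-pushed, then link restored."""
    orch = FakeOrch()
    tx = AnchorTransmitter(orch)
    sent_up = tx.push([{"anchor": "A1", "ts": 100}, {"anchor": "A2", "ts": 101}])
    orch.link_up = False
    sent_down = tx.push([{"anchor": "A4", "ts": 104}, {"anchor": "A3", "ts": 103}])
    sent_down += tx.push([{"anchor": "A3", "ts": 103}, {"anchor": "A5", "ts": 105}])  # A3 repeated
    cached = [r["anchor"] for r in tx.cache]
    orch.link_up = True
    sent_after_restore = tx.flush()
    return {"sent_up": sent_up, "sent_down": sent_down, "cached": cached,
            "sent_after_restore": sent_after_restore,
            "orch_order": [r["anchor"] for r in orch.stored], "cache_left": len(tx.cache)}
```

Running `run_scenario()` shows the two properties the claims care about: nothing is lost or duplicated while the link is down (the repeated A3 is pushed once), and the Orch receives the backlog in timestamp order once the link is back.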
Description
Operation type software defined wide area network attack tracing system and method
Technical Field
The application relates to the field of network security, in particular to an operation type software defined wide area network attack tracing system and method.
Background
The core service link of the operation type software defined wide area network (SD-WAN) is personal computer (PC) - customer premises equipment (CPE) - PoP1 - PoP2 - Software as a Service (SaaS)/Internet. The link has the following characteristics:
1. PC to CPE is the customer internal network; the CPE is exclusive to one tenant and receives the PC terminal traffic.
2. CPE to PoP2 isolates tenant traffic through dedicated tunnels; PoP1 is responsible for traffic forwarding only.
3. PoP2 to SaaS/Internet is an Internet link; the public network IP of PoP2 is shared by multiple tenants, so PoP2 is the only node identifier visible after the SaaS/Internet side is attacked.
With the popularization of SD-WAN multi-tenant service, attack tracing has become a core pain point. Current attack tracing mainly adopts the following two methods:
(1) SD-WAN distributed log tracing scheme: CPE/PoP equipment generates audit logs in a custom format and periodically uploads them to an Orch log server; after an attack occurs, an administrator manually screens the logs by source IP and time range through the Orch log retrieval function, and combines them with the tenant IP segment table to manually splice the attack path and locate the tenant to which the attack source belongs.
This scheme has the following defects:
- ① High multi-tenant confusion rate: lacking a unified multi-tenant flow distinguishing identifier and a cross-device data association mechanism, flows of different tenants cannot be distinguished through an IP segment table alone when the PoP2 public network IP is shared by multiple tenants, and the attack responsibility misjudgment rate is high when tenant private network IP segments overlap.
- ② Broken attack chain: the upstream PoP1, the tenant CPE and the client internal PC cannot be traced through the shared IP of PoP2; tracing can only reach the PoP2 node, and the real attack source cannot be positioned.
- ③ Extremely low tracing efficiency: the whole process depends on manually screening logs and splicing the attack path, so the tracing cost is high, the efficiency is low, and emergency response requirements cannot be met.
(2) SD-WAN tenant isolation tracing scheme: the Orch allocates an independent log storage partition to each tenant; a CPE/PoP carries a tenant ID label when uploading a log, and the log is automatically stored in the corresponding tenant partition; after an attack occurs, the Orch screens the logs by tenant ID to narrow the tracing range, and the source IP is then extracted manually.
This scheme introduces only the single identity of the tenant ID and does not associate session and terminal information, so it has the following defects:
- ① No branch office (site) level or PC level positioning: only the tenant can be positioned; the site to which the attack source belongs and the client internal PC terminal cannot be further locked.
- ② Different attack events of the same tenant cannot be distinguished: with no associated session ID, multiple attack logs within the same tenant are mixed together and attack sessions cannot be accurately matched.
- ③ Manual intervention is still required: tenant log partitioning only narrows the range; source IP and PC terminal information still need manual screening, so the efficiency improvement is limited.
Therefore, when the SaaS/Internet side is attacked, only the shared public network IP of PoP2 can be obtained; the prior art cannot distinguish the specific tenant corresponding to that IP, nor trace back along the tunnel link to the tenant's CPE and the attacking PC inside the client.
Disclosure of Invention
The application aims to provide an operation type software defined wide area network attack tracing system and method, which can trace back through the PoP2 shared public network IP to the specific tenant, branch institution, exclusive CPE and client internal PC terminal, and acquire the real public network source IP of the attack and the complete attack path.
In order to achieve the above object, the present application provides the following solutions:
In a first aspect, the present application provides an operational software defined wide area network attack tracing system, including: an anchor point acquisition module, used for generating a three-dimensional traceable anchor point according to an original acquisition data set, and removing normal service flow data in the original acquisition data set to obtain