
Research On Network Attack Tracing Technology Based On Multi-Dimensional Information

Posted on: 2019-08-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Wu
Full Text: PDF
GTID: 2428330572458971
Subject: Engineering
Abstract/Summary:
With the spread of the Internet, network attacks have become more frequent and their techniques better concealed. Passive defences such as intrusion detection systems cannot reduce the damage of an attack in time, so more targeted active defence measures are needed against new and complex network attacks. Research into actively determining the source of an attack through traceability is therefore important at present.

Against the current state of network attack defence technology, this thesis proposes a network attack source tracing method based on multi-dimensional information. The method analyses and processes the various kinds of attack information produced by detection and extracts multi-dimensional features (attack type, attacker's geographical location, host information, attack tool fingerprints and attack status) in order to construct a portrait of the attacker.

(1) To address the redundancy of alert content in attack information, the thesis uses a hierarchical-clustering-based method for clustering alert content and a time-window-based method for deduplicating it. The processed results are arranged along a time axis, which directly shows the relationship between attack time and attack type.

(2) For detecting the attacker's geographical location and host information, the thesis takes the IP address from the attack information, uses a B-tree search over an IP address database to locate the geographical position, and calls the Nmap library to probe the attacking host. For detecting attack tools, the thesis identifies the attacker's tool fingerprint by filtering the alerts generated by custom tool-detection rules. The attack status is judged by matching the HTTP status code found in the packet content.

(3) The multi-dimensional information-based source tracing method was tested on fourteen types of attack packets from three attackers to verify its correctness. The experiment first analyses the attack information from the same source IP statistically to obtain the attack profile at a macro level; it then clusters the alert content, reaching an alert clustering rate of 98.6% while covering 100% of attack types, which greatly reduces the number of alerts and shows the correspondence between time and attack type. Finally, analysis of the experimental results shows that the method correctly traces the attacker's geographical location, host information, attack tools and attack status.
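As an added, offline illustration of the pipeline described in points (1) to (3) above (this is example code written for this page, not the thesis's own implementation), the following Python script clusters alert text with single-linkage hierarchical clustering, deduplicates alerts per source IP within a time window, looks up the source IP in a range table, matches tool-fingerprint rules and derives an attack status from the HTTP status code, then assembles a per-attacker portrait on a time axis. The alerts, the IP range table, the tool rules and the status-code mapping are all constructed for the example; bisect over a sorted range array stands in for the thesis's B-tree index, and Nmap host probing is omitted because it needs a live target.

```python
import bisect
import ipaddress
import re

# Constructed sample alerts (hypothetical IDS output, not data from the thesis):
# (time in seconds, source IP, alert text, HTTP status code of the server reply).
ALERTS = [
    (100, "203.0.113.5", "SQL injection attempt in parameter id", 200),
    (104, "203.0.113.5", "SQL injection attempt in parameter id", 200),
    (130, "203.0.113.5", "SQL injection attempt in parameter user", 500),
    (200, "203.0.113.5", "Path traversal ../../etc/passwd requested", 404),
    (203, "203.0.113.5", "Path traversal ../../etc/shadow requested", 404),
    (900, "203.0.113.5", "SQL injection attempt in parameter id", 403),
    (110, "198.51.100.7", "Scanner user-agent Nikto detected", 200),
]

# Constructed IP-to-location table of non-overlapping (start, end, location) ranges,
# sorted by start. The thesis uses a B-tree index; bisect over a sorted array is used
# here as the same ordered-search idea (both are O(log n) per lookup).
IP_DB = sorted(
    (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)), loc)
    for lo, hi, loc in [("203.0.113.0", "203.0.113.255", "City A"),
                        ("198.51.100.0", "198.51.100.255", "City B")]
)
IP_DB_STARTS = [r[0] for r in IP_DB]

# Hypothetical tool-fingerprint rules: a regex over the alert text names the tool.
TOOL_RULES = [(re.compile(r"\bnikto\b", re.I), "Nikto"),
              (re.compile(r"\bsqlmap\b", re.I), "sqlmap")]

# Assumed coarse mapping from HTTP status code to attack outcome.
STATUS = {403: "blocked", 404: "not found"}


def tokens(text):
    return set(re.findall(r"[a-z]+", text.lower()))


def jaccard_distance(a, b):
    return 1.0 - len(a & b) / len(a | b)


def cluster_alerts(texts, threshold=0.5):
    """Single-linkage agglomerative (hierarchical) clustering of alert texts.
    Merge the two closest clusters until the closest pair is farther apart than
    `threshold`; returns one cluster id per input text."""
    toks = [tokens(t) for t in texts]
    clusters = [[i] for i in range(len(texts))]
    while len(clusters) > 1:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = min(jaccard_distance(toks[a], toks[b])
                        for a in clusters[i] for b in clusters[j])
                if best is None or d < best[0]:
                    best = (d, i, j)
        if best[0] > threshold:
            break
        clusters[best[1]].extend(clusters.pop(best[2]))
    labels = [0] * len(texts)
    for cid, members in enumerate(clusters):
        for m in members:
            labels[m] = cid
    return labels


def deduplicate(alerts, labels, window=60):
    """Time-window deduplication: per (source IP, cluster) keep an alert only if
    at least `window` seconds passed since the last kept alert of that pair."""
    kept, last_seen = [], {}
    for alert, cid in sorted(zip(alerts, labels)):  # chronological order
        key = (alert[1], cid)
        if key not in last_seen or alert[0] - last_seen[key] >= window:
            kept.append((alert, cid))
            last_seen[key] = alert[0]
    return kept


def geolocate(ip):
    """Find the last range starting at or below `ip`, then confirm ip <= its end."""
    n = int(ipaddress.ip_address(ip))
    i = bisect.bisect_right(IP_DB_STARTS, n) - 1
    if i >= 0 and IP_DB[i][0] <= n <= IP_DB[i][1]:
        return IP_DB[i][2]
    return "unknown"


def fingerprint_tool(text):
    return next((name for rx, name in TOOL_RULES if rx.search(text)), None)


def attack_status(code):
    """Coarse outcome from the HTTP status code (assumed mapping; the abstract only
    states that status codes are matched to judge attack status)."""
    if 200 <= code < 300:
        return "served"
    if code >= 500:
        return "server error"
    return STATUS.get(code, "undetermined")


def build_profiles(alerts, window=60):
    """Run the pipeline; return per-attacker portraits and (total, kept) counts."""
    labels = cluster_alerts([a[2] for a in alerts])
    kept = deduplicate(alerts, labels, window)
    profiles = {}
    for (t, ip, text, code), cid in kept:
        p = profiles.setdefault(ip, {"location": geolocate(ip),
                                     "tools": set(), "timeline": []})
        tool = fingerprint_tool(text)
        if tool:
            p["tools"].add(tool)
        p["timeline"].append((t, cid, attack_status(code)))  # when, what, outcome
    return profiles, len(alerts), len(kept)


if __name__ == "__main__":
    profiles, total, kept = build_profiles(ALERTS)
    print(f"{total} alerts -> {kept} after clustering and deduplication")
    for ip, p in profiles.items():
        print(ip, p["location"], sorted(p["tools"]), p["timeline"])
```

On the constructed input the seven alerts fall into three clusters (SQL injection, path traversal, scanner) and reduce to four after the 60-second window, and the portrait for 203.0.113.5 reads as a timeline of served, not found, blocked. The threshold and window are tuning knobs: a looser Jaccard threshold merges unrelated alert types, a wider window hides bursts that repeat after a pause, so both should be checked against labelled data before the reduction rate is reported.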
Keywords/Search Tags:Active source tracing, Multi-dimension, Alert, Hierarchical clustering, Location targeting