| CPC H04L 63/1425 (2013.01) [H04L 63/1441 (2013.01)] | 17 Claims |
|
1. A method for identifying attack infrastructure, performed by a computing system, the method comprising:
collecting network traffic data of a host device that is the target of a security incident;
acquiring, from the network traffic data, first data regarding port numbers recorded in the network traffic data, second data regarding protocols recorded in the network traffic data, and third data regarding textual information included in network packets recorded in the network traffic data or category information provided by network equipment;
automatically identifying attack infrastructure corresponding to the first data, the second data, and the third data by using a predefined classification model; and
blocking network access of an Internet Protocol (IP) address associated with the attack infrastructure,
wherein the attack infrastructure corresponds to resources utilized by an attacker during the security incident,
wherein the predefined classification model includes first attack infrastructure used to attack a network and second attack infrastructure compromised by the attacker,
wherein each of the first attack infrastructure and the second attack infrastructure includes a plurality of attack infrastructures corresponding to different data, and
wherein the automatically identifying the attack infrastructure comprises: identifying the first attack infrastructure or the second attack infrastructure; and identifying third attack infrastructure corresponding to the first data, the second data, and the third data among the plurality of attack infrastructures included in the identified attack infrastructure.
|