The Enterprise edition of Security Center supports the attack awareness feature. This feature lists and analyzes the attacks against your assets. This topic describes the statistics that are provided by the attack awareness feature. These statistics include the total number of attacks, distribution of attack types, top 5 attack sources, top 5 attacked assets, and attack list.

Background information

The attack awareness feature provides basic attack detection and prevention based on the protection capabilities of Alibaba Cloud. We recommend that you develop a more refined and precise defense system by optimizing firewalls and enhancing business security.

You can log on to the Security Center console and choose Detection > Attack Awareness to view details about the attacks against your assets in the specified time range.

Attack Awareness page
  • Attacks: the total number of attacks against your assets.
  • Attack Type Distribution: the attack types and the number of attacks of each type.
  • Top 5 Attack Sources: the top 5 IP addresses from which most attacks are initiated.
  • Top 5 Attacked Assets: the top 5 assets that have encountered the most attacks.
  • Attack list: details about all attacks. The details include the attack time, source IP address, attacked asset, attack type, and attack status.

On the Attack Awareness page, you can specify a time range to view these attack details. You can view the attack analysis statistics of the current day, last 7 days, or last 30 days. You can also select Custom to view the statistics of a time range within the last 30 days.

Note
  • Only the Enterprise edition supports the attack awareness feature. If you are using Security Center of the Basic, Basic Anti-Virus, or Advanced edition, you must upgrade it to the Enterprise edition before you can use the attack awareness feature.
  • After you purchase an Alibaba Cloud service, you must wait until the data of the Alibaba Cloud service is synchronized to Security Center before you can view the attack statistics.
  • The data that is analyzed by the attack awareness feature is collected by Security Center, Alibaba Cloud, and Web Application Firewall (WAF). You must activate WAF before WAF can collect data.

Attacks

In the Attacks section, a graph displays the attack trend within the specified time range. You can view the peak and valley values of the graph. You can move the pointer over the graph to view the attack date, attack time, and number of attacks.

Attack Type Distribution

In the Attack Type Distribution section, you can view the attack names and the number of attacks of each type.

Top 5 Attack Sources

In the Top 5 Attack Sources section, you can view the top 5 IP addresses from which most attacks are initiated and the number of attacks that are initiated from each IP address.

Top 5 Attacked Assets

In the Top 5 Attacked Assets section, you can view the public IP addresses of the top 5 assets that have encountered the most attacks and the number of attacks against each asset.

Attack list

In the attack list, you can view the attack details including the attack time, source IP address, attacked asset, attack type, attack method, and attack status.

Note: The list can display details about a maximum of 10,000 attacks. You can specify the Time Range to view the attack details within a specified time range.

Parameters of the attack details

| Parameter | Description |
| --- | --- |
| Attacked At | The time when the attack is detected. |
| Attack Source | The source IP address and region from which the attack is initiated. |
| Attacked Asset | The name, public IP address, and private IP address of the attacked asset. |
| Attack Method | The HTTP request method that is used to initiate the attack, including POST and GET. |
| Attack Type | The type of the attack, such as SSH brute-force cracking or code running. |
| Attack Status | The status of the attack. Security Center uses the protection capabilities of Alibaba Cloud to block common attacks. The status of a blocked attack is Blocked. The intrusion events are displayed on the Alerts page. |

In the attack list, you can perform the following operations:

  • Search for an attack event

    To view the details about a specific attack, you can specify search conditions in the search box above the attack list. Search conditions include the attack type, attacked asset, and source IP address.

  • View the details about an attacked asset

    To view the details about an attacked asset, you can move the pointer over the name of the Attacked Asset.

  • Export the attack list

    To export and save the attack list to a local machine, click the Export icon in the upper-left corner of the attack list. The attack list is exported to an Excel file.
