Security Center supports the attack awareness feature. The feature lists and analyzes the attacks against your assets. This topic describes the statistics provided by the attack analysis feature. The statistics include the total number of attacks, distribution of attack types, top 5 attack sources, top 5 attacked assets, and the attack list.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Background information

The attack awareness feature provides basic attack detection and prevention based on the protection capabilities of Alibaba Cloud. After Security Center detects basic attacks, Security Center blocks and handles the attacks. The attack statistics are displayed on the Attack Awareness page. You do not need to handle the attacks. You can analyze or troubleshoot the attacks that may cause major risks based on the source addresses. We recommend that you develop a more refined and precise defense system to optimize your firewalls and enhance your business security.

You can log on to the Security Center console and choose Detection and Response > Attack Awareness to view the details about the attacks against your assets in the specified time range.

  • Attacks: the total number of attacks against your assets.
  • Attack Type Distribution: the attack types and the number of attacks of each type.
  • Top 5 Attack Sources: the top 5 IP addresses that are most frequently used to launch attacks.
  • Top 5 Attacked Assets: the top 5 assets that encountered the most attacks.
  • Attack list: the details about all attacks. The details include the attack time, source IP address, attacked asset, attack type, and attack status.

On the Attack Awareness page, you can specify a time range to view the attack details. You can view the attack analysis statistics of the current day, last 7 days, or last 30 days. You can also set Time Range to Custom to view the statistics of a time range within the last 30 days.

Note
  • After you purchase an Alibaba Cloud service, you must wait approximately 3 hours until the attack statistics of the Alibaba Cloud service are synchronized to Security Center. After the synchronization is complete, you can view the attack details.
  • The attack statistics that are analyzed by the attack awareness feature are collected by Security Center, Alibaba Cloud, and Web Application Firewall (WAF). You must activate WAF before WAF can collect the attack statistics.

Attacks

In the Attacks section, a graph displays the attack trend within the specified time range. You can view the peak and valley values of the graph. You can move the pointer over the graph to view the attack date, the attack time, and the number of attacks. Attacks

Attack Type Distribution

In the Attack Type Distribution section, you can view the attack types and the number of attacks of each type. Attack Type Distribution

Top 5 Attack Sources

In the Top 5 Attack Sources section, you can view the top 5 IP addresses that are most frequently used to launch attacks and the number of attacks that are initiated from each IP address. Top 5 Attack Sources

Top 5 Attacked Assets

In the Top 5 Attacked Assets section, you can view the public IP addresses of the top 5 assets that encountered the most attacks and the number of attacks against each asset. Top 5 Attacked Assets

Attack list

In the attack list, you can view the attack details including the attack time, source IP address, attacked asset, attack type, attack method, and attack status. Attack list
Note The list can display details about a maximum of 10,000 attacks. You can specify Time Range to view the attack details within the specified time range.

Parameters in the attack list

Parameter Description
Attacked At The time when the attack is detected.
Attack Source The source IP address and region from which the attack is initiated.
Attacked Asset The name, public IP address, and private IP address of the attacked asset.
Attack Method The HTTP request method that is used to initiate the attack. The methods include POST and GET.
Port The port that the attacked asset uses. This parameter is displayed only when the type of the attack is SSH brute-force attack.
Attack Type The type of the attack, such as SSH brute-force attack or code running.
Attack Status The status of the attack. Security Center uses the protection capabilities of Alibaba Cloud to block common attacks. The status of a blocked attack is Blocked. The intrusion events are displayed on the Alerts page.

In the attack list, you can perform the following operations:

  • Search for an attack
    To search for an attack and view the details about the attack, specify search conditions above the attack list. Search conditions include the attack type, attacked asset, source IP address, and port number. Search for an attack
  • View the details about an attacked asset
    To view the details about an attacked asset, move the pointer over the name of the attacked asset in the Attacked Asset column. Attacked asset details
  • Export the attack list

    To export and save the attack list to your computer, click the Export icon icon in the upper-left corner of the attack list. The exported file is in the Excel format.

  • Disable a defense rule

    To disable the defense rule that automatically blocks an attack of the AntSword Communication with Webshells, Chopper Communication with Webshells, or XISE Communication with Webshells type, perform the following operations: Move the pointer over the Icon icon in the Attack Type column. In the Are you sure that you want to disable the rule? dialog box, click Go to the Malicious behavior Defense page. On the Malicious behavior Defense page, disable the defense rule.

References

What is the source of the statistics that are displayed on the Attack Awareness page?