CN105376245A - Rule-based detection method of ATP attack behavior - Google Patents


Info

Publication number: CN105376245A
Authority: CN (China)
Prior art keywords: rule, attack, apt, alarm, module
Legal status: Granted
Application number: CN201510854610.2A
Other languages: Chinese (zh)
Other versions: CN105376245B (en)
Inventors: 李凯 (Li Kai), 范渊 (Fan Yuan), 程华才 (Cheng Huacai), 史光庭 (Shi Guangting)
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Application events: filed by DBAPPSecurity Co Ltd with priority to CN201510854610.2A; published as CN105376245A; application granted and published as CN105376245B; legal status: active.

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416  Event detection, e.g. attack signature detection


Abstract

The invention relates to the field of APT detection and provides a rule-based method for detecting APT attack behaviour. The method comprises the following steps: defining the grammar used to create APT attack-scenario rules; creating the APT attack-scenario rules and forming an APT attack-scenario knowledge base; having the analysis module call the rule-parsing module to parse and load the APT attack-scenario rules; collecting the full traffic of application-layer protocols with the acquisition module to obtain traffic data; screening the data; analysing significant alarms; identifying behaviour; and handling failures to build an APT attack behaviour. Because an APT attack always exposes several attack points over the course of the whole attack, the rule-based method traces back and correlates the related traffic on this basis; it replaces the traditional matching of signatures at a single point in time with correlation analysis over a long time window, and so identifies the attacker's complete attack intention.

Description

Rule-based detection method for APT attack behaviour
Technical field
The invention relates to the field of APT (Advanced Persistent Threat) detection, and in particular to a rule-based method for detecting APT attack behaviour.
Background
An APT attack is a new type of organized, targeted attack and threat that is highly covert, highly destructive and long-lasting. Its main characteristics are:
Strong concealment of the individual attack source: to evade traditional detection systems, an APT puts great effort into disguising both dynamic behaviour and static files. For example, network behaviour is hidden from detection through covert channels or encrypted tunnels, and malicious code files evade identification by forging legitimate signatures. This makes traditional signature-based detection very difficult.
Many attack techniques and a long attack duration: an APT attack is divided into multiple steps, from initial reconnaissance, gaining an entry point and establishing remote control to locating sensitive data and exfiltrating it; the whole process often takes months, a year or longer. Traditional detection works in real time on a single point in time, so an attack of such a long span is hard to track effectively and the attacker's true intention cannot be identified; an earlier alarm that failed to draw an analyst's attention may conceal a deliberate attack intention. Effective APT detection is therefore only possible by correlating suspicious behaviour over a long period.
Because of these characteristics of APT attacks, traditional defence mechanisms based on real-time detection and real-time blocking are hard to apply effectively. New detection methods are therefore needed to identify and resist APTs.
Summary of the invention
The main purpose of the invention is to overcome the deficiencies of the prior art by providing a rule-based method and system for detecting APT attack behaviour. To solve the technical problem described above, the solution of the invention is as follows:
A rule-based detection method for APT attack behaviour is provided, for analysing and detecting APT behaviour, comprising the following steps:
Step 1: define the grammar used to create APT attack-scenario rules:
(1) arrange the attack-related attributes used to define rules; the common attack-related attributes comprise the benchmark alarm type (an alarm type of high detection accuracy or high importance), the trace-back time range, the associated alarm types, and the IP position information related to the alarm;
(2) arrange the information used by the rule itself, comprising the rule ID, rule name, rule description and new-rule start marker;
(3) treat the information arranged in (1) and (2) as configurable items, agree on the name of each configuration item, and specify each item's configuration method and value range;
Step 2: create APT attack-scenario rules and build the APT attack-scenario knowledge base:
(4) from (typical) APT attacks that have occurred and from the techniques attackers commonly use, summarize and define APT attack-scenario rules (an APT attack-scenario rule is the method and steps used by an APT, summarized and refined from past typical APT attack incidents, cases and development trends); the defined APT attack-scenario rules comprise web-based APT attacks, mail social-engineering-based APT attacks, and file-transfer-and-access APT attacks;
(5) express the APT attack-scenario rules defined in (4) in the grammar arranged in Step 1 and save them to a configuration file, for the rule-parsing module to read, parse and load later;
Step 3: the analysis module calls the rule-parsing module to parse and load the APT attack-scenario rules;
Step 4: the acquisition module collects the full traffic of (common) application-layer protocols to obtain traffic data;
Step 5: data screening:
the detection module (using multiple detection tools and methods) performs a complete inspection of the traffic data collected in Step 4; data unrelated to attacks is kept in short-term storage and deleted on expiry, while risk data (or suspicious data) related to attacks is retained and kept in longer-term storage on the platform;
Step 6: analyse significant alarms:
the analysis module loops over the alarm data and suspicious data that have been produced and analyses them in depth. For each alarm record it checks every APT attack-scenario rule in turn to determine whether the record is a benchmark alarm or an associated alarm of the current APT attack-scenario rule. If it is a benchmark alarm, a record is initialized and saved in the benchmark alarm information table (a database table), the saved information comprising the IP value, the APT scenario rule ID, the alarm type and the current alarm ID, and the method proceeds to Step 7; if it is an associated alarm type of the current APT attack-scenario rule, the method proceeds to Step 8;
Step 7: identify behaviour: identify the attack-level semantic relations between alarms and build the complete attack scenario from the benchmark alarm;
according to the APT attack-scenario rule, when a benchmark alarm is produced the analysis module triggers scenario analysis, traces back through the historical data and correlates the attack alarms and suspicious data (associated alarms) related to the benchmark alarm. If associated data is found, the main information of the associated alarm is saved in the associated alarm information table (a database table), comprising the associated alarm ID, the alarm type, the benchmark alarm information table record ID and the associated IP value; at the same time the latest analysed alarm time of the benchmark alarm record is updated, and the rule is used to judge whether the current correlation result already constitutes an APT attack. If so, the analysis for this IP and the current rule ends, the benchmark alarm information table is updated and the state is set to complete, indicating that an APT attack has been identified; if not, the module checks whether the trace-back range has been exceeded, and if so sets the state to APT scenario construction failed;
Step 8: the benchmark alarm information table is queried by IP value and alarm type. If a record is found, a record is added to the associated alarm information table, comprising the associated alarm ID, the alarm type, the benchmark alarm information table record ID and the associated IP value; at the same time the latest analysed alarm time of the benchmark alarm record is updated, and the rule is used to judge whether the current correlation result already constitutes an APT attack scenario. If so, the analysis for this IP value and the current rule ends, the benchmark alarm information table is updated and the state is set to complete, indicating that an APT attack has been identified; if not, the module checks whether the trace-back range has been exceeded, and if so sets the state to APT scenario construction failed;
Step 9: handle failures to build an APT attack:
associated alarm data that did not form an APT attack because the trace-back time range was exceeded is handed to an analyst, who locates the suspicious behaviour.
In the invention, in Step 9 the analyst needs to summarize the events that repeatedly fail to build and adjust existing rules or create new ones, to avoid build failures caused by inaccurate APT attack-scenario rules; if the rule configuration changes, the method returns to Step 2.
In the invention, the APT attacks that have been built also need manual analysis to confirm whether the identified APT attack is accurate. For correctly identified attacks, further intervention is taken: defending against and blocking the attack, preventing the leakage of important information and reducing the scope of damage. For wrongly identified attacks, the previous rule is deleted and a new rule is created, taking the actual risk situation into account; if the rule configuration changes, the method returns to Step 2.
An APT behaviour detection system based on the detection method is also provided, comprising an acquisition module, a detection module, an analysis module and a rule-parsing module;
the acquisition module collects network traffic, either directly from a network interface card or by receiving traffic data sent by another system;
the detection module is made up of detection submodules, comprising a malicious-code detection submodule, a Webshell detection submodule, a sender-spoofing detection submodule, a mail-header-spoofing detection submodule, a mail-phishing detection submodule, a mail-malicious-link detection submodule, a mail-attachment malicious-code detection submodule, a web-signature detection submodule, an abnormal-access detection submodule, a C&C IP/URL detection submodule, a trojan call-back detection submodule, an invalid-data-transmission detection submodule and a web-behaviour-analysis submodule; the malicious-code detection submodule in turn comprises submodules for virus detection, static detection and dynamic detection;
the analysis module implements the APT behaviour detection function, comprising identifying benchmark alarm data and associated alarm data from the alarm data produced and attempting to build an APT attack scenario;
the rule-parsing module reads the configuration file of APT attack-scenario rules and parses each rule in it (checking whether the grammar is wrong, whether the configuration item names are legal, and whether the configuration item values lie within their value ranges); correctly parsed rules are loaded into memory for the analysis module, and rules with parsing errors are treated as invalid.
Operating principle of the invention: typical APT attack scenarios are refined and summarized and abstracted into corresponding APT attack rules; a number of important key alarms are set in each rule as benchmark alarms; when the detection module detects a risk, historical data is correlated by IP and risk type in an attempt to build the complete attack path graph.
Compared with the prior art, the beneficial effect of the invention is as follows:
for attacks such as APTs, which span a long time and have a clear target, several attack exposure points always exist over the whole attack process. On this basis the invention traces back and correlates the relevant traffic, replacing the traditional signature matching at a single point in time with correlation analysis over a long time window, and so identifies the attacker's complete attack intention.
Brief description of the drawings
Fig. 1 is the main flow chart of APT attack analysis in the invention.
Fig. 2 is the flow chart for improving APT attack rules in the invention.
Embodiments
It should first be noted that the APT attack detection method of the invention is an application of computer technology in the field of information security. Implementing the invention may involve several software function modules. The applicant believes that, after reading the application documents and accurately understanding the implementation principle and purpose of the invention, a person skilled in the art can fully implement the invention with the software programming skills they possess, combined with known technology, and that there is no possibility of the invention being incomprehensible or unreproducible. The software function modules include, but are not limited to, the acquisition module, the detection module, the rule-parsing module and the analysis module; each can be implemented in many ways, all of which fall within the scope of this application and are not enumerated here.
The invention is described in further detail below with reference to the drawings and embodiments. The database used in the invention may be a relational DBMS such as MySQL or Oracle, or a NoSQL-based distributed computing framework; in a concrete implementation it stores network session audit data, alarm data and analysis results.
As shown in Fig. 1 and Fig. 2, the rule-based APT attack detection method correlates alarms within a certain time range to identify APT attack behaviour. It comprises the following steps:
Step 1: define the grammar and semantics used to create APT behaviour rules.
Summarize the event elements involved in typical APT attacks, form them into configurable items, and specify each item's value range and configuration method.
1. Arrange the attack-related attributes used to define rules. The common attack-related attributes comprise: the benchmark alarm type (an alarm type whose detection results are highly accurate, or a very important alarm type); the trace-back time range (when a new risk appears, the time period of related risks to trace back through, in units of years, months, days or hours); the associated alarm types; the benchmark alarm IP (whether the source IP or the target IP is used to correlate historical alarm information); the associated alarm IP (source IP or target IP); the benchmark alarm sequence requirement (when a rule configures more than one benchmark alarm type, whether the alarms must occur in the order configured in the rule); the associated alarm sequence requirement (likewise for associated alarms); the benchmark alarm source IP position (an intranet IP of the monitored unit or an extranet IP of a remote server); the benchmark alarm destination IP position; the associated alarm source IP position; the associated alarm destination IP position; and whether multiple alarms must be in the same session (when more than one benchmark or associated alarm type is configured, whether these alarms must occur in the same network connection session).
2. The information the rule itself uses: rule ID, rule name, rule description and new-rule start marker.
3. Treat the information in items 1 and 2 as configurable items, agree on the name of each configuration item and specify its configuration method, and, where a value has to be assigned, specify the item's value range.
Step 2: create APT attack-scenario rules and build the APT attack-scenario knowledge base.
Summarize the event characteristics involved in typical APT attacks (the alarm types or suspicious behaviours that may occur in sequence in one APT attack, the attack time range, the IP positions, the order in which alarm types occur, etc.) and create the corresponding APT attack rules.
An APT attack-scenario rule is the method and steps used by an APT attack, summarized and refined from past typical APT attack incidents, cases and development trends. When creating the grammar for the rules in a particular application, new configuration items can be added as needed and other grammars and configuration methods for creating rules can be arranged; the following demonstration may be used as a reference:
For example, the RSA SecurID theft attack of 2011 proceeded roughly as follows (note: the description of the attack process comes from the Internet; other typical APT attacks include Operation Aurora against Google, Night Dragon and the Stuxnet worm):
a. The attacker sent two batches of malicious e-mails to four employees of RSA's parent company EMC, with an attachment named "2011Recruitmentplan.xls";
b. One of the employees retrieved it from the spam folder and opened it, and was compromised through what was then a 0-day vulnerability in Adobe Flash (CVE-2011-0609);
c. A trojan was implanted on the employee's computer, which began downloading instructions from the botnet's C&C server and executing them;
d. The users compromised in the first batch were not "powerful" people; the people associated with them, including IT and non-IT server administrators, were compromised one after another;
e. RSA found that a staging server had been intruded; the attacker withdrew immediately, encrypted and compressed all the data, sent it to a remote host by FTP, and then removed the traces of the intrusion;
f. Having obtained SecurID information, the attacker began launching further attacks on companies that use SecurID.
From the attack process described above we can define the following APT attack-scenario rule:
mail social-engineering attack + malicious-code attack + web behaviour analysis / trojan call-back / C&C IP or URL (initiated by the target IP) = successful mail APT attack
Here, mail social-engineering attacks comprise the following types: sender spoofing, mail header spoofing, mail phishing and malicious mail links. Malicious code is computer code deliberately written or arranged to pose a threat or potential threat to a network or system; the most common kinds are computer viruses, Trojan horses (trojans), computer worms, backdoors, logic bombs, spyware and malicious shareware, usually disguised as ordinary installers, office documents and the like.
Web behaviour analysis is a statistical alarm over several dimensions: when the number of web behaviours of a specified kind (ordinary access, web signature attacks, etc.) that occur within a specified time reaches a preset count, an alarm is raised. For example, if the same form on a web server (say the username and password fields of a login page) receives more than 1000 submissions (HTTP POST) within 10 minutes, the web behaviour analysis function concludes after counting that this behaviour constitutes a web form brute-force attack. Similarly, when many client IPs send a large number of requests to the same web server over a period of time (a CC attack, Challenge Collapsar: the attacker controls a number of hosts that send masses of packets to the victim server without pause until its resources are exhausted and it crashes), the function concludes after statistical analysis that the behaviour constitutes a web CC attack, and so on. The statistical dimensions of web behaviour analysis may include the number of attack source IPs, ordinary HTTP access or a particular web attack, the measurement period, the number of accesses, the file types accessed, and so on.
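As an added example (not code from the patent or its applicant), the two statistical alarms described above, form brute force and CC flooding, implemented in Python as a sliding-window counter over constructed HTTP access records. The record fields, the thresholds, the alarm names and the `.test` host names are assumptions; the example generalises the text's two cases to any counting key (a server, or a server and form) with an optional requirement on the number of distinct client IPs:

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def _window_alarms(records, key, window, threshold, kind, min_clients=1):
    """Sliding-window counter: raise one alarm per key the first time the number of
    requests inside the trailing window reaches `threshold` and those requests come
    from at least `min_clients` distinct client IPs. Records need not be pre-sorted."""
    recent = defaultdict(deque)          # key -> (time, client_ip) inside the window
    clients = defaultdict(Counter)       # key -> client_ip -> requests inside the window
    alarmed, alarms = set(), []
    for r in sorted(records, key=lambda r: r["time"]):
        k = key(r)
        if k is None:                    # record not relevant to this rule
            continue
        q, c = recent[k], clients[k]
        q.append((r["time"], r["client_ip"]))
        c[r["client_ip"]] += 1
        while r["time"] - q[0][0] > window:     # evict requests older than the window
            _, old_ip = q.popleft()
            c[old_ip] -= 1
            if c[old_ip] == 0:
                del c[old_ip]
        if k not in alarmed and len(q) >= threshold and len(c) >= min_clients:
            alarmed.add(k)
            alarms.append({"type": kind, "key": k, "count": len(q),
                           "clients": len(c), "time": r["time"]})
    return alarms

def form_bruteforce_alarms(records, window=timedelta(minutes=10), threshold=1000):
    """Same server and same form submitted by POST, whoever the clients are."""
    key = lambda r: (r["server"], r["path"]) if r["method"] == "POST" else None
    return _window_alarms(records, key, window, threshold, "WEB_FORM_BRUTEFORCE")

def cc_attack_alarms(records, window=timedelta(minutes=1), threshold=5000, min_clients=50):
    """Many client IPs flooding one server: volume and client spread both count."""
    return _window_alarms(records, lambda r: r["server"], window, threshold,
                          "WEB_CC_ATTACK", min_clients)

def build_sample_log():
    """Constructed HTTP access records (not captured traffic)."""
    t0 = datetime(2015, 11, 1, 10, 0)
    recs = []
    for i in range(1200):          # one client submits the login form 1200 times in 8 minutes
        recs.append({"time": t0 + timedelta(seconds=0.4 * i), "client_ip": "198.51.100.7",
                     "server": "www.example.test", "method": "POST", "path": "/login"})
    for c in range(60):            # 60 clients each send 100 GETs within 30 seconds
        for i in range(100):
            recs.append({"time": t0 + timedelta(minutes=20, seconds=0.3 * i),
                         "client_ip": f"203.0.113.{c + 1}", "server": "shop.example.test",
                         "method": "GET", "path": "/"})
    for i in range(20):            # ordinary browsing, below every threshold
        recs.append({"time": t0 + timedelta(minutes=i), "client_ip": "192.0.2.9",
                     "server": "www.example.test", "method": "GET", "path": "/news"})
    return recs

if __name__ == "__main__":
    log = build_sample_log()
    for alarm in form_bruteforce_alarms(log) + cc_attack_alarms(log):
        print(alarm)
```

The counter is evaluated once per request rather than once per fixed period, so an alarm fires at the exact request that crosses the threshold; the `alarmed` set keeps a long-running flood from raising one alarm per request, which matters when these alarms become input to the correlation step later in the text.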
Trojan call-back refers to malicious code that, when running, connects to a remote server and uses some method (for example, carrying non-HTTP data over HTTP port 80) to send important data from the network it sits in to that remote server.
C&C IP/URL: a C&C server is a remote command-and-control server; the target machine receives commands from the server, so that the server controls the target machine. This method is commonly used by viruses and trojans to control infected machines.
In the APT attack-scenario rule defined above, "web behaviour analysis / trojan call-back / C&C IP or URL" (marked in bold in the original) can be regarded as the benchmark alarms: a web behaviour analysis alarm, a trojan call-back alarm or a C&C IP/URL alarm is a very critical step in the APT attack process. When an alarm of this kind is found, scenario analysis is triggered immediately: the historical data is traced back, the historical alarm data is queried by elements such as the IP addresses, ports and alarm types involved in the alarm, the related alarms that occur afterwards are also followed, and if the correlation result satisfies some APT attack-scenario rule, an APT attack is considered to have actually occurred.
In a concrete implementation, the rule defined above can be written in the following grammar, which is easy for a program to parse ("$" starts a configuration item, "#" starts a comment):
$NEW_APT_RULE                          # marks the start of a new rule
$RULE_ID=1                             # rule number
$RULE_NAME=mail social-engineering APT attack              # rule name
$RULE_DESCRIPTION=mail social-engineering APT attack       # detailed description of the rule
$TRIGGER_RISK=TROJAN_RECONNECT|MALICIOUS_CODE|WEB_BEHAVIOR_ANALYZE   # benchmark alarm types: trojan call-back, malicious code or web behaviour analysis; several alarm types are joined with the "|" operator
$TRACE_BACK_TIME=1Y                    # trace-back time of 1 year; 12M would mean 12 months
$TRIGGER_IP=TARGET                     # which IP of the current benchmark alarm is used to correlate history: SOURCE (attack source IP) or TARGET (attacked IP); configuring SOURCE and TARGET together correlates historical data on either
$TRIGGER_SOURCE_LOC=INNER              # position of the benchmark alarm's source IP: INNER (intranet IP of the monitored organization) or OUTER (remote server); if not configured, or if INNER and OUTER are both configured, no distinction is made
$TRIGGER_SOURCE_LOC=OUTER
$TRIGGER_TARGET_LOC=INNER              # position of the benchmark alarm's attacked IP, configured in the same way as the source IP position
$TRIGGER_TARGET_LOC=OUTER
$TRIGGER_LINED=false                   # when a rule configures more than one benchmark alarm type, whether the alarms must occur in the order configured; true or false, default false
$RELATED_RISK=MAIL_CHEAT|MALICIOUS_CODE   # associated alarm types: mail social engineering or malicious code; configured like the benchmark alarm types
$RELATED_LINED=false                   # same meaning and configuration as $TRIGGER_LINED
$RELATED_IP=TARGET                     # configured like $TRIGGER_IP; TARGET means the attacked IP of the associated alarm is analysed
$RELATED_SOURCE_LOC=OUTER              # position of the associated alarm's source IP
$RELATED_TARGET_LOC=INNER              # position of the associated alarm's attacked IP
If a theft attack similar to the RSA SecurID case occurs in the user's network, then when the attack of step c occurs the analysis program considers that a benchmark alarm has been produced and analyses further; if, following the rule, the correlation analysis finds that the behaviour of steps a and b (associated alarms, i.e. alarm events related to a benchmark alarm) occurred in some earlier time period, the analysis is considered to have successfully identified an APT attack, and an alarm is raised.
Because attacked network environments differ, and the methods by which an APT attack gathers information in its early stage, obtains an entry point, finally carries out the attack and steals confidential information are also varied, multiple rules need to be configured. The benchmark and associated alarm types may differ between rules, a benchmark alarm in one rule may be an associated alarm in another, and the benchmark alarms and associated alarms of a rule can each be configured as one or more types.
At least the following classes of rule are usually defined: web-based APT attacks, mail social-engineering-based APT attacks, and file-transfer-and-access APT attacks.
Step 3: the analysis module calls the rule-parsing module to parse and load the APT attack-scenario rules.
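As an added example (not the patent's own code), a Python parser for the $KEY=VALUE rule grammar listed under Step 2 that performs the three checks the rule-parsing module of Step 3 is described as making (grammar, legal item names, values within their ranges) and drops a rule with any error as invalid. The item names follow the listing with its evident misspellings corrected (TRIGGER_SOURCE_LOC, RELATED_LINED); the alarm-type vocabulary, the conversion of trace-back units to seconds and the two rule bodies in SAMPLE_RULES (the second deliberately broken) are constructed assumptions:

```python
import re

ALARM_TYPES = {"TROJAN_RECONNECT", "MALICIOUS_CODE", "WEB_BEHAVIOR_ANALYZE",
               "MAIL_CHEAT", "CC_IP_URL"}                 # assumed alarm-type vocabulary
LOCATIONS = {"INNER", "OUTER"}
IP_ROLES = {"SOURCE", "TARGET"}
TRACE_UNIT_SECONDS = {"Y": 365 * 86400, "M": 30 * 86400, "D": 86400, "H": 3600}  # assumed

def _enum_set(allowed):
    def check(v):                                   # '|'-joined values, each in `allowed`
        parts = {p.strip() for p in v.split("|")}
        if not parts <= allowed:
            raise ValueError(f"{v!r} not in {sorted(allowed)}")
        return parts
    return check

def _bool(v):
    if v.lower() in ("true", "false"):
        return v.lower() == "true"
    raise ValueError(f"{v!r} is not true/false")

def _trace_back(v):                                 # <n>Y|M|D|H -> seconds
    m = re.fullmatch(r"(\d+)([YMDH])", v.upper())
    if not m:
        raise ValueError(f"{v!r} is not <n>Y|M|D|H")
    return int(m[1]) * TRACE_UNIT_SECONDS[m[2]]

# Legal item names -> (required?, validator). Any other name is an illegal item.
SCHEMA = {"RULE_ID": (True, int), "RULE_NAME": (True, str), "RULE_DESCRIPTION": (False, str),
          "TRIGGER_RISK": (True, _enum_set(ALARM_TYPES)), "RELATED_RISK": (True, _enum_set(ALARM_TYPES)),
          "TRACE_BACK_TIME": (True, _trace_back),
          "TRIGGER_IP": (True, _enum_set(IP_ROLES)), "RELATED_IP": (True, _enum_set(IP_ROLES)),
          "TRIGGER_LINED": (False, _bool), "RELATED_LINED": (False, _bool)}
for _loc in ("TRIGGER_SOURCE_LOC", "TRIGGER_TARGET_LOC", "RELATED_SOURCE_LOC", "RELATED_TARGET_LOC"):
    SCHEMA[_loc] = (False, _enum_set(LOCATIONS))
DEFAULTS = {"TRIGGER_LINED": False, "RELATED_LINED": False,   # unset LOC item = no distinction
            **{k: LOCATIONS for k in SCHEMA if k.endswith("_LOC")}}

def parse_rules(text):
    """Return (rules, errors); a rule with any error is dropped whole as invalid."""
    rules, errors, current = [], [], None          # current: [start_line, items, errs]

    def finish(block):
        if block:
            items, errs = block[1], block[2]
            errs += [f"rule at line {block[0]}: missing required item ${n}"
                     for n, (req, _) in SCHEMA.items() if req and n not in items]
            if errs:
                errors.extend(errs)
            else:
                rules.append({**DEFAULTS, **items})

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        if line == "$NEW_APT_RULE":                  # new-rule start marker
            finish(current)
            current = [lineno, {}, []]
            continue
        m = re.fullmatch(r"\$([A-Z_]+)\s*=\s*(.*)", line)
        if current is None or not m:                 # grammar error
            errors.append(f"line {lineno}: bad syntax {raw.strip()!r}")
            continue
        name, value, items, errs = m[1], m[2].strip(), current[1], current[2]
        if name not in SCHEMA:                       # illegal item name
            errs.append(f"line {lineno}: illegal item ${name}")
            continue
        try:
            parsed = SCHEMA[name][1](value)          # value-range check
        except ValueError as e:
            errs.append(f"line {lineno}: ${name}: {e}")
            continue
        if isinstance(parsed, set) and isinstance(items.get(name), set):
            items[name] |= parsed                    # LOC given twice = no distinction
        else:
            items[name] = parsed
    finish(current)
    return rules, errors

SAMPLE_RULES = """\
$NEW_APT_RULE                         # start of a new rule
$RULE_ID=1
$RULE_NAME=mail social-engineering APT attack
$RULE_DESCRIPTION=lure mail, malicious code, then trojan call-back
$TRIGGER_RISK=TROJAN_RECONNECT|MALICIOUS_CODE|WEB_BEHAVIOR_ANALYZE
$TRACE_BACK_TIME=1Y
$TRIGGER_IP=TARGET
$TRIGGER_SOURCE_LOC=INNER
$TRIGGER_SOURCE_LOC=OUTER
$TRIGGER_TARGET_LOC=INNER
$TRIGGER_TARGET_LOC=OUTER
$TRIGGER_LINED=false
$RELATED_RISK=MAIL_CHEAT|MALICIOUS_CODE
$RELATED_LINED=false
$RELATED_IP=TARGET
$RELATED_SOURCE_LOC=OUTER
$RELATED_TARGET_LOC=INNER
$NEW_APT_RULE                         # second rule, deliberately broken: dropped whole
$RULE_ID=two
$TRIGGER_RISK=RANSOMWARE
$RELATED_SCOPE=ALL
"""
```

Running `parse_rules(SAMPLE_RULES)` yields one loaded rule and a list of errors for the second one; keeping the per-rule error list separate from the global one is what lets a bad rule be rejected without discarding its valid neighbours, which is the behaviour the text asks for.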
Step 4: the traffic acquisition module collects data. It can parse protocols including HTTP, FTP, SMTP, POP3, IMAP and SMB; collection of other protocols can be added as needed, and collection can be restricted to a given IP, IP range or port number.
Step 5: the detection module inspects the traffic data:
1. Different detection tools and methods are used for different protocols:
1) for the mail-related protocols POP3, SMTP and IMAP, the risks detected comprise sender spoofing, mail header spoofing, mail phishing, malicious mail links and malicious code in mail attachments;
2) files transferred over FTP and SMB are inspected for malicious code;
3) for HTTP, the risks detected comprise web signatures, abnormal access, C&C IP/URL, Webshell, malicious trojan call-back, transmission of invalid data, web behaviour analysis (detection of brute force, automatic scanning, directory enumeration and CC attacks) and malicious code;
4) in 1), 2) and 3), malicious-code detection comprises virus-database detection, static detection and dynamic behaviour detection; the file types inspected are divided into PE files (exe, dll, etc.) and non-PE files (office, pdf, flash, chm, html, etc.);
5) in a concrete implementation, further detection tools and methods can be added as needed.
2. The risk data found is saved with its detailed session information in the risk data table, and the key session information is saved at the same time in the risk summary table (risk ID, protocol type, risk type and level, session request IP and port, session response IP and port). The risk ID includes the time the session occurred, and the risk data table can be queried by risk ID to obtain the detailed session information, comprising the request content from the source IP, the response content from the destination IP, the response message, the protocol type and so on.
Step 6: the analysis module analyses alarms.
The analysis module cyclically checks the risk summary table for new risk data; if there is none it waits for a while and checks again. If there is:
it judges from the risk type whether the alarm record is a benchmark alarm of the current APT rule. If it is, it queries the benchmark alarm information table by IP and alarm type, then initializes a record and saves it in the benchmark alarm information table; the saved information comprises the IP value, the APT scenario rule ID, the alarm type, the current alarm ID, the APT event ID (which identifies one APT attack once the scenario has been built successfully), and so on. If an existing benchmark alarm record is found in the table, the initialized record uses the event ID of the existing record (within one APT behaviour, benchmark alarms of the same type against the same IP may occur several times). The method then proceeds to Step 7. If the record is an associated alarm type, it proceeds to Step 8.
After the current rule has been checked, the next rule is checked; after all rules have been checked, the module determines whether new APT rules need to be parsed. If so, it enters Step 3, calls the parsing module to parse the new rules, and then returns to Step 6; otherwise it returns to Step 6 directly and processes the new alarm information.
Step 7: identify behaviour. Identify the attack-level semantic relations between alarms and build the complete attack scenario from isolated alarms.
According to the APT attack-scenario rule, when a benchmark alarm is produced the analysis module triggers scenario analysis, traces back through the historical data and correlates the attack alarms and suspicious data related to the benchmark alarm. If associated alarms are found, their main information is saved in the associated alarm information table, comprising the associated alarm ID, the alarm type, the benchmark alarm information table record ID, the event ID of that benchmark record and the associated IP value; at the same time the latest analysed alarm time of the corresponding benchmark alarm record is updated (in the next cycle, analysis resumes from the risk data after this time point). The rule is then used to judge whether the current correlation result already constitutes an APT attack; if so, the analysis for this IP and the current rule ends, the benchmark alarm information table is updated and the state is set to complete, indicating that an APT attack has been identified.
Step 8: the analysis module queries the benchmark alarm information table by IP value and alarm type. If a record is found, a record is added to the associated alarm information table (indicating that the attack path related to this benchmark alarm has gained a new risk node); the saved information comprises the associated alarm ID, the alarm type, the benchmark alarm information table record ID, the event ID of that benchmark record and the associated IP value, and the latest analysed alarm time of the corresponding benchmark alarm record is updated (in the next cycle, analysis of this benchmark record resumes from the risk data after this time point). The rule is then used to judge whether the current correlation result constitutes an APT attack scenario; if so, the analysis for this IP value and the current rule ends, the benchmark alarm information table is updated and the state is set to complete, indicating that an APT attack has been identified.
Step 9: the analysis module checks for benchmark alarm information that has exceeded the trace-back time range.
1. Handling of failures to build an APT attack. Because of the complexity of APT attack methods, in a real environment the complete attack path graph often cannot be matched, for reasons such as packets lost by the acquisition module or missing alarm events, and building the APT attack scenario therefore fails; the problem of matching attack scenarios on incomplete attack paths therefore has to be solved. Associated alarm data that exceeded the trace-back time range without forming an APT attack must be examined by an analyst to locate suspicious behaviour. In addition, inaccurately created behaviour rules, or an attacker using new attack methods, also cause build failures, so the analyst must summarize the events that repeatedly fail to build and adjust existing rules or create new ones. If the rule configuration changes, the method returns to Step 2.
2, the APT Attack Scenarios built is checked.To the APT attack built, also need the participation of manual analysis, whether the APT attack that sampling analysis has identified is accurate, for identifying correct attack, take intervening measure further, defence, blocking-up attack, avoid important information to reveal, reduce under fire scope, for the attack of identification error, in conjunction with practical risk, a situation arises, the rule before deleting, re-create new rule, enter step 2.
Finally, it should be noted that above what enumerate is only specific embodiments of the invention.Obviously, the invention is not restricted to above embodiment, a lot of distortion can also be had.All distortion that those of ordinary skill in the art can directly derive or associate from content disclosed by the invention, all should think protection scope of the present invention.

Claims (4)

1. A detection method for rule-based APT attacks, used to analyse and detect APT behaviour, characterised in that the rule-based APT attack detection method comprises the following steps:
Step 1: define the grammar used to create APT attack scenario rules:
(1) organise the attributes relevant to an attack, for use in defining rules; the common attack-related attributes comprise the benchmark alarm type, the lookback time range, the associated alarm types and the IP position information relevant to the alarm;
(2) organise the information used by the rule itself, comprising the rule ID, rule name, rule description and new-rule enable flag;
(3) treat the information organised in (1) and (2) as configurable items, agree on the configuration item names, and specify the configuration method and allowed value range of each configuration item;
Step 2: create APT attack scenario rules and build an APT attack scenario knowledge base:
(4) summarise the APT attacks that have occurred and the attack means attackers commonly use, and define APT attack scenario rules; the defined APT attack scenario rules comprise rules for WEB-based APT attacks, mail social-engineering APT attacks, and file transfer and access APT attacks;
(5) express the APT attack scenario rules defined in (4) in the grammar set in step 1 and save them to a configuration file, for the subsequent rule parsing module to read, parse and load;
Step 3: the analysis module calls the rule parsing module to parse and load the APT attack scenario rules;
Step 4: the acquisition module collects the full application-layer protocol traffic and obtains traffic data;
Step 5: data screening:
the detection module carries out complete detection on the traffic data collected in step 4; data unrelated to attacks is kept in short-term storage and deleted once expired, while risk data related to attacks is retained in the platform in longer-term storage;
Step 6: analyse significant alarms:
the analysis module cyclically performs further in-depth analysis on the alarm data and suspicious data produced; for each item of alarm information in turn, it checks each APT attack scenario rule and determines whether the alarm is a benchmark alarm or an associated alarm of the current APT attack scenario rule; if it is a benchmark alarm, it initialises a record and saves it to the benchmark alarm information table, the saved information comprising the IP value, the APT scenario rule ID, the alarm type and the current alarm ID, and enters step 7; if it belongs to an associated alarm type of the current APT attack scenario rule, it enters step 8;
Step 7: identify behaviour: identify the attack-layer semantic relations between alarms and build a complete attack scenario from the benchmark alarm;
according to the APT attack scenario rule, when a benchmark alarm is produced, the analysis module triggers scenario analysis, reviews historical data and associates all attack alarms and suspicious data related to the benchmark alarm; if associated data is found, the main information of the associated alarm is saved to the associated alarm information table, the main information saved comprising the associated alarm ID, the alarm type, the benchmark alarm information table record ID and the associated IP value, and at the same time the latest analysed alarm time in the benchmark alarm information table is updated; it then judges according to the APT attack scenario rule whether the current association results already form an APT attack; if so, the analysis for this IP and the current rule ends, the benchmark alarm information table is updated and the state is set to complete, indicating that an APT attack has been formed; if not, it judges whether the historical lookback range has been exceeded, and if it has, the state is set to APT scenario build failure;
Step 8: query the benchmark alarm information table by IP value and alarm type; if a record is found, add a record to the associated alarm information table, the main information saved comprising the associated alarm ID, the alarm type, the benchmark alarm information table record ID and the associated IP value, and at the same time update the latest analysed alarm time in the benchmark alarm information table; then judge according to the rule whether the current association results form an APT attack scenario; if so, end the analysis for this IP value and the current rule, update the benchmark alarm information table and set the state to complete, indicating that an APT attack has been formed; if not, judge whether the historical lookback range has been exceeded, and if it has, set the state to APT scenario build failure;
Step 9: handling a failed APT attack build:
for associated alarm data that has exceeded the lookback time range without forming an APT attack, an analyst locates the suspicious behaviour.
2. The rule-based APT attack detection method according to claim 1, characterised in that, in step 9, an analyst summarises repeatedly failing events and adjusts existing rules or creates new rules, so as to avoid build failures caused by inaccurate APT attack scenario rules; if the rule configuration information has changed, step 2 is entered.
3. The rule-based APT attack detection method according to claim 1, characterised in that the APT attacks that have been built also require manual analysis, to analyse whether the identified APT attacks are accurate; for correctly identified attacks, further intervention measures are taken to defend against and block the attack, avoid leakage of important information and reduce the attacked scope; for wrongly identified attacks, in view of the actual risk situation, the previous rule is deleted and a new rule re-created; if the rule configuration information has changed, step 2 is entered.
4. An APT behaviour detection system based on the detection method according to claim 1, characterised in that it comprises an acquisition module, a detection module, an analysis module and a rule parsing module;
the acquisition module is used for network traffic collection and can either collect mirrored data directly from a network interface card or directly receive traffic data that another system sends to it;
the detection module is made up of detection sub-modules, comprising a malicious code detection sub-module, a Webshell detection sub-module, a sender spoofing detection sub-module, a mail header spoofing detection sub-module, a mail phishing detection sub-module, a mail malicious link detection sub-module, a mail attachment malicious code detection sub-module, a Web feature detection sub-module, an abnormal access detection sub-module, a C&C IP/URL detection sub-module, a malicious trojan callback connection detection sub-module, an invalid data transfer detection sub-module and a Web behaviour analysis sub-module; wherein the malicious code detection sub-module comprises sub-modules respectively used for virus detection, static detection and dynamic detection;
the analysis module is used to implement the APT behaviour detection function, comprising identifying benchmark alarm data and associated alarm data from the alarm data produced and attempting to build APT attack scenarios;
the rule parsing module is used to read the APT attack scenario rule configuration file, parse each rule in it and load it into memory for use by the analysis module; correctly parsed rules are used, while a rule that produces an error during parsing is considered invalid.
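The procedure of steps 6 to 9 of the description and of claim 1, as an added Python example that is not the patent's own code: a rule file in the configurable-item style of steps 1 and 2 is parsed (a malformed rule is treated as invalid, as claim 4 requires), a benchmark alarm opens a scenario record and reviews history inside the lookback window, later associated alarms join the open record, and a record that does not complete inside the window is marked as a build failure for an analyst. The configuration item names, the alarm field names and the completion criterion (every associated alarm type of the rule observed at least once) are assumptions; the patent text fixes none of them.

```python
import configparser
from collections import namedtuple
# Constructed rule file in the style of steps 1 and 2 (item names assumed); [broken] exercises the invalid-rule path.
RULE_CONFIG = """\
[web_apt]
rule_id = 1001
rule_name = Web intrusion followed by C&C callback
benchmark_alarm = webshell
lookback_seconds = 3600
associated_alarms = web_attack, cc_connection
[broken]
rule_id = not-a-number
"""

Rule = namedtuple("Rule", "rule_id name benchmark_alarm lookback associated")

def parse_rules(text):
    """Load every well-formed rule; a rule that fails to parse is skipped as invalid."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    rules = []
    for s in (cp[name] for name in cp.sections()):
        try:
            rules.append(Rule(int(s["rule_id"]), s["rule_name"], s["benchmark_alarm"],
                              int(s["lookback_seconds"]),
                              frozenset(a.strip() for a in s["associated_alarms"].split(","))))
        except (KeyError, ValueError):
            pass  # invalid rule: the remaining rules still load
    return rules

class Analyzer:
    def __init__(self, rules):
        self.rules = rules
        self.history = []     # retained risk data (step 5), oldest first
        self.table = {}       # benchmark alarm table: (rule_id, ip, alarm_type) -> record
        self._next_event = 1  # an APT event ID identifies one attack across repeated benchmarks

    def process(self, alarm):
        """Step 6: age out stale scenarios, then classify the alarm against every rule."""
        self._expire(alarm["ts"])
        self.history.append(alarm)
        for rule in self.rules:
            if alarm["type"] == rule.benchmark_alarm:
                self._on_benchmark(rule, alarm)
            elif alarm["type"] in rule.associated:  # step 8: join an open scenario
                for bm in self.table.values():
                    if bm["rule"] == rule and bm["ip"] == alarm["ip"] and bm["status"] == "open":
                        self._link(bm, alarm)

    def _on_benchmark(self, rule, alarm):
        key = (rule.rule_id, alarm["ip"], alarm["type"])
        prev = self.table.get(key)
        # A repeated benchmark alarm for the same IP reuses the still-open event ID.
        if prev and prev["status"] == "open":
            event_id = prev["event_id"]
        else:
            event_id, self._next_event = self._next_event, self._next_event + 1
        bm = self.table[key] = {"rule": rule, "ip": alarm["ip"], "alarm_id": alarm["id"],
                                "event_id": event_id, "ts": alarm["ts"], "status": "open",
                                "last_analyzed": alarm["ts"], "associated": []}
        # Step 7: review history inside the lookback window for related alarms.
        for old in self.history:
            if (old["ip"] == bm["ip"] and old["type"] in rule.associated
                    and bm["ts"] - rule.lookback <= old["ts"] <= bm["ts"]):
                self._link(bm, old)

    def _link(self, bm, alarm):
        bm["associated"].append({"alarm_id": alarm["id"], "type": alarm["type"],
                                 "event_id": bm["event_id"], "ip": alarm["ip"]})
        bm["last_analyzed"] = max(bm["last_analyzed"], alarm["ts"])  # next cycle starts here
        # Assumed completion criterion: every associated alarm type of the rule was seen.
        if {a["type"] for a in bm["associated"]} >= bm["rule"].associated:
            bm["status"] = "formed"

    def _expire(self, now):
        # Step 9: an open scenario whose lookback window has passed is a build failure.
        for bm in self.table.values():
            if bm["status"] == "open" and now - bm["ts"] > bm["rule"].lookback:
                bm["status"] = "failed"

def run_demo():
    """Constructed alarm stream: host .5 forms the scenario, host .9 times out."""
    an = Analyzer(parse_rules(RULE_CONFIG))
    for a in [{"id": 1, "ts": 1000, "ip": "10.0.0.5", "type": "web_attack"},     # pre-benchmark
              {"id": 2, "ts": 1500, "ip": "10.0.0.5", "type": "webshell"},       # benchmark
              {"id": 3, "ts": 1700, "ip": "10.0.0.9", "type": "webshell"},       # benchmark
              {"id": 4, "ts": 2000, "ip": "10.0.0.5", "type": "cc_connection"},  # completes .5
              {"id": 5, "ts": 9000, "ip": "10.0.0.9", "type": "web_attack"}]:    # window passed
        an.process(a)
    return {bm["ip"]: bm["status"] for bm in an.table.values()}
```

Records left in the "failed" state are the ones the description hands to an analyst in step 9; the "formed" ones are the built scenarios that claim 3 asks to be sampled and verified manually.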
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510854610.2A CN105376245B (en) 2015-11-27 2015-11-27 A kind of detection method of rule-based APT attacks

Publications (2)

Publication Number Publication Date
CN105376245A true CN105376245A (en) 2016-03-02
CN105376245B CN105376245B (en) 2018-10-30

Family

ID=55378050

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
    Patentee before: Dbappsecurity Co.,ltd.
    Patentee after: Hangzhou Annan information technology Limited by Share Ltd
    Address (before and after): 310051 15-storey Zhongcai Building, Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province