CN106341426A - Method for defending APT attack and safety controller - Google Patents


Info

Publication number: CN106341426A
Authority: CN (China)
Prior art keywords: safety; knowledge base; data stream; data flow; safety governor
Legal status: Pending
Application number: CN201610998445.2A
Other languages: Chinese (zh)
Inventor: 张思拓
Current assignee: China Southern Power Grid Co Ltd
Original assignee: China Southern Power Grid Co Ltd
Application filed by China Southern Power Grid Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a method for defending against advanced persistent threat (APT) attacks, and a safety controller. In the method, the safety controller constructs a global data stream knowledge base from flow table information obtained from the network devices, the knowledge base recording the flow direction of the data streams in every network device at all historical moments in the global scope; the safety controller directs abnormal data streams in the knowledge base to a safety device, so that the safety device can carry out depth detection on the packets of those abnormal streams; the safety controller receives warning information submitted by the safety device, containing the suspected malicious behaviour that the safety device determined during depth detection; and the safety controller carries out safety processing on the network devices based on the suspected malicious behaviour in the warning information. The invention thus provides a novel method by which APT attacks can be defended against effectively.

Description

Method for defending against APT attacks, and safety controller
Technical field
The present invention relates to the field of network security, and in particular to a method for defending against APT attacks and to a safety controller.
Background technology
Network security, and Internet security in particular, faces an unprecedented challenge, which comes mainly from a new kind of attack that is organised, has specific targets, lasts extremely long and poses a serious threat; internationally it is referred to as an APT (advanced persistent threat) attack, and in China it is commonly called an "advanced persistent threat". A threat is a latent possibility of damage to a particular system, organisation and its assets; it reflects a process in which the attacker, according to its mission requirements, continually imposes attacks of various forms on the target over a long period. Viewed macroscopically, the various aspects of a security threat form a closed ring structure centred on the attacker. As time and other conditions change, the proportion and degree of influence of these threats within the closed ring structure vary dynamically; accordingly, the deployment of countermeasures and the design of the security architecture must be adapted to this closed ring structure, and must be able to adjust elastically according to changes in time, cluster and other conditions.
Beginning with "Operation Aurora" in January 2010, APT attacks against large enterprises and major national projects have occurred one after another in countries around the world. Google was the first to announce that a large number of files concerning its intellectual property had been stolen in a hacker attack; subsequently 20 technology companies found that they had suffered similar attacks and that their intellectual property faced serious threats. This network attack was named "Operation Aurora". "Operation Aurora" is a typical APT attack, with a clear attack purpose and target. In June of the same year the first APT attack on an industrial control system located on a physically isolated intranet, Stuxnet, was discovered; by interfering with the program by which the core R&D equipment controls centrifuge speed, it successfully set back Iran's nuclear programme. Stuxnet is extremely stealthy: according to the New York Times of June 1, 2012, Stuxnet originated from the "Olympic Games" plan launched by US President Bush Jr. around 2006; once successfully placed, it lay dormant on the network for years and was only found by defenders after it had done great damage. By hiding and penetrating over the long term, the Stuxnet virus precisely struck targets in a hostile country and won huge political interests for its operators. In February 2011 McAfee discovered an attack aimed at global energy giants and named it "Night Dragon". Its targets were multinational oil companies, and the attack succeeded in stealing gigabytes of extremely sensitive internal files. Apart from the large volume of sensitive documents stolen, the latent period of "Night Dragon" equally merits attention: it actually began as early as 2007, yet no malware detection tool found it in the meantime. In September 2011 the Duqu virus was discovered for the first time; its targets were related organisations such as component manufacturers in the industrial control field, with the purpose of collecting their intelligence data and asset information. Duqu is closely related to Stuxnet: by obtaining the internal confidential information of particular organisations, it prepares for later attacks on industrial control equipment. In May 2012 Kaspersky discovered a more complex super-virus with stronger hiding ability, greater harmfulness and a more complicated attack mechanism, called Flame. Flame's attack area was mainly the Middle East, and it stole a large amount of confidential information from Middle Eastern countries. By analysing part of the Flame samples it was found that the virus had existed as early as 2008 and had stayed hidden for as long as five years.
A comprehensive analysis of the typical APT attack cases above shows that APT attacks have the following characteristics:
1) The attack purpose is increasingly clear and the attack scope increasingly focused; the field of attack has expanded from pure computer networks to industrial control systems, and is increasingly aimed at large enterprises, national infrastructure and key equipment.
2) The attack form is becoming ever more complex. For example, the Flame virus combines the characteristics of worms, backdoors, Trojans, botnets and social engineering; its program reaches 650,000 lines of code, 100 times that of common spyware.
3) Extremely strong concealment and long duration. Before breaking out, an APT attack can evade detection by the defence installations very well; the incubation period is getting longer and longer, during which a large amount of confidential information is collected. Given this concealment, a large number of other undiscovered threats may exist, seriously threatening national security and civil rights.
For this reason, a new method of defending against APT attacks that can defend against them effectively is urgently needed.
Content of the invention
The embodiment of the present invention provides a method for defending against APT attacks and a safety controller, in order to provide a new method of defending against APT attacks that can defend against them effectively.
The inventive method includes a method for defending against APT attacks, which includes:
the safety controller constructs a global data stream knowledge base according to the flow table information obtained from the network devices, the data stream knowledge base containing the flow direction of the data streams of all historical moments in the global scope in each network device;
the safety controller directs abnormal data streams in the data stream knowledge base to a safety device, so that the safety device carries out depth detection on the packets in the abnormal data streams;
the safety controller receives the warning information submitted by the safety device, the warning information containing the suspected malicious behaviour determined by the safety device during depth detection;
the safety controller carries out safety processing on the network devices according to the suspected malicious behaviour in the warning information.
Based on the same inventive concept, the embodiment of the present invention further provides a safety controller, characterised in that it includes:
a stream monitoring module, for constructing a global data stream knowledge base according to the flow table information on the network security devices, the data stream knowledge base containing the flow direction of the data streams of all historical moments in the global scope in each network security device;
an event dispatching module, for directing abnormal data streams in the data stream knowledge base to a safety device, so that the safety device carries out depth detection on the packets in the abnormal data streams;
a transceiver module, for receiving the warning information submitted by the safety device, the warning information containing the suspected malicious behaviour determined by the safety device during depth detection;
a secure processing module, for carrying out safety processing on the network security devices according to the suspected malicious behaviour in the warning information.
The method of defending against APT attacks provided in the embodiment of the present invention uses real-time means such as flow monitoring and endpoint analysis and then performs various data analyses: some abnormal streams are found through flow analysis and are then placed on a safety device such as an IDS, which can perform file-level detection; if the safety device raises an alarm, the behaviour is very probably malicious. The hosts infected by the malicious behaviour are then scanned to find which hosts are infected, and a repair is carried out. In this way the whole process from detection to protection to repair is achieved. The embodiment of the present invention, based on the collaboration of the safety controller and the safety devices, strengthens the detection of data and behaviour step by step from three aspects: the global data streams, the packets of the streams that meet certain characteristics, and the behaviour of certain software. Analysing global traffic avoids the detection blind spots of individual devices and improves detection efficiency; combining traditional detection with depth detection on the one hand screens out a large amount of normal data flow and lightens the burden on the detection system, and on the other hand effectively detects unknown malicious behaviour by combining static detection with dynamic operation detection, greatly reducing the false alarm rate.
Brief description
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings required in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these without creative work.
Fig. 1 is a schematic flow diagram of a method of defending against APT attacks provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a software-defined security architecture based on a safety control platform provided by an embodiment of the present invention;
Fig. 3 is a flow chart of software-defined APT detection and defence provided by an embodiment of the present invention;
Fig. 4 is a flow chart of software-defined APT defence provided by an embodiment of the present invention;
Fig. 5 is an architecture diagram of a safety controller provided by an embodiment of the present invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
As shown in Fig. 1, the embodiment of the present invention provides a schematic flow diagram of a method of defending against APT attacks; the specific implementation includes:
Step S101: the safety controller constructs a global data stream knowledge base according to the flow table information obtained from the network devices; the data stream knowledge base contains the flow direction of the data streams of all historical moments in the global scope in each network device.
Step S102: the safety controller directs abnormal data streams in the data stream knowledge base to a safety device, so that the safety device carries out depth detection on the packets in the abnormal data streams.
Step S103: the safety controller receives the warning information submitted by the safety device; the warning information contains the suspected malicious behaviour determined by the safety device during depth detection.
Step S104: the safety controller carries out safety processing on the network devices according to the suspected malicious behaviour in the warning information.
Borrowing the idea of separating control from secure data, a software-defined security system serving facilities is designed, as shown in Fig. 2. Corresponding to software-defined networking, the core of the software-defined security system is the safety controller. The overall architecture and main functional modules of the platform, and the coordination mechanism between these modules, are introduced below.
The embodiment of the present invention is based on the collaboration of the safety controller and the safety devices, strengthening the detection of data and behaviour step by step from three aspects: the global data streams, the packets of streams that meet certain characteristics, and the behaviour of certain software; the overall flow is shown in Fig. 3. The safety controller 201 constructs a global data stream knowledge base according to the flow table information obtained from the network devices, and also includes a flow database and a reputation database. The safety controller 201 then analyses global traffic, which avoids the detection blind spots of individual devices and improves detection efficiency, and combines traditional detection with depth detection, which on the one hand screens out a large amount of normal data flow and lightens the burden on the detection system; on the other hand, the safety controller 201 directs the detected abnormal data streams to the IDS (intrusion detection system) 202, and at the same time schedules the RSAS (scanning device) 203 to find the hosts infected by the suspected malicious behaviour and repair the hosts found; in addition, the safety controller 201 schedules the TAC (file behaviour detection device) 204 to carry out further behavioural detection on the abnormal data streams so as to isolate the suspected malicious behaviour. In the above process, the safety controller effectively detects unknown malicious behaviour by combining static detection with dynamic operation detection, greatly reducing the false alarm rate; through flow scheduling and the dynamic deployment of safety devices, the safety controller improves overall detection performance.
Here the safety controller at least registers the safety devices, and the safety controller directing abnormal data streams in the data stream knowledge base to a safety device comprises:
the safety controller directing abnormal data streams in the data stream knowledge base to a safety device that has completed registration.
Because a registered safety application can send a subscription request to subscribe to the suspicious data streams in the safety controller, the safety controller can direct abnormal data streams in the data stream knowledge base to the safety devices that have completed registration. At the same time, because a registered safety device has been authenticated by the safety controller, the availability of the safety devices is further ensured.
Further, the safety controller carries out global traffic analysis according to the data stream knowledge base, and establishes an overall flow table of historical moments and a security baseline of access patterns;
the safety controller uses the established overall flow table and security baseline to detect the abnormal data streams in the data stream knowledge base.
Specifically, the safety controller can, in conjunction with SDN and a virtualised cloud platform, detect abnormal traffic and abnormal behaviour under a detailed global knowledge view, make decisions and dispose of them accurately, and, further combined with the historical alarms and logs of the devices, trace malicious behaviour from the outside to the internal virtual users that have been compromised. Specifically, the modules of the safety controller construct a global data stream knowledge base according to the flow table information on the local network devices, and thereby grasp the flow direction of the data streams of all historical moments in the global scope in each network device. Once an abnormal stream appears at some moment (access to a suspicious destination, a traffic anomaly and so on), the suspicious flow can be directed to the IDS device for depth detection of its packets; when suspected malicious behaviour appears, an alarm can be submitted upwards so that the safety controller schedules other secure resources, for example the file behaviour detection device TAC carries out behavioural detection, or a scanner finds all affected hosts and isolates them or applies virtual patches.
It can be seen that, after a security threat is found, which operation is actually executed is decided entirely, on demand and elastically, by the safety applications on the safety controller according to the customer's security requirements or the particular type of threat, and the whole process is software-defined. For example, the detection and protection scheme given in Fig. 4 establishes the overall flow table of historical moments through global traffic analysis, establishes the security baseline of access patterns, and, when an anomalous pattern is detected, directs the traffic to an IPS device for protection. This is a scheme that strengthens stream detection and simplifies packet processing, and it can equally be applied to many scenarios.
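Steps S101 to S104 above, together with the device-registration and security-baseline refinements just described, as an added Python example that is not the patent's own code: the flow-table records are constructed OpenFlow-style entries, and the anomaly rules (access pattern absent from the baseline, or volume above five times the baseline peak), the device kinds `ids`, `rsas` and `tac`, and the shared-secret registration check are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    ts: int       # observation time in arbitrary units (constructed)
    device: str   # network device whose flow table reported this entry
    src: str
    dst: str
    dport: int
    nbytes: int

class SecurityController:
    def __init__(self, volume_factor: float = 5.0) -> None:
        self.knowledge_base: list[FlowRecord] = []         # global data-stream knowledge base (S101)
        self.baseline: dict[tuple[str, str, int], int] = {}  # access pattern -> peak bytes in baseline
        self.baseline_until = -1                           # end of the historical window
        self.devices: dict[str, str] = {}                  # registered security devices: name -> kind
        self.volume_factor = volume_factor                 # assumed threshold for a volume anomaly
        self.alarm_log: list[str] = []                     # log management module

    # S101: merge the flow tables reported by every network device
    def ingest_flow_tables(self, records: list[FlowRecord]) -> None:
        self.knowledge_base.extend(records)

    # claim 3: global flow analysis -> overall historical flow table and a baseline of access patterns
    def build_baseline(self, until_ts: int) -> None:
        self.baseline = {}
        for r in self.knowledge_base:
            if r.ts <= until_ts:
                k = (r.src, r.dst, r.dport)
                self.baseline[k] = max(self.baseline.get(k, 0), r.nbytes)
        self.baseline_until = until_ts

    # flows newer than the baseline that break it: unknown access pattern or volume spike
    def detect_anomalies(self) -> list[tuple[FlowRecord, str]]:
        found = []
        for r in self.knowledge_base:
            if r.ts <= self.baseline_until:
                continue
            k = (r.src, r.dst, r.dport)
            if k not in self.baseline:
                found.append((r, "access pattern outside baseline"))
            elif r.nbytes > self.volume_factor * self.baseline[k]:
                found.append((r, "traffic volume anomaly"))
        return found

    # claim 4: a security device must complete registration (here: prove a shared
    # secret, an assumed mechanism) before it receives any traffic or is trusted
    def register_device(self, name: str, kind: str, token: str, secret: str) -> None:
        if not hmac.compare_digest(token, secret):
            raise PermissionError(f"registration of {name} rejected")
        self.devices[name] = kind

    def _registered(self, kind: str) -> str:  # first registered device of that kind
        return next(n for n, k in self.devices.items() if k == kind)

    # S102: divert each anomalous flow to a registered IDS for deep packet inspection
    def redirect_anomalies(self) -> list[tuple[str, tuple[str, str, int], str, str]]:
        ids = self._registered("ids")
        return [(r.device, (r.src, r.dst, r.dport), ids, why)
                for r, why in self.detect_anomalies()]

    # S103/S104: accept an alarm only from a registered device, then schedule the scanner
    # (RSAS) for every host that talked to the suspicious destination and the TAC to isolate
    def handle_alert(self, sender: str, dst: str, behavior: str) -> list[tuple[str, str, str]]:
        if sender not in self.devices:
            self.alarm_log.append(f"dropped alarm from unregistered device {sender}")
            return []
        self.alarm_log.append(f"{sender}: suspected {behavior} towards {dst}")
        affected = sorted({r.src for r in self.knowledge_base if r.dst == dst})
        actions = [(self._registered("rsas"), "scan_and_repair", h) for h in affected]
        actions.append((self._registered("tac"), "isolate_behavior", behavior))
        return actions

DEMO_SECRET = "demo-shared-secret"  # constructed; a real deployment uses per-device credentials

def build_demo_controller() -> SecurityController:
    ctl = SecurityController()
    for name, kind in (("ids-1", "ids"), ("rsas-1", "rsas"), ("tac-1", "tac")):
        ctl.register_device(name, kind, DEMO_SECRET, DEMO_SECRET)
    # constructed flow-table entries from two switches; ts <= 100 is the baseline window
    ctl.ingest_flow_tables([
        FlowRecord(10, "sw1", "10.0.1.5", "10.0.2.20", 443, 2000),
        FlowRecord(20, "sw1", "10.0.1.6", "10.0.2.20", 443, 3000),
        FlowRecord(30, "sw2", "10.0.1.9", "10.0.2.21", 22, 800),
        FlowRecord(110, "sw1", "10.0.1.5", "203.0.113.7", 8443, 500),  # new destination
        FlowRecord(120, "sw1", "10.0.1.6", "10.0.2.20", 443, 50000),   # far above baseline peak
        FlowRecord(130, "sw2", "10.0.1.9", "203.0.113.7", 8443, 700),  # same new destination
        FlowRecord(140, "sw2", "10.0.1.9", "10.0.2.21", 22, 900),      # within baseline
    ])
    ctl.build_baseline(until_ts=100)
    return ctl

if __name__ == "__main__":
    ctl = build_demo_controller()
    print(ctl.redirect_anomalies())
    print(ctl.handle_alert("ids-1", "203.0.113.7", "beaconing to external host"))
```

The second flow to 203.0.113.7 from a different host is what lets `handle_alert` list both affected machines for the scanner, which is the "find all infected hosts" step of claim 2.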
Based on the same technical concept, the embodiment of the present invention also provides a safety controller that can execute the above method embodiment. The safety controller provided in the embodiment of the present invention is shown in Fig. 5: it includes a log management module 19, an event dispatching module 11, a stream poller module 13 and a stream monitoring module 14. The log management module 19 provides registration for at least one safety device 4 or at least one safety application 3. The event dispatching module 11 generates a subscription trigger condition according to the registered at least one safety application. The stream poller module 13 polls a network controller 2 to obtain data streams. The stream monitoring module 14 detects the obtained data streams according to the subscription trigger condition. According to the detection result for the data streams (for example, a suspicious data stream is found), the event dispatching module 11 generates an implementation strategy event, wherein:
the stream monitoring module 14 is used for constructing a global data stream knowledge base according to the flow table information on the network security devices; the data stream knowledge base contains the flow direction of the data streams of all historical moments in the global scope in each network security device;
the event dispatching module 11 is used for directing abnormal data streams in the data stream knowledge base to a safety device, so that the safety device carries out depth detection on the packets in the abnormal data streams;
the transceiver module 18 is used for receiving the warning information submitted by the safety device; the warning information contains the suspected malicious behaviour determined by the safety device during depth detection;
the secure processing module 20, which includes a strategy analysing module 15 and an instruction pushing module 16, is used for carrying out safety processing on the network security devices according to the suspected malicious behaviour in the warning information.
Further, the secure processing module 20 is specifically used for: scheduling the scanning device to find all hosts infected by the suspected malicious behaviour and repairing the hosts found; or scheduling the file behaviour detection device TAC to carry out further behavioural detection on the abnormal data stream so as to isolate the suspected malicious behaviour.
Further, the stream monitoring module 14 is also used for carrying out global traffic analysis according to the data stream knowledge base, establishing an overall flow table of historical moments and a security baseline of access patterns, and using the established overall flow table and security baseline to detect the abnormal data streams in the data stream knowledge base.
Further, a device management module 17 is used for at least registering the safety devices;
the event dispatching module 11 is specifically used for directing abnormal data streams in the data stream knowledge base to the safety devices that have completed registration.
Further, the log management module 19 is used for generating an alarm log regarding the defence event when the attack corresponding to the suspected malicious behaviour is defended against by the safety device, and for saving the alarm log.
The functions realised by the safety controller are completed by the cooperation of the above modules. The basic workflow is: the data collection module obtains network data in the east-west direction; the data monitoring module searches for coarse-grained suspicious data according to the subscription conditions of the safety applications and pushes it to the safety applications through the safety application management module; the latter make decisions according to fine-grained algorithms and issue commands through the safety application management module to the strategy analysing module, which parses them, according to their semantics, into commands intelligible to the network controller or the safety devices; finally the data pushing module issues them to the controller or the safety devices.
In a concrete scenario there may be additional security modules, such as log recording and analysis, and the workflow may also differ somewhat. But each module realises its own function and is relatively independent, and the module design has the following characteristics: (1) each module provides an open, standard web API; for example, the app manager and device manager can be accessed through a RESTful interface and support CRUD operations, thus realising functions such as adding, updating and deleting applications and devices. (2) The modules are loosely coupled, which makes deployment more convenient: the administrator can enable or disable some components by calling the interface, and the safety controller can also call the corresponding modules according to the application scenario; the security administrator can also easily write new modules as needed to extend the security functions.
Because the whole security system emphasises that, in a loosely coupled system, simple resource operation primitives are provided, the security administrator can complete a series of consistent operations and realise complex security functions just by designing a group of related remote calls.
The whole system is characterised by cooperative control, which runs through the interactions between the internal modules of the safety controller and between the safety controller and the safety applications and devices. Below we first introduce how the north-south devices and applications interact with the safety controller, and then analyse the policy resolution mechanism by which the policies issued by the safety applications are resolved into the corresponding commands.
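The subscription, decision, strategy-analysis and push workflow described above, as an added Python example that is not the patent's code: the policy vocabulary (`redirect_ids`, `drop`, `scan_host`), the OpenFlow-style `flow_mod` command layout, the IDS output port, the site address space and the two sample safety applications with their rules are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int

@dataclass(frozen=True)
class Policy:
    action: str   # assumed vocabulary: "redirect_ids", "drop", "scan_host"
    flow: Flow
    reason: str

@dataclass(frozen=True)
class SafetyApp:
    name: str
    subscribe: Callable[[Flow], bool]           # coarse-grained subscription condition
    decide: Callable[[Flow], Optional[Policy]]  # fine-grained decision algorithm

def monitor(flows: list, apps: list) -> list:
    # Data monitoring + application management: a flow is pushed only to the apps
    # whose subscription condition matches; each of those returns at most one policy.
    policies = []
    for flow in flows:
        for app in apps:
            if app.subscribe(flow):
                policy = app.decide(flow)
                if policy is not None:
                    policies.append(policy)
    return policies

def resolve(policy: Policy, ids_port: int) -> dict:
    # Strategy analysing module: turn a policy into a command that the network
    # controller (OpenFlow-style flow_mod, assumed layout) or a security device understands.
    f = policy.flow
    match = {"ipv4_src": f.src, "ipv4_dst": f.dst, "tcp_dst": f.dport}
    if policy.action == "redirect_ids":
        return {"target": "controller", "type": "flow_mod", "priority": 200,
                "match": match, "actions": [{"output": ids_port}], "reason": policy.reason}
    if policy.action == "drop":
        return {"target": "controller", "type": "flow_mod", "priority": 300,
                "match": match, "actions": [], "reason": policy.reason}
    if policy.action == "scan_host":
        return {"target": "rsas", "type": "scan_and_repair", "host": f.src, "reason": policy.reason}
    raise ValueError(f"unknown policy action {policy.action!r}")

def dispatch(flows: list, apps: list, ids_port: int) -> list:
    # Whole pipeline; the data pushing module is modelled as the returned command list.
    return [resolve(p, ids_port) for p in monitor(flows, apps)]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site address space

def is_external(flow: Flow) -> bool:
    return ipaddress.ip_address(flow.dst) not in INTERNAL

def beacon_app() -> SafetyApp:
    # Subscribes to every flow leaving the site (coarse). Fine-grained rules (assumed):
    # a port with no legitimate use here is dropped; small flows on non-web ports go to the IDS.
    def decide(f: Flow) -> Optional[Policy]:
        if f.dport == 4444:
            return Policy("drop", f, "destination port has no legitimate use on this site")
        if f.dport not in (80, 443) and f.nbytes < 1000:
            return Policy("redirect_ids", f, "small flow to external host on unusual port")
        return None
    return SafetyApp("beacon-watch", is_external, decide)

def exfil_app() -> SafetyApp:
    # Subscribes only to bulky outbound flows; schedules a scan of the source host.
    return SafetyApp("exfil-watch",
                     lambda f: is_external(f) and f.nbytes > 10_000,
                     lambda f: Policy("scan_host", f, "bulk outbound transfer"))

def demo() -> list:
    flows = [  # constructed sample flows
        Flow("10.0.1.5", "203.0.113.7", 8443, 500),
        Flow("10.0.1.6", "198.51.100.9", 443, 700),
        Flow("10.0.1.8", "198.51.100.9", 443, 40_000),
        Flow("10.0.1.7", "198.51.100.9", 4444, 300),
        Flow("10.0.1.9", "10.0.2.20", 445, 800),
    ]
    return dispatch(flows, [beacon_app(), exfil_app()], ids_port=7)

if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```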
In sum, the method of defending against APT attacks provided in the embodiment of the present invention uses real-time means such as flow monitoring and endpoint analysis and then performs various data analyses: some abnormal streams are found through flow analysis and are then placed on a safety device such as an IDS, which can perform file-level detection; if the safety device raises an alarm, the behaviour is very probably malicious. The hosts infected by the malicious behaviour are then scanned to find which hosts are infected, and a repair is carried out, so that the whole process from detection to protection to repair is achieved. The embodiment of the present invention, based on the collaboration of the safety controller and the safety devices, strengthens the detection of data and behaviour step by step from three aspects: the global data streams, the packets of streams that meet certain characteristics, and the behaviour of certain software. Analysing global traffic avoids the detection blind spots of individual devices and improves detection efficiency; combining traditional detection with depth detection on the one hand screens out a large amount of normal data flow and lightens the burden on the detection system, and on the other hand effectively detects unknown malicious behaviour by combining static detection with dynamic operation detection, greatly reducing the false alarm rate.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can guide a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (10)

1. A method for defending against an APT attack, characterized in that the method comprises:
a security controller building a global data-flow knowledge base from flow-table information obtained from network devices, the data-flow knowledge base containing, for every historical moment within the global scope, the direction of each data flow through each network device;
the security controller steering an abnormal data flow in the data-flow knowledge base to a security device, so that the security device performs deep inspection on the packets of the abnormal data flow;
the security controller receiving alarm information submitted by the security device, the alarm information containing the suspected malicious behavior that the security device identified during deep inspection; and
the security controller performing security handling on the network devices according to the suspected malicious behavior in the alarm information.
2. The method according to claim 1, characterized in that the security controller performing security handling on the network devices according to the suspected malicious behavior in the alarm information comprises:
the security controller dispatching a scanning device to search for hosts infected by the suspected malicious behavior, and repairing the hosts found;
or, the security controller dispatching a file-behavior detection device (TAC) to perform further behavior detection on the abnormal data flow, so as to isolate the suspected malicious behavior.
3. The method according to claim 1, characterized in that, before the security controller steers the abnormal data flow in the data-flow knowledge base to the security device, the method further comprises:
the security controller performing global traffic analysis according to the data-flow knowledge base, and establishing a global flow table of historical moments and a security baseline of access patterns;
the security controller detecting abnormal data flows in the data-flow knowledge base using the established global flow table and security baseline.
4. The method according to claim 1, characterized in that, before the security controller steers the abnormal data flow in the data-flow knowledge base to the security device, the method further comprises:
registering at least the security device;
and the security controller steering the abnormal data flow in the data-flow knowledge base to the security device comprises:
the security controller steering the abnormal data flow in the data-flow knowledge base to a security device whose registration has been completed.
5. The method according to claim 1, characterized in that, after the security controller performs security handling on the network devices according to the suspected malicious behavior in the alarm information, the method further comprises:
when the attack corresponding to the suspected malicious behavior has been defended against by the security device, the security controller generating an alarm log of the defense event, and saving the alarm log.
6. A security controller, characterized in that it comprises:
a flow monitoring module, configured to build a global data-flow knowledge base from flow-table information on network security devices, the data-flow knowledge base containing, for every historical moment within the global scope, the direction of each data flow through each network security device;
an event dispatching module, configured to steer an abnormal data flow in the data-flow knowledge base to a security device, so that the security device performs deep inspection on the packets of the abnormal data flow;
a transceiver module, configured to receive alarm information submitted by the security device, the alarm information containing the suspected malicious behavior that the security device identified during deep inspection; and
a security processing module, configured to perform security handling on the network security devices according to the suspected malicious behavior in the alarm information.
7. The security controller according to claim 6, characterized in that the security processing module is specifically configured to:
dispatch a scanning device to search for all hosts infected by the suspected malicious behavior, and repair the hosts found; or, dispatch a file-behavior detection device (TAC) to perform further behavior detection on the abnormal data flow, so as to isolate the suspected malicious behavior.
8. The security controller according to claim 6, characterized in that the flow monitoring module is further configured to perform global traffic analysis according to the data-flow knowledge base, establish a global flow table of historical moments and a security baseline of access patterns, and detect abnormal data flows in the data-flow knowledge base using the established global flow table and security baseline.
9. The security controller according to claim 6, characterized in that it further comprises:
a device management module, configured to register at least the security device;
and the event dispatching module is specifically configured to steer the abnormal data flow in the data-flow knowledge base to a security device whose registration has been completed.
10. The security controller according to claim 6, characterized in that it further comprises:
a log management module, configured to generate an alarm log of the defense event and save the alarm log when the attack corresponding to the suspected malicious behavior has been defended against by the security device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610998445.2A CN106341426A (en) 2016-11-11 2016-11-11 Method for defending APT attack and safety controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610998445.2A CN106341426A (en) 2016-11-11 2016-11-11 Method for defending APT attack and safety controller

Publications (1)

Publication Number Publication Date
CN106341426A true CN106341426A (en) 2017-01-18

Family

ID=57841277

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610998445.2A Pending CN106341426A (en) 2016-11-11 2016-11-11 Method for defending APT attack and safety controller

Country Status (1)

Country Link
CN (1) CN106341426A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103905418A (en) * 2013-11-12 2014-07-02 北京安天电子设备有限公司 APT multi-dimensional detection and defense system and method
CN104753946A (en) * 2015-04-01 2015-07-01 浪潮电子信息产业股份有限公司 Security analysis framework based on network traffic meta data
CN105227559A (en) * 2015-10-13 2016-01-06 南京联成科技发展有限公司 The information security management framework that a kind of automatic detection HTTP actively attacks
CN105553958A (en) * 2015-12-10 2016-05-04 国网四川省电力公司信息通信公司 Novel network security linkage system and method

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107172050A (en) * 2017-05-19 2017-09-15 北京安数云信息技术有限公司 The detection method and detecting system of APT attacks
CN107483502A (en) * 2017-09-28 2017-12-15 深信服科技股份有限公司 A kind of method and device for detecting remaining attack
CN108810018A (en) * 2018-07-12 2018-11-13 南方电网科学研究院有限责任公司 A kind of mobile application detection cloud platform
CN109088869A (en) * 2018-08-14 2018-12-25 北京科东电力控制系统有限责任公司 APT attack detection method and device
CN109586282A (en) * 2018-11-29 2019-04-05 安徽继远软件有限公司 A kind of unknown threat detection system of power grid and method
CN109617873A (en) * 2018-12-06 2019-04-12 中山大学 A kind of flow attacking system of defense based on SDN cloud security function services tree-model
CN112765603A (en) * 2021-01-28 2021-05-07 电子科技大学 Abnormity tracing method combining system log and origin graph
CN112765603B (en) * 2021-01-28 2022-04-05 电子科技大学 Abnormity tracing method combining system log and origin graph
CN113098847A (en) * 2021-03-16 2021-07-09 四块科技(天津)有限公司 Supply chain management method, system, storage medium and electronic device

Similar Documents

Publication Publication Date Title
CN106341426A (en) Method for defending APT attack and safety controller
CN108259449B (en) Method and system for defending against APT (android packet) attack
CN103685575B (en) A kind of web portal security monitoring method based on cloud framework
Moustafa et al. Data analytics-enabled intrusion detection: Evaluations of ToN_IoT linux datasets
CN104283889A (en) Electric power system interior APT attack detection and pre-warning system based on network architecture
CN110213226A (en) Associated cyber attack scenarios method for reconstructing and system are recognized based on risk total factor
CN107612924A (en) Attacker's localization method and device based on wireless network invasion
Cao et al. JShield: Towards real-time and vulnerability-based detection of polluted drive-by download attacks
CN103986706A (en) Security structure design method dealing with APT attacks
Riaz et al. Intrusion detection systems in cloud computing: A contemporary review of techniques and solutions
Mishra et al. PSI-NetVisor: Program semantic aware intrusion detection at network and hypervisor layer in cloud
CN107509200A (en) Equipment localization method and device based on wireless network invasion
Qin et al. Hybrid cyber defense strategies using Honey-X: A survey
Kara Cyber-espionage malware attacks detection and analysis: A case study
CN115208679B (en) Attacker IP defending method and defending system based on honey array cooperation
Zhao et al. Network security model based on active defense and passive defense hybrid strategy
CN116260628A (en) Active tracing method based on honey network
Hussain et al. Efficient working of signature based intrusion detection technique in computer networks
Hong et al. Shock Trap: An active defense architecture based on trap vulnerabilities
Polyakov et al. Architecture of the Honeypot System for Studying Targeted Attacks
Bilar et al. Using a novel behavioral stimuli-response framework to defend against adversarial cyberspace participants
CN109561102A (en) Dynamic security method is virtualized for the URL of automation attack
Jaiswal et al. Database intrusion prevention cum detection system with appropriate response
CN116074114B (en) Network target range defense efficiency evaluation method, device, equipment and storage medium
Wang A rule-based approach for rootkit detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170118