CN106341426A - Method for defending APT attack and safety controller - Google Patents
Method for defending APT attack and safety controller
Publication number: CN106341426A (application number CN201610998445.2A)
Authority: CN (China)
Prior art keywords: safety, knowledge base, data stream, data flow, safety governor
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The invention discloses a method for defending an advanced persistent threat (APT) attack and a safety controller. The method comprises: a safety controller constructs a global data stream knowledge base according to flow table information obtained from a network device, wherein the data stream knowledge base includes flow directions of data streams in all network devices at all historical times in a global range; the safety controller directing an abnormal data stream in the data stream knowledge base to a safety device, so that the safety device can carry out depth detection on a data packet in the abnormal data stream conveniently; the safety controller receives warning information submitted by the safety device, wherein the warning information includes a suspected malicious behavior that is determined by the safety device during depth detection; and the safety controller carries out safety processing on the network devices based on the suspected malicious behavior in the warning information. The invention provides a novel method for defending an APT attack, so that an APT attack can be defended effectively.
Description
Technical field
The present invention relates to the field of network security, and in particular to a method for defending against APT attacks and a security controller.
Background technology
Network security, and Internet security in particular, faces an unprecedented challenge, much of which comes from a new kind of attack that is organized, has a specific objective, lasts an extremely long time and is highly threatening. Internationally it is called an APT (advanced persistent threat) attack; in China it is commonly called an "advanced persistent threat". A threat is a latent possibility of damage to a particular system, an organization and its assets; it reflects a process in which the attacker, according to its mission requirements, continuously imposes attacks of various forms on the target over a long period. Viewed macroscopically, the various aspects of a security threat form a closed ring centred on the attacker. As time and other conditions change, the proportion and influence of each of these threats within the closed ring vary dynamically; accordingly, the deployment of countermeasures and the design of the security architecture must match this closed ring and adapt flexibly to changes in time, clustering and other conditions.
Beginning with "Operation Aurora" in January 2010, APT attacks against large enterprises and major national projects have occurred one after another around the world. Google was the first to announce that a hacker attack had stolen a large number of files concerning its intellectual property; 20 technology companies subsequently found that they had suffered similar attacks and that their intellectual property faced serious threats. This network attack was named "Operation Aurora". It was the prototype of an APT attack, with a clear attack purpose and target. In June of the same year the first APT attack on an industrial control system located on a physically isolated intranet, Stuxnet (known in Chinese as "shake net"), was discovered; by interfering with the program that controls centrifuge speed in core research and development equipment, it successfully slowed Iran's nuclear programme. Stuxnet is extremely stealthy: according to the New York Times of June 1, 2012, Stuxnet grew out of the "Olympic Games" plan launched by US President Bush Jr. around 2006, and it lay dormant on the network for years; only after it had done great damage did the defenders discover it. Through long-term concealment and infiltration, the Stuxnet virus precisely struck the target of a hostile country and won huge political gains for its author. In February 2011 McAfee discovered an attack against global energy giants and named it "Night Dragon". Its targets were multinational petroleum companies, and the attack succeeded in stealing gigabytes ("GB") of extremely sensitive internal files. Beyond the theft of a large number of sensitive documents, the latency of "Night Dragon" equally merits attention: its actual start can be traced back as early as 2007, and no malware detection tool found it in the meantime. In September 2011 the Duqu virus was discovered for the first time; its targets were organizations such as component manufacturers in the industrial control field, and its purpose was to collect their intelligence and asset information. Duqu is closely related to Stuxnet: by obtaining the internal confidential information of a particular organization, it prepared for later attacks on industrial control equipment. In May 2012 Kaspersky discovered a super-virus with stronger concealment, greater harmfulness and a more complex attack mechanism, called Flame. Flame mainly attacked the Middle East and stole a large amount of confidential information from many Middle Eastern countries. Analysis of some Flame samples showed that the virus had existed since 2008 and had stayed hidden for as long as five years.
A comprehensive analysis of the typical APT attack cases above shows that APT attacks have the following characteristics:
1) The purpose of the attack is becoming ever clearer and the scope of the attack ever more focused; the field of attack has expanded from simple computer networks to industrial control systems and is increasingly directed at large enterprises, national infrastructure and key equipment.
2) The form of attack is becoming increasingly complex. The Flame virus, for example, combines the features of a worm, a backdoor, a Trojan horse, a botnet and social engineering; its program is 650,000 lines of code, 100 times the size of ordinary spyware.
3) Extremely strong concealment and long duration. Before breaking out, an APT attack can evade detection by defensive equipment well; the incubation period is getting longer and longer, and a large amount of confidential information is collected. Given such concealment, a large number of other undiscovered threats may exist, seriously threatening national security and civil rights.
On this basis, a new method for defending against APT attacks that can defend against them effectively is urgently needed.
Content of the invention
The embodiments of the present invention provide a method for defending against APT attacks and a security controller, so as to provide a new defence method that can defend against APT attacks effectively.
The method of the invention includes a method for defending against APT attacks, comprising:
a security controller constructs a global data-flow knowledge base according to flow table information obtained from the network devices, the data-flow knowledge base containing the flow direction of the data flows in each network device at all historical moments in the global scope;
the security controller steers abnormal data flows in the data-flow knowledge base to a security device, so that the security device performs deep detection on the packets in the abnormal data flows;
the security controller receives warning information submitted by the security device, the warning information containing the suspected malicious behaviour that the security device determined during deep detection;
the security controller performs security handling on the network devices according to the suspected malicious behaviour in the warning information.
Based on the same inventive concept, an embodiment of the present invention further provides a security controller, characterised in that it includes:
a flow monitoring module, used to construct a global data-flow knowledge base according to the flow table information on the network security devices, the data-flow knowledge base containing the flow direction of the data flows in each network security device at all historical moments in the global scope;
an event dispatching module, used to steer abnormal data flows in the data-flow knowledge base to a security device, so that the security device performs deep detection on the packets in the abnormal data flows;
a transceiver module, used to receive the warning information submitted by the security device, the warning information containing the suspected malicious behaviour that the security device determined during deep detection;
a security processing module, used to perform security handling on the network security devices according to the suspected malicious behaviour in the warning information.
The method for defending against APT attacks provided by the embodiments of the present invention uses flow monitoring, endpoint analysis and similar means in real time, then performs various data analyses, finds some abnormal flows through traffic analysis, and places them on a security device such as an IDS, which can perform file-level detection; if the security device raises an alarm, the behaviour is probably malicious. The hosts infected by the malicious behaviour are then scanned to find which hosts are infected, and a repair is done, so that a process from detection to protection to repair is achieved. In this way the embodiments of the present invention, with the security controller and the security devices working together, strengthen the detection of data and behaviour step by step at three levels: the global data flows, the packets of the flows that meet certain characteristics, and the behaviour of certain software. Analysing global traffic avoids the detection blind spots of individual devices and improves detection efficiency; combining traditional detection with deep detection screens out a large amount of normal traffic and lightens the load on the detection system on the one hand, and on the other hand effectively detects unknown malicious behaviour by combining static detection with dynamic execution detection, greatly reducing the false alarm rate.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a schematic flow chart of a method for defending against APT attacks provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a software-defined security architecture based on a security control platform, provided by an embodiment of the present invention;
Fig. 3 is a flow chart of software-defined APT detection and defence provided by an embodiment of the present invention;
Fig. 4 is a flow chart of software-defined APT defence provided by an embodiment of the present invention;
Fig. 5 is an architecture diagram of a security controller provided by an embodiment of the present invention.
Specific embodiments
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
Referring to Fig. 1, an embodiment of the present invention provides a schematic flow chart of a method for defending against APT attacks; the concrete implementation includes:
Step s101: the security controller constructs a global data-flow knowledge base according to the flow table information obtained from the network devices; the data-flow knowledge base contains the flow direction of the data flows in each network device at all historical moments in the global scope.
Step s102: the security controller steers abnormal data flows in the data-flow knowledge base to a security device, so that the security device performs deep detection on the packets in the abnormal data flows.
Step s103: the security controller receives the warning information submitted by the security device; the warning information contains the suspected malicious behaviour that the security device determined during deep detection.
Step s104: the security controller performs security handling on the network devices according to the suspected malicious behaviour in the warning information.
Borrowing the idea of separating control from security data, a software-defined security system serving facilities was designed, as shown in Fig. 2. Corresponding to a software-defined network, the core of the software-defined security system is the security controller. The overall architecture of the platform, its main functional modules and the mechanism by which these modules cooperate are introduced below.
The embodiments of the present invention rely on the security controller working together with the security devices, strengthening the detection of data and behaviour step by step at three levels: the global data flows, the packets of the flows that meet certain characteristics, and the behaviour of certain software. The overall flow is shown in Fig. 3. The security controller 201 constructs a global data-flow knowledge base according to the flow table information obtained from the network devices, and in addition includes a traffic database and a reputation database. The security controller 201 then analyses the global traffic, which avoids the detection blind spots of individual devices and improves detection efficiency; combining traditional detection with deep detection screens out a large amount of normal traffic on the one hand and lightens the load on the detection system. On the other hand, the security controller 201 steers the detected abnormal data flows to the IDS (intrusion detection system) 202; at the same time the security controller 201 schedules the RSAS (scanning device) 203 to find the hosts infected by the suspected malicious behaviour and repairs the hosts found; in addition, the security controller 201 schedules the TAC (file behaviour detection device) 204 to perform further behaviour detection on the abnormal data flows, so as to isolate the suspected malicious behaviour. In this process the security controller effectively detects unknown malicious behaviour by combining static detection with dynamic execution detection, greatly reducing the false alarm rate, and improves overall detection performance through traffic scheduling and dynamic deployment of the security devices.
Here, the security controller at least registers the security devices; the security controller steering the abnormal data flows in the data-flow knowledge base to a security device then comprises: the security controller steers the abnormal data flows in the data-flow knowledge base to a security device whose registration is complete.
Because a registered security application can send a subscription request to subscribe to the suspicious data flows in the security controller, the security controller can steer the abnormal data flows in the data-flow knowledge base to the registered security devices; at the same time, because a registered security device has been authenticated by the security controller, the availability of the security device is further guaranteed.
Further, the security controller performs global traffic analysis according to the data-flow knowledge base, and establishes a global flow table for the historical moments and a security baseline of access patterns; the security controller then uses the established global flow table and security baseline to detect the abnormal data flows in the data-flow knowledge base.
Specifically, the security controller can, in combination with SDN and a virtualised cloud platform, detect abnormal traffic and abnormal behaviour and make decisions under a detailed global knowledge view, so that accurate handling is possible, and, further combined with the historical alarms and logs of the devices, trace malicious behaviour from the outside to the internal virtual users that were compromised. Specifically, the module of the security controller can construct the global data-flow knowledge base from the flow table information on the local network devices, and thereby know the flow direction of the data flows in each network device at all historical moments in the global scope. Once an abnormal flow appears at some moment (access to a suspicious destination, a traffic anomaly, and so on), the suspicious traffic can be steered to the IDS device for deep detection of the packets; when suspected malicious behaviour is found, an alarm is submitted upwards so that the security controller can schedule other security resources, for example the file behaviour detection device TAC performs behaviour detection, or a scanner finds all affected hosts and isolates them or applies a virtual patch.
It can be seen that, after a security threat is found, exactly which operation is executed is decided flexibly and on demand by the security applications on the security controller, according to the customer's security requirements or the particular type of threat; the whole process is software-defined. The detection and protection scheme given in Fig. 4, for example, establishes the global flow table for the historical moments and the security baseline of access patterns through global traffic analysis, and when an anomalous pattern is detected steers the traffic to an IPS device for protection. This is a scheme that strengthens flow detection while simplifying packet processing, and it applies equally well to many scenarios.
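As an added illustration, not code from the patent or its applicant, the following Python sketch walks through steps s101 to s104 together with the registration requirement and the security baseline of access patterns described above: a security controller ingests constructed flow-table records into a per-host knowledge base, derives a baseline (destinations seen, plus the mean and standard deviation of byte counts) from the historical moments, flags later flows that reach an unseen destination or exceed the mean by three standard deviations, steers them only to a registered inspector, collects the inspector's warnings and performs the security handling. The record schema, the anomaly rule, the `constructed_ids` inspector, the addresses (documentation ranges) and the knowledge-base lookup that stands in for the scanning device are all assumptions made for the example.

```python
# Added example (not the patent's own code): security controller sketch for
# steps s101-s104, device registration and the access-pattern baseline.
# Schema, anomaly rule, addresses and the inspector are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class FlowRecord:
    """One flow-table entry reported by a network device (constructed schema)."""
    time: int      # historical moment at which the entry was collected
    device: str    # network device that reported the entry
    src: str       # source host
    dst: str       # destination address
    dport: int     # destination port
    nbytes: int    # byte count of the entry


class SecurityController:
    def __init__(self):
        self.knowledge_base = defaultdict(list)  # source host -> [FlowRecord]
        self.baseline = {}       # source host -> {"dests", "mean", "std"}
        self.devices = {}        # registered security devices: name -> inspector
        self.isolated = set()    # hosts quarantined during security handling
        self.handled = set()     # (dst, dport, behaviour) already acted on
        self.alarm_log = []

    def ingest(self, records):
        """s101: extend the global knowledge base with flow-table information."""
        for r in records:
            self.knowledge_base[r.src].append(r)

    def register_device(self, name, inspector):
        """Only registered (authenticated) devices may receive steered flows."""
        self.devices[name] = inspector

    def build_baseline(self, upto):
        """Security baseline of access patterns from all records up to `upto`."""
        for src, recs in self.knowledge_base.items():
            hist = [r for r in recs if r.time <= upto]
            if hist:
                sizes = [r.nbytes for r in hist]
                self.baseline[src] = {"dests": {(r.dst, r.dport) for r in hist},
                                      "mean": mean(sizes), "std": pstdev(sizes)}

    def detect_abnormal(self, since):
        """Flows after `since` that leave the baseline: unseen destination or
        byte count above mean + 3 sigma. Returns [(reason, record)]."""
        abnormal = []
        for src, recs in self.knowledge_base.items():
            base = self.baseline.get(src)
            for r in sorted(recs, key=lambda x: x.time):
                if r.time <= since:
                    continue
                if base is None or (r.dst, r.dport) not in base["dests"]:
                    abnormal.append(("unseen destination", r))
                elif r.nbytes > base["mean"] + 3 * base["std"]:
                    abnormal.append(("volume anomaly", r))
        return abnormal

    def steer_and_collect(self, abnormal, device_name):
        """s102/s103: hand abnormal flows to a registered device for deep
        detection and collect its warnings as (record, suspected behaviour)."""
        if device_name not in self.devices:
            raise ValueError(f"{device_name} is not a registered security device")
        inspect = self.devices[device_name]
        alerts = []
        for _reason, r in abnormal:
            behaviour = inspect(r)
            if behaviour:
                alerts.append((r, behaviour))
        return alerts

    def safe_handling(self, alerts):
        """s104: find every host with the same suspect flow (stand-in for the
        scanning device), isolate those hosts and record the defence event."""
        for r, behaviour in alerts:
            key = (r.dst, r.dport, behaviour)
            if key in self.handled:
                continue
            self.handled.add(key)
            affected = {rec.src for recs in self.knowledge_base.values()
                        for rec in recs if (rec.dst, rec.dport) == (r.dst, r.dport)}
            self.isolated |= affected
            self.alarm_log.append({"behaviour": behaviour, "hosts": sorted(affected)})
        return self.isolated


def constructed_ids(record):
    """Stand-in for the IDS deep detection (constructed): flags flows to the
    198.51.100.0/24 documentation range as matching a threat indicator."""
    if record.dst.startswith("198.51.100."):
        return "matched threat indicator (constructed)"
    return None


# Constructed flow-table records: historical moments 1-4, then moments 10-12
HISTORY = [
    FlowRecord(1, "sw1", "10.0.1.1", "10.0.0.5", 443, 1000),
    FlowRecord(2, "sw1", "10.0.1.1", "10.0.0.5", 443, 1200),
    FlowRecord(3, "sw1", "10.0.1.1", "10.0.0.5", 443, 900),
    FlowRecord(4, "sw1", "10.0.1.1", "10.0.0.5", 443, 1100),
    FlowRecord(1, "sw2", "10.0.1.2", "10.0.0.5", 443, 500),
    FlowRecord(2, "sw2", "10.0.1.2", "10.0.0.5", 443, 600),
]
CURRENT = [
    FlowRecord(10, "sw1", "10.0.1.1", "10.0.0.5", 443, 1050),      # within baseline
    FlowRecord(11, "sw1", "10.0.1.1", "198.51.100.7", 9001, 800),  # unseen destination
    FlowRecord(11, "sw2", "10.0.1.2", "10.0.0.5", 443, 50000),     # volume anomaly
    FlowRecord(12, "sw2", "10.0.1.3", "198.51.100.7", 9001, 700),  # host with no baseline
]


def run_pipeline():
    ctl = SecurityController()
    ctl.ingest(HISTORY)
    ctl.build_baseline(upto=4)
    ctl.register_device("ids-1", constructed_ids)
    ctl.ingest(CURRENT)
    abnormal = ctl.detect_abnormal(since=4)
    alerts = ctl.steer_and_collect(abnormal, "ids-1")
    isolated = ctl.safe_handling(alerts)
    return abnormal, alerts, isolated, ctl.alarm_log
```

`run_pipeline()` returns the flagged flows, the inspector's alerts, the isolated hosts and the alarm log. The volume anomaly on 10.0.1.2 is steered to the inspector but never escalated, because the inspector reports nothing for it; that is the two-stage filtering the text describes, in which coarse flow-level anomalies are acted on only after deep detection confirms them, and steering to an unregistered device name is rejected outright.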
Based on the same technical concept, an embodiment of the present invention also provides a security controller, which can execute the method embodiment above. The security controller provided by the embodiment is shown in Fig. 5 and includes a log management module 19, an event dispatching module 11, a flow polling module 13 and a flow monitoring module 14. The log management module 19 registers at least one security device 4 or at least one security application 3. The event dispatching module 11 generates a subscription trigger condition according to the registered security application(s). The flow polling module 13 polls a network controller 2 to obtain data flows. The flow monitoring module 14 detects the obtained data flows according to the subscription trigger condition. According to the detection result for the data flows (for example, when a suspicious data flow is found), the event dispatching module 11 generates a policy execution event, wherein:
the flow monitoring module 14 is used to construct a global data-flow knowledge base according to the flow table information on the network security devices, the data-flow knowledge base containing the flow direction of the data flows in each network security device at all historical moments in the global scope;
the event dispatching module 11 is used to steer abnormal data flows in the data-flow knowledge base to a security device, so that the security device performs deep detection on the packets in the abnormal data flows;
the transceiver module 18 is used to receive the warning information submitted by the security device, the warning information containing the suspected malicious behaviour that the security device determined during deep detection;
the security processing module 20, which includes a policy analysing module 15 and an instruction pushing module 16, is used to perform security handling on the network security devices according to the suspected malicious behaviour in the warning information.
Further, the security processing module 20 is specifically used to: schedule a scanning device to find all hosts infected by the suspected malicious behaviour and repair the hosts found; or schedule the file behaviour detection device TAC to perform further behaviour detection on the abnormal data flows, so as to isolate the suspected malicious behaviour.
Further, the flow monitoring module 14 is also used to perform global traffic analysis according to the data-flow knowledge base, establish the global flow table for the historical moments and the security baseline of access patterns, and use the established global flow table and security baseline to detect the abnormal data flows in the data-flow knowledge base.
Further, a device management module 17 is used at least to register the security devices; the event dispatching module 11 is then specifically used to steer the abnormal data flows in the data-flow knowledge base to the security devices whose registration is complete.
Further, the log management module 19 is used to generate an alarm log about the defence event when the attack corresponding to the suspected malicious behaviour is defended by the security device, and to save the alarm log.
The functions realised by the security controller are completed by the cooperation of the modules above. The basic workflow is: the data collection module obtains network data in the east-west direction; the data monitoring module finds coarse-grained suspicious data according to the subscription conditions of the security applications and pushes it to the security applications through the security application management module; the application makes a decision using a fine-grained algorithm and hands the resulting order, through the security application management module, to the policy analysing module, which parses it according to its semantics into commands that the network controller or the security devices can understand; finally the data pushing module issues the commands to the controller or the security devices.
In a concrete scenario there may be additional security modules, such as logging and analysis, and the workflow may differ somewhat. However, each module realises its own function and is relatively independent. The module design has the following characteristics: (1) each module provides an open, standard web API; for example the app manager and the device manager can be accessed through a RESTful interface that supports CRUD operations, thereby realising functions such as adding, updating and deleting applications and devices. (2) The modules are loosely coupled, which makes deployment more convenient: an administrator can enable or disable some components by calling the interface, the security controller can call the corresponding modules according to the application scenario, and a security administrator can easily write new modules as needed to extend the security functions.
Because the whole security system emphasises providing simple resource operation primitives within a loosely coupled system, a security administrator can complete a series of consistent operations, and thereby realise complex security functions, by designing a set of related remote calls.
The whole system is characterised by cooperative control, which runs through the internal modules of the security controller as well as the interaction design between the security controller and the security applications and devices. Below we first introduce how the devices and applications in the north-south direction interact with the security controller, and then analyse the policy resolution mechanism by which the policies issued by the security applications are resolved into the corresponding commands.
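As an added example, not the patent's or the applicant's code, the following Python sketch models the workflow just described: a device manager offering CRUD over registered devices, a security application registered with a coarse-grained subscription condition, the data monitoring step that pushes matching flows to the application, and a policy analysing step that resolves the application's fine-grained decision into either a flow modification for the network controller (redirect to the IDS port, or drop for isolation) or a scan-and-repair order for a registered scanner. The subscription predicates, the policy grammar, the command layouts, the device names and the addresses are constructed assumptions; the flow-mod dictionaries only mimic the shape of an OpenFlow-style rule.

```python
# Added example (not the patent's own code): subscription-driven pushes to a
# security application and resolution of its policy into concrete commands.
# Policy grammar, command formats, addresses and the app logic are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


class DeviceManager:
    """In-memory stand-in for the device manager's CRUD interface (constructed)."""
    def __init__(self):
        self._devices = {}

    def create(self, name, kind, port_id):
        if name in self._devices:
            raise ValueError(f"device {name} already registered")
        self._devices[name] = {"kind": kind, "port_id": port_id}

    def read(self, name):
        return self._devices.get(name)

    def update(self, name, **changes):
        self._devices[name].update(changes)

    def delete(self, name):
        del self._devices[name]


def matches(flow, subscription):
    """Coarse-grained subscription condition: every listed predicate must hold."""
    if flow.dport in subscription.get("dport_not_in", ()):
        return False
    if flow.nbytes < subscription.get("min_bytes", 0):
        return False
    return True


class SecurityController:
    def __init__(self):
        self.devices = DeviceManager()
        self.apps = {}        # app name -> (subscription condition, decide callable)
        self.commands = []    # resolved commands to push to controller or devices

    def register_app(self, name, subscription, decide):
        self.apps[name] = (subscription, decide)

    def push_suspicious(self, flows):
        """Data monitoring: push each flow matching an app's subscription to that
        app, and resolve any policy the app returns into a concrete command."""
        for subscription, decide in self.apps.values():
            for flow in flows:
                if matches(flow, subscription):
                    policy = decide(flow)
                    if policy:
                        self.commands.append(self.resolve(policy))
        return self.commands

    def resolve(self, policy):
        """Policy analysing module: an app-level policy becomes a flow-mod for the
        network controller or an order for a registered security device."""
        action = policy["action"]
        if action == "redirect":
            device = self.devices.read(policy["device"])
            if device is None:
                raise ValueError(f"{policy['device']} is not a registered device")
            return {"target": "network-controller", "flow_mod": {
                "priority": 100,
                "match": {"ipv4_src": policy["src"], "ipv4_dst": policy["dst"],
                          "tcp_dst": policy["dport"]},
                "actions": [{"output": device["port_id"]}]}}
        if action == "isolate":   # empty action list: drop everything from src
            return {"target": "network-controller", "flow_mod": {
                "priority": 200, "match": {"ipv4_src": policy["src"]}, "actions": []}}
        if action == "scan":
            device = self.devices.read(policy["device"])
            if device is None or device["kind"] != "scanner":
                raise ValueError("scan orders need a registered scanner")
            return {"target": policy["device"],
                    "order": {"op": "scan-and-repair", "hosts": sorted(policy["hosts"])}}
        raise ValueError(f"unknown action {action}")


SUSPECT_DESTS = {"198.51.100.7"}   # constructed indicator list, not real data


def apt_app_decide(flow):
    """Fine-grained decision of a constructed security application."""
    if flow.dst in SUSPECT_DESTS:
        return {"action": "isolate", "src": flow.src}
    if flow.nbytes >= 100_000:
        return {"action": "redirect", "device": "ids-1",
                "src": flow.src, "dst": flow.dst, "dport": flow.dport}
    return None


def demo():
    ctl = SecurityController()
    ctl.devices.create("ids-1", "ids", port_id=7)
    ctl.devices.create("rsas-1", "scanner", port_id=8)
    ctl.register_app("apt-app", {"dport_not_in": {80, 443}, "min_bytes": 10_000},
                     apt_app_decide)
    flows = [  # constructed flows seen by the data collection module
        Flow("10.0.1.1", "10.0.0.5", 443, 500_000),      # port 443: outside subscription
        Flow("10.0.1.2", "10.0.0.9", 8080, 250_000),     # pushed; app asks for redirect
        Flow("10.0.1.3", "198.51.100.7", 9001, 12_000),  # pushed; app asks for isolation
        Flow("10.0.1.4", "10.0.0.9", 8080, 2_000),       # below min_bytes
    ]
    ctl.push_suspicious(flows)
    ctl.commands.append(ctl.resolve(
        {"action": "scan", "device": "rsas-1", "hosts": {"10.0.1.3", "10.0.1.2"}}))
    return ctl.commands
```

`demo()` returns the three resolved commands. The resolver refuses a redirect to a device that is not registered and a scan order to a device that is not a scanner, so a mistaken policy from an application cannot route traffic to an unknown device or issue orders to the wrong one; that check is the practical value of tying the policy analysing module to the device manager's registry.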
In summary, the method for defending against APT attacks provided by the embodiments of the present invention uses flow monitoring, endpoint analysis and similar means in real time, then performs various data analyses, finds some abnormal flows through traffic analysis and places them on a security device such as an IDS, which can perform file-level detection; if the security device raises an alarm, the behaviour is probably malicious. The hosts infected by the malicious behaviour are then scanned to see which hosts are infected, and a repair is done, so that a process from detection to protection to repair is achieved. In this way, with the security controller and the security devices working together, the embodiments strengthen the detection of data and behaviour step by step at three levels: the global data flows, the packets of the flows that meet certain characteristics, and the behaviour of certain software. Analysing global traffic avoids the detection blind spots of individual devices and improves detection efficiency; combining traditional detection with deep detection screens out a large amount of normal traffic and lightens the load on the detection system on the one hand, and on the other hand effectively detects unknown malicious behaviour by combining static detection with dynamic execution detection, greatly reducing the false alarm rate.
The present invention is described with reference to flow charts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for realising the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which realise the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.
Claims (10)
1. A method for defending against an APT attack, characterized in that the method comprises:
a safety controller constructing a global data-flow knowledge base from the flow-table information obtained from the network devices, the data-flow knowledge base containing the direction taken, at each network device, by the data flows of all historical moments across the global scope;
the safety controller steering the abnormal data flows in the data-flow knowledge base to a security device, so that the security device performs deep inspection on the packets of the abnormal data flows;
the safety controller receiving alarm information submitted by the security device, the alarm information containing the suspected malicious behavior that the security device identified during deep inspection; and
the safety controller performing security handling on the network devices according to the suspected malicious behavior in the alarm information.
2. The method of claim 1, characterized in that the safety controller performing security handling on the network devices according to the suspected malicious behavior in the alarm information comprises:
the safety controller dispatching a scanning device to locate the hosts infected by the suspected malicious behavior, and repairing the hosts found; or
the safety controller scheduling a file behavior detection device tac to perform further behavior detection on the abnormal data flows, so as to isolate the suspected malicious behavior.
3. The method of claim 1, characterized in that, before the safety controller steers the abnormal data flows in the data-flow knowledge base to the security device, the method further comprises:
the safety controller performing global traffic analysis on the data-flow knowledge base, and establishing a global flow table of the historical moments and a security baseline of access patterns; and
the safety controller detecting the abnormal data flows in the data-flow knowledge base using the established global flow table and security baseline.
4. The method of claim 1, characterized in that, before the safety controller steers the abnormal data flows in the data-flow knowledge base to the security device, the method further comprises:
registering at least the security device; and
the safety controller steering the abnormal data flows in the data-flow knowledge base to the security device comprises:
the safety controller steering the abnormal data flows in the data-flow knowledge base to a security device whose registration has completed.
5. The method of claim 1, characterized in that, after the safety controller performs security handling on the network devices according to the suspected malicious behavior in the alarm information, the method further comprises:
when the attack corresponding to the suspected malicious behavior has been defended by the security device, the safety controller generating an alarm log of the defense event and saving the alarm log.
6. A safety controller, characterized in that it comprises:
a flow monitoring module, for constructing a global data-flow knowledge base from the flow-table information on the network security devices, the data-flow knowledge base containing the direction taken, at each network security device, by the data flows of all historical moments across the global scope;
an event dispatching module, for steering the abnormal data flows in the data-flow knowledge base to a security device, so that the security device performs deep inspection on the packets of the abnormal data flows;
a transceiver module, for receiving alarm information submitted by the security device, the alarm information containing the suspected malicious behavior that the security device identified during deep inspection; and
a security processing module, for performing security handling on the network security devices according to the suspected malicious behavior in the alarm information.
7. The safety controller of claim 6, characterized in that the security processing module is specifically for:
dispatching a scanning device to locate all hosts infected by the suspected malicious behavior, and repairing the hosts found; or
scheduling a file behavior detection device tac to perform further behavior detection on the abnormal data flows, so as to isolate the suspected malicious behavior.
8. The safety controller of claim 6, characterized in that the flow monitoring module is further for performing global traffic analysis on the data-flow knowledge base and establishing a global flow table of the historical moments and a security baseline of access patterns, and for detecting the abnormal data flows in the data-flow knowledge base using the established global flow table and security baseline.
9. The safety controller of claim 6, characterized in that it further comprises:
a device management module, for at least registering the security device; and
the event dispatching module is specifically for steering the abnormal data flows in the data-flow knowledge base to a security device whose registration has completed.
10. The safety controller of claim 6, characterized in that it further comprises:
a log management module, for generating an alarm log of the defense event and saving the alarm log when the attack corresponding to the suspected malicious behavior has been defended by the security device.
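As an added example that is not part of the patent, the following Python sketch models the pipeline of claims 1 to 5 end to end: build the global data-flow knowledge base from flow-table records, derive the access-pattern security baseline, flag later flows that deviate from it, steer them only to a registered security device, and act on that device's alarm. All flow records, hosts and device names are constructed.

```python
# Added example, not code from the patent: a toy model of the claimed safety
# controller. Flow records, hosts and device names are all constructed.
from collections import defaultdict
# Constructed flow-table export: (time, switch, src, dst, dst_port, out_port)
FLOWS = [
    (1, "sw1", "10.0.0.5", "10.0.0.20", 443, 2),
    (2, "sw2", "10.0.0.7", "10.0.0.20", 443, 1),
    (4, "sw1", "10.0.0.5", "203.0.113.9", 4444, 3),  # never-seen external peer
    (5, "sw2", "10.0.0.7", "10.0.0.21", 445, 1),      # never-seen internal target
    (6, "sw1", "10.0.0.5", "10.0.0.20", 443, 2),      # matches the baseline
]
REGISTERED = {"dpi-1"}  # claim 4: only registered security devices receive flows

def build_knowledge_base(flows):
    """Claim 1: global knowledge base of the direction each flow took at each device."""
    kb = defaultdict(list)
    for t, switch, src, dst, port, out_port in flows:
        kb[(src, dst, port)].append((t, switch, out_port))
    return kb

def security_baseline(kb, until):
    """Claim 3: access-pattern baseline from flows and per-device directions seen up to `until`."""
    base = defaultdict(set)
    for key, hops in kb.items():
        for t, switch, out_port in hops:
            if t <= until:
                base[key].add((switch, out_port))
    return base

def detect_abnormal(kb, base, after):
    """A later flow is abnormal if unseen, or if it takes a device/direction outside the baseline."""
    return sorted((t, key) for key, hops in kb.items()
                  for t, switch, out_port in hops
                  if t > after and (switch, out_port) not in base.get(key, set()))

def steer(abnormal, device):
    """Claim 4: hand abnormal flows to a security device for deep inspection, registered devices only."""
    if device not in REGISTERED:
        raise ValueError(f"{device} is not a registered security device")
    return [(device, key) for _, key in abnormal]

def handle_alert(alert, log):
    """Claims 2 and 5: schedule scan-and-repair for reported hosts; log the event once defended."""
    actions = [("scan_and_repair", host) for host in alert["infected_hosts"]]
    if alert["defended"]:
        log.append({"behavior": alert["behavior"], "flow": alert["flow"]})
    return actions
```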
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610998445.2A CN106341426A (en) | 2016-11-11 | 2016-11-11 | Method for defending APT attack and safety controller |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106341426A true CN106341426A (en) | 2017-01-18 |
Family ID: 57841277
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610998445.2A Pending CN106341426A (en) | 2016-11-11 | 2016-11-11 | Method for defending APT attack and safety controller |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106341426A (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107172050A (en) * | 2017-05-19 | 2017-09-15 | 北京安数云信息技术有限公司 | The detection method and detecting system of APT attacks |
CN107483502A (en) * | 2017-09-28 | 2017-12-15 | 深信服科技股份有限公司 | A kind of method and device for detecting remaining attack |
CN108810018A (en) * | 2018-07-12 | 2018-11-13 | 南方电网科学研究院有限责任公司 | A kind of mobile application detection cloud platform |
CN109088869A (en) * | 2018-08-14 | 2018-12-25 | 北京科东电力控制系统有限责任公司 | APT attack detection method and device |
CN109586282A (en) * | 2018-11-29 | 2019-04-05 | 安徽继远软件有限公司 | A kind of unknown threat detection system of power grid and method |
CN109617873A (en) * | 2018-12-06 | 2019-04-12 | 中山大学 | A kind of flow attacking system of defense based on SDN cloud security function services tree-model |
CN112765603A (en) * | 2021-01-28 | 2021-05-07 | 电子科技大学 | Abnormity tracing method combining system log and origin graph |
CN113098847A (en) * | 2021-03-16 | 2021-07-09 | 四块科技(天津)有限公司 | Supply chain management method, system, storage medium and electronic device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103905418A (en) * | 2013-11-12 | 2014-07-02 | 北京安天电子设备有限公司 | APT multi-dimensional detection and defense system and method |
CN104753946A (en) * | 2015-04-01 | 2015-07-01 | 浪潮电子信息产业股份有限公司 | Security analysis framework based on network traffic meta data |
CN105227559A (en) * | 2015-10-13 | 2016-01-06 | 南京联成科技发展有限公司 | The information security management framework that a kind of automatic detection HTTP actively attacks |
CN105553958A (en) * | 2015-12-10 | 2016-05-04 | 国网四川省电力公司信息通信公司 | Novel network security linkage system and method |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | Application publication date: 20170118 |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | |