CN108462714A - An APT defense system based on system resilience and its defense method - Google Patents


Info

Publication number: CN108462714A
Application number: CN201810243347.7A
Authority: CN (China)
Prior art keywords: attack, data, module, critical, defense
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 张玉臣, 刘小虎, 范钰丹, 程相然, 张恒巍, 鲁晓彬, 董书琴
Current assignee: Information Engineering University of PLA Strategic Support Force
Original assignee: Information Engineering University of PLA Strategic Support Force

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L 63/1416 Event detection, e.g. attack signature detection
                        • H04L 63/1441 Countermeasures against malicious traffic
                            • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 11/00 Error detection; Error correction; Monitoring
                    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
                        • G06F 11/14 Error detection or correction of the data by redundancy in operation
                            • G06F 11/1402 Saving, restoring, recovering or retrying
                                • G06F 11/1446 Point-in-time backing up or restoration of persistent data
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/60 Protecting data
                        • G06F 21/602 Providing cryptographic facilities or services

Abstract

The present invention relates to the technical field of network security, and in particular to an APT defense system based on system resilience and its defense method. The defense method divides the data in the database into critical data and non-critical data; the critical data is distributed to multiple physical locations, and at the same time the critical data is backed up and encrypted to form backup data, which is stored in physical isolation; when the system detects an attack, a complete check of the system's integrity is performed, and when the integrity check fails, the physically isolated backup data is decrypted and restored; and the system is heterogeneously recombined using the decrypted and restored backup data. When the system is attacked, the present invention can weaken the attacker's advantage through system recombination, ensuring to the greatest extent that the system can continue to run normally and smoothly after an attack.

Description

An APT defense system based on system resilience and its defense method
Technical field
The present invention relates to the technical field of network security, and in particular to an APT defense system based on system resilience and its defense method.
Background technology
Advanced duration threatens APT(Advanced Persistent Threat)Be using advanced, complicated method and Technology carries out long-term, duration network attack to specific objective, to steal the critical data of target of attack.APT attacks are general " shake net " virus attack for being put forward for the first time the Iranian nuclear facilities derived from 2010 and meeting with read, also having for subsequently exposing therewith are a large amount of Government department, mechanism, tissue.These events have the everyways such as national security, commercial operation, social life different shadows It rings, to information security field, for the defence of traditional network security, this is a huge threat.
Advanced duration threatens(Advanced Persistent Threat), wherein A-Advanced:Advanced refers to attacking The person's of hitting attack means are advanced, and attack technology is advanced, attack team is advanced, or even has powerful fund group or tissue to support. P-Persistent:Duration refers to that attacker is lasting may be up to even number of several moons to target of attack progress attack time Year.T-Threat:Threat refers to that this attack attack consequence caused by system is quite serious, is threatened quite big.
APT attack cases are had been found that currently, combining, and APT attacks mainly there are following seven kinds of features:
1, it is cheated using social activity.Attacker uses social engineering method, a large amount of sensitive informations for collecting target of attack to form mesh Characteristic is marked, trap and attacker are targetedly designed.
2,0day loopholes are utilized.0day loopholes are that APT attacks a kind of breach being frequently utilized that.According to the 0day leakages found Hole, attacker design according to the special triggering attack code of establishment and had not only met oneself target of attack but also can have mercy on existing anti- The extraordinary wooden horse of shield person's detection architecture.
3, advanced Malware is developed.APT attack tissues, which can put into a large amount of manpower and materials, to be come for target of attack customization specially Door Malware, this software can avoidance system Host Detection, to channel of the critical data based on various remote controls into It commits theft and takes and capture.By P2P seed traps, the wireless network of malice, spear type phishing mail can lay this Malware.
4, it is good at escaping detection.It on the basis of perceiving target network environment, is attacked comprehensively utilizing various intelligence tools Person can be to avoid being found.The advanced technologies such as Virus compression, encryption core code, code injection are integrated and are used, it can be with The effective probability for reducing attack code and being detected.
5, authorized user and credible link are utilized.Pretend to be authorized user or using it is credible link be that attacker is usually used A kind of strategy, it can overcome the Trusted channel between user and system, accurately to be attacked.Attacker has the ability It decomposes certificate and generates key, to create a trusted certificate.
6, hidden C&C communications.Attacker establishes transmission channel to receive using the Malware and system backdoor that lay The instruction of attacker simultaneously passes the critical data of acquisition back, and attacker can use dynamic territory analyzing to realize commander under normal circumstances With control (C&C), communication channel is encrypted and transmits instruction and returned data with hiding information technology.Just because of this spy Sign, hiding C&C communication patterns are also the important component of APT detection and evidence obtaining.
7, systematism, modularization and intelligence.APT attacks are height systematism, modularization and intelligentized product, are being passed through After crossing long-term organization planning, attacker can be broken through with means the most usual, and target of attack progress modularization is set Meter, using intelligentized correlation analysis system constantly close to target.
In terms of the target of attack of APT, life cycle and specific attack process, uses for reference existing research theory and summarize 4 property below:
1, specific aim.There is very strong specific aim, attacker can design special attack for special target of attack for APT attacks Plan, attacker can widely collect various information, using various advanced techniques combination various attacks methods, be counted for an attack It draws and carries out lasting attack.
2, duration.APT attackers can constantly seek to seek the critical data of system the latent infiltration some time Ask attack opportunity.Some cases of discovered in recent years show that APT attackers can plan and permeate several to once attack Year, some attacks can continue 1 year to 3 years, or even be still to hide 50 to ten years after success.
3, interim.APT attacks have 7 stages.It is locked first with social engineering to gathering around privileged individual, And collect information;Attacker can send the Email of forgery and the link of malice, induce target person download of malware, sense Contaminate its machine;After Malware is downloaded on a machine in system, begins to extend and penetrate into other system units;One After denier attacker can enter system, keystone resources are found, and constantly locking is close;It is then lifted out permission, is accessed additional Resource;The software of malice is installed come the system of kidnapping, establishes information back channel;Command console is activated, starts to return from target Communication ceases.
What is generally accepted at present is that the life cycle of APT utilizes social work there are five the stage first in the information acquisition stage Cheng Xue, lock onto target are collected target into row information using various attack patterns, the breach of searching system.Secondly defence line is prominent The broken stage continues with social engineering attack means, mostly uses 0day loopholes, trojan horse etc., and goal systems is infected in invasion, Breakthrough system defence line.Then Path Setup and horizontal infiltration stage constantly promote own right to the system of infection and establish information time Channel is passed, the other parts of system are further infected.Last information is collected and the unofficial biography stage, using the channel having built up, by Console sends instruction, and returning or assign instruction by the key message of the system of invasion breaks loop system.
4, indirect.APT attackers can be gained knowledge using social engineering, attack with target it is related anyone, it is any Mechanism and mechanism member.By attack and the associated indirect mechanisms of target or personnel, attacker can utilize between them Contact, gradually infection invasion final goal, finally reaches target of attack.
The situation is tense for APT threat, and is constantly aggravating, and target of attack has no longer been single Small object, is often threatened Some enterprises, national lifeblood.APT attacks form is constantly complicated, and resists the safety that attack is unpractical, false completely Sense can only cause the risk of bigger.The elasticity that system must be improved can also normally run after meeting with attack, guarantee to hold Continuous offer service, enhances the redundancy of system, and the appearance aggressiveness for improving system is to face to attack more pragmatic way now, Attacking the influence brought reduces.
Content of the invention
The present invention provides an APT defense system based on system resilience and its defense method, which can weaken the attacker's advantage through system recombination when the system is attacked, guarantee to the greatest extent that the system can run normally and smoothly after an attack, and reduce the impact caused by the attack.
To achieve the above technical purpose, the technical scheme used in the present invention is as follows:
An APT defense method based on system resilience, characterized in that it includes:
dividing the data in the database into critical data and non-critical data;
distributing the critical data to multiple physical locations, while backing up and encrypting the critical data to form backup data, and storing the backup data in physical isolation;
when the system detects an attack, performing a complete check of the system's integrity, and when the system integrity check fails, decrypting and restoring the physically isolated backup data;
and performing heterogeneous recombination of the system using the decrypted and restored backup data.
Further, the data in the database also include:
false data having features similar to the critical data, serving as trapping data;
when the system detects an attack on the trapping data, the attacker's attack means, methods and intentions are analyzed, the attacker's true identity is judged, and the real system is given early warning.
Further, the identification of the attack includes:
converting the attack data detected by the system and the critical data into attack events and critical events respectively;
performing reachable-path matching of the attack events and critical events using the attack event network, and analyzing and judging whether an attack exists;
if it exists, performing a complete check of the system's integrity;
if it does not exist, connecting all of the current attack events in series by node path at random and judging whether a reachable path exists; if one exists, performing a complete check of the system's integrity and storing the new attack event into the attack event network.
Further, the method of acquiring the attack data includes:
intercepting a whole snapshot of the database and the complete data packets of the collection link, and comparing them with the feature details of the attack cases stored in the database;
if the analysis result is that an attack exists, performing playback analysis of the intercepted snapshot and data packets, determining the time and path of the attack, and analyzing the attack process and the as-yet-undiscovered security risks and system vulnerabilities.
Further, call requests from system terminals for the critical data are subjected to a permission check by the control point of each physical storage location.
A defense system for the APT defense method based on system resilience, characterized in that the defense system includes a database server defense module and a terminal defense module that respond to and cooperate with each other;
the database server defense module includes:
a data security isolation module, for separating the critical data from the non-critical data;
a distributed data storage defense module, for distributing the critical data to multiple physical locations, while backing up and encrypting the critical data to form backup data and storing the backup data in physical isolation;
the terminal defense module includes:
an abnormal data monitoring module, for monitoring the security state of the system and converting abnormal data into attack data;
an attack determination module, for converting the attack data and the critical data into attack events and critical events respectively, performing reachable-path matching using the attack event network, or connecting all of the current attack events in series by node path at random, and, if there exists a logical path by which the critical data can be reached from the attack events, determining that an attack exists and triggering the system integrity detection module;
a system integrity detection module, for performing, when triggered, a complete check of the system's integrity and, when the system integrity check fails, decrypting and restoring the backup data isolated in the security isolation module;
an adaptive heterogeneous recombination module, for performing heterogeneous recombination of the system using the decrypted and restored backup data.
Further, the attack determination module includes:
an event generator, for receiving the attack data and the corresponding critical data and converting them into attack events and critical events respectively;
an event analyser, for performing reachable-path matching of the attack events and the critical events using the attack event network, analyzing and judging whether an attack exists and, if so, triggering the integrity detection and adaptive heterogeneous recombination modules; if not, connecting all of the current attack events in series by node path at random and judging whether a new attack behavior exists; if so, storing the new attack event into the attack event network through the event database, updating the database, and at the same time triggering the integrity detection and adaptive heterogeneous recombination modules.
Further, the system also includes an attack trapping unit, and the attack trapping unit includes:
trapping data having features similar to the critical data;
an attack trapping module, for analyzing the attacker's attack means, methods and intentions, judging the attacker's true identity, and giving early warning to the real system.
Further, the abnormal data monitoring module includes:
a probe real-time detection monitoring module, for monitoring the security state of the system and collecting data, and reporting abnormal data to the terminal attack detection module if a data anomaly is found;
a terminal attack detection module, for forming attack data from the abnormal data after data conversion and data filtering.
Further, the attack determination module is an event correlation analysis module, which includes an event generator, and an event database, an event analyser and a response unit each connected to the event generator; the response unit is used for performing the system response that triggers the system integrity detection module.
The beneficial effects produced by the present invention are as follows:
1. The present invention gives the system higher resilience and automatic response capability. Through heterogeneous recombination of the system, distributed data storage and the like, the present invention guarantees higher resilience of the system. When an attack is suffered, system integrity can be checked automatically and the heterogeneous system responds adaptively, giving higher automatic response capability.
2. The present invention ensures that the system can still run normally after an attack and provide continuous service. Ordinary defense models simply defend against attacks, whereas the present invention, through adaptive heterogeneous recombination of the system, ensures that the system can continue to provide service after an attack, guaranteeing the continuity of the system.
3. The present invention ensures that a safer heterogeneous recombination is performed after the system is attacked. The present invention uses the initial backup of the critical data during system recombination, and the backup data is stored using a physically isolated, encrypted method, which guarantees the safety of the heterogeneous recombination.
4. The present invention gives the system stronger redundancy and deceptiveness. The present invention adds an attack trapping module. The trapping data, which induces the attacker to attack it, is false data that shares feature similarity with the real system-critical data. Adding this trapping data greatly strengthens the concealment of the system's real data, so that the attacker cannot lock onto the true target when attacking; it creates more uncertainty and confusion for the attacker, greatly reduces the attacker's success rate in locking onto the real target, and wins more redundancy for the system.
Description of the drawings
Fig. 1 is the structure diagram of the present invention.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments, but the protection scope of the present invention is not limited thereto.
As shown in Figure 1, the present invention uses the mutual response and cooperation between the database server defense module and the terminal defense module, with the distributed data storage defense module, the data security isolation module, the probe real-time detection monitoring module, the terminal attack detection and event correlation analysis modules, the system integrity detection module and the adaptive heterogeneous recombination module all coordinating with each other, to improve the system's redundancy, weaken the attacker's advantage through system recombination when the system is attacked, guarantee to the greatest extent that the system can run normally and smoothly after an attack, and reduce the impact of the attack.
An APT defense system based on system resilience: the defense system includes a database server defense module and a terminal defense module; the database server defense module includes a distributed data storage defense module and a data security isolation module; the terminal defense module includes a probe real-time detection monitoring module, a terminal attack detection module, an event correlation analysis module, a system integrity detection module and an adaptive heterogeneous recombination module.
The data security isolation module separates the data in the database into critical and non-critical data, frequently used and rarely used data, and trusted and untrusted data, which can reduce the attacker's attacks on the critical data. Doing so can also effectively prevent the attacker, when attacking one part or one point, from causing a knock-on effect that damages other related parts of the system, reducing the range and the impact of the attack.
The distributed data storage defense module manages non-critical data in the normal way; non-critical data is not the target of the attacker. Critical data is the most sensitive data in the system: the data the attacker most wants to obtain or destroy, data whose compromise would seriously affect normal operation of the system, data whose compromise could even cause the system to collapse, or any combination of these. Critical data is distributed to multiple physical storage locations, so the attacker must destroy the control points of all of these associated physical locations before any key operation can be performed. When a system terminal calls critical data, the call must pass a strict permission check at each control point before it is allowed, and the sensitive operation is recorded in real time to form an operation log. The system also encrypts and backs up the critical data and stores the backup in physical isolation; when the system integrity check fails, the backup is decrypted and the adaptive heterogeneous recombination module performs heterogeneous recombination of the system, ensuring that the system can continue to provide service after an APT attack.
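The separation, distributed placement, control-point permission check, encrypted and isolated backup, integrity check and restore described in this paragraph (and claimed in the method and system sections above) fit together as follows. This is an added Python example, not code from the patent: the record contents, the three storage locations, the terminal names and the backup key are constructed placeholders, each location is modelled as an in-memory dict, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for whatever cipher a real deployment would use.

```python
import hashlib
import hmac
import json
import os

# Constructed sample database: records flagged critical are the ones the text says an
# APT attacker targets; everything else is handled as ordinary (non-critical) data.
DATABASE = {
    "signing_key": {"critical": True, "value": "demo-signing-key-0001"},
    "payroll": {"critical": True, "value": "alice:5200;bob:4800"},
    "cafeteria_menu": {"critical": False, "value": "monday:noodles"},
}
LOCATIONS = ["site-A", "site-B", "site-C"]                # hypothetical physical locations
AUTHORIZED = {loc: {"hr-terminal"} for loc in LOCATIONS}  # per-control-point allow list
BACKUP_KEY = b"constructed-demo-key-use-a-kms-key"        # placeholder, not a real secret
OPERATION_LOG = []                                        # sensitive-operation log


def separate(db):
    """Data security isolation module: split records into critical and non-critical."""
    critical = {k: v["value"] for k, v in db.items() if v["critical"]}
    normal = {k: v["value"] for k, v in db.items() if not v["critical"]}
    return critical, normal


def distribute(critical, locations):
    """Distributed storage: interleave every critical value into one fragment per
    location, so no single location holds a usable copy on its own."""
    n = len(locations)
    store = {loc: {} for loc in locations}
    for name, value in critical.items():
        for i, loc in enumerate(locations):
            store[loc][name] = value[i::n]
    return store


def reassemble(store, name, locations):
    """Inverse of distribute(): needs the fragment held at every location."""
    frags = [store[loc][name] for loc in locations]
    out = []
    for i in range(max(len(f) for f in frags)):
        out.extend(f[i] for f in frags if i < len(f))
    return "".join(out)


def call_critical(store, name, terminal, locations):
    """A terminal's call must pass the permission check at every control point;
    the attempt is logged either way."""
    for loc in locations:
        if terminal not in AUTHORIZED[loc]:
            OPERATION_LOG.append(("denied", terminal, name, loc))
            return None
    OPERATION_LOG.append(("read", terminal, name))
    return reassemble(store, name, locations)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (demo construction).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def make_backup(critical, key):
    """Encrypt-then-MAC backup of the critical data plus a per-record digest manifest.
    The result is kept apart from the live store (the physically isolated copy)."""
    plain = json.dumps(critical, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    manifest = {k: hashlib.sha256(v.encode()).hexdigest() for k, v in critical.items()}
    return {"nonce": nonce, "cipher": cipher, "tag": tag, "manifest": manifest}


def integrity_check(store, backup, locations):
    """System integrity detection: each critical record reassembled from the live
    store must still match the digest recorded when the backup was taken."""
    for name, digest in backup["manifest"].items():
        try:
            current = reassemble(store, name, locations)
        except KeyError:
            return False
        if hashlib.sha256(current.encode()).hexdigest() != digest:
            return False
    return True


def restore(backup, key, locations):
    """Verify the backup's tag, decrypt it and redistribute the critical data; this
    restored copy is what the recombination step rebuilds the system from."""
    expected = hmac.new(key, backup["nonce"] + backup["cipher"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, backup["tag"]):
        raise ValueError("backup tampered: MAC mismatch")
    ks = _keystream(key, backup["nonce"], len(backup["cipher"]))
    plain = bytes(a ^ b for a, b in zip(backup["cipher"], ks))
    return distribute(json.loads(plain.decode()), locations)


def demo():
    """Back up, destroy one site's fragment, detect it, restore. Returns the integrity
    results before the damage, after the damage, and after the restore."""
    critical, _normal = separate(DATABASE)
    store = distribute(critical, LOCATIONS)
    backup = make_backup(critical, BACKUP_KEY)
    before = integrity_check(store, backup, LOCATIONS)
    store["site-B"]["payroll"] = "XX"   # constructed: fragment destroyed at one site
    after = integrity_check(store, backup, LOCATIONS)
    if not after:
        store = restore(backup, BACKUP_KEY, LOCATIONS)
    return before, after, integrity_check(store, backup, LOCATIONS)
```

`demo()` returns `(True, False, True)`: the manifest catches the damaged fragment, and because the backup's tag is checked before decryption, a backup that was itself altered is refused rather than used for recombination.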
The database server defense module also includes an attack trapping unit, which includes an attack trapping module and trapping data. The trapping data is added to the database, so the data in the database includes critical data, non-critical data and trapping data. The trapping data serves as data that induces the attacker to attack it; it is false data that shares feature similarity with the real system-critical data, and even if it is obtained or destroyed by an attack it has no effect on the system. Adding the trapping data greatly strengthens the concealment of the system's real data, so that the attacker cannot lock onto the true target when attacking; it creates more uncertainty and confusion for the attacker, greatly reduces the attacker's success rate in locking onto the real target, and wins more redundancy for the system. The trapping data lures the attacker into attacking it, the attack process is analyzed, and the system is given early warning. When the trapping data is accessed without authorization, this indicates that the system is under APT attack. The attacker's attack actions and paths are traced and analyzed, the attacker's attack means, methods and intentions are analyzed, and the attacker's true identity is judged. A system with a trapping module can hide the true target; the attacker has difficulty distinguishing true from false, which indirectly protects the critical data.
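The trapping unit described here (and claimed above as trapping data plus an attack trapping module) amounts to decoy records and a monitor on their access. The following is an added Python example, not the patent's code: the account records, decoy names and the access-log lines are constructed, and the decoy generator copies the real records' identifier pattern, field set and value ranges, which is one reading of "feature similarity". Because no legitimate workflow reads a decoy, any access to one is treated as unauthorized and produces an early warning carrying the accessor's action trace.

```python
import random
from collections import defaultdict

# Constructed sample of real critical records (the attacker's "target source").
CRITICAL_RECORDS = {
    "ACC-20481": {"owner": "alice", "balance": 5200, "tier": "gold"},
    "ACC-20599": {"owner": "bob", "balance": 4800, "tier": "silver"},
}


def make_trap_records(real, count, seed=7):
    """Generate decoys with the same identifier pattern, field set and value ranges as
    the real records, so they look alike, while holding no real information."""
    rng = random.Random(seed)
    numbers = sorted(int(k.split("-")[1]) for k in real)
    balances = [r["balance"] for r in real.values()]
    tiers = sorted({r["tier"] for r in real.values()})
    fake_owners = ["carol", "dave", "erin", "frank"]   # constructed names
    traps = {}
    while len(traps) < count:
        rid = "ACC-%05d" % rng.randint(numbers[0], numbers[-1] + 500)
        if rid in real or rid in traps:
            continue
        traps[rid] = {"owner": rng.choice(fake_owners),
                      "balance": rng.randint(min(balances) - 500, max(balances) + 500),
                      "tier": rng.choice(tiers)}
    return traps


def build_database(real, traps):
    """Real critical records and decoys sit side by side; only the defender knows
    which keys are decoys."""
    db = dict(real)
    db.update(traps)
    return db


def sample_access_log(traps):
    """Constructed access log, 'time,user,src_ip,action,record'. A service account
    walks the table and touches two decoys before exporting a real record."""
    t = sorted(traps)
    return [
        "10:00:01,alice,10.0.0.5,read,ACC-20481",
        "10:02:10,svc-backup,10.0.0.9,list,*",
        "10:02:11,svc-backup,10.0.0.9,read," + t[0],
        "10:02:12,svc-backup,10.0.0.9,read," + t[1],
        "10:02:13,svc-backup,10.0.0.9,export,ACC-20481",
        "10:05:00,bob,10.0.0.6,read,ACC-20599",
    ]


def analyze_access(log_lines, traps):
    """Attack trapping module: any access to a decoy is unauthorized by definition.
    Reconstruct that principal's action sequence as the trace and raise an early
    warning that records the observed means (actions) and sources."""
    by_user = defaultdict(list)
    for line in log_lines:
        ts, user, ip, action, rec = line.split(",")
        by_user[user].append((ts, ip, action, rec))
    alerts = []
    for user, actions in by_user.items():
        hits = [a for a in actions if a[3] in traps]
        if not hits:
            continue
        alerts.append({
            "user": user,
            "sources": sorted({a[1] for a in actions}),
            "means": sorted({a[2] for a in actions}),
            "trap_hits": len(hits),
            "real_records_touched": sorted({a[3] for a in actions if a[3] in CRITICAL_RECORDS}),
            "trace": [(a[0], a[2], a[3]) for a in actions],
            "early_warning": True,
        })
    return alerts
```

Running `analyze_access(sample_access_log(traps), traps)` on the constructed log yields one alert for `svc-backup` with two decoy hits; the `trace` field is the material the text says is used to analyze the attacker's means, path and intent.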
The probe real-time detection monitoring module, based on the state of the system, monitors behaviors such as security events, asset information, vulnerability events, fault events, process logs, performance data and permission changes, collects data on the detected monitoring results, and forms attack data after data conversion and data filtering. A whole snapshot of the database server and the complete data packets of the collection link can also be intercepted. This method gathers evidence about the current state of the system by comparing it with the attack event features in the event database. If the analysis result is that an attack exists, the intercepted snapshot and data packets are played back and analyzed to determine the time and path of the attack, analyze the attack process, and find the hidden risks or vulnerabilities that already exist but have not yet been discovered.
The terminal attack detection module and the event correlation analysis module: the terminal attack detection module is based on APT attack path detection. First, the target the attacker wants to attack, that is, the critical data in the system, is determined. Through real-time detection and monitoring by the system probes, event data is collected and converted by filtering into attack data; the attack data and the critical data are input to the event correlation analysis module, which includes an event generator and an event database, an event analyser and a response unit each connected to the event generator. The event database stores attack events as attack cases for later use, keeping them in the database. The event generator receives the attack data and critical data and generates attack events and critical events from them respectively. The event analyser performs reachable-path detection on the critical events and attack events, and analyzes and judges whether there exists a path by which the physical node of the critical data can be reached from the attack events; if so, an attack exists, the result is fed back to the response unit, and the response unit produces a response for the system according to the analysis result.
The critical data of different organizations, units, companies and national institutions will differ. The critical data in the system is carefully combed through, a comprehensive and careful information inventory is made, and the data is classified to find the target sources in the system, that is, the data the attacker most wants to destroy or take away, thereby establishing the target sources of APT attacks. From the event database, all attack events and target sources are built into an attack event network. Each attack event is a node in the attack event network, all nodes are linked by before-and-after relationships, and they ultimately all point to critical data. Path matching is performed between the attack events collected by the probe real-time monitoring module and the attack event network to judge whether a path exists from the attack data to a critical data node. If not, all of the current attack events are connected in series by node path at random, and it is judged whether a path exists from the attack data to the physical node of the critical data; if so, the path is stored in the attack event network graph and the database is updated. If there exists a path from the attack data to the physical node of the critical data, an attack exists. If an attack is judged to exist, a system response is performed by the response unit, and the integrity detection module and adaptive heterogeneous recombination module are triggered.
The system integrity detection module and the adaptive heterogeneous recombination module: after the terminal attack detection and event correlation analysis modules respond to the attack, the system integrity detection module is triggered and performs a complete check of the system's integrity, including whether the system's functions are complete, whether any provided service is missing, whether data has been destroyed or stolen, and whether the system can run as usual. When the system integrity check fails, the backup data isolated by the data security isolation module is decrypted and restored, and the adaptive heterogeneous recombination module performs heterogeneous recombination of the system, ensuring stable and continuous operation of the system, reducing to the greatest extent the impact of the APT attack on the system, and enhancing the system's resilience against APT attacks.
A defence method of the APT defence system based on system resilience, characterized in that it includes the following steps:
Step 1: back up critical data. The data security isolation module separates the data in the database into critical data and non-critical data; the critical data is assigned to multiple physical storage locations by means of distributed storage, and at the same time the critical data is backed up, encrypted and stored physically isolated as backup data;
Preferably, trapping data is additionally provided in the database. The trapping data is false data that shares features with the critical data; when the trapping data is accessed without authorization, the attack trapping module is triggered to monitor and analyze the attacker and to issue an early warning to the system.
Preferably, the critical data is subject to a permission examination of the call requests of system terminals by the control node of each physical storage location.
Step 2: monitor the system and generate attack data. The terminal defence module monitors the security state of the system in real time through the probe real-time monitoring module and collects data; if the collected data is abnormal, the abnormal data is converted and filtered to form attack data;
Preferably, the attack data is acquired by intercepting a whole snapshot of the database server and capturing the complete data packets on the link, and comparing them with the feature details of the attack cases stored in the database; if the analysis result is that an attack behavior exists, playback analysis is performed on the intercepted snapshot and data packets to determine the time and path of the attack and to analyze the attack process as well as the security risks and system vulnerabilities not yet discovered.
Step 3: analyze and judge whether an attack behavior exists. The attack data from Step 2 and the critical data from Step 1 are passed through the event generator to produce attack events and critical events respectively; the event analyzer then performs reachable-path matching of the attack events and critical events using the attack event network graph, and analyzes and judges whether an attack behavior exists. If it exists, the response unit carries out the system response, the system integrity detection and adaptive heterogeneous recombination module is triggered, and Step 4 is executed. If it does not exist, all these attack events are randomly connected into node paths and it is judged whether a new attack behavior exists; if so, the path is stored in the attack event network, the database is updated, the response unit carries out the system response, the system integrity detection and adaptive heterogeneous recombination module is triggered, and Step 4 is executed at the same time;
Step 4: the attack behavior triggers system heterogeneous recombination. After the system integrity detection and adaptive heterogeneous recombination module is triggered, it completely checks the integrity of the system; when the system integrity check fails, the backup data from Step 1 is decrypted and restored, and system heterogeneous recombination is performed.
It should be noted that the above embodiments are illustrative and not limiting of the technical solution of the present invention; equivalent replacements by ordinary technical staff in the field, or other modifications made according to the prior art, shall be included within the scope of rights claimed by the present invention as long as they do not exceed the idea and scope of the technical solution of the present invention.
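As an added illustration, not code from the patent or its applicant, the following Python models the attack event network and Steps 3 and 4 above: observed attack events are matched for a reachable path to a critical-data node, a positive match triggers an integrity check of the critical records against a digest manifest, and damaged records are restored from the physically separate backup copies of Step 1, accepting only a copy whose digest still matches. The event names, the record, the manifest and the backup copies are constructed sample data; the encryption of the backup copies and the random series connection fallback of Step 3 are not modelled.

```python
from collections import deque
import hashlib

# Prefix marking the target-source (critical data) nodes of the attack event network.
CRITICAL_PREFIX = "CRITICAL:"

# Constructed attack event network: each node maps to the events that follow it
# (the forward-backward correlation of the description). Event names are
# illustrative assumptions; the patent defines no concrete event vocabulary.
ATTACK_GRAPH = {
    "phishing_mail": ["credential_theft"],
    "credential_theft": ["lateral_movement"],
    "lateral_movement": ["db_admin_login"],
    "db_admin_login": ["CRITICAL:customer_records"],
    "port_scan": [],  # observed, but no path from it reaches a critical-data node
}


def find_path_to_critical(graph, observed_events):
    """Step 3: breadth-first search from every observed attack event.

    Returns the first path (list of nodes) that reaches a critical-data node,
    or None when no reachable path exists.
    """
    parent = {event: None for event in observed_events}
    queue = deque(observed_events)
    while queue:
        node = queue.popleft()
        if node.startswith(CRITICAL_PREFIX):
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def integrity_check(live_records, manifest):
    """Step 4: list the critical records whose live content no longer matches
    the digest recorded in the manifest (a missing record counts as damaged)."""
    return [name for name, digest in manifest.items()
            if sha256_hex(live_records.get(name, b"")) != digest]


def restore_from_backups(damaged, backup_copies, manifest):
    """Step 1 kept copies at physically separate locations; take the first copy
    whose digest matches the manifest, so a tampered copy is rejected."""
    restored = {}
    for name in damaged:
        for copy in backup_copies.get(name, []):
            if sha256_hex(copy) == manifest[name]:
                restored[name] = copy
                break
    return restored


def respond(graph, observed_events, live_records, manifest, backup_copies):
    """Steps 3 and 4 chained: path matching, then integrity check and restore."""
    path = find_path_to_critical(graph, observed_events)
    if path is None:
        return {"attack": False, "path": None, "damaged": [], "restored": {}}
    damaged = integrity_check(live_records, manifest)
    restored = restore_from_backups(damaged, backup_copies, manifest)
    return {"attack": True, "path": path, "damaged": damaged, "restored": restored}


# Constructed sample data: one critical record, its live copy modified, and two
# backup copies of which the first has been tampered with.
ORIGINAL_RECORD = b"customer_records v1"
MANIFEST = {"customer_records": sha256_hex(ORIGINAL_RECORD)}
LIVE_RECORDS = {"customer_records": b"customer_records v1 (modified)"}
BACKUP_COPIES = {"customer_records": [b"tampered copy", ORIGINAL_RECORD]}

if __name__ == "__main__":
    print(respond(ATTACK_GRAPH, ["port_scan", "credential_theft"],
                  LIVE_RECORDS, MANIFEST, BACKUP_COPIES))
```

The manifest digests stand in for the "complete detection" of Step 4: a record is only considered intact when its current content hashes to the value recorded before the attack, and a backup copy is only trusted for restoration under the same condition, which is what makes the physically isolated copies useful against an attacker who has also reached the backup path.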

Claims (9)

1. An APT defence method based on system resilience, characterized in that it includes:
dividing the data in a database into critical data and non-critical data;
assigning the critical data to multiple physical locations, while backing up and encrypting the critical data to form backup data, and storing the backup data physically isolated;
when the system detects an attack behavior, carrying out a complete check of the integrity of the system, and when the system integrity check fails, decrypting and restoring the physically isolated backup data;
and carrying out system heterogeneous recombination using the decrypted and restored backup data.
2. The APT defence method based on system resilience according to claim 1, characterized in that the data in the database further includes:
false data having features similar to the critical data, as trapping data;
when the system detects an attack on the trapping data, the attacker's means, mode and intention are analyzed, the true identity of the attacker is judged, and the real system is given an early warning.
3. The APT defence method based on system resilience according to claim 1, characterized in that the identification of the attack behavior includes:
converting the attack data and the critical data detected by the system into corresponding attack events and critical events;
performing reachable-path matching of the attack events and critical events using an attack event network, and analyzing and judging whether an attack behavior exists;
if it exists, carrying out a complete check of the integrity of the system;
if it does not exist, randomly connecting all these attack events into node paths and judging whether a reachable path exists; if one exists, carrying out a complete check of the integrity of the system and storing the new attack event in the attack event network.
4. An APT defence method based on system resilience, characterized in that the acquisition method of the attack data includes:
intercepting a whole snapshot of the database and capturing the complete data packets on the link, and comparing them with the feature details of the attack cases stored in the database;
if the analysis result is that an attack behavior exists, performing playback analysis on the intercepted snapshot and data packets, determining the time and path of the attack, and analyzing the attack process as well as the security risks and system vulnerabilities not yet discovered.
5. An APT defence method based on system resilience, characterized in that the critical data is subject to a permission examination of the call requests of system terminals by the control node of each physical storage location.
6. A defence system for the APT defence method based on system resilience, characterized in that the defence system includes a database server defence module and a terminal defence module capable of responding to and cooperating with each other;
the database server defence module includes:
a data security isolation module, for separating the critical data from the non-critical data;
a data distributed storage defence module, for assigning the critical data to multiple physical locations, while backing up and encrypting the critical data to form backup data, and storing the backup data physically isolated;
the terminal defence module includes:
an abnormal data monitoring module, for monitoring the security state of the system and converting abnormal data into attack data;
an attack behavior determination module, for converting the attack data and the critical data into attack events and critical events respectively, and performing reachable-path matching using an attack event network, or randomly connecting all these attack events into node paths; if a logical path exists that can reach the critical data from the attack event, an attack behavior is determined to exist and the system integrity detection module is triggered;
a system integrity detection module, for carrying out a complete check of the integrity of the system when triggered, and, when the system integrity check fails, decrypting and restoring the backup data isolated in the security isolation module;
an adaptive heterogeneous recombination module, for carrying out system heterogeneous recombination using the decrypted and restored backup data.
7. A defence system for the APT defence method based on system resilience, characterized in that the attack behavior determination module includes:
an event generator, for receiving the attack data and the corresponding critical data and converting them respectively into attack events and critical events;
an event analyzer, for performing reachable-path matching of the attack events and the critical events using the attack event network, and analyzing and judging whether an attack behavior exists; if it exists, triggering the integrity detection and adaptive heterogeneous recombination module; if it does not exist, randomly connecting all these attack events into node paths and judging whether a new attack behavior exists; if one exists, storing the new attack event in the attack event network through the event database, updating the database, and at the same time triggering the integrity detection and adaptive heterogeneous recombination module.
8. A defence system for the APT defence method based on system resilience, characterized in that the defence system further includes an attack trapping unit, the attack trapping unit including:
trapping data having features similar to the critical data;
an attack trapping module, for analyzing the attacker's means, mode and intention, judging the true identity of the attacker, and giving the real system an early warning.
9. A defence system for the APT defence method based on system resilience, characterized in that the abnormal data monitoring module includes:
a probe real-time monitoring module, for monitoring the security state of the system and collecting data, and reporting abnormal data to the terminal attack detection module if a data anomaly is found;
a terminal attack detection module, for forming attack data from the abnormal data after data conversion and data filtering.
CN201810243347.7A 2018-03-23 2018-03-23 A kind of APT systems of defense and its defence method based on system resilience Pending CN108462714A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810243347.7A CN108462714A (en) 2018-03-23 2018-03-23 A kind of APT systems of defense and its defence method based on system resilience

Publications (1)

Publication Number Publication Date
CN108462714A true CN108462714A (en) 2018-08-28

Family

ID=63237240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810243347.7A Pending CN108462714A (en) 2018-03-23 2018-03-23 A kind of APT systems of defense and its defence method based on system resilience

Country Status (1)

Country Link
CN (1) CN108462714A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010030169A2 (en) * 2008-09-12 2010-03-18 Mimos Bhd. A honeypot host
CN104794143A (en) * 2014-07-30 2015-07-22 北京中科同向信息技术有限公司 Agent-free backup technology
CN105488389A (en) * 2014-12-08 2016-04-13 哈尔滨安天科技股份有限公司 Update and reduction method and system of honeypot database
CN106534195A (en) * 2016-12-19 2017-03-22 杭州信雅达数码科技有限公司 Network attacker behavior analyzing method based on attack graph
CN106961442A (en) * 2017-04-20 2017-07-18 中国电子技术标准化研究院 A kind of network method for entrapping based on honey jar
CN107347079A (en) * 2017-09-05 2017-11-14 合肥丹朋科技有限公司 Computer network means of defence

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109547504A (en) * 2019-01-25 2019-03-29 黑龙江大学 A kind of mobile sensor network intrusion detection and automated response method
CN109547504B (en) * 2019-01-25 2021-05-25 黑龙江大学 Network intrusion detection and adaptive response method for mobile sensor
CN110677415A (en) * 2019-09-29 2020-01-10 信阳农林学院 Network information safety protection system
CN112131052B (en) * 2020-10-23 2024-02-09 北京安石科技有限公司 Method and system for quickly recovering operating system
CN112131052A (en) * 2020-10-23 2020-12-25 北京安石科技有限公司 Quick recovery method and system for operating system
CN112395619A (en) * 2020-11-18 2021-02-23 中国信息安全测评中心 Vulnerability scanning method and device
CN112506699A (en) * 2020-11-25 2021-03-16 江苏恒信和安电子科技有限公司 Data security backup method, equipment and system
CN112615842A (en) * 2020-12-11 2021-04-06 黑龙江亿林网络股份有限公司 Network security implementation system and method based on big data platform
CN112800422A (en) * 2021-01-19 2021-05-14 东北大学 Networked motor system remote state estimation method under hidden attack
CN112800422B (en) * 2021-01-19 2023-09-01 东北大学 Remote state estimation method for networked motor system under hidden attack
CN113268734B (en) * 2021-04-27 2023-11-24 中国科学院信息工程研究所 Key host event identification method based on information flow analysis
CN113268734A (en) * 2021-04-27 2021-08-17 中国科学院信息工程研究所 Key host event identification method based on information flow analysis
CN113612779A (en) * 2021-08-05 2021-11-05 杭州中尔网络科技有限公司 Advanced sustainable attack behavior detection method based on flow information
CN114760095A (en) * 2022-03-09 2022-07-15 西安电子科技大学 Intention-driven network defense strategy generation method, system and application
CN114760095B (en) * 2022-03-09 2023-04-07 西安电子科技大学 Intention-driven network defense strategy generation method, system and application

Similar Documents

Publication Publication Date Title
CN108462714A (en) A kind of APT systems of defense and its defence method based on system resilience
Ashoor et al. Importance of intrusion detection system (IDS)
CN104283889B (en) APT attack detectings and early warning system inside electric system based on the network architecture
Bernardes Implementation of an intrusion detection system based on mobile agents
Salem et al. A survey of insider attack detection research
US6405318B1 (en) Intrusion detection system
CN101803337B (en) Intrusion detection method and system
CN104811447B (en) One kind is based on the associated safety detection method of attack and system
CN107888607A (en) A kind of Cyberthreat detection method, device and network management device
Sandhu et al. A survey of intrusion detection & prevention techniques
KR100910761B1 (en) Anomaly Malicious Code Detection Method using Process Behavior Prediction Technique
Sherif et al. Intrusion detection: systems and models
Wani et al. Ransomware protection in loT using software defined networking
Thamer et al. A survey of ransomware attacks for healthcare systems: Risks, challenges, solutions and opportunity of research
CN106411562A (en) Electric power information network safety linkage defense method and system
CN102222194A (en) Module and method for LINUX host computing environment safety protection
CN104144063A (en) Website security monitoring and alarming system based on log analysis and firewall security matrixes
CN111628981B (en) Network security system and method capable of being linked with application system
CN108234419A (en) A kind of network attack monitoring method and device based on big data
CN110213226A (en) Associated cyber attack scenarios method for reconstructing and system are recognized based on risk total factor
Ramachandran et al. A P2P intrusion detection system based on mobile agents
Suo et al. Research on the application of honeypot technology in intrusion detection system
CN116094817A (en) Network security detection system and method
Thu Integrated intrusion detection and prevention system with honeypot on cloud computing environment
CN107277070A (en) A kind of computer network instrument system of defense and intrusion prevention method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180828