CN109951419A - An APT intrusion detection method based on attack-chain attack-rule mining - Google Patents

An APT intrusion detection method based on attack-chain attack-rule mining

Info

Publication number: CN109951419A
Application number: CN201711385025.8A
Authority: CN (China)
Prior art keywords: attack, data, rule, flow, apt
Priority date: 2017-12-20
Filing date: 2017-12-20
Publication date: 2019-06-28
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 姜文婷, 王婉婷, 亢中苗, 苏卓, 赵瑞锋, 周安, 罗崇立, 刘健峰
Current assignee: Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Original assignee: Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Application filed by Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The present invention relates to an APT intrusion detection method based on attack-chain attack-rule mining, comprising the following steps: S1. pre-process the sample data; S2. classify the sample data with a classification algorithm and identify the application type of each sample; S3. merge the classified data and treat the merged data as the transactions processed by the association-rule algorithm; S4. mine attack rules from the merged data with an association-rule algorithm and establish an attack rule base; S5. analyze the attack rules and establish a corresponding solution set; S6. deploy the attack rule base and the solution set in an intrusion detection system for real-time monitoring of attacks.

Description

An APT intrusion detection method based on attack-chain attack-rule mining
Technical field
The present invention relates to the technical field of private communication networks, and in particular to an APT intrusion detection method based on attack-chain attack-rule mining.
Background art
At present, with the rapid development of the internet, the attack strategies of network attackers are also constantly improving. In order to obtain greater benefits, attackers have shifted their targets from attacking individual PCs to obtain personal privacy to attacking large core industrial systems and the internal private networks of governments and enterprises. More and more attackers now divide the attack process into multiple stages according to attack chain techniques; the attack carried out in each stage is usually highly concealed and may even be indistinguishable from normal traffic. This kind of attack is usually called an APT attack. A traditional network intrusion detection system of the "one attack, one report" form has difficulty discovering these attack events and sometimes even treats normal traffic as abnormal traffic, so the alarm accuracy is low and the false alarm rate is high. In the prior art, the relationship between the preceding and following attack traffic initiated by an attacker, which attack chain knowledge takes into account, is not associated; this generates a large number of useless rules and wastes resources. Meanwhile, matching can only be performed on a single attack flow, so multi-stage attack traffic cannot be identified; and because the features of attack-chain-based attacks are not taken into account, multi-stage attack traffic cannot be detected.
Summary of the invention
The present invention overcomes the shortcomings described above and provides an APT intrusion detection method based on attack-chain attack-rule mining, which improves the accuracy of real-time intrusion detection and identifies the concealed, long-duration APT attack processes that a traditional intrusion detection system cannot find.
In order to solve the above technical problems, the technical solution adopted by the present invention is as follows:
An APT intrusion detection method based on attack-chain attack-rule mining, comprising the following steps:
S1. pre-process the sample data;
S2. classify the sample data with a classification algorithm and identify the application type of the sample data;
S3. merge the classified data and treat the merged data as the transactions processed by the association-rule algorithm;
S4. mine attack rules from the merged data with an association-rule algorithm and establish an attack rule base;
S5. analyze the attack rules and establish a corresponding solution set;
S6. deploy the attack rule base and the solution set in an intrusion detection system for real-time monitoring of attacks.
In the above scheme, the sample data are first pre-processed; then a classification algorithm classifies the sample data and identifies the application type of each sample; the classified data are further merged and the merged data are treated as the transactions processed by the association-rule algorithm; the association-rule algorithm then mines attack rules from the merged data to establish the attack rule base; the attack rules are analyzed to establish the corresponding solution set; and finally the attack rule base and the solution set are deployed in the intrusion detection system for real-time monitoring of attacks. By pre-processing the sample data, classifying it, merging the classified data and applying the corresponding operations, analyzing the merged data and finally finding the corresponding solution, the whole process improves the accuracy of real-time intrusion detection and identifies the concealed, long-duration APT attack processes that a traditional intrusion detection system cannot find.
Preferably, the specific steps of step S1 are as follows:
S11. collect the sample information of the abnormal traffic identified by the alarm equipment in the network;
S12. remove erroneous and redundant traffic data from the sample information;
S13. standardize the data format;
S14. store the processed data in a database.
Preferably, the specific steps of step S2 are as follows:
S21. classify the standardized traffic data using the decision tree C4.5 algorithm;
S22. establish a classifier and identify the application type;
S23. test the performance of the classifier; if the classifier performance is poor, repeat steps S21 to S23 to improve the classifier performance.
Preferably, step S3 is specifically as follows:
The classified data are merged according to IP address, and the merged data are stored in a database; there are three kinds of merging:
(1) traffic data with identical destination address and identical source address;
(2) traffic data with identical destination address;
(3) traffic data in which the source address of one flow is identical to the destination address of another flow.
Preferably, step S4 is specifically as follows:
The merged data are used as the transactions processed by the association-rule algorithm; the Apriori algorithm mines APT attack rules from the merged data, and an attack rule base is established for use by the real-time online intrusion detection system.
Preferably, step S5 is specifically as follows:
Based on step S4, the attack rules are analyzed according to the following aspects:
(1) the attack chain stage that each attack rule involves, judged from expert knowledge and historical experience;
(2) the extent of the damage of the attack, analyzed from the features of each attack chain stage;
(3) the measures the attacker took in the preceding stage and the next attack step, and tracing of the attack source;
Based on the above analysis, a solution is provided for every attack rule and a solution set is established for use by the real-time online detection system.
Preferably, step S6 is specifically as follows:
The attack rule base and the solution set are deployed in the real-time online network intrusion detection system to monitor APT attacks in real time; if the attack rule base fails to match suspicious attack traffic, the suspicious attack traffic is collected and the method returns to step S1 to continue mining attack rules, guaranteeing that the attack rule base is updated periodically.
Compared with the prior art, the beneficial effects of the present invention are: by classifying, merging and association-rule mining a large amount of historical attack traffic data, the present invention establishes an APT attack rule matching library. This matching library is applied on key power grid nodes to identify the APT attacks that a traditional intrusion detection system cannot find; the whole process improves the accuracy of real-time intrusion detection and identifies the concealed, long-duration APT attack processes that a traditional intrusion detection system cannot find.
Description of the drawings
Fig. 1 is the attack rule mining flow chart.
Fig. 2 is the attack state transition diagram for the case where flow A and flow B have the same source address and destination address.
Fig. 3 is the attack schematic diagram for the case where flow A and flow B have the same source address and destination address.
Fig. 4 is the attack state transition diagram for the case where flow A and flow B have the same destination address.
Fig. 5 is the attack schematic diagram for the case where flow A and flow B have the same destination address.
Fig. 6 is the attack state transition diagram for the case where the destination address of flow A is the same as the source address of flow B.
Fig. 7 is the attack schematic diagram for the case where the destination address of flow A is the same as the source address of flow B.
Fig. 8 is the real-time detection flow chart.
Fig. 9 is the attack process restoration diagram.
Specific embodiment
The attached drawings are for illustrative purposes only and are not to be understood as limiting the patent; in order to better illustrate this embodiment, certain components in the drawings may be omitted, enlarged or reduced and do not represent the size of the actual product; those skilled in the art will understand that some known structures and their description may be omitted from the drawings. The technical solution of the invention is further described below with reference to the drawings and embodiments.
Embodiment 1:
An APT intrusion detection method based on attack-chain attack-rule mining; the workflow of this embodiment is shown in Fig. 1:
In this embodiment, the method comprises the following steps:
S1. pre-process the sample data;
S2. classify the sample data with a classification algorithm and identify the application type of the sample data;
S3. merge the classified data and treat the merged data as the transactions processed by the association-rule algorithm;
S4. mine attack rules from the merged data with an association-rule algorithm and establish an attack rule base;
S5. analyze the attack rules and establish a corresponding solution set;
S6. deploy the attack rule base and the solution set in an intrusion detection system for real-time monitoring of attacks.
In the above scheme, the sample data are first pre-processed; then a classification algorithm classifies the sample data and identifies the application type of each sample; the classified data are further merged and the merged data are treated as the transactions processed by the association-rule algorithm; the association-rule algorithm then mines attack rules from the merged data to establish the attack rule base; the attack rules are analyzed to establish the corresponding solution set; and finally the attack rule base and the solution set are deployed in the intrusion detection system for real-time monitoring of attacks. By pre-processing the sample data, classifying it, merging the classified data and applying the corresponding operations, analyzing the merged data and finally finding the corresponding solution, the whole process improves the accuracy of real-time intrusion detection and identifies the concealed, long-duration APT attack processes that a traditional intrusion detection system cannot find.
In this embodiment, the specific steps of step S1 are as follows:
S11. collect the sample information of the abnormal traffic identified by the alarm equipment in the network;
S12. remove erroneous and redundant traffic data from the sample information;
S13. standardize the data format;
S14. store the processed data in a database.
In this embodiment, the specific steps of step S2 are as follows:
S21. classify the standardized traffic data using the decision tree C4.5 algorithm;
S22. establish a classifier and identify the application type;
S23. test the performance of the classifier; if the classifier performance is poor, repeat steps S21 to S23 to improve the classifier performance.
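Steps S1 and S2 as one worked example, added here and not part of the patent: raw alarm records are parsed, erroneous and duplicate records are dropped and the field formats are standardized (S11 to S14), then a C4.5-style decision tree (gain ratio on categorical attributes, without pruning) is grown to label the application type of a flow, and its accuracy is measured as step S23 requires. The alarm record format, the feature names and the sample records are constructed assumptions; the patent does not specify them.

```python
"""Steps S1 and S2 as a worked example (added here; not the patent's code).
S1: normalise raw alarm records, dropping malformed and duplicate ones.
S2: grow a C4.5-style decision tree (gain ratio on categorical attributes,
no pruning) that labels the application type of a flow, then measure its
accuracy as step S23 requires. Record format and feature names are assumptions."""
from collections import Counter, defaultdict
from math import log2

# Constructed raw alarm lines, as an alarm device might export them:
# timestamp,src,dst,proto,flag,dst_port,failed_logins,app_type
RAW_ALARMS = [
    "201707190800,106.120.206.219,192.168.5.100,tcp,S0,0,0,port_scan",
    "201707190800,106.120.206.219,192.168.5.100,TCP,S0,0,0,port_scan",  # same record, differs only in case
    "201707190805,106.120.206.219,192.168.5.101,tcp,S0,0,0,port_scan",
    "201707192200,106.120.206.200,192.168.5.100,tcp,SF,22,5,brute_force",
    "201707192210,106.120.206.201,192.168.5.100,tcp,SF,22,7,brute_force",
    "201707192300,106.120.206.111,192.168.5.100,tcp,SF,22,0,remote_login",
    "201707230800,106.120.206.100,192.168.5.100,tcp,SF,4444,0,remote_control",
    "201707230900,106.120.206.100,192.168.5.101,tcp,SF,4444,0,remote_control",
    "201707011000,106.120.206.219,192.168.5.90,tcp,SF,25,0,send_mail",
    "201707131400,192.168.5.1,192.168.5.70,tcp,SF,25,0,send_mail",
    "garbled line",                                          # S12: erroneous record
    "notatime,1.2.3.4,5.6.7.8,tcp,SF,80,0,web",              # S12: bad timestamp
]
FIELDS = ["timestamp", "src", "dst", "proto", "flag", "dst_port", "failed_logins", "app_type"]
FEATURES = ["proto", "flag", "dst_port", "failed_logins"]


def preprocess(lines):
    """S11-S14: parse, drop erroneous and redundant records, standardise formats."""
    seen, rows = set(), []
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FIELDS) or not parts[0].isdigit():
            continue                                          # erroneous record
        rec = dict(zip(FIELDS, parts))
        rec["proto"], rec["flag"] = rec["proto"].upper(), rec["flag"].upper()
        rec["failed_logins"] = "0" if int(rec["failed_logins"]) == 0 else ">0"  # bucket the count
        key = tuple(rec.values())
        if key in seen:
            continue                                          # redundant record
        seen.add(key)
        rows.append(rec)
    return rows


def entropy(labels):
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def gain_ratio(rows, attr, target):
    """C4.5 split criterion: information gain divided by split information."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[attr]].append(r)
    n = len(rows)
    gain = entropy([r[target] for r in rows]) - sum(
        len(g) / n * entropy([r[target] for r in g]) for g in groups.values())
    split_info = -sum(len(g) / n * log2(len(g) / n) for g in groups.values())
    return gain / split_info if split_info else 0.0


def build_tree(rows, attrs, target):
    """Recursively grow the tree; leaves are class labels, inner nodes are dicts."""
    labels = [r[target] for r in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not attrs:
        return majority
    best = max(attrs, key=lambda a: gain_ratio(rows, a, target))
    if gain_ratio(rows, best, target) == 0.0:
        return majority                                       # no attribute separates the rows
    groups = defaultdict(list)
    for r in rows:
        groups[r[best]].append(r)
    node = {"attr": best, "default": majority, "branches": {}}
    for value, g in groups.items():
        node["branches"][value] = build_tree(g, [a for a in attrs if a != best], target)
    return node


def predict(tree, row):
    while isinstance(tree, dict):                             # unseen value falls back to the node majority
        tree = tree["branches"].get(row[tree["attr"]], tree["default"])
    return tree


def accuracy(tree, rows, target="app_type"):
    """S23: fraction of rows whose predicted application type is correct."""
    return sum(predict(tree, r) == r[target] for r in rows) / len(rows)


def train_app_type_classifier(lines):
    rows = preprocess(lines)
    return build_tree(rows, FEATURES, "app_type"), rows


if __name__ == "__main__":
    tree, rows = train_app_type_classifier(RAW_ALARMS)
    print(len(rows), "clean records; training accuracy", accuracy(tree, rows))
    print(predict(tree, {"proto": "TCP", "flag": "SF", "dst_port": "22", "failed_logins": ">0"}))
```

Twelve raw lines become nine clean records (two malformed lines and one duplicate are removed), and the tree classifies them all correctly. In practice step S23 would measure accuracy on held-out alarms rather than on the training set, and a poor score sends the loop back to S21 as the patent describes.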
In this embodiment, step S3 is specifically as follows:
The classified data are merged according to IP address, and the merged data are stored in a database; there are three kinds of merging:
(1) traffic data with identical destination address and identical source address;
(2) traffic data with identical destination address;
(3) traffic data in which the source address of one flow is identical to the destination address of another flow.
In this embodiment, step S4 is specifically as follows:
The merged data are used as the transactions processed by the association-rule algorithm; the Apriori algorithm mines APT attack rules from the merged data, and an attack rule base is established for use by the real-time online intrusion detection system.
In this embodiment, step S5 is specifically as follows:
Based on step S4, the attack rules are analyzed according to the following aspects:
(1) the attack chain stage that each attack rule involves, judged from expert knowledge and historical experience;
(2) the extent of the damage of the attack, analyzed from the features of each attack chain stage;
(3) the measures the attacker took in the preceding stage and the next attack step, and tracing of the attack source;
Based on the above analysis, a solution is provided for every attack rule and a solution set is established for use by the real-time online detection system.
In this embodiment, step S6 is specifically as follows:
The attack rule base and the solution set are deployed in the real-time online network intrusion detection system to monitor APT attacks in real time; if the attack rule base fails to match suspicious attack traffic, the suspicious attack traffic is collected and the method returns to step S1 to continue mining attack rules, guaranteeing that the attack rule base is updated periodically.
In this embodiment, the present invention classifies, merges and applies association-rule mining to a large amount of historical attack traffic data and establishes an APT attack rule matching library. This matching library is applied on key nodes of the power communication network to identify the APT attacks that a traditional intrusion detection system cannot find. The application works as follows: real-time online traffic is first judged by the traditional intrusion detection method to be suspected attack traffic or non-attack traffic; the classifier identifies the application type of the traffic, and the traffic is then matched against the attack rules in the APT attack rule matching library. Traffic that matches no attack rule is divided, according to the judgement made earlier by the traditional intrusion detection system, into non-attack traffic and unconfirmed suspected attack traffic. Traffic that matches an attack rule is recorded together with the associated attack rule. Because attack-chain-based attack traffic opens the task of the next stage only some time after the task of a certain stage is completed, and in order not to affect the normal operation of the network, the real-time detection system judges from the destructive strength of the flow whether it must be blocked, with manual judgement where necessary; if the flow is blocked, its record is deleted and the system no longer waits for the next-stage flow. If it is not blocked, the system waits for the attack traffic of the other stages; if traffic of another attack stage that satisfies the attack rule is detected, these flows are judged to be APT attack traffic. Because the time at which the attacker starts the next attack stage cannot be determined, the record of the flow and its attack rule must be kept permanently while waiting for the traffic of the other attack stages.
Embodiment 2:
In order to effectively detect persistent, concealed attack processes, the present invention proposes to use data mining techniques on the basis of attack chain techniques and to analyze a large amount of historical attack traffic data. The alarm traffic in the network is classified with a decision tree algorithm, and according to the identified type, an association-rule algorithm is used to discover the association rules between the traffic of each stage of the attack chain. The preceding attack prepares for the next attack step, so analyzing the association rules between preceding and following traffic reveals the process by which the attacker attacks the target network.
If the attribute features of the sample traffic are not processed before association-rule mining, and the algorithm is applied directly to generate association rules, a large number of useless rules is generated. To avoid this, the data set is processed according to the IP address attribute of the traffic before association rules are generated. From attack chain techniques it is known that once an attacker has captured a host in the network, the attacker uses that host to carry out other attack operations in the network; therefore analyzing the association rules between flows with the same IP address discovers a large number of APT attack rules and effectively detects APT attacks. The present invention proposes: before association rules are generated, pairs of flows in the network are merged according to IP address, and the merged data serve as the transactions processed by the Apriori algorithm.
In this embodiment, the three kinds of merging are illustrated:
(1) the source address and destination address of flow A and flow B are identical
From attack chain techniques it is known that flow A occurs in the reconnaissance stage and flow B in the attack tool delivery stage; the attack state transition diagram is shown in Fig. 2 and the attack schematic diagram in Fig. 3:
Suppose the alarm equipment detects the following suspicious traffic in the network. Flow A indicates that at 08:00 on June 29, 2017, the host with IP address 106.120.206.219 performed a TCP port scan of the host with IP address 192.168.5.90. Flow B indicates that at 10:00 on July 1, 2017, the host with IP address 106.120.206.219 sent mail to the host with IP address 192.168.5.90.
Flow A:
Flow B:
Source IP address | Destination IP address | Timestamp | Protocol | Flag | Classification
106.120.206.219 | 192.168.5.90 | 201707011000 | TCP | SF | Send mail
The merged data are expressed as:
Identical source IP address | Identical destination IP address | TCP | SF | TCP port scanning | Send mail
By association-rule mining over a large number of data samples with identical source address and identical destination address, the following attack rule is produced:
If the classification result of a flow after the classifier is the port scan type, and the application type of a subsequent flow with the same source address and the same destination address is sending mail, then it may be judged that the probability that the destination is under attack is very high.
(2) flow A and flow B have the same destination address
The attack state transition diagram is shown in Fig. 4 and the attack schematic diagram in Fig. 5:
An attacker can forge IP addresses to disguise themselves and communicate with one destination host from different source IP addresses; therefore, mining the association rules between flows with the same destination address can discover attacks in the network. Suppose the following suspicious traffic exists in the network. Flow A indicates that at 24:00 on June 28, 2017, the host with IP address 106.120.206.219 performed a TCP port scan of the host with IP address 192.168.5.90. Flow B indicates that at 11:00 on July 2, 2017, the host with IP address 106.120.206.180 brute-forced the login password of the host with IP address 192.168.5.90.
Flow A:
Flow B:
The merged data are expressed as:
Identical destination IP address | TCP | TCP port scanning | Num_faile_login=5 | Brute-force password guessing
By association-rule mining over a large number of data samples with the same destination address, the following attack rule is produced:
From attack chain knowledge it is known that flow A occurs in the reconnaissance stage and flow B in the attack tool delivery stage: the attacker brute-forces the login password of the destination host in order to deliver a malicious file to the destination host.
(3) the destination address of flow A is the same as the source address of flow B
The attack state transition diagram is shown in Fig. 6 and the attack schematic diagram in Fig. 7:
Suppose the following suspicious traffic exists in the network. Flow A indicates that at 22:00 on July 12, 2017, the host with IP address 106.120.206.219 remotely controlled the host with IP address 192.168.5.90. Flow B indicates that at 23:00 on July 12, 2017, the host with IP address 192.168.5.90 initiated a connection to the server with IP address 192.168.5.1. Flow C indicates that at 14:00 on July 13, 2017, the server with IP address 192.168.5.1 sent mail to the host with IP address 192.168.5.70.
Flow A:
Source IP address | Destination IP address | Timestamp | Protocol | Flag | Classification
106.120.206.219 | 192.168.5.90 | 201707122200 | TCP | SF | Remote control
Flow B:
Flow C:
Source IP address | Destination IP address | Timestamp | Protocol | Flag | Classification
192.168.5.1 | 192.168.5.70 | 201707131400 | TCP | SF | Send mail
The data after merging flow A with flow B are expressed as:
Source address of one flow identical to destination address of the other | TCP | SF | Remote control | Establish connection with server
The data after merging flow B with flow C are expressed as:
Source address of one flow identical to destination address of the other | TCP | SF | Establish connection with server | Send mail
By association-rule mining over a large number of data samples that satisfy this situation, the following two attack rules are produced:
From the basic knowledge of attack chain techniques it is known that flow A occurs in the installation stage of the attack, flow B in the establish-access stage, and flow C in the execution stage.
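Steps S3 and S4, and the three merge cases worked through in this embodiment, as one added example that is not part of the patent: classified flows are paired by the three IP-address relations, every related pair becomes one transaction, and a small Apriori implementation mines rules of the form {relation, first:X} -> next:Y with support and confidence thresholds. The flow records (which repeat the three cases above on constructed hosts, plus one benign scan-then-browsing pair), the thresholds and the item names are constructed assumptions.

```python
"""Steps S3 and S4 as a worked example (added here; not the patent's code).
Classified flows are merged by IP-address relation into transactions, and a
small Apriori implementation mines rules {relation, first:X} -> next:Y.
Flow records, thresholds and item names are constructed assumptions."""
from collections import Counter
from itertools import combinations


def flow(ts, src, dst, app):
    return {"ts": ts, "src": src, "dst": dst, "app": app}


def sample_flows():
    """Constructed classified flows repeating the patent's three merge cases."""
    flows = []
    for i in range(3):
        v = f"192.168.1.{10 + i}"              # case (1): same source and destination
        flows += [flow(201706290800 + i, "106.120.206.219", v, "port_scan"),
                  flow(201707011000 + i, "106.120.206.219", v, "send_mail")]
        v = f"192.168.2.{10 + i}"              # case (2): same destination, different sources
        flows += [flow(201706282400 + i, "106.120.206.219", v, "port_scan"),
                  flow(201707021100 + i, "106.120.206.180", v, "brute_force")]
        net = 3 + i                            # case (3): destination of one flow is source of the next
        v, srv, w = f"192.168.{net}.90", f"192.168.{net}.1", f"192.168.{net}.70"
        flows += [flow(201707122200 + i, "106.120.206.219", v, "remote_control"),
                  flow(201707122300 + i, v, srv, "establish_connection"),
                  flow(201707131400 + i, srv, w, "send_mail")]
    # one benign follow-up, so that not every related pair supports an attack rule
    flows += [flow(201707150900, "10.0.0.5", "192.168.9.9", "port_scan"),
              flow(201707151000, "10.0.0.5", "192.168.9.9", "web_browsing")]
    return flows


def relation(a, b):
    """Which of the three merge cases relates earlier flow a to later flow b, if any."""
    if a["src"] == b["src"] and a["dst"] == b["dst"]:
        return "same_src_and_dst"
    if a["dst"] == b["dst"]:
        return "same_dst"
    if a["dst"] == b["src"]:
        return "dst_is_next_src"
    return None


def merge_flows(flows):
    """S3: every related pair of flows becomes one transaction (a set of items)."""
    ordered = sorted(flows, key=lambda f: f["ts"])
    transactions = []
    for a, b in combinations(ordered, 2):     # a is always earlier than b
        rel = relation(a, b)
        if rel:
            transactions.append(frozenset({rel, "first:" + a["app"], "next:" + b["app"]}))
    return transactions


def apriori(transactions, min_support):
    """S4: level-wise Apriori; returns {frequent itemset: support count}."""
    threshold = min_support * len(transactions)
    level = {frozenset([i]): c for i, c in Counter(i for t in transactions for i in t).items()
             if c >= threshold}
    frequent, k = dict(level), 2
    while level:
        candidates = set()
        for x, y in combinations(level, 2):
            u = x | y
            # Apriori pruning: every (k-1)-subset of a candidate must itself be frequent
            if len(u) == k and all(frozenset(s) in level for s in combinations(u, k - 1)):
                candidates.add(u)
        counts = Counter(c for t in transactions for c in candidates if c <= t)
        level = {c: v for c, v in counts.items() if v >= threshold}
        frequent.update(level)
        k += 1
    return frequent


def mine_attack_rules(frequent, n, min_confidence):
    """Turn frequent 3-itemsets into rules {relation, first:X} -> next:Y."""
    rules = []
    for itemset, count in frequent.items():
        nxt = [i for i in itemset if i.startswith("next:")]
        if len(itemset) != 3 or len(nxt) != 1:
            continue
        antecedent = itemset - {nxt[0]}
        confidence = count / frequent[antecedent]   # antecedent is frequent by the Apriori property
        if confidence >= min_confidence:
            rules.append({"if": tuple(sorted(antecedent)), "then": nxt[0],
                          "support": round(count / n, 3), "confidence": round(confidence, 3)})
    return sorted(rules, key=lambda r: r["if"])


def build_rule_base(flows, min_support=0.2, min_confidence=0.6):
    transactions = merge_flows(flows)
    return mine_attack_rules(apriori(transactions, min_support), len(transactions), min_confidence)


if __name__ == "__main__":
    for rule in build_rule_base(sample_flows()):
        print(rule)
```

The 20 constructed flows yield 13 transactions and four rules, one per worked case plus the second half of case (3). The benign scan-then-browsing pair never becomes a rule because the item next:web_browsing falls below the support threshold, and the scan-then-mail rule of case (1) carries confidence 0.75 rather than 1.0 because that benign pair shares its antecedent. Pairing only IP-related flows is what keeps the transaction count, and with it the number of useless candidate rules, small, which is the point the embodiment makes.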
Embodiment 3:
The effect of APT attack detection and the restoration of the attack process are illustrated with an example.
The flows shown in the table below exist in the network; the traffic class attribute is determined by the decision tree classifier.
Flow | Timestamp | Source IP address | Destination IP address | Traffic class
Flow A | 201707190800 | 106.120.206.219 | 192.168.5.100 | TCP port scanning
Flow B | 201707192200 | 106.120.206.200 | 192.168.5.100 | Brute-force password guessing
Flow C | 201707192300 | 106.120.206.111 | 192.168.5.100 | Telnet
Flow D | 201707230800 | 106.120.206.100 | 192.168.5.100 | Remote control
Flow E | 201707241200 | 192.168.5.100 | 192.168.5.1 | Establish connection request
Flow F | 201708021400 | 192.168.5.1 | 192.168.5.80 | File transfer
Flow G | 201708031300 | 192.168.5.1 | 192.168.5.88 | File transfer
The matching results of the above flows against the APT attack rule matching library are shown in the table below:
According to the attack rules matched in that table, the attack process can be restored; the detected APT attack process is shown in Fig. 9, where the abscissa indicates each stage of the attack chain and the ordinate indicates the time at which the attack traffic of each stage starts.
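The real-time matching described in Embodiment 1 (records kept for flows that match a rule's first stage, confirmation when the next-stage flow with the right IP relation arrives, deletion of the record when the flow is blocked) and the attack process restoration of this embodiment, as one added example that is not part of the patent. The flows A to G are those of the table above; the rule base and the stage mapping are assumptions, since the matching table is not reproduced on the page: the rules marked "assumed" are not given in the patent text, the others restate the worked cases of Embodiment 2.

```python
"""Step S6 and Embodiment 3 as a worked example (added here; not the patent's code).
The detector keeps a record for every flow that matches the first stage of an
attack rule, confirms a later flow as APT traffic when it completes the rule
with the required IP relation, drops the record when the flow was blocked,
and restores the attack process as a stage timeline. RULE_BASE and STAGE are
assumptions; the flows are the ones in the Embodiment 3 table."""

RULE_BASE = [
    {"relation": "same_src_and_dst", "first": "port_scan", "next": "send_mail"},
    {"relation": "same_dst", "first": "port_scan", "next": "brute_force"},
    {"relation": "same_dst", "first": "brute_force", "next": "remote_login"},       # assumed
    {"relation": "same_dst", "first": "remote_login", "next": "remote_control"},    # assumed
    {"relation": "dst_is_next_src", "first": "remote_control", "next": "establish_connection"},
    {"relation": "dst_is_next_src", "first": "establish_connection", "next": "send_mail"},
    {"relation": "dst_is_next_src", "first": "establish_connection", "next": "file_transfer"},  # assumed
]
# Attack chain stage per application type (assumed mapping, following the stages named in Embodiment 2).
STAGE = {"port_scan": "reconnaissance", "brute_force": "delivery", "send_mail": "delivery",
         "remote_login": "delivery", "remote_control": "installation",
         "establish_connection": "establish access", "file_transfer": "execution"}


def embodiment3_flows():
    """Flows A to G from the Embodiment 3 table, already classified."""
    rows = [("A", 201707190800, "106.120.206.219", "192.168.5.100", "port_scan"),
            ("B", 201707192200, "106.120.206.200", "192.168.5.100", "brute_force"),
            ("C", 201707192300, "106.120.206.111", "192.168.5.100", "remote_login"),
            ("D", 201707230800, "106.120.206.100", "192.168.5.100", "remote_control"),
            ("E", 201707241200, "192.168.5.100", "192.168.5.1", "establish_connection"),
            ("F", 201708021400, "192.168.5.1", "192.168.5.80", "file_transfer"),
            ("G", 201708031300, "192.168.5.1", "192.168.5.88", "file_transfer")]
    return [dict(zip(("name", "ts", "src", "dst", "app"), r)) for r in rows]


def relation(a, b):
    """Which merge case relates the recorded flow a to the new flow b, if any."""
    if a["src"] == b["src"] and a["dst"] == b["dst"]:
        return "same_src_and_dst"
    if a["dst"] == b["dst"]:
        return "same_dst"
    if a["dst"] == b["src"]:
        return "dst_is_next_src"
    return None


class RealTimeDetector:
    def __init__(self, rules):
        self.rules = rules
        self.pending = []      # (flow, rule) records waiting for the next-stage flow
        self.alerts = []       # (earlier name, later name, rule): confirmed APT flow pairs
        self.unmatched = []    # flows matching no rule, left to the traditional IDS

    def observe(self, f, blocked=False):
        """Process one classified flow; returns the (earlier, later) pairs it completed."""
        completed = [(rec_flow["name"], f["name"], rule) for rec_flow, rule in self.pending
                     if f["app"] == rule["next"] and relation(rec_flow, f) == rule["relation"]]
        self.alerts.extend(completed)
        opened = [] if blocked else [rule for rule in self.rules if rule["first"] == f["app"]]
        self.pending.extend((f, rule) for rule in opened)   # records are never aged out
        if not completed and not opened:
            self.unmatched.append(f["name"])
        return [(p, n) for p, n, _ in completed]

    def restore_attack_process(self, flows):
        """Fig. 9 style view: every flow in a confirmed pair, ordered by time, with its stage."""
        names = {n for pair in self.alerts for n in pair[:2]}
        involved = sorted((f for f in flows if f["name"] in names), key=lambda f: f["ts"])
        return [(f["name"], STAGE[f["app"]], f["ts"]) for f in involved]


if __name__ == "__main__":
    flows = embodiment3_flows()
    det = RealTimeDetector(RULE_BASE)
    for f in flows:
        det.observe(f)
    for name, stage, ts in det.restore_attack_process(flows):
        print(name, stage, ts)
```

Fed flows A to G in order, the detector confirms the pairs A-B, B-C, C-D, D-E, E-F and E-G and rebuilds the timeline reconnaissance, delivery, delivery, installation, establish access, execution, execution; G is caught because E's record is still waiting when the second file transfer arrives. Marking flow B as blocked removes only B's own record, so B-C is no longer reported while C's later record still links C to D. A deployment would also need a retention policy for the pending records, which the patent leaves open by keeping them indefinitely.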
Obviously, the above embodiments of the present invention are only examples given to clearly illustrate the present invention and are not a limitation of its embodiments. For those of ordinary skill in the art, other variations or changes in different forms may be made on the basis of the above description. It is neither necessary nor possible to exhaust all embodiments. Any modifications, equivalent replacements and improvements made within the spirit and principle of the present invention shall be included within the protection scope of the claims of the present invention.

Claims (7)

1. An APT intrusion detection method based on attack-chain attack-rule mining, characterised in that it comprises the following steps:
S1. pre-process the sample data;
S2. classify the sample data with a classification algorithm and identify the application type of the sample data;
S3. merge the classified data and treat the merged data as the transactions processed by the association-rule algorithm;
S4. mine attack rules from the merged data with an association-rule algorithm and establish an attack rule base;
S5. analyze the attack rules and establish a corresponding solution set;
S6. deploy the attack rule base and the solution set in an intrusion detection system for real-time monitoring of attacks.
2. The APT intrusion detection method based on attack-chain attack-rule mining according to claim 1, characterised in that the specific steps of step S1 are as follows:
S11. collect the sample information of the abnormal traffic identified by the alarm equipment in the network;
S12. remove erroneous and redundant traffic data from the sample information;
S13. standardize the data format;
S14. store the processed data in a database.
3. The APT intrusion detection method based on attack-chain attack-rule mining according to claim 1, characterised in that the specific steps of step S2 are as follows:
S21. classify the standardized traffic data using the decision tree C4.5 algorithm;
S22. establish a classifier and identify the application type;
S23. test the performance of the classifier; if the classifier performance is poor, repeat steps S21 to S23 to improve the classifier performance.
4. The APT intrusion detection method based on attack-chain attack-rule mining according to claim 1, characterised in that step S3 is specifically as follows:
the classified data are merged according to IP address, and the merged data are stored in a database; there are three kinds of merging:
(1) traffic data with identical destination address and identical source address;
(2) traffic data with identical destination address;
(3) traffic data in which the source address of one flow is identical to the destination address of another flow.
5. The APT intrusion detection method based on attack-chain attack-rule mining according to claim 1, characterised in that step S4 is specifically as follows:
the merged data are used as the transactions processed by the association-rule algorithm; the Apriori algorithm mines APT attack rules from the merged data, and an attack rule base is established for use by the real-time online intrusion detection system.
6. The APT intrusion detection method based on attack-chain attack-rule mining according to claim 1, characterised in that step S5 is specifically as follows:
based on step S4, the attack rules are analyzed according to the following aspects:
(1) the attack chain stage that each attack rule involves, judged from expert knowledge and historical experience;
(2) the extent of the damage of the attack, analyzed from the features of each attack chain stage;
(3) the measures the attacker took in the preceding stage and the next attack step, and tracing of the attack source;
based on the above analysis, a solution is provided for every attack rule and a solution set is established for use by the real-time online detection system.
7. The APT intrusion detection method based on attack-chain attack-rule mining according to claim 1, characterised in that step S6 is specifically as follows:
the attack rule base and the solution set are deployed in the real-time online network intrusion detection system to monitor APT attacks in real time; if the attack rule base fails to match suspicious attack traffic, the suspicious attack traffic is collected and the method returns to step S1 to continue mining attack rules, guaranteeing that the attack rule base is updated periodically.
Application CN201711385025.8A, priority date 2017-12-20, filing date 2017-12-20: An APT intrusion detection method based on attack-chain attack-rule mining. Status: pending. Published as CN109951419A (en) on 2019-06-28. Family ID: 67004140. Country status: CN, CN109951419A (en).

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753946A (en) * 2015-04-01 2015-07-01 浪潮电子信息产业股份有限公司 Security analysis framework based on network traffic meta data
CN106452955A (en) * 2016-09-29 2017-02-22 北京赛博兴安科技有限公司 Abnormal network connection detection method and system
CN106778253A (en) * 2016-11-24 2017-05-31 国家电网公司 Threat context aware information security Initiative Defense model based on big data
CN107172022A (en) * 2017-05-03 2017-09-15 成都国腾实业集团有限公司 APT threat detection method and system based on intrusion feature
CN107248975A (en) * 2017-05-03 2017-10-13 成都国腾实业集团有限公司 System of defense is monitored based on the APT that big data is analyzed
CN107248976A (en) * 2017-05-03 2017-10-13 成都国腾实业集团有限公司 The APT monitoring defence platforms analyzed based on big data
CN107426159A (en) * 2017-05-03 2017-12-01 成都国腾实业集团有限公司 APT based on big data analysis monitors defence method
US9843596B1 (en) * 2007-11-02 2017-12-12 ThetaRay Ltd. Anomaly detection in dynamically evolving data and systems

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
WANG JIA: "Study on Network Information Security Based on Big Data", 2017 9th International Conference on Measuring Technology and Mechatronics Automation (ICMTMA) *
刘怡文 et al.: "Research on APT security detection architecture and key technologies", 安防技术 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110602042A (en) * 2019-08-07 2019-12-20 中国人民解放军战略支援部队信息工程大学 APT attack behavior analysis and detection method and device based on cascade attack chain model
CN110830519A (en) * 2020-01-08 2020-02-21 浙江乾冠信息安全研究院有限公司 Attack tracing method and device, electronic equipment and storage medium
CN111756762A (en) * 2020-06-29 2020-10-09 北京百度网讯科技有限公司 Vehicle safety analysis method and device, electronic equipment and storage medium
CN112187720A (en) * 2020-09-01 2021-01-05 杭州安恒信息技术股份有限公司 Method and device for generating secondary attack chain, electronic device and storage medium
CN112187720B (en) * 2020-09-01 2022-11-15 杭州安恒信息技术股份有限公司 Method and device for generating secondary attack chain, electronic device and storage medium
CN112738115A (en) * 2020-12-31 2021-04-30 北京天融信网络安全技术有限公司 Advanced persistent attack detection method, apparatus, computer device and medium
CN113612779A (en) * 2021-08-05 2021-11-05 杭州中尔网络科技有限公司 Advanced sustainable attack behavior detection method based on flow information
CN114124587A (en) * 2022-01-29 2022-03-01 北京安帝科技有限公司 Attack chain processing method and system and electronic equipment
CN115051870A (en) * 2022-06-30 2022-09-13 浙江网安信创电子技术有限公司 Method for detecting unknown network attack based on causal discovery
CN115051870B (en) * 2022-06-30 2024-02-06 浙江网安信创电子技术有限公司 Method for detecting unknown network attack based on causal discovery

Similar Documents

Publication Publication Date Title
CN109951419A (en) A kind of APT intrusion detection method based on attack chain attack rule digging
CN106027559B (en) Large scale network scanning detection method based on network session statistical nature
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
CN105264861B (en) Method and apparatus for detecting multistage event
KR100800370B1 (en) Network attack signature generation
CN103368979B (en) Network security verifying device based on improved K-means algorithm
Saxena et al. General study of intrusion detection system and survey of agent based intrusion detection system
CN105915532B (en) A kind of recognition methods of host of falling and device
Jalili et al. Detection of distributed denial of service attacks using statistical pre-processor and unsupervised neural networks
CN106411562A (en) Electric power information network safety linkage defense method and system
CN113691566B (en) Mail server secret stealing detection method based on space mapping and network flow statistics
CN106973047A (en) A kind of anomalous traffic detection method and device
CN106302450A (en) A kind of based on the malice detection method of address and device in DDOS attack
CN110460611B (en) Machine learning-based full-flow attack detection technology
CN111555988A (en) Big data-based network asset mapping and discovering method and device
CN102130920A (en) Botnet discovery method and system thereof
Labib et al. Detecting and visualizing denial-of-service and network probe attacks using principal component analysis
Ibrahim et al. Performance comparison of intrusion detection system using three different machine learning algorithms
Sukhwani et al. A survey of anomaly detection techniques and hidden Markov model
CN106973051A (en) Set up method, device, storage medium and the processor of detection Cyberthreat model
CN108040075B (en) APT attack detection system
Kumar et al. Intrusion detection system-false positive alert reduction technique
Abouabdalla et al. False positive reduction in intrusion detection system: A survey
Song et al. A comprehensive approach to detect unknown attacks via intrusion detection alerts
Phutane et al. A survey of intrusion detection system using different data mining techniques

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20190628)