CN112383573A - Security intrusion playback equipment based on multiple attack stages - Google Patents

Info

Publication number: CN112383573A (granted version: CN112383573B)
Authority: CN (China)
Application number: CN202110059354.3A
Original language: Chinese (zh)
Inventor: 凌飞 (Ling Fei)
Current assignee: Nanjing Liancheng Technology Development Co., Ltd.
Original assignee: Nanjing Liancheng Technology Development Co., Ltd.
Legal status: granted, active
Prior art keywords: stage, phase, fields, attack, aggregation field

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Abstract

The invention discloses a security intrusion playback device based on multiple attack phases. The device is applied to the intrusion detection service that a security operations and maintenance service provider delivers for an enterprise network, where the enterprise network comprises a firewall, an IDS (intrusion detection system), endpoint operating systems, a domain controller, anti-malware scanning, a mail server, a Web server and a database server. The process by which an intruder compromises the enterprise network is divided into a reconnaissance phase, a delivery phase, an installation phase, a privilege elevation phase, a horizontal expansion (lateral movement) phase, an attack object phase (actions against the target) and a withdrawal (exfiltration) phase. Alarms are aggregated and correlated on the aggregation field provided by each phase to generate new alarms, discover the intrusion path and replay the security intrusion.

Description

Security intrusion playback equipment based on multiple attack stages
Technical Field
The invention relates to the technical field of computer network defense, in particular to a security intrusion playback device based on multiple attack stages.
Background
Today's information networks face increasingly complex and persistent threats, and new attack tools and exploitable vulnerabilities tend to outpace advances in intrusion detection systems. Current intrusion detection systems generate too many alarms, each carrying too little information for security operations personnel to localize the problem and perform root-cause analysis. As a result, most alarms are ignored, leaving security gaps that could have been closed. SIEM (Security Information and Event Management) software is a recent trend that aims to reduce alarm volume and improve alarm content by correlating data from multiple sensors. So far, however, the shortcomings of SIEM products have limited their promise of improving intrusion detection.
The goal of any network security monitoring solution is a timely, accurate and actionable threat alert; such alerts are treated as an axiom of the mature security organization. Unfortunately, security alarms often produce false positives and false negatives because of where sensors sit in the network, limits on the ability to apply advanced rule logic, or the inability to represent complex organizational data hierarchies (e.g., user accounts, critical computing resources, enterprise network risk levels and operating hours). Furthermore, an individual security device may itself be compromised by a sophisticated attacker, undermining the integrity of the data it provides. These limitations produce either a flood of alarms for security operations personnel or a lack of alarms caused by overly aggressive alarm suppression and compression.
Recently, security event correlation software has come to market that aggregates data from different sensor sources so that all network data can be analyzed as a whole from a single centralized point. Analysis of this data may reveal patterns of activity that allow individuals or threat groups to be fingerprinted from clues distributed across the sensor network. In the context of an attack ontology based on multiple attack phases, custom algorithms designed to analyze this data can add real value to threat detection and prevention.
In addition, chatty data sources (e.g., firewall logs) increasingly outnumber more authoritative data sources (e.g., endpoint operating system logs). Observation of personnel in the SOC (Security Operations Center) of a security operations and maintenance service provider shows that most security alarms are ignored. Many security experts consider it impractical to clear every alarm, which makes some form of automated attack attribution (attack origination, or attack replay) necessary. Unfortunately, merely collecting data from sensors neither improves the detection rate much nor reduces the false-alarm rate.
Without an active alert engine that properly filters, classifies and escalates security events, identifying significant security events in log data and remediating them in time is difficult. To achieve timely, accurate and actionable alarms, security data must be normalized to a standard ontology framework, analyzed in the context of known attacker methodologies, and allowed to dynamically escalate suspicion as threat activity progresses through the network.
The advanced correlation software in a SIEM system is intended to alert on potential security events in real time and to support the investigation and data retrieval related to those events. Because of the alarm volume and the high false-alarm rate, analysis of raw sensor data overwhelms security operations personnel. Some studies have shown that in a SOC environment only 29% of alarms are actually examined by personnel, and of those an average of 40% are judged to be false alarms. Programmatic analysis can reduce the false-alarm rate and raise the analyst's work to a higher plane of analysis through a unified GUI (Graphical User Interface). This in turn allows a shared pool of security operations personnel to be established, which improves process efficiency and reduces the mean time to triage and respond to network security events.
However, the software solutions currently available for data normalization and threat behavior modeling in security operations platforms and SIEM products are limited: they provide only a framework for specifying different data sources and performing logical comparisons on the metadata they contain.
Disclosure of Invention
The invention aims to provide a security intrusion playback device based on a plurality of attack phases aiming at the defects of the prior art.
To achieve the above object, the present invention provides a security intrusion playback device based on multiple attack phases, applied in the intrusion detection service that a security operations and maintenance service provider delivers for an enterprise network. The process by which an intruder compromises the enterprise network is divided into a reconnaissance phase, a delivery phase, an installation phase, a privilege elevation phase, a horizontal expansion (lateral movement) phase, an attack object phase and a withdrawal (exfiltration) phase. The device comprises:
a data acquisition module comprising a plurality of protocol agents, a scheduler (dispatcher) and a plurality of application agents, wherein the protocol agents acquire raw log messages from the enterprise network and send them to the scheduler; the scheduler determines the type of protocol agent that sent each raw log message and forwards the message to the corresponding application agent; and the application agents receive the raw log messages forwarded by the scheduler, parse them into formatted messages with standard fields, and send the formatted messages to a database;
a database in which database tables are created to store the formatted messages of each phase, namely, in order, a reconnaissance table, a delivery table, an installation table, a privilege elevation table, a horizontal expansion table, an attack object table and a withdrawal table, wherein the reconnaissance table comprises at least the 4 fields source IP, source port, target IP and target port of the reconnaissance phase; the delivery table comprises at least the 4 fields source IP, source port, target IP and target port of the delivery phase; the installation table comprises at least the 2 fields computer name and file name of the installation phase; the privilege elevation table comprises at least the 4 fields user account, computer name, IP address and directory security modification of the privilege elevation phase; the horizontal expansion table comprises at least the 4 fields user account, computer name, IP address and directory authentication of the horizontal expansion phase; the attack object table comprises at least the 7 fields user account, computer name, IP address, folder access, folder path, modification type and permission of the attack object phase; and the withdrawal table comprises at least the 5 fields source IP, source port, target IP, target port and transmitted Mb of the withdrawal phase;
and a security intrusion playback module that retrieves the formatted messages of each phase stored in the database tables, derives from them, in order, the reconnaissance event, delivery event, installation event, privilege elevation event, horizontal expansion event, attack object event and withdrawal event generated by the intruder's attack, and aggregates and correlates the events through the aggregation fields in event order, thereby replaying the security intrusion.
Further, the aggregation fields comprise a reconnaissance phase aggregation field, a delivery phase aggregation field, an installation phase aggregation field, a privilege elevation phase aggregation field, a horizontal expansion phase aggregation field, an attack object phase aggregation field and a withdrawal phase aggregation field, wherein:
the reconnaissance phase aggregation field comprises the source IP of the reconnaissance phase;
the delivery phase aggregation field comprises the target IP of the delivery phase;
the installation phase aggregation field comprises the computer name of the installation phase;
the privilege elevation phase aggregation field comprises the account name of the privilege elevation phase;
the horizontal expansion phase aggregation field comprises the login name (user account) of the horizontal expansion phase;
the attack object phase aggregation field comprises the computer name of the attack object phase;
the withdrawal phase aggregation field comprises the target IP of the withdrawal phase.
Further, the protocol agents comprise syslog, SNMP, SMTP and HTTP/XML agents.
Further, the application agents comprise Windows, Linux, Apache, IIS, Oracle, Firewall, Router, ISS, IDS and WMI agents.
Further, the enterprise network comprises a firewall, an IDS, endpoint operating systems, a domain controller, anti-malware scanning, a mail server, a Web server and a database server.
Advantages: the invention divides the process by which an intruder compromises the enterprise network into a reconnaissance phase, a delivery phase, an installation phase, a privilege elevation phase, a horizontal expansion phase, an attack object phase and a withdrawal phase, performs alarm aggregation and correlation on the aggregation field provided by each phase, generates new alarms, discovers the intrusion path and replays the security intrusion.
Drawings
FIG. 1 is a schematic diagram of event aggregation and event correlation;
FIG. 2 is a schematic diagram of 7 stages and related data sources;
FIG. 3 is a schematic diagram of data acquisition and event classification storage;
FIG. 4 is a schematic illustration of event classification;
FIG. 5 is a schematic diagram of a data acquisition process.
Detailed Description
The present invention will be further illustrated with reference to the accompanying drawings and specific examples, which are carried out on the premise of the technical solution of the present invention, and it should be understood that these examples are only for illustrating the present invention and are not intended to limit the scope of the present invention.
As shown in FIG. 1 to FIG. 5, the embodiment of the present invention provides a security intrusion playback device based on multiple attack phases, applied in the intrusion detection service that a security operations and maintenance service provider delivers for an enterprise network, where the enterprise network comprises a firewall, an IDS, endpoint operating systems, a domain controller, anti-malware scanning, a mail server, a Web server and a database server. The process by which an intruder compromises the enterprise network is divided into a reconnaissance phase, a delivery phase, an installation phase, a privilege elevation phase, a horizontal expansion (lateral movement) phase, an attack object phase and a withdrawal (exfiltration) phase.
The seven phases are defined as follows. The reconnaissance phase is the beginning of the intrusion. The delivery phase is when the intruder begins distributing intrusion tools to the target machine. The installation phase covers events related to system changes, software installation or status information. The privilege elevation phase is when the local privileges of the intruder's user account are raised. The horizontal expansion phase is when the intruder's user account gains broader network access within the enterprise network. The attack object phase is when illegal operations and damage are carried out on the target. The withdrawal phase covers the transmission of stolen data out of the enterprise network and other events related to the intruder's escape.
These 7 phases cover the entire process of an intrusion into an enterprise network for which the security operations and maintenance service provider delivers the security operations service. The enterprise network comprises a firewall, an IDS, endpoint operating systems, a domain controller, anti-malware scanning, a mail server, a Web server and a database server. In each of the 7 phases, log data from the relevant devices is collected according to the task objective of the phase, event correlation analysis is performed, and alarms are generated. The data acquisition module in every phase supports transport protocols such as syslog, SNMP, SMTP and HTTP/XML and acquires data from heterogeneous sources.
The security intrusion playback device of the embodiment comprises a data acquisition module, a database and a security intrusion playback module.
As shown in FIG. 3, the data acquisition module comprises a plurality of protocol agents, a scheduler (dispatcher) and a plurality of application agents. The protocol agents collect information from the sensors, and the application agents parse that information for storage in a "pseudo-standard" format. The two sets of agents are connected by the scheduler. This architecture allows a plug-and-play implementation, with high availability and load balancing possible at any layer of the architecture.
Specifically, the protocol agents comprise syslog, SNMP, SMTP and HTTP/XML agents. A protocol agent acquires raw log messages of one specific transport protocol (syslog, SNMP, etc.) from the enterprise network and sends them to the dispatcher; the protocol agents are server-side programs whose sole purpose is to listen for incoming connections from sensors and hand the collected data to the dispatcher. The simplicity of these protocol agents makes them easy to implement and maintain.
The raw-format store is typically a simple file, although direct transfer to the scheduler via named pipes, sockets or shared memory gives better performance. From a security perspective, the most important requirement is to protect the integrity of the data collected by the agents, so the data is encapsulated in a secure tunnel between agent and collector. Note that this protects the data in transit only; as the background section observes, a sensor that has itself been compromised can still supply false data.
The dispatcher determines which type of protocol agent sent each raw log message and forwards the message to the corresponding application agent. Once a distinguishing pattern has been found for each possible source type of collected data, implementation is relatively simple. The dispatcher performs the following autonomous operations:
1. Listen on the incoming channels from the protocol agents, such as sockets, named pipes or System V message queues.
2. Match each raw message against a pattern database, which should be preloaded into memory for performance.
3. Send the raw message to the matching application agent through any suitable output channel.
The application agents comprise Windows, Linux, Apache, IIS, Oracle, Firewall, Router, ISS, IDS and WMI agents. An application agent receives the raw log messages forwarded by the dispatcher, parses each into a formatted message with standard fields so that it matches the generic model of the database, and sends the formatted message to the database. The application agent performs the following autonomous operations:
1. Listen on the incoming channels from the scheduler, such as sockets, named pipes or System V message queues.
2. Parse the raw message into the standard fields.
3. Transmit the formatted message, parsed into standard fields, to the database.
Processing these messages requires a "standard" format for data that is generated by different types of devices and transmitted over different transport protocols. Although IDMEF (Intrusion Detection Message Exchange Format) attempts to define a global standard, its XML-based transport appears too heavy and resource-consuming, particularly for event correlation; where IDMEF compliance is required, a separate conversion step must be implemented. The database structure of the present application is shown in FIG. 3.
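The following is an added worked example of the data acquisition pipeline described above (protocol agent, dispatcher with a preloaded pattern table, application agents emitting standard fields). It is example code written for this page, not code from the patent or its assignee; the syslog line formats, the pattern table, the standard field names and the sample messages are all constructed assumptions, and the network transport and secure tunnel are replaced by an in-memory list so that it runs offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample messages (not real captures). In the device they would reach a
# syslog protocol agent over a secure tunnel; here an in-memory list stands in.
RAW_SYSLOG = [
    "<134>Jan 15 10:02:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44512 DPT=22",
    "<134>Jan 15 10:02:13 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44513 DPT=445",
    "<13>Jan 15 10:05:40 dc01 Microsoft-Windows-Security-Auditing: EventID=4728 Account=jdoe Computer=dc01 Group=Domain Admins",
    "<13>Jan 15 10:05:41 dc01 unknown-app: no pattern matches this message",
]

SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")

# Dispatcher pattern table (assumed), preloaded in memory: regex -> application agent.
# First match wins, so the more specific patterns come first.
PATTERN_TABLE = [
    (re.compile(r"Microsoft-Windows-Security-Auditing: EventID=\d+"), "windows"),
    (re.compile(r"\bSRC=\S+ DST=\S+ PROTO=\S+ SPT=\d+ DPT=\d+"), "firewall"),
]

# Application agents (assumed formats): a body regex whose named groups are the
# standard fields, plus the set of fields to store as integers.
APPLICATION_AGENTS = {
    "firewall": (re.compile(
        r"SRC=(?P<source_ip>[\d.]+) DST=(?P<target_ip>[\d.]+) PROTO=(?P<protocol>\w+) "
        r"SPT=(?P<source_port>\d+) DPT=(?P<target_port>\d+)"),
        {"source_port", "target_port"}),
    "windows": (re.compile(
        r"EventID=(?P<event_id>\d+) Account=(?P<user_account>\S+) "
        r"Computer=(?P<computer_name>\S+)(?: Group=(?P<group>.+))?$"),
        {"event_id"}),
}


def protocol_agent(raw_lines: List[str]) -> List[str]:
    """Syslog protocol agent: hands raw messages on unchanged (no parsing here)."""
    return list(raw_lines)


def dispatch(raw: str) -> Optional[str]:
    """Dispatcher: name the application agent for a raw message, or None."""
    for pattern, agent in PATTERN_TABLE:
        if pattern.search(raw):
            return agent
    return None


def application_agent(agent: str, raw: str) -> Dict[str, object]:
    """Parse one raw syslog line into a formatted message with standard fields."""
    hdr = SYSLOG_HEADER.match(raw)
    if hdr is None:
        raise ValueError("not a syslog message: %r" % raw[:40])
    body_re, int_fields = APPLICATION_AGENTS[agent]
    m = body_re.search(hdr.group("body"))
    if m is None:
        raise ValueError("%s agent cannot parse: %r" % (agent, raw[:40]))
    msg: Dict[str, object] = {
        "source_type": agent,
        "timestamp": hdr.group("timestamp"),
        "sensor": hdr.group("host"),
    }
    for name, value in m.groupdict().items():
        msg[name] = int(value) if name in int_fields else value
    return msg


def collect(raw_lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """protocol agent -> dispatcher -> application agent over a batch of lines.

    Returns (formatted messages for the database, lines that could not be
    routed or parsed). Those lines are kept rather than dropped: a message with
    no matching pattern is itself something an analyst should see.
    """
    formatted: List[Dict[str, object]] = []
    unparsed: List[str] = []
    for raw in protocol_agent(raw_lines):
        agent = dispatch(raw)
        if agent is None:
            unparsed.append(raw)
            continue
        try:
            formatted.append(application_agent(agent, raw))
        except ValueError:
            unparsed.append(raw)
    return formatted, unparsed


if __name__ == "__main__":
    msgs, leftovers = collect(RAW_SYSLOG)
    for m in msgs:
        print(m)
    print("unparsed:", leftovers)
```

The dispatcher never parses the message body itself; it only classifies, which is what keeps it cheap enough to sit in front of every application agent. Lines that match no pattern are returned separately rather than discarded, since silently dropping unknown sources is one way the "lack of alarms" problem from the background section arises.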
Database tables for storing the formatted messages of each phase are created in the database, as shown in FIG. 3; the data store also supports a distributed architecture, the creation of an index server, and so on. Data acquisition and storage for the 7 phases are as follows:
1. Reconnaissance phase: firewall logs and IDS logs are collected. The relevant protocol agents of the data acquisition module receive the firewall and IDS logs and forward them through the scheduler to the relevant application agents, which send the parsed messages to the reconnaissance table in the database for storage. The "source IP" of the firewall and IDS logs is the origin of the intrusion. The reconnaissance phase contains events related to scanning and other techniques for identifying network resources, and the reconnaissance table comprises at least the 4 fields source IP, source port, target IP and target port of the reconnaissance phase.
2. Delivery phase: IDS logs, domain controller logs and endpoint operating system logs are collected. The relevant protocol agents receive them and forward them through the scheduler to the relevant application agents, which send the parsed messages to the delivery table in the database. The delivery phase is when intrusion tools begin to be distributed to the target machine; the "target IP" of the log is the machine receiving the intrusion tool. The delivery phase contains the events related to the illegal distribution of intrusion tools into the enterprise network, and the delivery table comprises at least the 4 fields source IP, source port, target IP and target port of the delivery phase.
3. Installation phase: domain controller logs, endpoint operating system logs and anti-malware scanning logs are collected. The relevant protocol agents receive them and forward them through the scheduler to the relevant application agents, which send the parsed messages to the installation table in the database. The installation phase contains events related to system changes, software installation or status messages. Installation-phase logs are keyed on the computer name of the machine and contain various kinds of metadata, from network data (IP and MAC addresses) to user information (account name, privilege level, security group). The installation table comprises at least the 2 fields computer name and file name of the installation phase.
4. Privilege elevation phase: domain controller logs and endpoint operating system logs are collected. The relevant protocol agents receive them and forward them through the scheduler to the relevant application agents, which send the parsed messages to the privilege elevation table in the database. The privilege elevation phase is the raising of the local privileges of the intruder's user account. Privilege-elevation logs are keyed on the user account; the phase contains events related to authentication, sessions and the monitoring of user access control on the network. The privilege elevation table comprises at least the 4 fields user account, computer name, IP address and directory security (group) modification of the privilege elevation phase.
5. Horizontal expansion phase: IDS logs, domain controller logs and endpoint operating system logs are collected. The relevant protocol agents receive them and forward them through the scheduler to the relevant application agents, which send the parsed messages to the horizontal expansion table in the database. The horizontal expansion phase is when the intruder's user account gains broader network access within the enterprise network. Its logs are keyed on the user account; the phase contains events that monitor authentication and access control across the enterprise network. The horizontal expansion table comprises at least the 4 fields user account, computer name, IP address and directory authentication of the horizontal expansion phase.
6. Attack object phase: IDS logs, domain controller logs, endpoint operating system logs, mail server logs, Web server logs and database server logs are collected. The relevant protocol agents receive them and forward them through the scheduler to the relevant application agents, which send the parsed messages to the attack object table in the database. The attack object phase is when illegal operations and damage are carried out on the target. Its logs are keyed on the computer name of the machine; the phase contains communication or access attack events. The attack object table comprises at least the 7 fields user account, computer name, IP address, folder access, folder path, modification type and permission of the attack object phase.
7. Withdrawal phase: firewall logs and IDS logs are collected. The relevant protocol agents receive them and forward them through the scheduler to the relevant application agents, which send the parsed messages to the withdrawal table in the database. The withdrawal phase contains the transmission of stolen data out of the enterprise network and other events related to the intruder's escape. Its logs are keyed on the target IP of the withdrawal phase, and the withdrawal table comprises at least the 5 fields source IP, source port, target IP, target port and transmitted Mb of the withdrawal phase.
It should be noted that, because the reconnaissance, delivery, installation, privilege elevation, horizontal expansion, attack object and withdrawal phases are divided in the order of the intrusion process, the target IP and target port of the reconnaissance phase are in fact the source IP and source port of the delivery phase. Likewise, the target IP and target port of the delivery phase are the computer IP and port of the installation phase, and so on.
The security intrusion playback module retrieves the formatted messages of each phase stored in the database tables, derives from them, in order, the reconnaissance event, delivery event, installation event, privilege elevation event, horizontal expansion event, attack object event and withdrawal event generated by the intruder's attack, and aggregates and correlates the events through the aggregation fields in event order, thereby replaying the security intrusion.
Post-hoc analysis of known security incidents has shown that specific metadata fields must be used in each phase in order to correlate across log sources and produce an accurate description of the suspicious malicious activity. This observation shaped the new model of the present application, in which each phase has a natural "aggregation" metadata field, namely the aggregation field described above.
Specifically, as shown in FIG. 1, the "reconnaissance" phase aligns naturally with the network data of the source machine (i.e., the source IP address), whereas "delivery" aligns naturally with the network data of the destination machine (i.e., the target IP address). These fields (source IP and target IP) are normalized by the SIEM during log ingestion. Later phases such as "installation" may carry various kinds of metadata, from network data (IP and MAC addresses) to user information (account name, privilege level, security group). The phases are therefore separated according to which metadata fields are most relevant to detecting and describing the activity within them, not according to where the detection occurred.
A single data source or event may bear on several phases, for example "installation" and "privilege elevation" events, both of which can be observed in the endpoint operating system log. Knowing that "installation" logs are device-based (aggregated on computer name or another computer identifier) while "privilege elevation" events are account-based (aggregated on account name or user name) shows how best to combine the data within each phase.
Ideally, different metadata from many data sources could be combined automatically by the SIEM using these natural metadata fields. The present application was designed from the outset to include, for each phase, the metadata fields needed to perform automatic event combination. FIG. 1 depicts the natural metadata fields that help aggregate logs or events from different sources within the same phase. The relational-database approach is motivated by the fact that SIEMs perform correlation with SQL queries; phase tagging may, however, also prove useful to systems that do not use SQL.
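The following is an added worked example (written for this page, not code from the patent or its assignee) of the relational approach just described: the seven phase tables with the fields listed above are created in SQLite, populated with constructed sample rows, and a single SQL query chains the phases through their aggregation fields to replay the intrusion path. The `ts` ordering column, the extra `ip_address` column on the installation table, the choice of which column of one phase matches which column of the next, and the sample rows are all assumptions of this example; the page itself states the hand-off between phases only in outline.

```python
import sqlite3
from typing import Dict, List

# Phase tables with the fields listed above. The "at least" wording permits two
# extra columns used here: ts, an assumed event time for ordering phases, and
# ip_address on installation (installation-phase logs carry the IP address).
SCHEMA = """
CREATE TABLE reconnaissance (ts INTEGER, source_ip TEXT, source_port INTEGER, target_ip TEXT, target_port INTEGER);
CREATE TABLE delivery (ts INTEGER, source_ip TEXT, source_port INTEGER, target_ip TEXT, target_port INTEGER);
CREATE TABLE installation (ts INTEGER, computer_name TEXT, ip_address TEXT, file_name TEXT);
CREATE TABLE privilege_elevation (ts INTEGER, user_account TEXT, computer_name TEXT, ip_address TEXT, directory_security_modification TEXT);
CREATE TABLE horizontal_expansion (ts INTEGER, user_account TEXT, computer_name TEXT, ip_address TEXT, directory_authentication TEXT);
CREATE TABLE attack_object (ts INTEGER, user_account TEXT, computer_name TEXT, ip_address TEXT, folder_access TEXT, folder_path TEXT, modification_type TEXT, permission TEXT);
CREATE TABLE withdrawal (ts INTEGER, source_ip TEXT, source_port INTEGER, target_ip TEXT, target_port INTEGER, transmitted_mb REAL);
"""

# Constructed sample rows (not real data). The third reconnaissance row and the
# second installation row are unrelated noise that the chained join must discard.
ROWS = {
    "reconnaissance": [
        (1000, "203.0.113.7", 44512, "192.0.2.10", 22),
        (1001, "203.0.113.7", 44513, "192.0.2.10", 445),
        (1002, "198.51.100.9", 5000, "192.0.2.20", 80),
    ],
    "delivery": [(1100, "203.0.113.7", 44600, "192.0.2.10", 445)],
    "installation": [
        (1200, "WS-FIN-07", "192.0.2.10", r"C:\Users\Public\svc_update.exe"),
        (1201, "WS-HR-02", "192.0.2.30", r"C:\Program Files\Vendor\setup.msi"),
    ],
    "privilege_elevation": [(1300, "jdoe", "WS-FIN-07", "192.0.2.10", "added to group Domain Admins")],
    "horizontal_expansion": [(1400, "jdoe", "FS-01", "192.0.2.50", "Kerberos service ticket for FS-01")],
    "attack_object": [(1500, "jdoe", "FS-01", "192.0.2.50", "read", r"\\FS-01\Finance\Q4", "copy", "FullControl")],
    "withdrawal": [(1600, "192.0.2.50", 51000, "203.0.113.7", 443, 850.5)],
}

# One statement walks the seven tables in intrusion order. Reconnaissance is first
# aggregated on its aggregation field (source IP); every later join uses the
# aggregation field of the phase being joined (target IP, computer name, account,
# account, computer name, then the withdrawal source host) plus a time-ordering
# constraint. Which column matches which is an assumption of this example.
REPLAY_SQL = """
WITH recon AS (
    SELECT source_ip, target_ip, COUNT(*) AS probes, MIN(ts) AS first_ts, MAX(ts) AS last_ts
    FROM reconnaissance GROUP BY source_ip, target_ip
)
SELECT r.source_ip AS attacker_ip, r.probes, d.target_ip AS victim_ip,
       i.computer_name AS foothold, i.file_name, p.user_account,
       p.directory_security_modification, h.computer_name AS lateral_host,
       a.folder_path, a.modification_type, w.target_ip AS exfil_destination, w.transmitted_mb
FROM recon r
JOIN delivery d ON d.source_ip = r.source_ip AND d.target_ip = r.target_ip AND d.ts >= r.last_ts
JOIN installation i ON i.ip_address = d.target_ip AND i.ts >= d.ts
JOIN privilege_elevation p ON p.computer_name = i.computer_name AND p.ts >= i.ts
JOIN horizontal_expansion h ON h.user_account = p.user_account AND h.ts >= p.ts
JOIN attack_object a ON a.computer_name = h.computer_name AND a.user_account = h.user_account AND a.ts >= h.ts
JOIN withdrawal w ON w.source_ip = a.ip_address AND w.ts >= a.ts
ORDER BY r.first_ts
"""


def build_db() -> sqlite3.Connection:
    """Create the seven phase tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():  # table names come from the constant above, not user input
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany("INSERT INTO %s VALUES (%s)" % (table, placeholders), rows)
    conn.commit()
    return conn


def replay(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Return one row per reconstructed intrusion path, fields in phase order."""
    return [dict(row) for row in conn.execute(REPLAY_SQL)]


if __name__ == "__main__":
    for path in replay(build_db()):
        for name, value in path.items():
            print("%-32s %s" % (name, value))
```

The inner join is deliberately strict: an intrusion path is reported only when every phase is present and in time order, which is what suppresses the unrelated scan from 198.51.100.9 and the benign installer on WS-HR-02. In practice the gaps matter too, so a deployment would also run the same chain as outer joins (or per-phase queries) to surface partial paths such as a delivery with no observed installation.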
FIG. 2 illustrates the task objectives at each stage of the intrusion process:
1. Reconnaissance stage: the task targets are detection and enumeration; resources across the whole target enterprise network, such as databases, Web servers, mail servers and operating systems, are probed or scanned.
2. Delivery stage: the task targets are network delivery and host access; a distribution strategy is designed (for example, timed distribution), and according to that strategy the attacker distributes hacker tool software to the target enterprise network (or to a non-target enterprise network), in a manner similar to a CDN (Content Delivery Network) of the kind used by IPTV.
3. Installation stage: the task targets are host delivery and software modification; the hacker tool software is distributed to the host according to the distribution strategy and installed, and configuration parameters of the host may be modified during installation.
4. Privilege elevation stage: the task targets are privilege elevation and privilege usage.
5. Lateral expansion stage: the task targets are internal reconnaissance and lateral expansion; the privileges obtained may be extended to the entire target enterprise network.
6. Attack object stage: the task targets are data manipulation and obfuscation; the target enterprise network is accessed illegally without leaving traces.
7. Withdrawal stage: the task target is external data transmission; the hacker transmits important data of the target enterprise network to an external network.
The data acquisition module supports a distributed architecture: when the sensors in one part of the network operate under a high load, installing several data collectors on the same network segment is not excluded. At quieter sites, a single data collector may collect data from all sensors. The present application also allows different types of data collectors to be defined for a network intrusion detection system. However, beyond the purely technical aspects of these implementations, it is necessary to treat the supervision of the IT infrastructure as a complete operational project.
The aggregation fields of the present application include a reconnaissance phase aggregation field, a delivery phase aggregation field, an installation phase aggregation field, a privilege elevation phase aggregation field, a lateral expansion phase aggregation field, an attack object phase aggregation field and a withdrawal phase aggregation field. The reconnaissance phase aggregation field comprises the source IP of the reconnaissance phase; the delivery phase aggregation field comprises the target IP of the delivery phase; the installation phase aggregation field comprises the computer name of the installation phase; the privilege elevation phase aggregation field comprises the account name of the privilege elevation phase; the lateral expansion phase aggregation field comprises the log name of the lateral expansion phase; the attack object phase aggregation field comprises the computer name of the attack object phase; and the withdrawal phase aggregation field comprises the target IP of the withdrawal phase.
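As an added illustration of the per-stage aggregation fields above and of the SQL-based correlation the SIEM is said to perform, the following Python script (example code written for this page, not the patent's own implementation) builds the seven stage tables in SQLite with the columns listed in claim 1, fills them with constructed events, and replays one intrusion by aggregating each stage on its natural field. The host inventory mapping and the join keys between consecutive stages (delivery target IP to installation computer name, computer name to account, account to attack object host, attack object host IP to withdrawal source IP) are assumptions of this example; the page fixes only the aggregation field within each stage. The lateral expansion table is given an extra log_name column because the aggregation field for that stage is a log name that the claim-1 table definition does not list.

```python
"""Stage tables, aggregation fields and intrusion replay (added example, Python + sqlite3)."""
import sqlite3

# Stage order, table columns (claim 1) and per-stage aggregation field (claim 2).
# log_name on lateral_expansion is an assumption: claim 2 aggregates on it, claim 1 omits it.
STAGES = [
    ("reconnaissance", ["source_ip", "source_port", "target_ip", "target_port"], "source_ip"),
    ("delivery", ["source_ip", "source_port", "target_ip", "target_port"], "target_ip"),
    ("installation", ["computer_name", "file_name"], "computer_name"),
    ("privilege_elevation",
     ["user_account", "computer_name", "ip_address", "directory_security_modification"], "user_account"),
    ("lateral_expansion",
     ["user_account", "computer_name", "ip_address", "directory_authentication", "log_name"], "log_name"),
    ("attack_object",
     ["user_account", "computer_name", "ip_address", "folder_access", "folder_path",
      "modification_type", "permission"], "computer_name"),
    ("withdrawal", ["source_ip", "source_port", "target_ip", "target_port", "transmitted_mb"], "target_ip"),
]

# Constructed host inventory (IP -> computer name); how a delivery target IP is tied to an
# installation computer name is not specified on the page, so this mapping is an assumption.
HOST_INVENTORY = {"10.0.1.20": "WEB01", "10.0.1.30": "FILE01"}

# Join from the rows found in the previous stage to this stage:
# (field taken from previous rows, field matched in this stage, optional value mapping).
# These join keys are assumptions of the example.
LINKS = {
    "delivery": ("target_ip", "target_ip", None),
    "installation": ("target_ip", "computer_name", HOST_INVENTORY.get),
    "privilege_elevation": ("computer_name", "computer_name", None),
    "lateral_expansion": ("user_account", "user_account", None),
    "attack_object": ("user_account", "user_account", None),
    "withdrawal": ("ip_address", "source_ip", None),
}


def create_schema(conn):
    """Create one table per stage with the claim-1 columns (all TEXT for brevity)."""
    for table, cols, _ in STAGES:
        conn.execute(f"CREATE TABLE {table} ({', '.join(c + ' TEXT' for c in cols)})")


def insert_event(conn, table, **fields):
    """Store one formatted message in its stage table."""
    cols = ", ".join(fields)
    marks = ", ".join("?" for _ in fields)
    conn.execute(f"INSERT INTO {table} ({cols}) VALUES ({marks})", tuple(fields.values()))


def replay(conn, source_ip):
    """Walk the stage tables in order, starting from a reconnaissance source IP.

    Returns [(stage, {aggregation_key: event_count}), ...]; the walk stops at the first
    stage that has no events linked to the previous stage's rows (a broken chain)."""
    conn.row_factory = sqlite3.Row
    timeline, prev_rows = [], []
    for table, _, agg in STAGES:
        if table == "reconnaissance":
            where_field, keys = "source_ip", [source_ip]
        else:
            prev_field, where_field, mapping = LINKS[table]
            keys = {row[prev_field] for row in prev_rows}
            if mapping is not None:
                keys = {mapping(k) for k in keys} - {None}
            keys = sorted(keys)
        if not keys:
            break
        marks = ", ".join("?" for _ in keys)
        rows = conn.execute(f"SELECT * FROM {table} WHERE {where_field} IN ({marks})", keys).fetchall()
        if not rows:
            break
        # Aggregate on the stage's natural field, as a SIEM SQL correlation query would.
        grouped = conn.execute(
            f"SELECT {agg}, COUNT(*) FROM {table} WHERE {where_field} IN ({marks}) GROUP BY {agg}", keys
        ).fetchall()
        timeline.append((table, {r[0]: r[1] for r in grouped}))
        prev_rows = rows
    return timeline


def build_sample_db():
    """Constructed events for one intrusion plus unrelated noise (not real data)."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    for port in ("22", "80", "443"):
        insert_event(conn, "reconnaissance", source_ip="203.0.113.5", source_port="40001",
                     target_ip="10.0.1.20", target_port=port)
    insert_event(conn, "reconnaissance", source_ip="198.51.100.9", source_port="5555",
                 target_ip="10.0.1.40", target_port="445")  # noise: never followed up
    for _ in range(2):
        insert_event(conn, "delivery", source_ip="203.0.113.5", source_port="44321",
                     target_ip="10.0.1.20", target_port="80")
    insert_event(conn, "installation", computer_name="WEB01", file_name="/tmp/.x/tool.bin")
    insert_event(conn, "installation", computer_name="FILE01", file_name="updater.exe")  # unrelated
    for change in ("sudoers modified", "setuid binary added"):
        insert_event(conn, "privilege_elevation", user_account="svc_web", computer_name="WEB01",
                     ip_address="10.0.1.20", directory_security_modification=change)
    insert_event(conn, "lateral_expansion", user_account="svc_web", computer_name="FILE01",
                 ip_address="10.0.1.30", directory_authentication="kerberos", log_name="Security")
    for folder in ("\\\\FILE01\\finance", "\\\\FILE01\\hr"):
        insert_event(conn, "attack_object", user_account="svc_web", computer_name="FILE01",
                     ip_address="10.0.1.30", folder_access="read", folder_path=folder,
                     modification_type="copy", permission="full")
    insert_event(conn, "withdrawal", source_ip="10.0.1.30", source_port="50211",
                 target_ip="203.0.113.77", target_port="443", transmitted_mb="120")
    insert_event(conn, "withdrawal", source_ip="10.0.1.99", source_port="50999",
                 target_ip="198.51.100.200", target_port="443", transmitted_mb="3")  # unrelated
    conn.commit()
    return conn


if __name__ == "__main__":
    for stage, groups in replay(build_sample_db(), "203.0.113.5"):
        print(f"{stage:20s} {groups}")
```

Replaying from the scanning source 203.0.113.5 yields one aggregated group per stage (3 reconnaissance events on the source IP, 2 delivery events on the target IP, 1 installation on WEB01, 2 privilege elevations on svc_web, and so on through the withdrawal to 203.0.113.77), while the unrelated installation on FILE01 and the unrelated withdrawal from 10.0.1.99 are left out because no earlier stage links to them. Replaying from 198.51.100.9 stops after reconnaissance, which is how the chain records that a probe was never followed by delivery.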
As shown in FIG. 5, the present application monitors the security of a Linux 2.6 system running an Apache 2.0 web server. When a user attacks the web server (e.g., target identification), the attack-related events are forwarded by syslog (acting as a transport agent) to the protocol agent of the data collection module of the present application. When this agent receives the messages, it forwards them to the dispatcher, which checks their source identifiers and determines that they come from the Apache 2.0 server. The dispatcher then forwards the messages to the Apache 2.0 application agent, which parses them and normalizes them into the message format of the application. This format is particularly important for the correlation operation. All security messages from the Linux 2.6 system are forwarded by the dispatcher to the Linux 2.6 application agent, which is responsible for converting them into the message format of the application.
The data collector collects and analyzes events from the Linux 2.6 system of the Apache 2.0 server, but the messages must be in the standard format of the application.
An example of a Snort 1.8 alarm in syslog format is shown in the following rows:
[Figure: Snort 1.8 alarm in syslog format; image not reproduced in this text]
Using a regular expression in a Perl script, the scheduler of the present application performs the following operations to identify Snort 1.8.x alarms in syslog format:
[Figure: Perl regular expression used by the scheduler to identify Snort 1.8.x alarms; image not reproduced in this text]
The send_to_snort_1.8_application_agent routine of the application agent performs the following to put the Snort 1.8 alarm into the standard message format of the present application:
[Figure: send_to_snort_1.8_application_agent conversion of the alarm to the standard message format; image not reproduced in this text]
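The dispatcher and application-agent flow described in the preceding paragraphs, as an added example written for this page in Python rather than the patent's Perl (the patent's own regular expressions survive only as images): a syslog header parser identifies the producing program, the dispatcher routes each message to the agent registered for that program, and each agent normalizes its message into one common field set. The function and field names, the agent registry, and the sample syslog lines are this example's own constructions; the Snort line follows the general layout of Snort's syslog alert output but is a made-up sample, not a captured alert.

```python
"""Dispatcher and application agents for syslog-transported events (added example)."""
import re
from typing import Callable, Dict, List, Optional

# Syslog line header: "<Mon dd hh:mm:ss> <host> <program>[pid]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Snort alert as written to syslog:
# "[gid:sid:rev] name [Classification: c] [Priority: p] {proto} sip:sport -> dip:dport".
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<sip>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dip>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Apache access-log line (common log format) forwarded through syslog.
APACHE_RE = re.compile(
    r'^(?P<client>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

StandardMessage = Dict[str, object]
Agent = Callable[[Dict[str, Optional[str]]], Optional[StandardMessage]]


def snort_application_agent(hdr):
    """Parse a Snort alert into the standard field set (name and fields are this example's own)."""
    m = SNORT_RE.match(hdr["msg"])
    if m is None:
        return None
    return {
        "source": "snort", "sensor": hdr["host"], "event_time": hdr["ts"],
        "signature": f'{m["gid"]}:{m["sid"]}:{m["rev"]}', "name": m["name"],
        "classification": m["cls"], "priority": int(m["prio"]) if m["prio"] else None,
        "protocol": m["proto"],
        "source_ip": m["sip"], "source_port": int(m["sport"]) if m["sport"] else None,
        "target_ip": m["dip"], "target_port": int(m["dport"]) if m["dport"] else None,
    }


def apache_application_agent(hdr):
    """Parse an Apache access-log line into the same standard field set."""
    m = APACHE_RE.match(hdr["msg"])
    if m is None:
        return None
    return {
        "source": "apache", "sensor": hdr["host"], "event_time": hdr["ts"],
        "source_ip": m["client"], "target_ip": None,
        "request": m["request"], "status": int(m["status"]),
    }


class Dispatcher:
    """Routes each raw message to the application agent registered for the producing program."""

    def __init__(self):
        self.agents: Dict[str, Agent] = {}
        self.unrouted: List[str] = []  # lines no agent could claim; kept for triage, never dropped silently

    def register(self, program: str, agent: Agent) -> None:
        self.agents[program.lower()] = agent

    def dispatch(self, raw: str) -> Optional[StandardMessage]:
        m = SYSLOG_RE.match(raw)
        agent = self.agents.get(m["prog"].lower()) if m else None
        std = agent(m.groupdict()) if agent else None
        if std is None:
            self.unrouted.append(raw)
        return std


def normalize(lines):
    """Run raw syslog lines through the dispatcher; returns (standard messages, dispatcher)."""
    d = Dispatcher()
    d.register("snort", snort_application_agent)
    d.register("apache", apache_application_agent)
    out = [std for std in (d.dispatch(line) for line in lines) if std is not None]
    return out, d


# Constructed sample lines (not from the page; the page's own sample survives only as an image).
SAMPLE_LINES = [
    "Jan 18 10:02:11 ids01 snort[2214]: [1:1000001:1] WEB-MISC probe of login page "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 10.0.1.20:80",
    'Jan 18 10:02:12 web01 apache: 203.0.113.5 - - [18/Jan/2021:10:02:12 +0000] "GET /login HTTP/1.1" 404 213',
    "Jan 18 10:02:13 web01 kernel: eth0: link is up",  # no application agent registered for kernel
]

if __name__ == "__main__":
    msgs, disp = normalize(SAMPLE_LINES)
    for msg in msgs:
        print(msg)
    print("unrouted:", disp.unrouted)
```

Both normalized messages carry the same source_ip key (203.0.113.5), which is exactly what the reconnaissance-stage aggregation field needs to group the IDS alert and the web-server probe together; the kernel line, for which no agent is registered, lands in the dispatcher's unrouted list so that unparsed input is visible to the operator rather than lost.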
In the evaluation of the application by MSSP security operation and maintenance service personnel, the implementation of security intrusion playback based on multiple attack stages provided by the application showed the following beneficial effects:
1. The application improves communication between security operation and maintenance service personnel, SIEM engineers and stakeholders. The multiple-phase rules provided herein give a mechanism for describing and contextualizing the alarms generated by a SIEM that is shared by the whole group of SIEM users (security operation and maintenance service personnel, SIEM engineers and customers). In addition, the application allows predictive analysis of likely earlier or anticipated future events based on the observed alarms.
2. The application improves the efficiency of the operation process by reducing redundant queries. The more descriptive alarm names and the aggregated data contained in the alarms give the security operation and maintenance service personnel a large amount of additional information that is useful when making recommendations to the customer. Furthermore, the customer is less likely to request more information from the security operation and maintenance personnel, which reduces the need for manual queries or investigations.
3. False negatives can occur because of errors in SIEM correlation logic or missing data; this is not the case with the multiple-phase rules of the application.
4. The application greatly reduces the number of alarms, greatly increases the amount of information carried by each alarm, and reduces the management workload of maintaining the SIEM system.
5. The application reduces the average time required by security operation and maintenance service personnel to locate a security event, for example:
(1) The total number of alarms is reduced.
(2) Visibility during a network security attack is improved by increasing the detection rate.
(3) The number of metadata fields contained in each generated alert increases.
(4) The workload required of security operation and maintenance service personnel to deploy detection rules is reduced.
(5) System resource requirements are reduced and potential processing bottlenecks are avoided.
6. Data acquisition is modular and plug-in based (plug and play), which improves the flexibility of system deployment.
The foregoing is only a preferred embodiment of the present invention; parts not specifically described belong to the prior art or to the common general knowledge of those of ordinary skill in the art. Several improvements and modifications can be made without departing from the principle of the invention, and these improvements and modifications should also be construed as falling within the scope of the invention.

Claims (5)

1. A secure intrusion playback device based on multiple attack phases, applied to an intrusion detection service provided by a security operation and maintenance service provider for an enterprise network, which divides the process of a hacker intrusion into a reconnaissance phase, a delivery phase, an installation phase, a privilege elevation phase, a lateral expansion phase, an attack object phase and a withdrawal phase, the device comprising:
a data acquisition module comprising a plurality of protocol agents, a scheduler and a plurality of application agents, wherein the protocol agents are used for acquiring original log messages from the enterprise network and sending them to the scheduler, the scheduler is used for determining the type of protocol agent that sent it an original log message and forwarding that message to the corresponding application agent, and the application agents are used for receiving the original log messages forwarded by the scheduler, parsing them into formatted messages with standard fields and sending the formatted messages to a database;
the database, in which a database table is created for storing the formatted messages of all stages, the database table comprising, in order, a reconnaissance table, a delivery table, an installation table, a privilege elevation table, a lateral expansion table, an attack object table and a withdrawal table, wherein the reconnaissance table comprises at least the 4 fields source IP, source port, target IP and target port of the reconnaissance stage; the delivery table comprises at least the 4 fields source IP, source port, target IP and target port of the delivery stage; the installation table comprises at least the 2 fields computer name and file name of the installation stage; the privilege elevation table comprises at least the 4 fields user account, computer name, IP address and directory security modification of the privilege elevation stage; the lateral expansion table comprises at least the 4 fields user account, computer name, IP address and directory authentication of the lateral expansion stage; the attack object table comprises at least the 7 fields user account, computer name, IP address, folder access, folder path, modification type and permission of the attack object stage; and the withdrawal table comprises at least the 5 fields source IP, source port, target IP, target port and transmitted Mb of the withdrawal stage;
and a security intrusion playback module, used for acquiring the formatted messages of each stage stored in the database table, deriving from them, in order, the reconnaissance event, delivery event, installation event, privilege elevation event, lateral expansion event, attack object event and withdrawal event generated by an intruder initiating an attack, and aggregating and correlating the events through the aggregation fields in the order of the events, thereby realizing playback of the security intrusion.
2. The multiple-attack-stage-based secure intrusion playback device of claim 1, wherein the aggregation fields include a reconnaissance stage aggregation field, a delivery stage aggregation field, an installation stage aggregation field, a privilege elevation stage aggregation field, a lateral expansion stage aggregation field, an attack object stage aggregation field and a withdrawal stage aggregation field;
the reconnaissance stage aggregation field comprises the source IP of the reconnaissance stage;
the delivery phase aggregation field comprises a target IP of the delivery phase;
the installation phase aggregation field comprises a computer name of an installation phase;
the privilege elevation phase aggregation field comprises an account name of the privilege elevation phase;
the lateral expansion stage aggregation field comprises the log name of the lateral expansion stage;
the attack object phase aggregation field comprises a computer name of an attack object phase;
the withdrawal stage aggregation field comprises the target IP of the withdrawal stage.
3. The multi-attack-stage-based secure intrusion playback device of claim 1, wherein the protocol agents include syslog, SNMP, SMTP, and Http/xml.
4. The multi-attack-stage-based secure intrusion playback device of claim 3, wherein the application agents include Windows, Linux, Apache, IIS, Oracle, Firewall, Router, ISS, IDS, and WMI.
5. The multiple-attack-stage-based secure intrusion playback device of claim 1, wherein the enterprise network includes a firewall, an IDS, an endpoint operating system, a domain controller, an antivirus, a mail server, a Web server and a database server.
CN202110059354.3A 2021-01-18 2021-01-18 Security intrusion playback equipment based on multiple attack stages Active CN112383573B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110059354.3A CN112383573B (en) 2021-01-18 2021-01-18 Security intrusion playback equipment based on multiple attack stages

Publications (2)

Publication Number Publication Date
CN112383573A true CN112383573A (en) 2021-02-19
CN112383573B CN112383573B (en) 2021-04-06

Family

ID=74581938

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110059354.3A Active CN112383573B (en) 2021-01-18 2021-01-18 Security intrusion playback equipment based on multiple attack stages

Country Status (1)

Country Link
CN (1) CN112383573B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107733941A (en) * 2016-08-11 2018-02-23 南京联成科技发展股份有限公司 A kind of realization method and system of the data acquisition platform based on big data
CN108696473A (en) * 2017-04-05 2018-10-23 中国移动通信集团广东有限公司 Attack path restoring method and device
CN110602042A (en) * 2019-08-07 2019-12-20 中国人民解放军战略支援部队信息工程大学 APT attack behavior analysis and detection method and device based on cascade attack chain model
CN111917705A (en) * 2019-05-10 2020-11-10 波音公司 System and method for automatic intrusion detection
CN112087420A (en) * 2020-07-24 2020-12-15 西安电子科技大学 Network killing chain detection method, prediction method and system
CN112187825A (en) * 2020-10-13 2021-01-05 网络通信与安全紫金山实验室 Honeypot defense method, system, equipment and medium based on mimicry defense
CN112217777A (en) * 2019-07-12 2021-01-12 上海云盾信息技术有限公司 Attack backtracking method and equipment

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113890821A (en) * 2021-09-24 2022-01-04 绿盟科技集团股份有限公司 Log association method and device and electronic equipment
CN113890821B (en) * 2021-09-24 2023-11-17 绿盟科技集团股份有限公司 Log association method and device and electronic equipment
CN114513400A (en) * 2021-12-30 2022-05-17 上海川源信息科技有限公司 Log aggregation system and method for improving availability of log aggregation system
WO2023123801A1 (en) * 2021-12-30 2023-07-06 上海川源信息科技有限公司 Log aggregation system, and method for improving availability of log aggregation system

Also Published As

Publication number Publication date
CN112383573B (en) 2021-04-06

Similar Documents

Publication Publication Date Title
US7444679B2 (en) Network, method and computer readable medium for distributing security updates to select nodes on a network
US7197762B2 (en) Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits
Kholidy et al. CIDS: A framework for intrusion detection in cloud systems
EP2777226B1 (en) A streaming method and system for processing network metadata
KR100942456B1 (en) Method for detecting and protecting ddos attack by using cloud computing and server thereof
KR101010302B1 (en) Security management system and method of irc and http botnet
Ganame et al. A global security architecture for intrusion detection on computer networks
CN111193719A (en) Network intrusion protection system
US20030084321A1 (en) Node and mobile device for a mobile telecommunications network providing intrusion detection
US20030084326A1 (en) Method, node and computer readable medium for identifying data in a network exploit
US20150347751A1 (en) System and method for monitoring data in a client environment
US20030084328A1 (en) Method and computer-readable medium for integrating a decode engine with an intrusion detection system
CN112383573B (en) Security intrusion playback equipment based on multiple attack stages
CN111930886A (en) Log processing method, system, storage medium and computer equipment
Wang et al. A centralized HIDS framework for private cloud
CN114553537A (en) Abnormal flow monitoring method and system for industrial Internet
WO2002027443A2 (en) Global computer network intrusion detection system
Teng et al. A cooperative intrusion detection model for cloud computing networks
Vaarandi et al. Simple event correlator-best practices for creating scalable configurations
Hwoij et al. SIEM architecture for the Internet of Things and smart city
CN114268457A (en) Multi-protocol multi-service public network security access method
CN117240526A (en) Network attack automatic defending system based on artificial intelligence
Ning et al. Design and implementation of a decentralized prototype system for detecting distributed attacks
CN115208690A (en) Screening processing system based on data classification and classification
KR100933986B1 (en) Integrated Signature Management and Distribution System and Method for Network Attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant