WO2022088633A1 - Lateral penetration protection method and apparatus, device and storage medium - Google Patents

Lateral penetration protection method and apparatus, device and storage medium

Info

Publication number
WO2022088633A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
penetration
lateral
information
lateral penetration
Prior art date
Application number
PCT/CN2021/090702
Other languages
French (fr)
Chinese (zh)
Inventor
何博
赵立洲
林岳川
闵真
田立闯
Original Assignee
北京奇虎科技有限公司
Application filed by 北京奇虎科技有限公司
Publication of WO2022088633A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • The present application relates to the technical field of network attacks, and in particular to a lateral penetration protection method, apparatus, device and storage medium.
  • Lateral penetration attack technology is widely used in complex network attacks, especially in Advanced Persistent Threats (APT).
  • Attackers use lateral penetration to turn a compromised system into a springboard for accessing other hosts on the intranet and obtaining sensitive information such as mailboxes, shared folders or credentials. With this information they can further control other systems, escalate privileges or steal more valuable credentials, and ultimately gain control over key network nodes and management devices.
  • Traditional network attack detection methods cannot monitor these lateral penetration attacks, leaving dead ends (blind spots) in network security monitoring.
  • The main purpose of the present application is to provide a lateral penetration protection method, device, storage medium and apparatus, aiming to solve the technical problem that the traditional network attack detection methods of the prior art cannot monitor lateral penetration attacks and leave dead ends in network security monitoring.
  • To this end, the application provides a lateral penetration protection method comprising the following steps:
  • when a penetration attack is detected, identify the attack type of the penetration attack;
  • determine attack information according to the attack type;
  • determine, according to a preset engine determination strategy, whether the attack information is a lateral penetration attack;
  • when the attack information is a lateral penetration attack, block the lateral penetration attack.
  • The step of identifying the attack type of the penetration attack when a penetration attack is detected specifically includes: when a penetration attack is detected, calling a service process function to identify the attack type of the penetration attack.
  • The step of calling a service process function to identify the attack type of the penetration attack when a penetration attack is detected specifically includes: when a penetration attack is detected, modifying a pointer address in the system call table so that the pointer address points to the service process function; calling the service process function through the pointer address, and determining the service process information corresponding to the penetration attack through the service process function; and identifying the attack type of the penetration attack according to the service process information.
  • The step of identifying the attack type of the penetration attack when a penetration attack is detected specifically includes: when a penetration attack is detected, calling an operation process function to identify the attack type of the penetration attack.
  • The step of calling an operation process function to identify the attack type of the penetration attack when a penetration attack is detected specifically includes: calling the operation process function and setting a registered HOOK point through the operation process function; monitoring the creation of the operation process of the penetration attack through the registered HOOK point; when creation of the operation process is detected, determining the operation process information corresponding to the penetration attack through the registered HOOK point; and identifying the attack type of the penetration attack according to the operation process information.
  • The step of identifying the attack type of the penetration attack when a penetration attack is detected specifically includes: when a penetration attack is detected, calling an operation interface process function to identify the attack type of the penetration attack.
  • The step of calling an operation interface process function to identify the attack type of the penetration attack when a penetration attack is detected specifically includes:
  • The present application also proposes a lateral penetration protection device, which includes:
  • an identification module configured to identify the attack type of the penetration attack when a penetration attack is detected;
  • a determining module configured to determine attack information according to the attack type;
  • a judgment module configured to judge, according to a preset engine determination strategy, whether the attack information is a lateral penetration attack; and
  • an execution module configured to block the lateral penetration attack when the attack information is a lateral penetration attack.
  • The present application also proposes a lateral penetration protection device that includes a memory, a processor, and a lateral penetration protection program stored on the memory and runnable on the processor, the program being configured to implement the steps of the lateral penetration protection method described above.
  • The present application also proposes a storage medium on which a lateral penetration protection program is stored; when the program is executed by a processor, the steps of the lateral penetration protection method described above are implemented.
  • In summary: when a penetration attack is detected, its attack type is identified; attack information is determined according to the attack type; whether the attack information is a lateral penetration attack is determined according to a preset engine determination strategy; and when it is, the lateral penetration attack is blocked.
  • Because whether the attack information is a lateral penetration attack is decided from the captured attack information and the preset engine determination strategy, and the attack is blocked as soon as it is so determined, lateral penetration attacks are monitored in real time and prevented from spreading, network security monitoring is improved, and the technical problem that traditional detection methods of the prior art cannot monitor lateral penetration attacks and leave dead ends in network security monitoring is solved.
  • FIG. 1 is a schematic structural diagram of a lateral penetration protection device of a hardware operating environment according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of the first embodiment of the lateral penetration protection method of the present application.
  • FIG. 3 is a schematic flowchart of a second embodiment of the lateral penetration protection method of the present application.
  • FIG. 4 is a schematic flowchart of a third embodiment of the lateral penetration protection method of the present application.
  • FIG. 5 is a schematic flowchart of a fourth embodiment of the lateral penetration protection method of the present application.
  • FIG. 6 is a schematic flowchart of a fifth embodiment of the lateral penetration protection method of the present application.
  • FIG. 7 is a schematic flowchart of a sixth embodiment of the lateral penetration protection method of the present application.
  • FIG. 8 is a schematic flowchart of a seventh embodiment of the lateral penetration protection method of the present application.
  • FIG. 9 is a schematic flowchart of an eighth embodiment of the lateral penetration protection method of the present application.
  • FIG. 10 is a schematic flowchart of a ninth embodiment of the lateral penetration protection method of the present application.
  • FIG. 11 is a structural block diagram of the first embodiment of the lateral penetration protection device of the present application.
  • FIG. 1 is a schematic structural diagram of the lateral penetration protection device in the hardware operating environment involved in the embodiments of the present application.
  • The lateral penetration protection device may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005.
  • The communication bus 1002 is used to realize the connection and communication between these components.
  • The user interface 1003 may include a display screen (Display); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface.
  • In this application the wired interface of the user interface 1003 may be a USB interface.
  • The network interface 1004 may include a standard wired interface and a wireless interface (for example, a wireless fidelity (Wi-Fi) interface).
  • The memory 1005 may be a high-speed random access memory (RAM), or a non-volatile memory (NVM) such as disk storage.
  • The memory 1005 may also be a storage device independent of the aforementioned processor 1001.
  • The structure shown in FIG. 1 does not constitute a limitation on the lateral penetration protection device, which may include more or fewer components than shown, combine some components, or arrange the components differently.
  • As a computer storage medium, the memory 1005 may contain an operating system, a network communication module, a user interface module, and a lateral penetration protection program.
  • In the device shown in FIG. 1, the network interface 1004 is mainly used to connect to a background server and exchange data with it;
  • the user interface 1003 is mainly used to connect user equipment;
  • and the processor 1001 of the lateral penetration protection device invokes the lateral penetration protection program stored in the memory 1005 and executes the lateral penetration protection method provided by the embodiments of the present application.
  • FIG. 2 is a schematic flowchart of the first embodiment of the lateral penetration protection method of the present application, and the first embodiment of the lateral penetration protection method of the present application is proposed.
  • the lateral penetration protection method includes the following steps:
  • Step S10: When a penetration attack is detected, identify the attack type of the penetration attack.
  • the execution body of this embodiment is the lateral penetration protection device, and the lateral penetration protection device may be an electronic device such as a personal computer or a server, which is not limited in this embodiment.
  • The attack type of the penetration attack can be identified in a variety of ways; the following four are described as examples, and at least two of them may also be used in combination.
  • Other manners of identifying the attack type may be adopted according to the actual situation, which is not limited in this embodiment.
  • The attacker searches for a target machine with vulnerabilities (weak passwords, improper permission configuration, credential theft, etc.) and then uses various means to further penetrate and control the target machine.
  • The most common means are lateral penetration through a remote service, a remote scheduled task, remote WMI and remote COM.
  • A preset HOOK engine can be used to identify the attack type of the penetration attack: the preset HOOK engine calls a process function to identify the attack type, and the process function may include a service process function, an operation process function, an operation interface process function and a desktop process function.
  • First method: when a penetration attack is detected, the service process function is called through the preset HOOK engine to identify the attack type of the penetration attack as the remote service method.
  • Second method: when a penetration attack is detected, the operation process function is called through the preset HOOK engine to identify the attack type of the penetration attack as the remote scheduled task method.
  • Third method: when a penetration attack is detected, the operation interface process function is called through the preset HOOK engine to identify the attack type of the penetration attack as the remote WMI method.
  • Fourth method: when a penetration attack is detected, the desktop process function is called through the preset HOOK engine to identify the attack type of the penetration attack as the remote COM method.
  • Step S20: Determine attack information according to the attack type.
  • The step of determining the attack information according to the attack type may include: determining the attack source IP according to the attack type; obtaining the attack instruction corresponding to the attack source IP through a preset mapping relationship; and determining the attack information according to the attack type, the attack source IP and the attack instruction.
  • For example, the service process function is called by the preset HOOK engine to identify the attack type of the penetration attack as the remote service method, and the attack source IP is determined according to the penetration attack of the remote service method; the attack instruction corresponding to the attack source IP is obtained through the preset mapping relationship; and the attack information is determined according to the attack type, the attack source IP and the attack instruction.
  • To determine the attack source IP, the network data packets of the penetration attack in the remote service mode are obtained and parsed layer by layer according to the format of the network protocol in the packets, and the packet content is extracted; correlation analysis and packet reassembly are performed on the packet content to restore the application-layer packet content, thereby obtaining the network address of the attacking host.
  • The network address of the attacking host may include a MAC address and an IP address, and it is used as the attack source IP.
  • The attack instruction corresponding to the attack source IP is obtained through the preset mapping relationship. For this, the preset mapping relationship needs to be established in advance: the correspondence between the attack source IP and the attack command, obtained beforehand by reverse analysis, is stored as the preset mapping relationship.
  • The reverse analysis process for the attack source IP may be as follows: reversely disassemble and analyze the structure, process, algorithm and code associated with the attack source IP; derive its source code, design principle, structure, algorithm, processing flow, operating method and documents; obtain the program structure, communication protocol and command format; generate monitoring configuration files; and obtain the attack instructions according to the monitoring configuration files.
  • Step S30: Determine, according to a preset engine determination strategy, whether the attack information is a lateral penetration attack.
  • A variety of preset engine determination strategies can be used to determine whether the attack information is a lateral penetration attack; the following three are described as examples, and at least two of them may also be used in combination.
  • Other strategies may also be adopted according to the actual situation, which is not limited in this embodiment.
  • First method: determine whether the attack information is a lateral penetration attack according to a preset lateral penetration engine determination strategy: extract attack event data packets from the attack information according to the strategy; process the attack event data packets through a clustering algorithm to obtain attack mode information; and judge whether the attack information is a lateral penetration attack according to the attack mode information.
  • In addition, the host intrusion prevention system can identify the penetration attack type of the remote registry method and the penetration attack type of the remote system tool calling method.
  • Third method: combine the preset lateral penetration engine determination strategy with the preset cloud rule engine determination strategy: extract attack event data packets from the attack information according to the lateral penetration engine strategy; process the attack event data packets through a clustering algorithm to obtain attack mode information; obtain cloud rules according to the preset cloud rule engine determination strategy; perform data analysis on the attack mode information according to the cloud rules to obtain cloud analysis information; and determine whether the attack information is a lateral penetration attack according to the attack mode information and the cloud analysis information.
  • Step S40: When the attack information is a lateral penetration attack, block the lateral penetration attack.
  • The step of blocking the lateral penetration attack may include: when the attack information is a lateral penetration attack, judging whether the lateral penetration attack is a target lateral penetration attack; when it is, blocking the target lateral penetration attack according to a preset attack blocking method; when it is not, blocking the lateral penetration attack according to the host intrusion prevention system.
  • The target lateral penetration attack may include the remote service method, the remote scheduled task method, the remote WMI method and the remote COM method.
  • The preset attack blocking method may include at least one of: adding the attack source IP address of the lateral penetration attack to a blacklist, ending the malicious process of the lateral penetration attack, and closing the compromised port of the lateral penetration attack.
  • A lateral penetration attack that is not a target lateral penetration attack may use the remote registry method or the remote system tool calling method, and these are blocked according to the blocking method of the host intrusion prevention system.
  • After the step of blocking the lateral penetration attack, the method may further include: generating an attack log file according to the lateral penetration attack; analyzing the attack log file to generate an analysis report; and displaying the analysis report.
  • After the step of blocking the lateral penetration attack, the method may further include: prompting the user through a pop-up window that the host has been subjected to a lateral penetration attack.
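Steps S10 to S40 carried through as one runnable Python sketch. This is an added example, not code from the patent or its assignee: the hooked function names (RCreateServiceW and the other service process functions, SchRpcRegisterTask) come from the page, while the event record shape, the entries of the preset mapping relationship, the per-source grouping used in place of the clustering algorithm, the determination threshold and the sample events are assumptions constructed here. It only plans the blocking actions (blacklist the IP, end the process, close the port) and returns them instead of executing them.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hooked process functions named on the page: the MS-SCMR service RPC calls
# (service process functions) and the MS-TSCH task registration call
# (operation process function).
SERVICE_PROCESS_FUNCS = {
    "RCreateServiceW", "RCreateServiceWOW64W", "RChangeServiceConfigW",
    "RChangeServiceConfig2W", "RDeleteServiceW", "RStartServiceW",
}
OPERATION_PROCESS_FUNCS = {"SchRpcRegisterTask"}

# Attack types the page calls "target lateral penetration attacks".
TARGET_TYPES = {"remote_service", "remote_scheduled_task", "remote_wmi", "remote_com"}


@dataclass(frozen=True)
class HookEvent:
    """One record emitted by a HOOK point (assumed shape, not the page's)."""
    func: str        # hooked function that fired
    source_ip: str   # attack source IP recovered from the request
    pid: int         # process id recorded by the hook
    port: int        # local port the request arrived on
    argument: str    # service binary or task action, as recorded


def identify_attack_type(func):
    """Step S10: the attack type follows from which hooked function fired."""
    if func in SERVICE_PROCESS_FUNCS:
        return "remote_service"
    if func in OPERATION_PROCESS_FUNCS:
        return "remote_scheduled_task"
    return None


# Step S20: the "preset mapping relationship" from attack source IP to attack
# instruction. Constructed sample entry standing in for a table built by
# prior analysis.
PRESET_MAPPING = {
    "10.10.20.7": "remote service install and start",
}


def determine_attack_info(event):
    """Step S20: attack information = attack type + source IP + mapped instruction."""
    attack_type = identify_attack_type(event.func)
    if attack_type is None:
        return None
    return {
        "type": attack_type,
        "source_ip": event.source_ip,
        "instruction": PRESET_MAPPING.get(event.source_ip, "unknown"),
        "pid": event.pid,
        "port": event.port,
    }


def attack_mode_info(infos):
    """Step S30, lateral penetration engine: group attack events per source IP
    into 'attack mode information'. Plain grouping stands in for the page's
    clustering algorithm (assumption)."""
    modes = defaultdict(lambda: {"types": set(), "count": 0, "known": False})
    for info in infos:
        mode = modes[info["source_ip"]]
        mode["types"].add(info["type"])
        mode["count"] += 1
        mode["known"] = mode["known"] or info["instruction"] != "unknown"
    return modes


def is_lateral(mode, threshold=2):
    """Assumed determination rule: a source using a target technique is lateral
    penetration if its instruction is known in the mapping or it repeats."""
    return bool(mode["types"] & TARGET_TYPES) and (mode["known"] or mode["count"] >= threshold)


def blocking_actions(info):
    """Step S40: target types get the preset blocking method (blacklist IP, end
    process, close port); other types are left to the host IPS. Returns a plan."""
    if info["type"] in TARGET_TYPES:
        return {f"blacklist_ip:{info['source_ip']}",
                f"end_process:{info['pid']}",
                f"close_port:{info['port']}"}
    return {"hips_block"}


def protect(events):
    """Run S10-S40 over hook events; returns the planned actions per source IP."""
    infos = [i for i in map(determine_attack_info, events) if i is not None]
    modes = attack_mode_info(infos)
    plan = {}
    for info in infos:
        if is_lateral(modes[info["source_ip"]]):
            plan.setdefault(info["source_ip"], set()).update(blocking_actions(info))
    return {ip: sorted(actions) for ip, actions in plan.items()}


# Constructed sample events: a known source installing and starting a service,
# an unknown source registering a task and creating a service, one lone
# service start, and an unhooked call that is ignored.
SAMPLE_EVENTS = [
    HookEvent("RCreateServiceW", "10.10.20.7", 4120, 445, r"C:\Windows\Temp\svc.exe"),
    HookEvent("RStartServiceW", "10.10.20.7", 4120, 445, "svc"),
    HookEvent("SchRpcRegisterTask", "10.10.20.33", 5004, 445, "cmd.exe /c whoami"),
    HookEvent("RCreateServiceW", "10.10.20.33", 5004, 445, r"C:\Windows\Temp\a.exe"),
    HookEvent("RStartServiceW", "10.10.20.50", 980, 445, "Spooler"),
    HookEvent("NtCreateFile", "10.10.20.50", 980, 445, "x"),
]

if __name__ == "__main__":
    for ip, actions in protect(SAMPLE_EVENTS).items():
        print(ip, actions)
```

The lone service start from 10.10.20.50 is deliberately left unblocked: a single hooked call with no mapped instruction is exactly the case where the page's engine determination step, rather than the hook alone, has to decide.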
  • FIG. 3 is a schematic flowchart of the second embodiment of the lateral penetration protection method of the present application. Based on the first embodiment shown in FIG. 2 above, a second embodiment of the lateral penetration protection method of the present application is proposed.
  • Step S10 includes:
  • Step S11: When a penetration attack is detected, call a service process function to identify the attack type of the penetration attack.
  • In the intranet environment, the attacker searches for target machines with vulnerabilities (weak passwords, improper permission configuration, credential theft, etc.) and then uses various means to further penetrate and control the target machine.
  • The most common means is lateral penetration through a remote service.
  • A preset HOOK engine can be used to identify the attack type of the penetration attack: the preset HOOK engine calls a process function to identify the attack type, and the process function may include service process functions; the service process functions may be RCreateServiceW, RCreateServiceWOW64W, RChangeServiceConfigW, RChangeServiceConfig2W, RDeleteServiceW and RStartServiceW.
  • When a penetration attack is detected, the service process function is called to identify the attack type of the penetration attack.
  • In this embodiment, the service process function is called to identify the attack type of the penetration attack, which is then used to judge whether the penetration attack is a lateral penetration attack.
  • FIG. 4 is a schematic flowchart of the third embodiment of the lateral penetration protection method of the present application. Based on the second embodiment shown in FIG. 3 above, a third embodiment of the lateral penetration protection method of the present application is proposed.
  • Step S11 specifically includes:
  • Step S110: When a penetration attack is detected, modify the pointer address in the system call table so that the pointer address points to the service process function.
  • To do so, a related function can be called to initiate a system call request; the system function executes the int 0x80 soft interrupt instruction, and execution of the soft interrupt causes the system to jump to a preset kernel control address so that the program enters the kernel state of the operating system. There, the pointer address in the system call table is modified to point to the custom service process function of this embodiment, which may be RCreateServiceW, RCreateServiceWOW64W, RChangeServiceConfigW, RChangeServiceConfig2W, RDeleteServiceW or RStartServiceW.
  • Hooks can thus be placed on the calls of these service process functions; for example, sys_call_table[__NR_open] is modified to point to the RCreateServiceW function.
  • Step S111: Call the service process function through the pointer address, and determine the service process information corresponding to the penetration attack through the service process function.
  • The service process function called through the pointer address may be RCreateServiceW, RCreateServiceWOW64W, RChangeServiceConfigW, RChangeServiceConfig2W, RDeleteServiceW or RStartServiceW, and the service process information corresponding to the penetration attack is determined through it.
  • When the specified function is looked up through sys_call_table[__NR_open], the system first calls the service process function RCreateServiceW customized in this embodiment; information such as the process id of the application and the type of file read is recorded, thereby recording the attack behavior information of the penetration attack. After recording is completed, the service process information corresponding to the penetration attack is generated according to the attack behavior information.
  • Step S112: Identify the attack type of the penetration attack according to the service process information.
  • Here the attack type of the penetration attack is lateral penetration through the remote service method. Further, the attack source IP is determined according to the attack type; the attack instruction corresponding to the attack source IP is obtained through the preset mapping relationship; the attack information is determined according to the attack type, the attack source IP and the attack instruction; whether the attack information is a lateral penetration attack is determined according to the preset engine determination strategy; and when it is, the lateral penetration attack is blocked.
  • In this embodiment, when a penetration attack is detected, the pointer address in the system call table is modified so that it points to the service process function; the service process function is called through the pointer address and determines the service process information corresponding to the penetration attack; and the attack type of the penetration attack is identified according to the service process information.
  • The service process function is thus called to identify the attack type, which is used to judge whether the penetration attack is a lateral penetration attack; when it is, the attack is blocked, so that lateral penetration attacks are monitored in real time and prevented from spreading, network security monitoring is improved, and the technical problem that traditional detection methods of the prior art cannot monitor lateral penetration attacks and leave dead ends in network security monitoring is solved.
  • FIG. 5 is a schematic flowchart of the fourth embodiment of the lateral penetration protection method of the present application. Based on the first embodiment shown in FIG. 2 above, a fourth embodiment of the lateral penetration protection method of the present application is proposed. The present embodiment will be described based on the first embodiment.
  • Step S10 includes:
  • Step S12: When a penetration attack is detected, call an operation process function to identify the attack type of the penetration attack.
  • In the intranet environment, the attacker searches for target machines with vulnerabilities (weak passwords, improper permission configuration, credential theft, etc.) and then uses various means to further penetrate and control the target machine.
  • The most common means is lateral penetration through a remote scheduled task.
  • A preset HOOK engine can be used to identify the attack type of the penetration attack: the preset HOOK engine calls a process function to identify the attack type, and the process function may include an operation process function, which may be SchRpcRegisterTask.
  • When a penetration attack is detected, the operation process function is called to identify the attack type of the penetration attack.
  • In this embodiment, the operation process function is called to identify the attack type of the penetration attack, which is then used to judge whether the penetration attack is a lateral penetration attack.
  • FIG. 6 is a schematic flowchart of a fifth embodiment of the lateral penetration protection method of the present application. Based on the fourth embodiment shown in FIG. 5, a fifth embodiment of the lateral penetration protection method of the present application is proposed. The present embodiment will be described based on the fourth embodiment.
  • Step S12 specifically includes:
  • Step S120: When a penetration attack is detected, call the operation process function and set a registered HOOK point through the operation process function.
  • Monitoring of the penetration attack is started together with the kernel module, and the operation process can be monitored by HOOK through the process HOOK monitor.
  • The operation process function, which may be SchRpcRegisterTask, is called, and the registered HOOK point is set through it; for example, the registered HOOK point is set through the SchRpcRegisterTask function.
  • Step S121: Monitor the creation of the operation process of the penetration attack through the registered HOOK point.
  • Step S122: When creation of the operation process of the penetration attack is detected, determine the operation process information corresponding to the penetration attack through the registered HOOK point.
  • When the registered HOOK point is triggered, the process behavior feature information of the penetration attack is obtained, and the pre-stored matching feature module can be called to match it against the process behavior feature information, so as to monitor and discover attack behavior information based on command execution; the attack behavior information corresponding to the penetration attack is stored and used as the operation process information.
  • Step S123: Identify the attack type of the penetration attack according to the operation process information.
  • Here the attack type of the penetration attack is lateral penetration through the remote scheduled task method. Further, the attack source IP is determined according to the attack type; the attack instruction corresponding to the attack source IP is obtained through the preset mapping relationship; the attack information is determined according to the attack type, the attack source IP and the attack instruction; whether the attack information is a lateral penetration attack is determined according to the preset engine determination strategy; and when it is, the lateral penetration attack is blocked.
  • HOOK monitoring of the operation process can also be performed through a file HOOK, which can register HOOK points for the read() and write() functions.
  • When such a registered HOOK point is triggered, the process behavior feature information of the penetration attack is obtained and the pre-stored matching feature module is called to match it, so as to monitor and discover attack behavior information such as command execution and illegal logins; the attack behavior information corresponding to the penetration attack is stored and used as the operation process information, and the attack type of the penetration attack is identified according to the operation process information.
  • In this embodiment, when a penetration attack is detected, the operation process function is called and a registered HOOK point is set through it; the creation of the operation process of the penetration attack is monitored through the registered HOOK point; when the creation is detected, the operation process information corresponding to the penetration attack is determined through the registered HOOK point; and the attack type of the penetration attack is identified according to the operation process information.
  • The operation process function is thus called to identify the attack type of the penetration attack, which is used to judge whether the penetration attack is a lateral penetration attack.
  • FIG. 7 is a schematic flowchart of the sixth embodiment of the lateral penetration protection method of the present application. Based on the first embodiment shown in FIG. 2 above, a sixth embodiment of the lateral penetration protection method of the present application is proposed. The present embodiment is described based on the first embodiment.
  • Step S10 includes:
  • Step S13: When the penetration attack is detected, call the operation interface process function to identify the attack type of the penetration attack.
  • The attacker searches the intranet environment for a target machine with vulnerabilities (weak password, improper permission configuration, credential theft, etc.), and when the target machine can be accessed, the attacker uses various means to penetrate further and control it.
  • The most common of these is lateral penetration through remote WMI.
  • A preset HOOK engine can be used to identify the attack type of the penetration attack; the preset HOOK engine can call a process function to identify the attack type, and the process function can include an operation interface process function, which may be an IWbemServices interface function.
  • The operation interface process function is called to identify the attack type of the penetration attack.
  • The operation interface process function is called to identify the attack type of the penetration attack, which is used to determine whether the penetration attack is a lateral penetration attack; when it is determined to be a lateral penetration attack, the lateral penetration attack is blocked. This realizes real-time monitoring of lateral penetration attacks, prevents their spread, improves the monitoring of network security, and solves the technical problem that traditional network attack detection methods in the prior art cannot monitor lateral penetration attacks, leaving dead ends in network security monitoring.
  • FIG. 8 is a schematic flowchart of a seventh embodiment of the lateral penetration protection method of the present application. Based on the sixth embodiment shown in FIG. 7, a seventh embodiment of the lateral penetration protection method of the present application is proposed. The present embodiment is described based on the sixth embodiment.
  • Step S13 includes:
  • Step S130: When the penetration attack is detected, obtain the interface output parameters corresponding to the penetration attack.
  • The operation process can also be HOOK-monitored through the network HOOK.
  • The network HOOK can register HOOK points at NF_IP_LOCAL_IN and NF_INET_LOCAL_IN; the registered HOOK points are triggered when a network connection reaches the host, the penetration attack is monitored, and the interface output parameters corresponding to the penetration attack are obtained.
  • Step S131: Call the operation interface process function and extract interface process information from the interface output parameters through the operation interface process function.
  • The operation interface process function is called; it may be the IWbemServices interface function.
  • The interface process information is extracted from the interface output parameters through the operation interface process function: the interface output parameters of the penetration attack are obtained, the operation interface process function is called to HOOK the interface output parameters, attack behavior information based on unauthorized access over various network protocols and on abnormal access data of specific network protocols is monitored and discovered, and the attack behavior information corresponding to the penetration attack is stored and used as the interface process information.
  • Step S132: Identify the attack type of the penetration attack according to the interface process information.
  • The attack type of the penetration attack is lateral penetration through remote WMI. Further, it is also necessary to determine the attack source IP according to the attack type; the attack instruction corresponding to the attack source IP is obtained through a preset mapping relationship; and the attack information is determined according to the attack type, the attack source IP and the attack instruction. Whether the attack information is a lateral penetration attack is then determined according to the preset engine determination policy, and when it is, the lateral penetration attack is blocked.
  • In this embodiment, the interface output parameters corresponding to the penetration attack are obtained; the operation interface process function is called, and the interface process information is extracted from the interface output parameters through it; and the attack type of the penetration attack is identified according to the interface process information.
  • The operation interface process function is called to identify the attack type of the penetration attack, which is used to determine whether the penetration attack is a lateral penetration attack; when it is determined to be a lateral penetration attack, the lateral penetration attack is blocked. This realizes real-time monitoring of lateral penetration attacks, prevents their spread, improves the monitoring of network security, and solves the technical problem that traditional network attack detection methods in the prior art cannot monitor lateral penetration attacks, leaving dead ends in network security monitoring.
  • FIG. 9 is a schematic flowchart of an eighth embodiment of the lateral penetration protection method of the present application. Based on the first embodiment shown in FIG. 2 above, an eighth embodiment of the lateral penetration protection method of the present application is proposed. The present embodiment is described based on the first embodiment.
  • Step S10 includes:
  • Step S14: When a penetration attack is detected, call the desktop process function to identify the attack type of the penetration attack.
  • The attacker searches the intranet environment for a target machine with vulnerabilities (weak password, improper permission configuration, credential theft, etc.), and when the target machine can be accessed, the attacker uses various means to penetrate further and control it.
  • The most common of these is lateral penetration through remote COM.
  • A preset HOOK engine can be used to identify the attack type of the penetration attack; the preset HOOK engine can call a process function to identify the attack type, and the process function can include desktop process functions, which can be shell32!ShellExecuteExW and CreateProcessInternalW.
  • The desktop process function is called to identify the attack type of the penetration attack.
  • The desktop process function is called to identify the attack type of the penetration attack, which is used to judge whether the penetration attack is a lateral penetration attack; when it is determined to be a lateral penetration attack, the lateral penetration attack is blocked. This realizes real-time monitoring of lateral penetration attacks, prevents their spread, improves the monitoring of network security, and solves the technical problem that traditional network attack detection methods in the prior art cannot monitor lateral penetration attacks, leaving dead ends in network security monitoring.
  • FIG. 10 is a schematic flowchart of the ninth embodiment of the lateral penetration protection method of the present application. Based on the eighth embodiment shown in FIG. 9 above, a ninth embodiment of the lateral penetration protection method of the present application is proposed. This embodiment is described based on the eighth embodiment.
  • Step S14 includes:
  • Step S140: When a penetration attack is detected, obtain the remote desktop control behavior function corresponding to the penetration attack.
  • The remote desktop control behavior function is HOOKed, and whether the current device exhibits remote desktop control behavior is determined according to the remote desktop control behavior function.
  • Step S141: Call the desktop process function and HOOK the remote desktop control behavior function according to the desktop process function, so as to obtain the operation function and the communication function of the remote desktop control behavior function.
  • The desktop process function can be shell32!ShellExecuteExW and CreateProcessInternalW; the remote desktop control behavior function is HOOKed according to the desktop process function, so as to obtain the operation functions and communication functions of the remote desktop control behavior function.
  • Step S142: Identify the attack type of the penetration attack according to the operation function and the communication function.
  • Once the operation function and the communication function of the remote desktop control behavior function are obtained, it can be determined whether those functions are called.
  • For example, it is determined whether the SendInput, keybd_event or mouse_event functions are called; if so, a message-sending operation of the soft keyboard or soft mouse has occurred. As another example, it is determined whether the CreateCompatibleBitmap function has been called; if so, a screen capture operation has occurred. As a further example, it is determined whether the Send and Recv functions are called; if so, network communication behavior has occurred. The attack type of the penetration attack can then be identified according to the operation function and the communication function.
  • The attack type of the penetration attack identified according to the operation function and the communication function is lateral penetration through remote COM. Further, it is also necessary to determine the attack source IP according to the attack type; the attack instruction corresponding to the attack source IP is obtained through a preset mapping relationship; and the attack information is determined according to the attack type, the attack source IP and the attack instruction. Whether the attack information is a lateral penetration attack is then determined according to the preset engine determination policy, and when it is, the lateral penetration attack is blocked.
  • In this embodiment, the remote desktop control behavior function corresponding to the penetration attack is obtained; the desktop process function is called, and the remote desktop control behavior function is hooked according to it to obtain the operation function and the communication function of the remote desktop control behavior function; and the attack type of the penetration attack is identified according to the operation function and the communication function.
  • The desktop process function is called to identify the attack type of the penetration attack, which is used to judge whether the penetration attack is a lateral penetration attack; when it is determined to be a lateral penetration attack, the lateral penetration attack is blocked. This realizes real-time monitoring of lateral penetration attacks, prevents their spread, improves the monitoring of network security, and solves the technical problem that traditional network attack detection methods in the prior art cannot monitor lateral penetration attacks, leaving dead ends in network security monitoring.
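As an added illustration of step S142 (this is example code, not code from the application), the following Python classifies the API calls a hook layer recorded for a process into the operation behaviors and the communication behavior using the function names listed above, and reports the remote COM lateral penetration type only when both an operation function and a communication function were observed. The hook layer that records the calls, the per-process sample traces, and the rule that both kinds of function must be present are assumptions of this example.

```python
"""Classify hooked remote-desktop control calls (added example, not the
application's code).  A hook layer, assumed but not implemented here, records
the names of the API functions each monitored process calls; the traces below
are constructed sample input."""

# Operation functions named in the description, grouped by the behaviour they evidence.
OPERATION_FUNCTIONS = {
    "input_injection": {"sendinput", "keybd_event", "mouse_event"},  # soft keyboard / soft mouse messages
    "screen_capture": {"createcompatiblebitmap"},
}
# Communication functions named in the description (Send / Recv).
COMMUNICATION_FUNCTIONS = {"send", "recv"}


def classify_behaviours(call_trace):
    """Return the set of behaviours evidenced by the API names in call_trace.

    Names are compared case-insensitively so that 'Send' and 'send' match."""
    called = {name.lower() for name in call_trace}
    behaviours = set()
    for behaviour, functions in OPERATION_FUNCTIONS.items():
        if called & functions:
            behaviours.add(behaviour)
    if called & COMMUNICATION_FUNCTIONS:
        behaviours.add("network_communication")
    return behaviours


def identify_attack_type(call_trace):
    """Return 'remote_com_lateral_penetration' when the trace shows both an
    operation function and a communication function (assumption of this
    example: an action on the desktop plus a channel to the remote side),
    otherwise None."""
    behaviours = classify_behaviours(call_trace)
    has_operation = bool(behaviours & set(OPERATION_FUNCTIONS))
    has_communication = "network_communication" in behaviours
    if has_operation and has_communication:
        return "remote_com_lateral_penetration"
    return None


# Constructed per-process call traces, as a hook layer might have recorded them.
SAMPLE_TRACES = {
    "pid 4120": ["CreateCompatibleBitmap", "send", "recv", "send"],
    "pid 4188": ["SendInput", "keybd_event"],
    "pid 4202": ["recv"],
}


def scan_traces(traces=SAMPLE_TRACES):
    """Map each process to its identified attack type (None if not matched)."""
    return {pid: identify_attack_type(trace) for pid, trace in traces.items()}


if __name__ == "__main__":
    for pid, verdict in scan_traces().items():
        print(pid, sorted(classify_behaviours(SAMPLE_TRACES[pid])), verdict)
```

Requiring both an operation function and a communication function keeps a local screenshot tool or an on-box input automation script from being reported on its own; in the sample traces only the process that captured the screen and also sent it over the network is identified.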
  • An embodiment of the present application further provides a storage medium on which a lateral penetration protection program is stored; when the lateral penetration protection program is executed by a processor, the steps of the lateral penetration protection method described above are implemented.
  • Since the storage medium adopts all the technical solutions of all the above embodiments, it has at least all the beneficial effects brought by those technical solutions, which will not be repeated here.
  • An embodiment of the present application further proposes a lateral penetration protection device, which includes:
  • an identification module 10, configured to identify the attack type of a penetration attack when the penetration attack is detected;
  • a determination module 20, configured to determine attack information according to the attack type;
  • a judgment module 30, configured to judge whether the attack information is a lateral penetration attack according to a preset engine judgment strategy;
  • an execution module 40, configured to block the lateral penetration attack when the attack information is a lateral penetration attack.
  • The lateral penetration protection device thus includes the identification module 10 for identifying the attack type of a penetration attack when the penetration attack is detected; the determination module 20 for determining attack information according to the attack type; the judgment module 30 for judging whether the attack information is a lateral penetration attack according to a preset engine judgment strategy; and the execution module 40 for blocking the lateral penetration attack when the attack information is a lateral penetration attack.
  • Whether the attack information is a lateral penetration attack is judged according to the captured attack information and the preset engine determination strategy, and when it is determined to be a lateral penetration attack, the lateral penetration attack is blocked. This realizes real-time monitoring of lateral penetration attacks, prevents their spread, improves the monitoring of network security, and solves the technical problem that traditional network attack detection methods in the prior art cannot monitor lateral penetration attacks, leaving dead ends in network security monitoring.

Abstract

The present application relates to the technical field of network attacks, and discloses a lateral penetration protection method and apparatus, a device and a storage medium. The method comprises: when a penetration attack is detected, identifying the attack type of the penetration attack; determining attack information according to the attack type; according to a preset engine decision strategy, determining whether the attack information is a lateral penetration attack; and when the attack information is a lateral penetration attack, blocking the lateral penetration attack.

Description

Lateral penetration protection method, apparatus, device and storage medium
This application claims priority of the Chinese patent application filed on October 28, 2020, application number 202011176011.7, entitled "Lateral Penetration Protection Method, Apparatus, Device and Storage Medium", which is hereby incorporated by reference in its entirety.
Technical Field
The present application relates to the technical field of network attacks, and in particular to a lateral penetration protection method, apparatus, device and storage medium.
Background
Lateral penetration attack techniques are widely used in complex network attacks, and are especially favored in Advanced Persistent Threats (APT). Using lateral penetration, an attacker can use a compromised system as a springboard to access other hosts on the intranet and obtain sensitive information, including mailboxes, shared folders or credentials. The attacker can use this sensitive information to further control other systems, escalate privileges or steal more valuable credentials, and ultimately gain control of key network nodes and management devices. Traditional network attack detection methods cannot monitor these lateral penetration attacks, so network security monitoring has dead ends.
The above content is only intended to assist understanding of the technical solution of the present application and does not constitute an admission that it is prior art.
Technical Problem
The main purpose of the present application is to provide a lateral penetration protection method, device, storage medium and apparatus, aimed at solving the technical problem that traditional network attack detection methods in the prior art cannot monitor lateral penetration attacks, leaving dead ends in network security monitoring.
Technical Solution
To achieve the above purpose, the present application provides a lateral penetration protection method, which includes the following steps:
when a penetration attack is detected, identifying the attack type of the penetration attack;
determining attack information according to the attack type;
judging whether the attack information is a lateral penetration attack according to a preset engine determination strategy;
when the attack information is a lateral penetration attack, blocking the lateral penetration attack.
Optionally, the step of identifying the attack type of the penetration attack when a penetration attack is detected specifically includes:
when a penetration attack is detected, calling a service process function to identify the attack type of the penetration attack.
Optionally, the step of calling a service process function to identify the attack type of the penetration attack when a penetration attack is detected specifically includes:
when a penetration attack is detected, modifying a pointer address in the system call table so that the pointer address points to the service process function;
calling the service process function through the pointer address, and determining the service process information corresponding to the penetration attack through the service process function;
identifying the attack type of the penetration attack according to the service process information.
Optionally, the step of identifying the attack type of the penetration attack when a penetration attack is detected specifically includes:
when a penetration attack is detected, calling an operation process function to identify the attack type of the penetration attack.
Optionally, the step of calling an operation process function to identify the attack type of the penetration attack when a penetration attack is detected specifically includes:
when a penetration attack is detected, calling the operation process function and setting a registered HOOK point through the operation process function;
monitoring the creation of the operation process of the penetration attack through the registered HOOK point;
when creation of the operation process of the penetration attack is detected, determining the operation process information corresponding to the penetration attack through the registered HOOK point;
identifying the attack type of the penetration attack according to the operation process information.
Optionally, the step of identifying the attack type of the penetration attack when a penetration attack is detected specifically includes:
when a penetration attack is detected, calling an operation interface process function to identify the attack type of the penetration attack.
Optionally, the step of calling an operation interface process function to identify the attack type of the penetration attack when a penetration attack is detected specifically includes:
when a penetration attack is detected, obtaining the interface output parameters corresponding to the penetration attack;
calling the operation interface process function, and extracting interface process information from the interface output parameters through the operation interface process function;
identifying the attack type of the penetration attack according to the interface process information.
In addition, to achieve the above purpose, the present application also proposes a lateral penetration protection apparatus, which includes:
an identification module, configured to identify the attack type of a penetration attack when the penetration attack is detected;
a determination module, configured to determine attack information according to the attack type;
a judgment module, configured to judge whether the attack information is a lateral penetration attack according to a preset engine determination strategy;
an execution module, configured to block the lateral penetration attack when the attack information is a lateral penetration attack.
In addition, to achieve the above purpose, the present application also proposes a lateral penetration protection device, which includes a memory, a processor, and a lateral penetration protection program stored in the memory and runnable on the processor, the lateral penetration protection program being configured to implement the steps of the lateral penetration protection method described above.
In addition, to achieve the above purpose, the present application also proposes a storage medium on which a lateral penetration protection program is stored; when the lateral penetration protection program is executed by a processor, the steps of the lateral penetration protection method described above are implemented.
Beneficial Effects
In the present application, when a penetration attack is detected, the attack type of the penetration attack is identified; attack information is determined according to the attack type; whether the attack information is a lateral penetration attack is judged according to a preset engine determination strategy; and when the attack information is a lateral penetration attack, the lateral penetration attack is blocked. In this way, whether the attack information is a lateral penetration attack is judged from the captured attack information and the preset engine determination strategy, and when it is determined to be a lateral penetration attack, the lateral penetration attack is blocked, thereby realizing real-time monitoring of lateral penetration attacks, preventing their spread, improving the monitoring of network security, and solving the technical problem that traditional network attack detection methods in the prior art cannot monitor lateral penetration attacks, leaving dead ends in network security monitoring.
Description of Drawings
FIG. 1 is a schematic structural diagram of the lateral penetration protection device of the hardware operating environment involved in the embodiments of the present application;
FIG. 2 is a schematic flowchart of the first embodiment of the lateral penetration protection method of the present application;
FIG. 3 is a schematic flowchart of the second embodiment of the lateral penetration protection method of the present application;
FIG. 4 is a schematic flowchart of the third embodiment of the lateral penetration protection method of the present application;
FIG. 5 is a schematic flowchart of the fourth embodiment of the lateral penetration protection method of the present application;
FIG. 6 is a schematic flowchart of the fifth embodiment of the lateral penetration protection method of the present application;
FIG. 7 is a schematic flowchart of the sixth embodiment of the lateral penetration protection method of the present application;
FIG. 8 is a schematic flowchart of the seventh embodiment of the lateral penetration protection method of the present application;
FIG. 9 is a schematic flowchart of the eighth embodiment of the lateral penetration protection method of the present application;
FIG. 10 is a schematic flowchart of the ninth embodiment of the lateral penetration protection method of the present application;
FIG. 11 is a structural block diagram of the first embodiment of the lateral penetration protection apparatus of the present application.
The realization of the purpose, the functional features and the advantages of the present application are further described below with reference to the accompanying drawings in conjunction with the embodiments.
Embodiments of the Present Invention
It should be understood that the specific embodiments described here are only used to explain the present application and are not intended to limit it.
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of the lateral penetration protection device of the hardware operating environment involved in the embodiments of the present application.
As shown in FIG. 1, the lateral penetration protection device may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 is used to realize connection and communication between these components. The user interface 1003 may include a display screen (Display), and optionally may also include a standard wired interface and a wireless interface; in this application the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (for example a wireless fidelity (WI-FI) interface). The memory 1005 may be a high-speed random access memory (RAM), or a non-volatile memory (NVM) such as a disk memory. Optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
Those skilled in the art will understand that the structure shown in FIG. 1 does not constitute a limitation on the lateral penetration protection device, which may include more or fewer components than shown, combine some components, or arrange the components differently.
As shown in FIG. 1, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and a lateral penetration protection program.
In the lateral penetration protection device shown in FIG. 1, the network interface 1004 is mainly used to connect to a background server and exchange data with it; the user interface 1003 is mainly used to connect to user equipment; and the lateral penetration protection device invokes, through the processor 1001, the lateral penetration protection program stored in the memory 1005 and executes the lateral penetration protection method provided by the embodiments of the present application.
Based on the above hardware structure, embodiments of the lateral penetration protection method of the present application are proposed.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of the first embodiment of the lateral penetration protection method of the present application, and the first embodiment of the lateral penetration protection method of the present application is proposed.
In the first embodiment, the lateral penetration protection method includes the following steps:
Step S10: when a penetration attack is detected, identify the attack type of the penetration attack;
It should be noted that the execution body of this embodiment is the lateral penetration protection device, which may be an electronic device such as a personal computer or a server; this embodiment does not limit it. When a penetration attack is detected, the attack type of the penetration attack can be identified in a variety of ways. Four ways are described below as examples; of course, at least two of them may also be combined. In addition, other ways of identifying the attack type of the penetration attack may be adopted as the actual situation requires, which this embodiment does not limit.
It is easy to understand that, after entering the intranet, an attacker searches the intranet environment for target machines that have vulnerabilities (weak passwords, improper permission configuration, credential theft, etc.) or that can be reached by remote access (generally enabled by default). Once a target machine can be accessed, the attacker uses various means to further penetrate and control it. At present, the most common lateral penetration methods are the remote service method, the remote scheduled task method, the remote WMI method and the remote COM method.
Specifically, when a penetration attack is detected, the attack type of the penetration attack can be identified by a preset HOOK engine, which can call a process function to identify the attack type; the process functions may include a service process function, an operation process function, an operation interface process function and a desktop process function. In the first way, when a penetration attack is detected, the preset HOOK engine calls the service process function to identify the attack type of the penetration attack as the remote service method. In the second way, when a penetration attack is detected, the preset HOOK engine calls the operation process function to identify the attack type as the remote scheduled task method. In the third way, when a penetration attack is detected, the preset HOOK engine calls the operation interface process function to identify the attack type as the remote WMI method. In the fourth way, when a penetration attack is detected, the preset HOOK engine calls the desktop process function to identify the attack type as the remote COM method.
Step S20: determine attack information according to the attack type;
It is easy to understand that the step of determining the attack information according to the attack type may include: determining the attack source IP according to the attack type; obtaining the attack instruction corresponding to the attack source IP through a preset mapping relationship; and determining the attack information according to the attack type, the attack source IP and the attack instruction.
It should be noted that, for example, when a penetration attack is detected, the preset HOOK engine calls the service process function to identify the attack type of the penetration attack as the remote service method; the attack source IP is determined according to the penetration attack of the remote service method; the attack instruction corresponding to the attack source IP is obtained through the preset mapping relationship; and the attack information is determined according to the attack type, the attack source IP and the attack instruction.
Specifically, the network data packets of the penetration attack corresponding to the remote service method are obtained and parsed layer by layer according to the format of the network protocol in the packets, and the packet contents are extracted; the packet contents are correlated and the packets reassembled to restore the application-layer packet contents, from which the network address of the attacking host is obtained. The network address of the attacking host may include a MAC address and an IP address, and the network address of the attacking host is used as the attack source IP.
Specifically, the attack instruction corresponding to the attack source IP is obtained through the preset mapping relationship. Before step S10 of this embodiment, the preset mapping relationship needs to be established: it is the correspondence between attack source IPs and attack instructions obtained in advance through reverse analysis, and this correspondence between attack source IP and attack instruction is stored as the preset mapping relationship. The reverse analysis of the attack source IP may proceed as follows: the structure, process, algorithm and code associated with the attack source IP are reverse-disassembled and analysed; the source code, design principle, structure, algorithm, processing flow, operation method and documentation of the attack source IP are derived; the program architecture, communication protocol and command format are obtained; a monitoring configuration file is generated; and the attack instruction is obtained according to the monitoring configuration file.
Step S30: determine, according to a preset engine determination policy, whether the attack information is a lateral penetration attack.
It should be noted that whether the attack information is a lateral penetration attack is determined according to a preset engine determination policy. A variety of preset engine determination policies can be used to determine whether the attack information is a lateral penetration attack. Three ways are described below as examples; of course, at least two of them may also be combined. In addition, the preset engine determination policy may be another policy adopted as the actual situation requires, which this embodiment does not limit.
Specifically, in the first way, whether the attack information is a lateral penetration attack is determined according to a preset lateral penetration engine determination policy: attack event data packets are extracted from the attack information according to the preset lateral penetration engine determination policy; the attack event data packets are processed by a clustering algorithm to obtain attack pattern information; and whether the attack information is a lateral penetration attack is determined according to the attack pattern information.
In the second way, the preset lateral penetration engine determination policy is combined with a preset HIPS engine determination policy to determine whether the attack information is a lateral penetration attack: attack event data packets are extracted from the attack information according to the preset lateral penetration engine determination policy; the attack event data packets are processed by a clustering algorithm to obtain attack pattern information; the attack pattern information is analysed according to the time series to obtain restored attack scenario information; a target attack chain is constructed according to the restored attack scenario information and the attack information; the host intrusion prevention system is obtained according to the preset HIPS engine determination policy; and whether the attack information is a lateral penetration attack is determined by the host intrusion prevention system according to the attack pattern information and the target attack chain. The host intrusion prevention system can identify the remote registry type of penetration attack and the remote system tool invocation type of penetration attack.
In the third way, the preset lateral penetration engine determination policy is combined with a preset cloud rule engine determination policy to determine whether the attack information is a lateral penetration attack: attack event data packets are extracted from the attack information according to the preset lateral penetration engine determination policy; the attack event data packets are processed by a clustering algorithm to obtain attack pattern information; cloud rules are obtained according to the preset cloud rule engine determination policy; the attack pattern information is analysed according to the cloud rules to obtain cloud analysis information; and whether the attack information is a lateral penetration attack is determined according to the attack pattern information and the cloud analysis information.
Step S40: when the attack information is a lateral penetration attack, block the lateral penetration attack.
It is easy to understand that the step of blocking the lateral penetration attack when the attack information is a lateral penetration attack may include: when the attack information is a lateral penetration attack, determining whether the lateral penetration attack is a target lateral penetration attack; when the lateral penetration attack is the target lateral penetration attack, blocking the target lateral penetration attack according to a preset attack blocking method; and when the lateral penetration attack is not the target lateral penetration attack, blocking the lateral penetration attack according to the host intrusion prevention system.
Specifically, the target lateral penetration attack may include the remote service method, the remote scheduled task method, the remote WMI method and the remote COM method; the preset attack blocking method may include at least one of adding the attack source IP of the lateral penetration attack to a blacklist, terminating the malicious process of the lateral penetration attack, and closing the compromised port of the lateral penetration attack. When the lateral penetration attack is not the target lateral penetration attack, the lateral penetration attack may be the remote registry method or the remote system tool invocation method, and the remote registry method and the remote system tool invocation method are blocked according to the host intrusion prevention system.
It should be noted that, after the step of blocking the lateral penetration attack when the attack information is a lateral penetration attack, the method may further include: generating an attack log file according to the lateral penetration attack; analysing the attack log file to generate an analysis report; and displaying the analysis report. After the step of blocking the lateral penetration attack when the attack information is a lateral penetration attack, the method may also further include: prompting the user through a pop-up window that the host is under a lateral penetration attack.
In this embodiment, when a penetration attack is detected, the attack type of the penetration attack is identified; attack information is determined according to the attack type; whether the attack information is a lateral penetration attack is determined according to a preset engine determination policy; and when the attack information is a lateral penetration attack, the lateral penetration attack is blocked. In this way, whether the attack information is a lateral penetration attack is determined from the captured attack information and the preset engine determination policy, and when it is determined to be a lateral penetration attack it is blocked, thereby achieving real-time monitoring of lateral penetration attacks, preventing their spread, improving network security monitoring, and solving the technical problem in the prior art that traditional network attack detection methods cannot monitor lateral penetration attacks, leaving blind spots in network security monitoring.
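Steps S10 to S40 of the first embodiment, as one added C example that is not part of the patent or of the applicant's product. It models each hooked call as an event carrying the intercepted function name, the attack source IP and a timestamp; the service and scheduled-task function names are the ones the patent lists, while the "COM::" label, the IP-to-instruction mapping entries, the three-calls-in-sixty-seconds policy standing in for the clustering engine, and the sample events are constructed assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Step S10 attack types: the four target methods, plus "other" for what the
 * patent leaves to the host intrusion prevention system (HIPS). */
typedef enum { ATTACK_REMOTE_SERVICE, ATTACK_REMOTE_SCHEDULED_TASK,
               ATTACK_REMOTE_WMI, ATTACK_REMOTE_COM, ATTACK_OTHER } attack_type_t;
/* Step S40 decision. */
typedef enum { BLOCK_NONE, BLOCK_BLACKLIST_IP, BLOCK_HIPS } block_action_t;

/* One event handed over by the HOOK engine (constructed layout). */
typedef struct {
    const char *hooked_fn;  /* intercepted RPC/COM function */
    const char *source_ip;  /* attack source IP recovered from the packet */
    long        timestamp;  /* seconds */
} hook_event_t;

/* Attack information assembled in step S20. */
typedef struct {
    attack_type_t type;
    const char   *source_ip;
    const char   *instruction;  /* from the preset mapping relationship */
} attack_info_t;

/* Step S10: map the intercepted function to an attack type. The service and
 * task names are the ones the patent lists; the "COM::" label is assumed. */
attack_type_t classify_attack(const char *fn) {
    static const char *svc[] = { "RCreateServiceW", "RCreateServiceWOW64W",
        "RChangeServiceConfigW", "RChangeServiceConfig2W", "RDeleteServiceW",
        "RStartServiceW" };
    for (size_t i = 0; i < sizeof svc / sizeof svc[0]; i++)
        if (strcmp(fn, svc[i]) == 0) return ATTACK_REMOTE_SERVICE;
    if (strcmp(fn, "SchRpcRegisterTask") == 0) return ATTACK_REMOTE_SCHEDULED_TASK;
    if (strncmp(fn, "IWbemServices::", 15) == 0) return ATTACK_REMOTE_WMI;
    if (strncmp(fn, "COM::", 5) == 0) return ATTACK_REMOTE_COM;
    return ATTACK_OTHER;
}

/* Step S20: preset mapping from source IP to the attack instruction that
 * earlier reverse analysis associated with it (constructed entries). */
const char *lookup_instruction(const char *ip) {
    static const struct { const char *ip, *instr; } map[] = {
        { "10.0.0.5", "create-service" }, { "10.0.0.9", "register-task" } };
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
        if (strcmp(ip, map[i].ip) == 0) return map[i].instr;
    return "unknown";
}

attack_info_t determine_attack_info(const hook_event_t *ev) {
    attack_info_t info = { classify_attack(ev->hooked_fn), ev->source_ip,
                           lookup_instruction(ev->source_ip) };
    return info;
}

/* Step S30, simplified: the events of one source IP form the "attack
 * pattern"; THRESHOLD or more hooked calls within WINDOW seconds of the
 * first one count as lateral penetration. Both numbers are assumptions. */
#define THRESHOLD 3
#define WINDOW    60
int is_lateral_penetration(const hook_event_t *evs, size_t n, const char *ip) {
    long first = -1;
    int  count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(evs[i].source_ip, ip) != 0) continue;
        if (first < 0) first = evs[i].timestamp;
        if (evs[i].timestamp - first <= WINDOW) count++;
    }
    return count >= THRESHOLD;
}

/* Steps S30 and S40 for one source: target types get the preset blocking
 * method (blacklist the IP); anything else is left to the HIPS. */
block_action_t decide_for_source(const hook_event_t *evs, size_t n, const char *ip) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(evs[i].source_ip, ip) != 0) continue;
        if (!is_lateral_penetration(evs, n, ip)) return BLOCK_NONE;
        attack_info_t info = determine_attack_info(&evs[i]);
        return info.type == ATTACK_OTHER ? BLOCK_HIPS : BLOCK_BLACKLIST_IP;
    }
    return BLOCK_NONE;  /* no event from that source */
}

/* Constructed sample: three service-control calls from one host within ten
 * seconds, and a single task registration from another. */
static const hook_event_t SAMPLE[] = {
    { "RCreateServiceW",       "10.0.0.5", 100 },
    { "RChangeServiceConfigW", "10.0.0.5", 105 },
    { "RStartServiceW",        "10.0.0.5", 110 },
    { "SchRpcRegisterTask",    "10.0.0.9", 300 },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void) {
    const char *ips[] = { "10.0.0.5", "10.0.0.9" };
    for (size_t i = 0; i < 2; i++)
        printf("%s: lateral=%d action=%d\n", ips[i],
               is_lateral_penetration(SAMPLE, SAMPLE_N, ips[i]),
               (int)decide_for_source(SAMPLE, SAMPLE_N, ips[i]));
    return 0;
}
```

The single source that issues three service-control calls inside the window is classified as a target lateral penetration attack and gets the blacklist action; the host with one task registration stays below the threshold and is not blocked. In a deployment the threshold and window would come from the engine determination policy rather than from constants.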
Referring to FIG. 3, FIG. 3 is a schematic flowchart of the second embodiment of the lateral penetration protection method of the present application. Based on the first embodiment shown in FIG. 2, the second embodiment of the lateral penetration protection method of the present application is proposed.
In the second embodiment, step S10 includes:
Step S11: when a penetration attack is detected, call a service process function to identify the attack type of the penetration attack.
It should be noted that, after entering the intranet, an attacker searches the intranet environment for target machines that have vulnerabilities (weak passwords, improper permission configuration, credential theft, etc.). Once a target machine can be accessed, the attacker uses various means to further penetrate and control it. At present, lateral penetration is most commonly carried out through the remote service method.
Specifically, when a penetration attack is detected, the attack type of the penetration attack can be identified by a preset HOOK engine, which can call a process function to identify the attack type; the process functions may include a service process function, which may be RCreateServiceW, RCreateServiceWOW64W, RChangeServiceConfigW, RChangeServiceConfig2W, RDeleteServiceW or RStartServiceW.
In this embodiment, when a penetration attack is detected, a service process function is called to identify the attack type of the penetration attack. In this way, the service process function is called to identify the attack type of the penetration attack, which is used to determine whether the penetration attack is a lateral penetration attack; when it is determined to be a lateral penetration attack, it is blocked, thereby achieving real-time monitoring of lateral penetration attacks, preventing their spread, improving network security monitoring, and solving the technical problem in the prior art that traditional network attack detection methods cannot monitor lateral penetration attacks, leaving blind spots in network security monitoring.
Referring to FIG. 4, FIG. 4 is a schematic flowchart of the third embodiment of the lateral penetration protection method of the present application. Based on the second embodiment shown in FIG. 3, the third embodiment of the lateral penetration protection method of the present application is proposed.
In the third embodiment, step S11 specifically includes:
Step S110: when a penetration attack is detected, modify the pointer address in the system call table so that the pointer address points to the service process function.
It should be noted that when a penetration attack is detected, a related function can be called to initiate a system call request; at this point the system function can execute the int 0x80 software interrupt instruction, whose execution makes the system jump to a preset kernel control address, so that the program enters the operating system kernel state and the pointer address in the system call table is modified to point to the service process function customised in this embodiment, which may be RCreateServiceW, RCreateServiceWOW64W, RChangeServiceConfigW, RChangeServiceConfig2W, RDeleteServiceW or RStartServiceW. The calls to these service process functions can be hooked. For example, sys_call_table[__NR_open] is modified to point to the RCreateServiceW function.
Step S111: call the service process function through the pointer address, and determine the service process information corresponding to the penetration attack through the service process function.
It is easy to understand that the service process function is called through the pointer address, and the service process function may be RCreateServiceW, RCreateServiceWOW64W, RChangeServiceConfigW, RChangeServiceConfig2W, RDeleteServiceW or RStartServiceW. The service process information corresponding to the penetration attack is determined through the service process function.
Specifically, for example, sys_call_table[__NR_open] is modified to point to the RCreateServiceW function. The specified function can then be looked up through sys_call_table[__NR_open]; the system first calls the service process function RCreateServiceW customised in this embodiment, which records information such as the process id of the application and the type of file read, thereby recording the attack behaviour information of the penetration attack; after recording is complete, the service process information corresponding to the penetration attack is generated from the attack behaviour information.
Step S112: identify the attack type of the penetration attack according to the service process information.
It should be noted that, according to the service process information, the broad attack type of the penetration attack can be identified as lateral penetration through the remote service method. Further, the attack source IP still needs to be determined according to the attack type; the attack instruction corresponding to the attack source IP is obtained through the preset mapping relationship; and the attack information is determined according to the attack type, the attack source IP and the attack instruction. Whether the attack information is a lateral penetration attack is determined according to the preset engine determination policy, and when the attack information is a lateral penetration attack, the lateral penetration attack is blocked.
In this embodiment, when a penetration attack is detected, the pointer address in the system call table is modified so that it points to the service process function; the service process function is called through the pointer address, and the service process information corresponding to the penetration attack is determined through the service process function; and the attack type of the penetration attack is identified according to the service process information. In this way, the service process function is called to identify the attack type of the penetration attack, which is used to determine whether the penetration attack is a lateral penetration attack; when it is determined to be a lateral penetration attack, it is blocked, thereby achieving real-time monitoring of lateral penetration attacks, preventing their spread, improving network security monitoring, and solving the technical problem in the prior art that traditional network attack detection methods cannot monitor lateral penetration attacks, leaving blind spots in network security monitoring.
Referring to FIG. 5, FIG. 5 is a schematic flowchart of the fourth embodiment of the lateral penetration protection method of the present application. Based on the first embodiment shown in FIG. 2, the fourth embodiment of the lateral penetration protection method of the present application is proposed. This embodiment is described on the basis of the first embodiment.
In the fourth embodiment, step S10 includes:
Step S12: when a penetration attack is detected, call an operation process function to identify the attack type of the penetration attack.
It should be noted that, after entering the intranet, an attacker searches the intranet environment for target machines that have vulnerabilities (weak passwords, improper permission configuration, credential theft, etc.). Once a target machine can be accessed, the attacker uses various means to further penetrate and control it. At present, lateral penetration is most commonly carried out through the remote scheduled task method.
Specifically, when a penetration attack is detected, the attack type of the penetration attack can be identified by a preset HOOK engine, which can call a process function to identify the attack type; the process functions may include an operation process function, which may be SchRpcRegisterTask.
In this embodiment, when a penetration attack is detected, an operation process function is called to identify the attack type of the penetration attack. In this way, the operation process function is called to identify the attack type of the penetration attack, which is used to determine whether the penetration attack is a lateral penetration attack; when it is determined to be a lateral penetration attack, it is blocked, thereby achieving real-time monitoring of lateral penetration attacks, preventing their spread, improving network security monitoring, and solving the technical problem in the prior art that traditional network attack detection methods cannot monitor lateral penetration attacks, leaving blind spots in network security monitoring.
Referring to FIG. 6, FIG. 6 is a schematic flowchart of the fifth embodiment of the lateral penetration protection method of the present application. Based on the fourth embodiment shown in FIG. 5, the fifth embodiment of the lateral penetration protection method of the present application is proposed. This embodiment is described on the basis of the fourth embodiment.
In the fifth embodiment, step S12 specifically includes:
Step S120: when a penetration attack is detected, call the operation process function and set a registered HOOK point through the operation process function.
It should be noted that when the Windows host starts, monitoring for penetration attacks starts together with the kernel module, and the operation process can be monitored by hooking through a process HOOK monitor. When a penetration attack is detected, the operation process function is called, which may be SchRpcRegisterTask, and a registered HOOK point is set through the operation process function, for example through the SchRpcRegisterTask function.
Step S121: monitor the creation of the operation process of the penetration attack through the registered HOOK point.
It is easy to understand that when the creation of the operation process of the penetration attack is detected, the registered HOOK point is triggered, so the creation of the operation process of the penetration attack can be monitored through the registered HOOK point.
Step S122: when the creation of the operation process of the penetration attack is detected, determine the operation process information corresponding to the penetration attack through the registered HOOK point.
It should be noted that when the creation of the operation process of the penetration attack is detected, the registered HOOK point is triggered and the process behaviour feature information of the penetration attack is obtained; a pre-stored matching feature module can be called to match against the process behaviour feature information, monitoring for and discovering attack behaviour information based on command execution; the attack behaviour information corresponding to the penetration attack is stored and used as the operation process information.
Step S123: identify the attack type of the penetration attack according to the operation process information.
It is easy to understand that, according to the operation process information, the broad attack type of the penetration attack can be identified as lateral penetration through the remote scheduled task method. Further, the attack source IP still needs to be determined according to the attack type; the attack instruction corresponding to the attack source IP is obtained through the preset mapping relationship; and the attack information is determined according to the attack type, the attack source IP and the attack instruction. Whether the attack information is a lateral penetration attack is determined according to the preset engine determination policy, and when the attack information is a lateral penetration attack, the lateral penetration attack is blocked.
It should be noted that the operation process can also be monitored by hooking through a file HOOK. The file HOOK can register HOOK points on the read() and write() functions; when a file is read or modified on the host, the registered HOOK point is triggered and the process behaviour feature information of the penetration attack is obtained; a pre-stored matching feature module can be called to match against the process behaviour feature information, monitoring for and discovering attack behaviour information such as command execution and illegal logins; the attack behaviour information corresponding to the penetration attack is stored and used as the operation process information, and the attack type of the penetration attack is identified according to the operation process information.
In this embodiment, when a penetration attack is detected, the operation process function is called and a registered HOOK point is set through the operation process function; the creation of the operation process of the penetration attack is monitored through the registered HOOK point; when the creation of the operation process of the penetration attack is detected, the operation process information corresponding to the penetration attack is determined through the registered HOOK point; and the attack type of the penetration attack is identified according to the operation process information. In this way, the operation process function is called to identify the attack type of the penetration attack, which is used to determine whether the penetration attack is a lateral penetration attack; when it is determined to be a lateral penetration attack, it is blocked, thereby achieving real-time monitoring of lateral penetration attacks, preventing their spread, improving network security monitoring, and solving the technical problem in the prior art that traditional network attack detection methods cannot monitor lateral penetration attacks, leaving blind spots in network security monitoring.
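The hook mechanism of the third embodiment (steps S110 to S112: redirecting a table pointer to a recording function that then calls the original) and the registered HOOK point of the fifth embodiment (steps S120 to S123, including the file HOOK on read(): matching the recorded call against pre-stored features), as one added C example that is not the patent's own code. It replaces the kernel's call table with an in-process function-pointer table so the program runs stand-alone; the two entry names, the stubbed originals, the feature rule (an executable outside C:\Windows) and the sample calls are constructed assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Record the hook writes each time an intercepted entry fires (constructed
 * layout; the patent records the caller's process id and the file type). */
typedef struct {
    const char *entry;     /* name of the intercepted table entry */
    int         pid;       /* calling process id */
    const char *argument;  /* service binary path or file path seen by the call */
    int         flagged;   /* matched the pre-stored feature list */
} hook_record_t;

#define MAX_RECORDS 32
static hook_record_t g_records[MAX_RECORDS];
static int           g_nrecords = 0;

/* Every table entry shares one signature: (caller pid, argument) -> status. */
typedef int (*entry_fn)(int pid, const char *arg);

/* Two stubbed originals standing in for the system's own handlers. */
static int original_create_service(int pid, const char *arg) { (void)pid; (void)arg; return 0; }
static int original_read(int pid, const char *arg)           { (void)pid; (void)arg; return 0; }

/* In-process stand-in for the system call / RPC dispatch table. */
enum { ENTRY_CREATE_SERVICE = 0, ENTRY_READ = 1, ENTRY_COUNT };
static entry_fn    g_table[ENTRY_COUNT] = { original_create_service, original_read };
static entry_fn    g_saved[ENTRY_COUNT];                 /* originals, for chaining */
static const char *g_names[ENTRY_COUNT] = { "RCreateServiceW", "read" };

/* Pre-stored matching feature (assumed rule): an executable outside
 * C:\Windows being registered as a service or read is worth flagging. */
int match_feature(const char *arg) {
    size_t n = strlen(arg);
    int is_exe    = n >= 4 && strcmp(arg + n - 4, ".exe") == 0;
    int in_system = strncmp(arg, "C:\\Windows\\", 11) == 0;
    return is_exe && !in_system;
}

/* Step S111 analogue: record pid and argument, then chain to the saved
 * original so the intercepted operation still completes normally. */
static int record_and_forward(int idx, int pid, const char *arg) {
    if (g_nrecords < MAX_RECORDS) {
        hook_record_t *r = &g_records[g_nrecords++];
        r->entry = g_names[idx]; r->pid = pid; r->argument = arg;
        r->flagged = match_feature(arg);
    }
    return g_saved[idx](pid, arg);
}
static int hook_create_service(int pid, const char *arg) { return record_and_forward(ENTRY_CREATE_SERVICE, pid, arg); }
static int hook_read(int pid, const char *arg)           { return record_and_forward(ENTRY_READ, pid, arg); }

/* Step S110 analogue: redirect the table pointer to the hook, keeping the
 * original. Refuses to hook an entry twice (the hook would call itself). */
int install_hook(int idx, entry_fn hook) {
    if (idx < 0 || idx >= ENTRY_COUNT || g_table[idx] == hook) return -1;
    g_saved[idx] = g_table[idx];
    g_table[idx] = hook;
    return 0;
}

/* Callers keep dispatching through the table and never see the hook. */
int dispatch(int idx, int pid, const char *arg) { return g_table[idx](pid, arg); }

int record_count(void) { return g_nrecords; }
int flagged_count(void) {
    int c = 0;
    for (int i = 0; i < g_nrecords; i++) c += g_records[i].flagged;
    return c;
}
const hook_record_t *record_at(int i) { return (i >= 0 && i < g_nrecords) ? &g_records[i] : NULL; }

/* Constructed sequence: two service registrations and one file read.
 * Returns the number of records that matched the feature rule. */
int run_sample(void) {
    g_nrecords = 0;
    install_hook(ENTRY_CREATE_SERVICE, hook_create_service);
    install_hook(ENTRY_READ, hook_read);
    dispatch(ENTRY_CREATE_SERVICE, 4242, "C:\\Users\\Public\\update.exe");
    dispatch(ENTRY_CREATE_SERVICE, 1000, "C:\\Windows\\System32\\svchost.exe");
    dispatch(ENTRY_READ, 4242, "C:\\Users\\Public\\notes.txt");
    return flagged_count();
}

int main(void) {
    run_sample();
    for (int i = 0; i < record_count(); i++)
        printf("%s pid=%d arg=%s flagged=%d\n", g_records[i].entry, g_records[i].pid,
               g_records[i].argument, g_records[i].flagged);
    return 0;
}
```

Two design points carry over to a real hook engine: the original pointer is saved before it is overwritten, so the hook can forward and the monitored system keeps working, and installation is refused when the entry already points at the hook, since a double install would make the hook chain to itself.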
Referring to FIG. 7, which is a schematic flowchart of the sixth embodiment of the lateral penetration protection method of the present application, a sixth embodiment is proposed on the basis of the first embodiment shown in FIG. 2. This embodiment is described on the basis of the first embodiment.
In the sixth embodiment, step S10 includes:
Step S13: when a penetration attack is detected, call an operation interface process function to identify the attack type of the penetration attack.
It should be noted that after entering the intranet, an attacker searches the internal network for target machines with exploitable weaknesses (weak passwords, misconfigured permissions, stolen credentials, and so on); once a target machine is reachable, the attacker uses various techniques to penetrate further and take control of it. At present the most common technique is lateral penetration through remote WMI.
Specifically, when a penetration attack is detected, a preset HOOK engine can identify its attack type by calling a process function. The process function may include an operation interface process function, which may be a function of the IWbemServices interface.
In this embodiment, when a penetration attack is detected, an operation interface process function is called to identify the attack type of the penetration attack. In this way the operation interface process function identifies the attack type, which is used to judge whether the penetration attack is a lateral penetration attack; when it is, the lateral penetration attack is blocked. This provides real-time monitoring of lateral penetration attacks, stops them from spreading, improves network security monitoring, and addresses the problem that traditional network attack detection methods cannot monitor lateral penetration attacks and leave blind spots in network security monitoring.
Referring to FIG. 8, which is a schematic flowchart of the seventh embodiment of the lateral penetration protection method of the present application, a seventh embodiment is proposed on the basis of the sixth embodiment shown in FIG. 7. This embodiment is described on the basis of the sixth embodiment.
In the seventh embodiment, step S13 includes:
Step S130: when a penetration attack is detected, obtain the interface output parameters corresponding to the penetration attack.
It should be noted that the operation process can also be monitored through a network HOOK. A network HOOK registers a HOOK point at the netfilter NF_INET_LOCAL_IN hook (named NF_IP_LOCAL_IN in older kernels); when a network connection reaches the host, the registered HOOK point fires, the penetration attack is detected, and the interface output parameters corresponding to the penetration attack are obtained.
Step S131: call an operation interface process function, and extract interface process information from the interface output parameters through the operation interface process function.
It is easy to understand that the operation interface process function, which may be an IWbemServices interface function, is called and the interface process information is extracted from the interface output parameters through it. After the interface output parameters of the penetration attack are obtained, the operation interface process function can HOOK those parameters to monitor and discover attack behaviour information such as unauthorised access over the various network protocols and abnormal access data of specific protocols; the attack behaviour information corresponding to the penetration attack is stored and used as the interface process information.
Step S132: identify the attack type of the penetration attack according to the interface process information.
It should be noted that the interface process information identifies the broad category of the attack type as lateral penetration through remote WMI. Further, the attack source IP is determined according to the attack type; the attack instruction corresponding to the attack source IP is obtained through a preset mapping relationship; and the attack information is determined according to the attack type, the attack source IP and the attack instruction. Whether the attack information is a lateral penetration attack is judged according to a preset engine determination policy, and when it is, the lateral penetration attack is blocked.
In this embodiment, when a penetration attack is detected, the interface output parameters corresponding to the penetration attack are obtained; an operation interface process function is called and the interface process information is extracted from the interface output parameters through it; and the attack type of the penetration attack is identified according to the interface process information. In this way the operation interface process function identifies the attack type, which is used to judge whether the penetration attack is a lateral penetration attack; when it is, the lateral penetration attack is blocked. This provides real-time monitoring of lateral penetration attacks, stops them from spreading, improves network security monitoring, and addresses the problem that traditional network attack detection methods cannot monitor lateral penetration attacks and leave blind spots in network security monitoring.
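The chain this embodiment describes, from the network HOOK and the WMI interface HOOK through attack type, attack source IP, the preset mapping to an attack instruction, attack information and the engine determination, as an added example that is not code from the patent or its assignee. Both event streams are constructed; the join of the WMI call to the latest inbound TCP 135 connection, the 120-second cluster window and the "two hosts or a shell command" rule are assumptions standing in for the preset mapping relationship and the preset engine determination policy.

```python
"""Attack information and engine determination over hooked events.

Added example, not code from the patent or its assignee. It assumes two
constructed event streams: inbound-connection records from a netfilter-style
NF_INET_LOCAL_IN hook, and call records from the IWbemServices interface
hook. The port-135 join, the 120-second cluster window and the
"two hosts or a shell command" rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetEvent:
    """One inbound connection seen at the network HOOK point."""
    ts: float
    src_ip: str
    dst_host: str
    dst_port: int


@dataclass(frozen=True)
class IfaceEvent:
    """One call seen at the IWbemServices interface hook on dst_host."""
    ts: float
    dst_host: str
    method: str      # e.g. "ExecMethod:Win32_Process.Create"
    argument: str    # command line handed to the method


@dataclass
class AttackInfo:
    attack_type: str
    src_ip: str
    first_ts: float
    hosts: List[str] = field(default_factory=list)
    instructions: List[str] = field(default_factory=list)


def identify_attack_type(ev: IfaceEvent) -> Optional[str]:
    """Step S132: remote process creation through WMI is the reported type."""
    return "remote WMI" if ev.method == "ExecMethod:Win32_Process.Create" else None


def determine_source_ip(ev: IfaceEvent, net: List[NetEvent],
                        max_gap: float = 5.0) -> Optional[str]:
    """The hooked WMI call carries no client address, so join it with the
    latest inbound DCOM endpoint-mapper connection (TCP 135) to the same host
    that the network hook recorded shortly before the call (assumed join)."""
    cands = [n for n in net
             if n.dst_host == ev.dst_host and n.dst_port == 135
             and 0.0 <= ev.ts - n.ts <= max_gap]
    return max(cands, key=lambda n: n.ts).src_ip if cands else None


def build_attack_info(iface: List[IfaceEvent], net: List[NetEvent],
                      window: float = 120.0) -> List[AttackInfo]:
    """Cluster identified events per (attack type, source IP) within window."""
    infos: List[AttackInfo] = []
    for ev in sorted(iface, key=lambda e: e.ts):
        attack_type = identify_attack_type(ev)
        src_ip = determine_source_ip(ev, net) if attack_type else None
        if attack_type is None or src_ip is None:
            continue
        info = next((a for a in infos if a.src_ip == src_ip
                     and a.attack_type == attack_type
                     and ev.ts - a.first_ts <= window), None)
        if info is None:
            info = AttackInfo(attack_type, src_ip, ev.ts)
            infos.append(info)
        info.hosts.append(ev.dst_host)
        info.instructions.append(ev.argument)
    return infos


SHELLS = ("cmd.exe", "powershell", "mshta", "rundll32")


def is_lateral(info: AttackInfo) -> bool:
    """Assumed determination rule: the same source creating processes on two
    or more hosts, or launching a shell on any host, is lateral penetration."""
    spreads = len(set(info.hosts)) >= 2
    shell = any(i.lower().startswith(SHELLS) for i in info.instructions)
    return spreads or shell


def decide(infos: List[AttackInfo]) -> List[Tuple[str, str]]:
    """(source IP, action) per cluster; lateral clusters are blocked at the
    source address, standing in for the preset attack blocking method."""
    return [(a.src_ip, "block src" if is_lateral(a) else "allow") for a in infos]


# Constructed sample telemetry, not real captures.
SAMPLE_NET = [
    NetEvent(100.0, "10.0.0.5", "ws01", 135),
    NetEvent(160.0, "10.0.0.5", "ws02", 135),
    NetEvent(300.0, "10.0.0.9", "srv01", 135),
    NetEvent(301.5, "10.0.0.7", "srv01", 445),   # SMB, never joined to a WMI call
]
SAMPLE_IFACE = [
    IfaceEvent(100.5, "ws01", "ExecQuery:SELECT * FROM Win32_OperatingSystem", ""),
    IfaceEvent(101.0, "ws01", "ExecMethod:Win32_Process.Create",
               "cmd.exe /c net user backup P@ssw0rd /add"),
    IfaceEvent(161.5, "ws02", "ExecMethod:Win32_Process.Create",
               "powershell -NoP -w hidden -c Get-Process"),
    IfaceEvent(301.0, "srv01", "ExecMethod:Win32_Process.Create",
               r"C:\Program Files\Inventory\agent.exe /scan"),
]

if __name__ == "__main__":
    for src_ip, action in decide(build_attack_info(SAMPLE_IFACE, SAMPLE_NET)):
        print(src_ip, action)
```

The query against Win32_OperatingSystem is never typed as an attack, and the single management-agent launch from 10.0.0.9 is clustered but left alone; only the source that spawned shells on two workstations inside the window is blocked, which is the distinction the engine determination step has to make if legitimate remote administration over WMI is not to be cut off.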
Referring to FIG. 9, which is a schematic flowchart of the eighth embodiment of the lateral penetration protection method of the present application, an eighth embodiment is proposed on the basis of the first embodiment shown in FIG. 2. This embodiment is described on the basis of the first embodiment.
In the eighth embodiment, step S10 includes:
Step S14: when a penetration attack is detected, call a desktop process function to identify the attack type of the penetration attack.
It should be noted that after entering the intranet, an attacker searches the internal network for target machines with exploitable weaknesses (weak passwords, misconfigured permissions, stolen credentials, and so on); once a target machine is reachable, the attacker uses various techniques to penetrate further and take control of it. At present the most common technique is lateral penetration through remote COM.
Specifically, when a penetration attack is detected, a preset HOOK engine can identify its attack type by calling a process function. The process function may include a desktop process function, which may be shell32!ShellExecuteExW and CreateProcessInternalW.
In this embodiment, when a penetration attack is detected, a desktop process function is called to identify the attack type of the penetration attack. In this way the desktop process function identifies the attack type, which is used to judge whether the penetration attack is a lateral penetration attack; when it is, the lateral penetration attack is blocked. This provides real-time monitoring of lateral penetration attacks, stops them from spreading, improves network security monitoring, and addresses the problem that traditional network attack detection methods cannot monitor lateral penetration attacks and leave blind spots in network security monitoring.
Referring to FIG. 10, which is a schematic flowchart of the ninth embodiment of the lateral penetration protection method of the present application, a ninth embodiment is proposed on the basis of the eighth embodiment shown in FIG. 9. This embodiment is described on the basis of the eighth embodiment.
In the ninth embodiment, step S14 includes:
Step S140: when a penetration attack is detected, obtain the remote desktop control behaviour functions corresponding to the penetration attack.
It should be noted that when a penetration attack is detected, the remote desktop control behaviour functions are HOOKed based on the working principle of remote desktop control, and whether remote desktop control behaviour exists on the current device is judged from those functions.
Step S141: call a desktop process function, and HOOK the remote desktop control behaviour functions according to the desktop process function, so as to obtain the operation functions and communication functions of the remote desktop control behaviour.
It is easy to understand that the desktop process function, which may be shell32!ShellExecuteExW and CreateProcessInternalW, is called, and the remote desktop control behaviour functions are HOOKed according to it so as to obtain the operation functions and communication functions of the remote desktop control behaviour.
Step S142: identify the attack type of the penetration attack according to the operation functions and the communication functions.
It should be noted that by HOOKing the remote desktop control behaviour functions through the desktop process function, the operation functions and communication functions of the remote desktop control behaviour are obtained, and checking whether those functions are called tells whether the corresponding operation has occurred. For example, if SendInput, keybd_event or mouse_event is called, a synthetic keyboard or mouse message has been sent; if CreateCompatibleBitmap is called, a screen capture has occurred; and if send() and recv() are called, network communication has occurred. The attack type of the penetration attack can then be identified according to the operation functions and the communication functions.
It is easy to understand that the operation functions and communication functions identify the broad category of the attack type as lateral penetration through remote COM. Further, the attack source IP is determined according to the attack type; the attack instruction corresponding to the attack source IP is obtained through a preset mapping relationship; and the attack information is determined according to the attack type, the attack source IP and the attack instruction. Whether the attack information is a lateral penetration attack is judged according to a preset engine determination policy, and when it is, the lateral penetration attack is blocked.
In this embodiment, when a penetration attack is detected, the remote desktop control behaviour functions corresponding to the penetration attack are obtained; a desktop process function is called and the remote desktop control behaviour functions are HOOKed according to it, so as to obtain their operation functions and communication functions; and the attack type of the penetration attack is identified according to the operation functions and the communication functions. In this way the desktop process function identifies the attack type, which is used to judge whether the penetration attack is a lateral penetration attack; when it is, the lateral penetration attack is blocked. This provides real-time monitoring of lateral penetration attacks, stops them from spreading, improves network security monitoring, and addresses the problem that traditional network attack detection methods cannot monitor lateral penetration attacks and leave blind spots in network security monitoring.
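The step S142 decision, which reads the hooked operation functions and communication functions back into behaviours, as an added example that is not code from the patent or its assignee. The hook engine is assumed to hand over one record per intercepted call as (timestamp, pid, function name); the three function groups are those named in the embodiment, while the 30-second window and the rule that input injection, screen capture and network I/O must all co-occur before a process is called remote desktop control are assumptions.

```python
"""Classify hooked desktop-control API calls into behaviours.

Added example, not code from the patent or its assignee. It assumes the
HOOK engine delivers one record per intercepted call as
(timestamp, pid, function name). The function groups are the ones named
in the embodiment; the 30-second window and the all-three-behaviours rule
are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Operation functions and communication functions named in the embodiment.
BEHAVIOURS: Dict[str, Set[str]] = {
    "input_injection": {"SendInput", "keybd_event", "mouse_event"},
    "screen_capture": {"CreateCompatibleBitmap"},
    "network_io": {"send", "recv"},
}


def behaviours_in(calls: Iterable[str]) -> Set[str]:
    """Which behaviours a collection of called function names implies."""
    names = set(calls)
    return {b for b, funcs in BEHAVIOURS.items() if names & funcs}


def classify_trace(trace: List[Tuple[float, int, str]],
                   window: float = 30.0) -> Dict[int, str]:
    """Per pid: "remote desktop control" when input injection, screen capture
    and network I/O all occur within `window` seconds of one another;
    otherwise the behaviours seen (joined with '+'), or "benign"."""
    by_pid: Dict[int, List[Tuple[float, str]]] = defaultdict(list)
    for ts, pid, fn in trace:
        by_pid[pid].append((ts, fn))
    verdicts: Dict[int, str] = {}
    for pid, calls in by_pid.items():
        calls.sort()
        verdict = None
        for i, (t0, _) in enumerate(calls):
            in_window = [fn for ts, fn in calls[i:] if ts - t0 <= window]
            if behaviours_in(in_window) == set(BEHAVIOURS):
                verdict = "remote desktop control"
                break
        if verdict is None:
            seen = behaviours_in(fn for _, fn in calls)
            verdict = "+".join(sorted(seen)) if seen else "benign"
        verdicts[pid] = verdict
    return verdicts


# Constructed trace (timestamp in seconds, pid, hooked function), not real data.
SAMPLE_TRACE = [
    (0.0, 7000, "recv"),                      # remote-control agent: frames out,
    (1.0, 7000, "CreateCompatibleBitmap"),    # input in, all within seconds
    (1.2, 7000, "send"),
    (2.5, 7000, "SendInput"),
    (5.0, 7100, "CreateCompatibleBitmap"),    # one-off screenshot tool
    (0.5, 7200, "send"),                      # ordinary network client
    (0.9, 7200, "recv"),
    (0.0, 7300, "SendInput"),                 # UI automation, then an unrelated
    (100.0, 7300, "CreateCompatibleBitmap"),  # capture and upload long after:
    (120.0, 7300, "send"),                    # outside the window, not flagged
    (3.0, 7400, "CreateWindowExW"),           # call outside the hooked set
]

if __name__ == "__main__":
    for pid, verdict in sorted(classify_trace(SAMPLE_TRACE).items()):
        print(pid, verdict)
```

Two practitioner caveats apply to this kind of hook. Each of the three behaviours is common on its own (screenshot utilities, automation frameworks, any network client), so the co-occurrence window is what keeps the false-positive rate workable; and user-mode hooks on these APIs can be unhooked or bypassed by calling the underlying system services directly, so a production engine pairs them with kernel-side callbacks rather than relying on them alone.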
In addition, an embodiment of the present application further provides a storage medium on which a lateral penetration protection program is stored; when the lateral penetration protection program is executed by a processor, the steps of the lateral penetration protection method described above are implemented.
Since the storage medium adopts all the technical solutions of all the embodiments above, it has at least all the beneficial effects those solutions bring, which are not repeated here.
In addition, referring to FIG. 11, an embodiment of the present application further proposes a lateral penetration protection apparatus, which includes:
an identification module 10, configured to identify the attack type of a penetration attack when the penetration attack is detected;
a determination module 20, configured to determine attack information according to the attack type;
a judgement module 30, configured to judge, according to a preset engine determination policy, whether the attack information is a lateral penetration attack; and
an execution module 40, configured to block the lateral penetration attack when the attack information is a lateral penetration attack.
This embodiment proposes a lateral penetration protection apparatus that includes an identification module 10, configured to identify the attack type of a penetration attack when the penetration attack is detected; a determination module 20, configured to determine attack information according to the attack type; a judgement module 30, configured to judge, according to a preset engine determination policy, whether the attack information is a lateral penetration attack; and an execution module 40, configured to block the lateral penetration attack when the attack information is a lateral penetration attack. In this way, whether captured attack information is a lateral penetration attack is judged according to the preset engine determination policy, and when it is, the lateral penetration attack is blocked. This provides real-time monitoring of lateral penetration attacks, stops them from spreading, improves network security monitoring, and addresses the problem that traditional network attack detection methods cannot monitor lateral penetration attacks and leave blind spots in network security monitoring.
For other embodiments or specific implementations of the lateral penetration protection apparatus of the present application, reference may be made to the method embodiments above, which are not repeated here.
It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or system that comprises that element.
The serial numbers of the embodiments of the present application above are for description only and do not represent the merits of the embodiments. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not denote any order; these words may be construed as identifiers.
From the description of the embodiments above, those skilled in the art will clearly understand that the methods of the embodiments above can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored on a storage medium (such as a read-only memory image (ROM), random access memory (RAM), magnetic disk or optical disc) that includes instructions causing a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, or the like) to execute the methods described in the embodiments of the present application.
The above are only preferred embodiments of the present application and do not limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present application, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present application.

Claims (20)

  1. A lateral penetration protection method, wherein the lateral penetration protection method comprises the following steps:
    when a penetration attack is detected, identifying the attack type of the penetration attack;
    determining attack information according to the attack type;
    judging, according to a preset engine determination policy, whether the attack information is a lateral penetration attack; and
    when the attack information is a lateral penetration attack, blocking the lateral penetration attack.
  2. The lateral penetration protection method according to claim 1, wherein the step of identifying the attack type of the penetration attack when the penetration attack is detected specifically comprises:
    when the penetration attack is detected, calling a service process function to identify the attack type of the penetration attack.
  3. The lateral penetration protection method according to claim 2, wherein the step of calling a service process function to identify the attack type of the penetration attack when the penetration attack is detected specifically comprises:
    when the penetration attack is detected, modifying a pointer address in the system call table so that the pointer address points to the service process function;
    calling the service process function through the pointer address, and determining, through the service process function, the service process information corresponding to the penetration attack; and
    identifying the attack type of the penetration attack according to the service process information.
  4. The lateral penetration protection method according to claim 1, wherein the step of identifying the attack type of the penetration attack when the penetration attack is detected specifically comprises:
    when the penetration attack is detected, calling an operation process function to identify the attack type of the penetration attack.
  5. The lateral penetration protection method according to claim 4, wherein the step of calling an operation process function to identify the attack type of the penetration attack when the penetration attack is detected specifically comprises:
    when the penetration attack is detected, calling the operation process function and setting a registered HOOK point through the operation process function;
    monitoring, through the registered HOOK point, the creation of the operation process of the penetration attack;
    when the creation of the operation process of the penetration attack is observed, determining, through the registered HOOK point, the operation process information corresponding to the penetration attack; and
    identifying the attack type of the penetration attack according to the operation process information.
  6. The lateral penetration protection method according to claim 1, wherein the step of identifying the attack type of the penetration attack when the penetration attack is detected specifically comprises:
    when the penetration attack is detected, calling an operation interface process function to identify the attack type of the penetration attack.
  7. The lateral penetration protection method according to claim 6, wherein the step of calling an operation interface process function to identify the attack type of the penetration attack when the penetration attack is detected specifically comprises:
    when the penetration attack is detected, obtaining the interface output parameters corresponding to the penetration attack;
    calling the operation interface process function, and extracting interface process information from the interface output parameters through the operation interface process function; and
    identifying the attack type of the penetration attack according to the interface process information.
  8. The lateral penetration protection method according to claim 1, wherein the step of identifying the attack type of the penetration attack when the penetration attack is detected specifically comprises:
    when the penetration attack is detected, calling a desktop process function to identify the attack type of the penetration attack.
  9. The lateral penetration protection method according to claim 8, wherein the step of calling a desktop process function to identify the attack type of the penetration attack when the penetration attack is detected specifically comprises:
    when the penetration attack is detected, obtaining the remote desktop control behaviour functions corresponding to the penetration attack;
    calling the desktop process function, and HOOKing the remote desktop control behaviour functions according to the desktop process function so as to obtain the operation functions and communication functions of the remote desktop control behaviour; and
    identifying the attack type of the penetration attack according to the operation functions and the communication functions.
  10. The lateral penetration protection method according to any one of claims 1 to 9, wherein the step of determining attack information according to the attack type specifically comprises:
    determining an attack source IP according to the attack type;
    obtaining, through a preset mapping relationship, the attack instruction corresponding to the attack source IP; and
    determining the attack information according to the attack type, the attack source IP and the attack instruction.
  11. The lateral penetration protection method according to claim 10, wherein the step of judging, according to a preset engine determination policy, whether the attack information is a lateral penetration attack specifically comprises:
    extracting attack event data packets from the attack information according to the preset engine determination policy;
    processing the attack event data packets with a clustering algorithm to obtain attack pattern information; and
    judging, according to the attack pattern information, whether the attack information is a lateral penetration attack.
  12. The lateral penetration protection method according to claim 10, wherein the step of judging, according to a preset engine determination policy, whether the attack information is a lateral penetration attack specifically comprises:
    extracting attack event data packets from the attack information according to the preset engine determination policy;
    processing the attack event data packets with a clustering algorithm to obtain attack pattern information;
    analysing the attack pattern information as a time series to obtain reconstructed attack scenario information;
    constructing a target attack chain according to the reconstructed attack scenario information and the attack information; and
    judging, through a host intrusion prevention system, whether the attack information is a lateral penetration attack according to the attack pattern information and the target attack chain.
  13. The lateral penetration protection method according to claim 10, wherein the step of judging, according to a preset engine determination policy, whether the attack information is a lateral penetration attack specifically comprises:
    extracting attack event data packets from the attack information according to the preset engine determination policy;
    processing the attack event data packets with a clustering algorithm to obtain attack pattern information;
    performing data analysis on the attack pattern information according to cloud rules to obtain cloud analysis information; and
    judging, according to the attack pattern information and the cloud analysis information, whether the attack information is a lateral penetration attack.
  14. The lateral penetration protection method according to any one of claims 1 to 13, wherein the step of blocking the lateral penetration attack when the attack information is a lateral penetration attack specifically comprises:
    when the attack information is a lateral penetration attack, judging whether the lateral penetration attack is a target lateral penetration attack;
    when the lateral penetration attack is the target lateral penetration attack, blocking the target lateral penetration attack according to a preset attack blocking method; and
    when the lateral penetration attack is not the target lateral penetration attack, blocking the lateral penetration attack through a host intrusion prevention system.
  15. The lateral penetration protection method according to any one of claims 1 to 13, wherein, after the step of blocking the lateral penetration attack when the attack information is a lateral penetration attack, the method further comprises:
    generating an attack log file according to the lateral penetration attack;
    analysing the attack log file to generate an analysis report; and
    displaying the analysis report.
  16. A lateral penetration protection apparatus, wherein the lateral penetration protection apparatus comprises:
    识别模块,用于在监测到渗透攻击时,识别所述渗透攻击的攻击类型;an identification module, used for identifying the attack type of the penetration attack when the penetration attack is detected;
    确定模块,用于根据所述攻击类型确定攻击信息;a determining module, configured to determine attack information according to the attack type;
    判断模块,用于根据预设引擎判定策略判断所述攻击信息是否为横向渗透攻击;a judgment module, configured to judge whether the attack information is a lateral penetration attack according to a preset engine judgment strategy;
    执行模块,用于在所述攻击信息为横向渗透攻击时,阻断所述横向渗透攻击。An execution module, configured to block the lateral penetration attack when the attack information is a lateral penetration attack.
  17. 如权利要求16所述的横向渗透防护装置,其中,所述识别模块,还用于在监测到渗透攻击时,调用服务进程函数,以识别所述渗透攻击的攻击类型。The lateral penetration protection device according to claim 16, wherein the identifying module is further configured to call a service process function to identify the attack type of the penetration attack when the penetration attack is detected.
  18. 如权利要求17所述的横向渗透防护装置,其中,所述识别模块,还用于在监测到渗透攻击时,修改系统调用表中的指针地址,以使所述指针地址指向服务进程函数;The lateral penetration protection device according to claim 17, wherein the identification module is further configured to modify the pointer address in the system call table when the penetration attack is detected, so that the pointer address points to the service process function;
    所述识别模块,还用于通过所述指针地址调用所述服务进程函数,通过所述服务进程函数确定所述渗透攻击对应的服务进程信息;The identification module is further configured to call the service process function through the pointer address, and determine the service process information corresponding to the penetration attack through the service process function;
    所述识别模块,还用于根据所述服务进程信息识别所述渗透攻击的攻击类型。The identifying module is further configured to identify the attack type of the penetration attack according to the service process information.
  19. 一种横向渗透防护设备,其中,所述横向渗透防护设备包括:存储器、处理器及存储在所述存储器上并可在所述处理器上运行的横向渗透防护程序,所述横向渗透防护程序配置有实现如权利要求1至15中任一项所述的横向渗透防护方法的步骤。A lateral penetration protection device, wherein the lateral penetration protection device includes: a memory, a processor, and a lateral penetration protection program stored on the memory and executable on the processor, the lateral penetration protection program configured There are steps to implement a lateral penetration protection method as claimed in any one of claims 1 to 15.
  20. 一种存储介质,其中,所述存储介质上存储有横向渗透防护程序,所述横向渗透防护程序被处理器执行时实现如权利要求1至15中任一项所述的横向渗透防护方法的步骤。A storage medium, wherein a lateral penetration protection program is stored on the storage medium, and when the lateral penetration protection program is executed by a processor, the steps of the lateral penetration protection method according to any one of claims 1 to 15 are implemented .
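One way to exercise the pipeline of claims 10 to 14 end to end (extract attack event packets, cluster them, replay them as a time series into an attack chain, decide, then dispatch blocking) on constructed host events, as an added Python illustration that is not the applicant's code: the event fields, the policy thresholds, the clustering rule, the chain rule and the target-host list are all assumptions made here.

```python
# Constructed sample events (not from the patent): one host pivots over SMB, plus noise.
EVENTS = [
    {"ts": 100, "src": "ws-01", "dst": "srv-01", "svc": "smb", "kind": "remote_exec"},
    {"ts": 130, "src": "ws-01", "dst": "srv-02", "svc": "smb", "kind": "remote_exec"},
    {"ts": 400, "src": "srv-02", "dst": "dc-01", "svc": "smb", "kind": "remote_exec"},
    {"ts": 150, "src": "ws-07", "dst": "srv-01", "svc": "http", "kind": "web_scan"},
]
# Assumed "engine determination policy": event kinds that count as attack event
# packets, max time gap inside one cluster, and hops needed for a chain.
POLICY = {"kinds": {"remote_exec"}, "gap": 300, "min_hops": 2}
TARGET_HOSTS = {"dc-01"}  # assumed: assets that make an attack a "target" attack

def extract_events(events, policy):
    """Step 1: keep only the event kinds the policy treats as attack packets."""
    return sorted((e for e in events if e["kind"] in policy["kinds"]), key=lambda e: e["ts"])

def cluster_events(events, policy):
    """Step 2: single-linkage clustering by service and time proximity (assumed rule)."""
    clusters = []
    for e in events:
        for c in clusters:
            if c["svc"] == e["svc"] and e["ts"] - c["events"][-1]["ts"] <= policy["gap"]:
                c["events"].append(e)
                break
        else:
            clusters.append({"svc": e["svc"], "events": [e]})
    return clusters

def build_chain(cluster):
    """Steps 3-4: replay in time order; keep hops whose source was already reached."""
    reached, chain = set(), []
    for e in cluster["events"]:
        if not chain or e["src"] in reached:
            chain.append((e["src"], e["dst"]))
            reached.update((e["src"], e["dst"]))
    return chain

def is_lateral(attack_info, policy=POLICY):
    """Step 5: lateral penetration if any cluster yields a chain of >= min_hops."""
    clusters = cluster_events(extract_events(attack_info, policy), policy)
    chains = [build_chain(c) for c in clusters]
    return any(len(ch) >= policy["min_hops"] for ch in chains), chains

def block(attack_info, policy=POLICY):
    """Claim 14 style dispatch: preset action for target attacks, HIPS otherwise."""
    lateral, chains = is_lateral(attack_info, policy)
    if not lateral:
        return "none"
    hosts = {h for ch in chains for hop in ch for h in hop}
    return "preset_block" if hosts & TARGET_HOSTS else "hips_block"
```

The single-host scan event is dropped at step 1 because its kind is outside the policy, so it never contributes to a cluster or a chain.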
PCT/CN2021/090702 2020-10-28 2021-04-28 Lateral penetration protection method and apparatus, device and storage medium WO2022088633A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011176011.7 2020-10-28
CN202011176011.7A CN112351017B (en) 2020-10-28 2020-10-28 Transverse penetration protection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2022088633A1 true WO2022088633A1 (en) 2022-05-05

Family

ID=74355645

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/090702 WO2022088633A1 (en) 2020-10-28 2021-04-28 Lateral penetration protection method and apparatus, device and storage medium

Country Status (2)

Country Link
CN (1) CN112351017B (en)
WO (1) WO2022088633A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112351017B (en) * 2020-10-28 2022-08-26 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium
CN114363006A (en) * 2021-12-10 2022-04-15 奇安信科技集团股份有限公司 Protection method and device based on WinRM service
CN114465753A (en) * 2021-12-10 2022-05-10 奇安信科技集团股份有限公司 Remote operation behavior identification method and device, electronic equipment and storage medium
CN114466074B (en) * 2021-12-10 2024-04-30 奇安信科技集团股份有限公司 WMI-based attack behavior detection method and device
CN114499929A (en) * 2021-12-13 2022-05-13 奇安信科技集团股份有限公司 Remote transverse penetration monitoring method and device for planned task intranet
CN114499928A (en) * 2021-12-13 2022-05-13 奇安信科技集团股份有限公司 Remote registry monitoring method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108471429A (en) * 2018-06-29 2018-08-31 北京奇虎科技有限公司 A kind of network attack alarm method and system
CN111314328A (en) * 2020-02-03 2020-06-19 北京字节跳动网络技术有限公司 Network attack protection method and device, storage medium and electronic equipment
CN111581643A (en) * 2020-05-07 2020-08-25 中国工商银行股份有限公司 Penetration attack evaluation method and device, electronic equipment and readable storage medium
US20200336497A1 (en) * 2019-04-18 2020-10-22 International Business Machines Corporation Detecting sensitive data exposure via logging
CN112351017A (en) * 2020-10-28 2021-02-09 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009038818A2 (en) * 2007-04-12 2009-03-26 Core Sdi, Incorporated System and method for providing network penetration testing
CN103986706A (en) * 2014-05-14 2014-08-13 浪潮电子信息产业股份有限公司 Security structure design method dealing with APT attacks
US10291634B2 (en) * 2015-12-09 2019-05-14 Checkpoint Software Technologies Ltd. System and method for determining summary events of an attack
CN111147513B (en) * 2019-12-31 2020-08-14 广州锦行网络科技有限公司 Transverse moving attack path determination method in honey net based on attack behavior analysis
CN111651754A (en) * 2020-04-13 2020-09-11 北京奇艺世纪科技有限公司 Intrusion detection method and device, storage medium and electronic device
CN111756759B (en) * 2020-06-28 2023-04-07 杭州安恒信息技术股份有限公司 Network attack tracing method, device and equipment
CN111565205B (en) * 2020-07-16 2020-10-23 腾讯科技(深圳)有限公司 Network attack identification method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN112351017A (en) 2021-02-09
CN112351017B (en) 2022-08-26

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21884376

Country of ref document: EP

Kind code of ref document: A1