CN103312679A - APT (advanced persistent threat) detection method and system - Google Patents

Publication number: CN103312679A
Authority: CN (China)
Prior art keywords: attack, event, scenarios, sequence, alert
Application number: CN2012100688883A
Other languages: Chinese (zh)
Other versions: CN103312679B
Inventors: 孙海波, 田进山, 周涛
Original assignee: 北京启明星辰信息技术股份有限公司, 北京启明星辰信息安全技术有限公司
Priority application: CN201210068888.3A; application granted as CN103312679B.

Abstract

The invention provides an APT (advanced persistent threat) detection method and system. The method comprises: obtaining the attack steps contained in each APT attack scenario together with the association rule of each step, which is used to decide whether an attack step preceding or following that step exists, where each attack step corresponds to several different events capable of realising it; obtaining the network intrusion detection results and recording the alert events that occur in the network; if an alert event is an event corresponding to an attack step of some attack scenario, triggering the APT detection procedure; and processing the resulting attack sequence and outputting the result as APT information.

Description

Advanced persistent threat detection method and system

Technical field

The present invention relates to the field of information security, and in particular to a method and system for detecting advanced persistent threats.

Background art

As attacks become more organised and more profit-driven, the APT (Advanced Persistent Threat) has become the most serious threat to the information systems of governments and large enterprises. Large-scale network security monitoring, with its wide monitoring range and its coverage of many key organisations, is the ideal environment in which to detect APT attacks.

Technically, an APT is not a new attack technique but the collective name for a class of targeted attacks: the whole process by which an attacker carries out a series of targeted attacks in order to obtain important information from a particular organisation or even a country. An APT attack uses a wide variety of means, including the latest attack methods and social engineering, to gain access to the inside of the organisation step by step. To avoid discovery by intrusion detection equipment, the attacker tends to write attack tools tailored to the target rather than use generic attack code.

APT detection can be built on traditional intrusion detection techniques by first constructing attack scenarios and then matching the concrete steps of each scenario. This approach has the following disadvantages:

1) Because of the diversity of APTs it is difficult to cover all attack scenarios, so detection is incomplete. The attacker can reach a specific goal by many different routes, and the defender cannot enumerate every possible scenario; any omission in scenario construction leads to missed detections.

2) APTs often transmit sensitive information over encrypted channels, which passive (bypass) monitoring cannot inspect. Once the intrusion has succeeded, the attacker tends to exfiltrate the stolen sensitive information through an encrypted tunnel, and a bypass detection device cannot match signatures against encrypted data.

3) APT attacks tend to gain their foothold through zero-day vulnerabilities, and the signatures of traditional signature-matching intrusion detection devices lag behind. Once real-time detection of an attack has been missed, updating the signatures afterwards restores the ability to detect that attack but cannot reconstruct the APT attack process that has already taken place.

4) An APT is a very long attack process. Its purpose is usually not a one-off gain but a long-term return, so each step of the attack is designed to be inconspicuous; traditional intrusion detection sees only a few low-severity security events that do not draw the administrator's attention.

From these shortcomings it follows that the difficulty of APT detection is that the attacker's behaviour unfolds over a time window, whereas traditional intrusion detection devices detect in real time at a point in time and lack support for the detection context. It is therefore necessary to propose a scheme that can detect APT attacks effectively.

Summary of the invention

The invention provides a method and system for detecting advanced persistent threats; the technical problem to be solved is how to detect an APT attack by taking historical events into account.

To solve this technical problem, the invention provides the following technical scheme:

A method for detecting an advanced persistent threat comprises:

obtaining the attack steps contained in each attack scenario of the advanced persistent threat, and the association rules used to decide whether an attack step preceding or following each attack step exists, where each attack step corresponds to several different events that can realise that attack step;

obtaining the network intrusion detection results and recording the alert events that occur in the network;

if an alert event is an event corresponding to an attack step of some attack scenario, triggering the advanced persistent threat detection procedure, which comprises:

if the alert event corresponds to the initial attack step of the attack scenario, saving this event from the current network directly as a new attack sequence for that attack scenario;

if the alert event does not correspond to the initial attack step of the attack scenario, deciding from the recorded association rules whether an association exists between the alert event and the events already recorded in the attack sequence for that attack scenario, and if so adding the alert event directly to that attack sequence;

processing the resulting attack sequence and outputting the result as advanced persistent threat information.

Preferably, the method also has the following feature: the triggered advanced persistent threat detection procedure further comprises:

if the alert event does not correspond to the initial attack step of the attack scenario and has no association with the events already recorded in the attack sequence for that attack scenario, establishing an association between any two recorded attack steps that are each associated with the same attack step;

deciding from the newly obtained association rules whether an association exists between the alert event and the events already recorded in the attack sequence for that attack scenario, and if so adding the alert event directly to that attack sequence.

Preferably, the method also has the following feature: the triggered advanced persistent threat detection procedure further comprises:

if a particular attack step of some attack scenario has no association rule with its preceding or following attack step, and the detected alert events include events corresponding to both the preceding and the following attack step of that scenario, obtaining the time interval between the occurrence of the alert events corresponding to the preceding and the following attack step;

querying the historical event records for events that fall within this time interval and belong to this particular attack step;

if such an event is found, updating the attack sequence of that attack scenario.

A system for detecting an advanced persistent threat comprises:

an acquisition device for obtaining the attack steps contained in each attack scenario of the advanced persistent threat, and the association rules used to decide whether an attack step preceding or following each attack step exists, where each attack step corresponds to several different events that can realise that attack step;

a recording device, connected to the acquisition device, for obtaining the network intrusion detection results and recording the alert events that occur in the network;

a detection device, connected to the recording device, for triggering the advanced persistent threat detection procedure when an alert event corresponds to an attack step of some attack scenario, the procedure comprising:

if the alert event corresponds to the initial attack step of the attack scenario, saving this event from the current network directly as a new attack sequence for that attack scenario;

if the alert event does not correspond to the initial attack step of the attack scenario, deciding from the recorded association rules whether an association exists between the alert event and the events already recorded in the attack sequence for that attack scenario, and if so adding the alert event directly to that attack sequence;

an output device, connected to the detection device, for processing the resulting attack sequence and outputting the result as advanced persistent threat information.

Preferably, the system also has the following feature: the system further comprises:

a triggering device, connected to the recording device and the detection device, for use when the alert event does not correspond to the initial attack step of the attack scenario and has no association with the events already recorded in the attack sequence for that scenario: it establishes an association between any two recorded attack steps that are each associated with the same attack step, then decides from the newly obtained association rules whether an association exists between the alert event and the events already recorded in that attack sequence, and if so adds the alert event directly to that attack sequence.

Preferably, the system also has the following feature: the detection device further comprises:

an acquisition module for, when a particular attack step of some attack scenario has no association rule with its preceding or following attack step, and the detected alert events include events corresponding to both the preceding and the following attack step of that scenario, obtaining the time interval between the occurrence of those two alert events;

a query module, connected to the acquisition module, for querying the historical event records for events within this time interval that belong to this particular attack step;

an update module, connected to the query module, for updating the attack sequence of that attack scenario after the query module has found an event of this particular attack step.

The beneficial effects of the invention are as follows. It solves the problem that ordinary firewalls or intrusion detection products cannot re-analyse historical data and therefore cannot discover attacks that the attacker carried out through zero-day vulnerabilities, and the problem that ordinary intrusion detection systems cannot perform an overall threat assessment of the attack sequence because they lack backtracking association analysis of each step of the APT attack. By adopting a storage-based detection mode and a backtracking rule association technique, attack sequences with correlation are discovered and the threat of the APT attack is assessed as a whole. This improves to some extent the system's ability to detect APT attacks: APT attacks matching predefined attack scenarios can be found, and possible APT attacks or potential security hazards can be shown to the user or administrator, helping the management system or administrators to fully grasp and protect the sensitive data of the current system. The method has good performance and accuracy and can be widely used in network security detection products.

Description of drawings

Fig. 1 is a flow diagram of an embodiment of the advanced persistent threat detection method provided by the invention;

Fig. 2 is a structural diagram of an embodiment of the advanced persistent threat detection system provided by the invention;

Fig. 3 is a structural diagram of an application example of the advanced persistent threat detection system provided by the invention.

Detailed description

To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and specific embodiments. It should be noted that, where there is no conflict, the embodiments of the application and the features of the embodiments may be combined with one another in any way.

For ease of understanding, the following concepts are first explained:

An attack scenario consists of at least two attack steps. For example, an attack scenario may be "vulnerability scan + buffer overflow attack + backdoor implant", where vulnerability scan, buffer overflow attack and backdoor implant are attack steps in the order shown.

Setting up an attack scenario is similar to setting up IDS events; the following requirements must be met:

1. Each attack step in the attack scenario should be precise; the event classification should not introduce uncertainty.

2. The attributes of each step in the attack scenario are defined in the current IDS event language, and the rule used to associate the steps should be given, i.e. the rule used to search for the attack steps before and after a given attack step in this attack scenario. Continuing the example above, the attack scenario is set as vulnerability scan + buffer overflow attack + backdoor implant. For the buffer overflow attack step, its bidirectional association rule is set as: destination IP of the previous step = destination IP of the following step. This means that when a buffer overflow attack event is detected, this rule is used to look for the preceding and following attack steps of the scenario that can be associated with it.

3. The association rules for each step in the attack scenario should have levels. For example, when the attack scenario is A+B+C+D+E and attack step C is found, then in addition to the rules associating C with steps B and D, rules associating C with other steps such as A and E should also be set where possible. Continuing the example above: in the scenario vulnerability scan + buffer overflow attack + backdoor implant, if the backdoor implant step is detected, the association rule between the buffer overflow attack step and the backdoor implant step can be set as: destination IP of the previous step = destination IP of the following step. In addition, the second-level rule among the association rules of the backdoor implant step is set as: the association rule between the vulnerability scan step and the backdoor implant step is destination IP of the previous step = destination IP of the following step.

Furthermore, the same attack step can be realised by different technical means, and all events that can realise the attack step may be treated as one event class. For example, when the attack step is vulnerability scan, its corresponding event class is the vulnerability scan event class, and every prior-art event that realises a vulnerability scan function belongs to this class.

If an alert event occurring in the network corresponds to an attack step of some attack scenario, the event is recorded as an attack sequence; for example, when a vulnerability scan event is detected, it is recorded as an attack sequence.

The method for detecting an advanced persistent threat provided by the invention is described below. The method comprises:

Fig. 1 is a flow diagram of an embodiment of the advanced persistent threat detection method provided by the invention. The method embodiment shown in Fig. 1 comprises:

Step 11: obtain the attack steps contained in each attack scenario of the advanced persistent threat, and the association rules used to decide whether an attack step preceding or following each attack step exists, where each attack step corresponds to several different events that can realise that attack step;

Step 12: obtain the network intrusion detection results and record the alert events that occur in the network;

Step 13: if the alert event corresponds to an attack step of some attack scenario, trigger the advanced persistent threat detection procedure, comprising:

if the alert event corresponds to the initial attack step of the attack scenario, save this event from the current network directly as a new attack sequence for that attack scenario;

if the alert event does not correspond to the initial attack step of the attack scenario, decide from the recorded association rules whether an association exists between the alert event and the events already recorded in the attack sequence for that attack scenario, and if so add the alert event directly to that attack sequence;

Step 14: process the resulting attack sequence and output the result as advanced persistent threat information.

Because an APT attack is composed of a series of steps, its likely point of exposure is often at the back end of the attack path. The technical scheme provided by the invention therefore detects real-time traffic and, once suspicious behaviour appears (such as an unknown outbound connection or abnormal encrypted communication), backtracks into the earlier historical traffic for in-depth analysis and association. In this way possible APT attacks and potential hazards are discovered, the destruction or loss of core data is avoided, and the protective capability of the network system is improved.

The method provided by the invention is further described below:

Embodiment one

Step 101: obtain the attack steps of each attack scenario set by the user and the association rules used to decide whether an attack step before or after each attack step exists, where each attack step corresponds to several different events used to realise that attack step.

Step 102: perform intrusion detection in real time and obtain the alert events occurring in the network.

Step 103: if the alert event corresponds to an attack step of some attack scenario, trigger the APT attack state detection procedure, which specifically comprises:

if the alert event corresponds to the initial attack step of the attack scenario, save this event from the current network directly as a new attack sequence for that attack scenario;

if the alert event does not correspond to the initial attack step, decide whether an association exists between the alert event and the events already recorded in the saved attack sequence, and if so add the alert event directly to that attack sequence.

For example, if a buffer overflow event is detected and a vulnerability scan event satisfying the association rule (such as the same destination IP) has already been recorded in the attack sequence, the buffer overflow event is added directly to that attack sequence.

Step 104: update the APT attack sequence, perform an overall threat assessment, and output the assessment result to the user or administrator.

Embodiment two

Embodiment two differs from embodiment one in that, when the alert event is not the initial state of any APT attack pattern sequence and at the same time cannot be accurately associated with the next state of any APT attack sequence in the stored APT attack sequence library, the following operations are carried out:

The APT detection engine loads the most complete and up-to-date attack signatures and analysis policies and performs in-depth detection over the historical data. Specifically:

Step 201: when any two attack steps are each associated with the same attack step, merge the two attack steps so that they are associated with each other;

In the following, upper-case letters denote attack steps and lower-case letters denote the events corresponding to those steps; for example, attack step A corresponds to event a.

The merging of attack steps works as follows:

when attack step A is associated with attack step B, and attack step B is associated with attack step C, the result of merging is: attack step A is associated with attack step B, which is associated with attack step C;

when attack step A is associated with B which is associated with C, and attack step B is associated with C which is associated with D, the result of merging is: attack step A is associated with B, which is associated with C, which is associated with D.

According to this merging principle, the event sets corresponding to the attack steps are associated pairwise according to the association results of the attack steps; the association results are then merged repeatedly to obtain the final association result.

Correspondingly, because the attack steps have been associated pairwise, the combinations of events corresponding to those attack steps also stand in the corresponding association.

The purpose of this is to associate events effectively: in some scenarios the attacker does not launch the attack in the order of the attack steps of the attack scenario, so if an attack step is not linked to at least two attack steps before and after it, it is difficult to discover that the same attacker carried out this attack, which is very unfavourable to APT detection.

Step 202: using the newly obtained associations and the newly obtained association rules, decide again whether an association exists between the alert event and the events already recorded in the attack sequence for that attack scenario, and if so add the alert event directly to that attack sequence.

The latest set of events detected over the historical data is associated, according to the predetermined association rules, with all APT attack sequences stored in the current APT attack sequence library.

For example: when an attack pattern is defined as "A+B+C+D+E", the currently detected sequence stored in the APT attack sequence library is "a+b+c+d", and the event detected now is e, which belongs to event class E, the association result is (A+B+C+D+E: "a+b+c+d+e").

If the currently detected sequence stored in the library is "a+b+c" and the event detected now is e, then according to the hierarchical associations set when the attack scenario was defined, even though no event of step D has been detected, if the predefined association rules include a rule between steps C and E, the association result is (A+B+C+D+E: "a+b+c+*+e"). At this point the data between event c and event e are extracted from the stream storage device, the latest signature library is loaded, and in-depth detection is performed. If an event d of step D is detected, the association result is updated to (A+B+C+D+E: "a+b+c+d+e"); otherwise (A+B+C+D+E: "a+b+c+*+e") is kept as the current association result. The association result is then merged further according to the merging principle above.

Another example: when the rule associations of some steps of an attack pattern succeed but the attack pattern cannot be completed, the rule association module generates all possible attack sequences. For instance, two attack patterns are predefined, "A+B+C+D+E" and "A+B+X+D+E", and the rule-matching results are "a+b" and "d+e", where a, b, d and e are detected events matching steps A, B, D and E of the patterns. Events b and d cannot be associated by the rule association described above, that is, there is no attribute on which b and d can be associated. The module then generates the attack sequences for every pattern that may match; in this case the possible attack sequences are (A+B+C+D+E: "a+b+*+d+e"; A+B+X+D+E: "a+b+*+d+e"), and the time range in which the * event occurred is output as well. When the updated signature library is loaded, the historical data in this time range are analysed again to determine the correct rule association result. If the two matched attack patterns have subsequent steps, the real attack sequence can also be determined from subsequent detection results.
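
The procedure of embodiment one (steps 101 to 104), the association-rule requirements given earlier (the destination-IP rule and the second-level rule that links non-adjacent steps) and the history backfill of embodiment two, as an added Python example that is not part of the patent text. The scenario, the rule, the per-step threat coefficients, the alert stream and the re-detected history are all constructed for illustration; in a deployment they would come from the attack scenario library, the IDS and the stream storage device.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Alert:
    ts: int   # detection time in seconds (constructed values below)
    cls: str  # event class, i.e. the attack step this IDS event realises
    src: str
    dst: str
    sig: str  # IDS signature that fired; several signatures map to one class


# Attack scenario from the text: vulnerability scan -> buffer overflow -> backdoor implant.
SCENARIO = ["VULN_SCAN", "BUF_OVERFLOW", "BACKDOOR"]
# Assumed threat coefficient per step, used for the overall assessment (step 104).
STEP_WEIGHT = {"VULN_SCAN": 1, "BUF_OVERFLOW": 4, "BACKDOOR": 5}


def same_dst(earlier: Alert, later: Alert) -> bool:
    """The text's rule: destination IP of the previous step == destination IP of the next."""
    return earlier.dst == later.dst


# Rules keyed by (earlier step, later step). The third entry is the second-level
# rule of requirement 3: scan and backdoor are linked directly, so a missed
# buffer-overflow step does not break the chain.
RULES: dict[tuple[str, str], Callable[[Alert, Alert], bool]] = {
    ("VULN_SCAN", "BUF_OVERFLOW"): same_dst,
    ("BUF_OVERFLOW", "BACKDOOR"): same_dst,
    ("VULN_SCAN", "BACKDOOR"): same_dst,
}

# An attack sequence has one slot per scenario step: an Alert, or None for a
# step not yet observed (written "*" in the text).
Sequence = list


def render(seq: Sequence) -> str:
    return "+".join(e.cls.lower() if e is not None else "*" for e in seq)


class SequenceStore:
    """Attack sequences currently in detection for one scenario (steps 101-103)."""

    def __init__(self, scenario: list[str], rules: dict) -> None:
        self.scenario, self.rules = scenario, rules
        self.sequences: list[Sequence] = []

    def _linked(self, seq: Sequence, i: int, j: int, alert: Alert) -> bool:
        """Do recorded slot j of seq and the new alert (slot i) satisfy a rule?"""
        if i > j:
            rule = self.rules.get((self.scenario[j], self.scenario[i]))
            return rule is not None and rule(seq[j], alert)
        rule = self.rules.get((self.scenario[i], self.scenario[j]))
        return rule is not None and rule(alert, seq[j])

    def ingest(self, alert: Alert) -> Optional[Sequence]:
        """Return the sequence the alert was recorded in, or None if it fits nowhere."""
        if alert.cls not in self.scenario:
            return None
        i = self.scenario.index(alert.cls)
        if i == 0:  # initial step: always opens a new sequence
            seq = [alert] + [None] * (len(self.scenario) - 1)
            self.sequences.append(seq)
            return seq
        for seq in self.sequences:
            if seq[i] is None and any(
                seq[j] is not None and self._linked(seq, i, j, alert)
                for j in range(len(seq)) if j != i
            ):
                seq[i] = alert
                return seq
        return None


def backfill(seq: Sequence, scenario: list[str], rules: dict, history: list[Alert]) -> Sequence:
    """Embodiment two: fill a '*' slot that lies between two recorded steps from
    re-detected history, restricted to the time interval between those steps."""
    for i, slot in enumerate(seq):
        if slot is not None:
            continue
        earlier = [j for j in range(i) if seq[j] is not None]
        later = [j for j in range(i + 1, len(seq)) if seq[j] is not None]
        if not earlier or not later:
            continue  # no bounding pair, nothing to query
        p, n = earlier[-1], later[0]
        for h in history:
            if h.cls != scenario[i] or not (seq[p].ts <= h.ts <= seq[n].ts):
                continue
            r_prev = rules.get((scenario[p], scenario[i]))
            r_next = rules.get((scenario[i], scenario[n]))
            if (r_prev is None or r_prev(seq[p], h)) and (r_next is None or r_next(h, seq[n])):
                seq[i] = h
                break
    return seq


def threat_score(seq: Sequence) -> int:
    """Overall assessment: sum of the coefficients of the steps actually observed."""
    return sum(STEP_WEIGHT[e.cls] for e in seq if e is not None)


def demo() -> tuple[list[str], list[str], list[int]]:
    # Constructed real-time IDS alerts; 10.0.0.5 is the host actually compromised.
    live = [
        Alert(100, "VULN_SCAN", "203.0.113.7", "10.0.0.5", "nmap_syn_scan"),
        Alert(120, "VULN_SCAN", "203.0.113.7", "10.0.0.9", "nessus_probe"),
        Alert(300, "BACKDOOR", "203.0.113.7", "10.0.0.5", "unknown_outbound_connect"),
    ]
    # Constructed result of re-detecting stored traffic with an updated signature set.
    history = [
        Alert(260, "BUF_OVERFLOW", "203.0.113.7", "10.0.0.9", "smb_stack_overflow"),
        Alert(250, "BUF_OVERFLOW", "203.0.113.7", "10.0.0.5", "smb_stack_overflow"),
    ]
    store = SequenceStore(SCENARIO, RULES)
    for a in live:
        store.ingest(a)
    before = [render(s) for s in store.sequences]
    for s in store.sequences:
        backfill(s, SCENARIO, RULES, history)
    after = [render(s) for s in store.sequences]
    return before, after, [threat_score(s) for s in store.sequences]


if __name__ == "__main__":
    print(demo())
```

The backdoor alert attaches to the first sequence only through the second-level scan-to-backdoor rule, leaving "vuln_scan+*+backdoor"; the backfill then fills the "*" from the re-detected overflow whose timestamp lies between the scan and the backdoor and whose destination matches both, and rejects the overflow against the other host even though it also falls inside the interval.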

Embodiment three

If the attack sequence processed by the method of embodiment two is related to an attack sequence already present, a new attack sequence entry is created in the APT attack sequence library and reconciled with the existing entries as follows:

If the newly generated attack sequence is unique (i.e. there is only one attack pattern in the output), such as (A+B+C+D+E: "a+b+*+d+e"), and the related attack sequence in the stored library is (A+B+C+D+E: "a+b"), the stored attack sequence is replaced by the new one.

If the related attack sequences in the stored library are (A+B+C+D+E: "a+b+*+*+e"; A+B+X+D+E: "a+b+*+*+e"), the stored attack sequence is updated to (A+B+C+D+E: "a+b+*+d+e") and the unmatched attack pattern (A+B+X+D+E: "a+b+*+*+e") is deleted.

If the generated attack sequence is (A+B+C+D+E: "*+*+c+d+e") and the related attack sequence in the current library is (A+B+C+D+E: "a+b+c+*+*"), the attack patterns are the same; if the c in both sequences is the same event, the two sequences are merged and stored as (A+B+C+D+E: "a+b+c+d+e").

When a unique attack scenario cannot be determined, as many possible attack patterns and attack sequences as possible are kept; subsequent detection results increase the certainty of the attack sequence, and uncertain attack sequences that fail to match are removed.
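
The library reconciliation cases of embodiment three (replace, update with deletion of the unmatched pattern, merge on a shared event, keep all candidates while the scenario is undecided), as an added Python example not taken from the patent. Event ids and pattern names follow the text's notation; grouping the candidate sequences of one attack in progress together, and representing a short sequence such as "a+b" with explicit "*" slots, are assumptions of this example.

```python
from __future__ import annotations

# A sequence has one slot per step of its attack pattern: the event id recorded
# for that step, or None for a step not yet observed (the text's "*").
Slots = tuple


def parse(text: str) -> Slots:
    """'a+b+*+d+e' -> ('a', 'b', None, 'd', 'e')"""
    return tuple(None if t == "*" else t for t in text.split("+"))


def render(slots: Slots) -> str:
    return "+".join("*" if e is None else e for e in slots)


def compatible(x: Slots, y: Slots) -> bool:
    """Same pattern length and no step where both sequences recorded different events."""
    return len(x) == len(y) and all(a is None or b is None or a == b for a, b in zip(x, y))


def merge(x: Slots, y: Slots) -> Slots:
    """Union of two compatible sequences: a recorded event wins over '*'."""
    return tuple(a if a is not None else b for a, b in zip(x, y))


class SequenceLibrary:
    """The APT attack sequence library. Each group is one attack in progress and
    holds one candidate sequence per attack pattern it might still turn out to be."""

    def __init__(self) -> None:
        self.groups: list[dict[str, Slots]] = []

    def update(self, candidates: dict[str, Slots]) -> dict[str, Slots]:
        """Reconcile the rule-association output (pattern -> sequence) with the library.

        A group is related to the candidates when they share at least one pattern
        and every shared pattern is compatible. In a related group, shared patterns
        are merged, candidate patterns not yet stored are added (keep every
        possibility while undecided) and stored patterns the new result no longer
        supports are deleted. Unrelated candidates open a new group."""
        for group in self.groups:
            shared = [p for p in candidates if p in group]
            if shared and all(compatible(group[p], candidates[p]) for p in shared):
                reconciled = {p: merge(group[p], s) if p in group else s for p, s in candidates.items()}
                group.clear()
                group.update(reconciled)
                return group
        group = dict(candidates)
        self.groups.append(group)
        return group

    def snapshot(self) -> list[dict[str, str]]:
        return [{p: render(s) for p, s in g.items()} for g in self.groups]


def demo() -> list[list[dict[str, str]]]:
    lib = SequenceLibrary()
    states = []
    # Ambiguous rule-association result: a, b and e seen, middle steps unknown,
    # so both patterns are kept (the second example of embodiment two).
    lib.update({"A+B+C+D+E": parse("a+b+*+*+e"), "A+B+X+D+E": parse("a+b+*+*+e")})
    states.append(lib.snapshot())
    # Re-detection over history linked d into the C pattern only: update it and
    # delete the pattern that failed to match.
    lib.update({"A+B+C+D+E": parse("a+b+*+d+e")})
    states.append(lib.snapshot())
    # A sequence that overlaps the stored one on the same events c, d, e: merge.
    lib.update({"A+B+C+D+E": parse("*+*+c+d+e")})
    states.append(lib.snapshot())
    # Different events at the same steps: an unrelated attack gets its own group.
    lib.update({"A+B+C+D+E": parse("a2+b2+*+*+*")})
    states.append(lib.snapshot())
    return states


if __name__ == "__main__":
    for state in demo():
        print(state)
```

Compatibility is decided only on steps both sequences have recorded, which is what lets "*+*+c+d+e" absorb into "a+b+*+d+e"; a sequence that disagrees on any recorded step is treated as a separate attack rather than silently overwriting the stored one.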

Fig. 2 is the structural representation of the detection system of senior lasting threat provided by the invention.In conjunction with method mentioned above, system shown in Figure 2 embodiment comprises:

Deriving means 21, be used for obtaining the included attack step of each Attack Scenarios of senior lasting threat and be used for judging the correlation rule that whether attack step exists before and after each attack step, the wherein a plurality of different events that can realize this attack step of each attack step correspondence;

Tape deck 22 links to each other with described deriving means 21, is used for obtaining the testing result of network intrusions, the alert event that occurs in the record network;

Checkout gear 23 links to each other with described tape deck 22, is the corresponding event of a certain Attack Scenarios attack step if be used for alert event, then triggers the testing process of senior lasting threat, comprising:

If alert event is the corresponding event of attack step initial in the Attack Scenarios, then the event in the described current network is directly preserved as the corresponding new attack sequence of this Attack Scenarios;

If alert event is not the corresponding event of attack step initial in the Attack Scenarios, then according to the correlation rule that records, judge between the event that has recorded in described alert event and the corresponding attack sequence of this Attack Scenarios and whether have incidence relation, if exist, then alert event directly added in this attack sequence;

Output device 24 links to each other with described checkout gear 23, is used for the attack sequence that obtains is processed, and the result that obtains is exported as senior lasting threat information.

Wherein, described system also comprises:

Trigger equipment, link to each other with described tape deck with described checkout gear, being used at alert event is not the initial corresponding event of attack step of this Attack Scenarios, and when not having incidence relation between the event that has recorded in the corresponding attack sequence of this Attack Scenarios yet, for existing two attack steps of incidence relation to set up incidence relation with same attack step in the attack step that has recorded, adopt again the incidence relation that newly obtains according to the correlation rule that newly obtains, judge between the event that has recorded in described alert event and the corresponding attack sequence of this Attack Scenarios and whether have incidence relation, if exist, then alert event directly added in this attack sequence.

Optionally, described checkout gear also comprises:

Acquisition module, be used for when a certain particular attack step of a certain Attack Scenarios and last attack step or a rear attack step do not have correlation rule, if the alert event that detects has last attack step and the corresponding event of a rear attack step in this Attack Scenarios, then obtain the time interval that the corresponding alert event of last attack step and a rear attack step occurs;

Enquiry module links to each other with described acquisition module, is used for belonging to from this time interval of event inquiry of historical record the event of this particular attack step;

Update module links to each other with described enquiry module, is used for after described enquiry module finds the event of this particular attack step, and the attack sequence of this Attack Scenarios is upgraded.

The below is described further system provided by the invention:

Fig. 3 is the structural representation of the detection system application example of senior lasting threat provided by the invention.The present embodiment is the virtual bench system in other words of the described method of above-described embodiment, and the system in the present embodiment comprises: be responsible for the IDS real-time detecting system that carries out real-time intrusion detection according to the data message of actual acquisition; Stored the APT Attack Scenarios storehouse of predefined event classifying rules and APT Attack Scenarios; Store the current APT attack sequence storehouse that is in the APT attack sequence current state in the detection; The streaming storage device of historical data need to be provided according to intellectualized analysis platform; According to the historical data that streaming storage device provides, load up-to-date detection event and feature the APT that historical data detects is again detected engine; Product platform one intellectualized analysis platform of system, be responsible for the default APT Attack Scenarios of foundation and current network event triggering association analysis function and the attack sequence that carries out storing in current event and the APT attack sequence storehouse according to the up-to-date event that APT detection engine provides and carry out intellectual analysis, the APT attack sequence in the APT attack sequence storehouse is upgraded.Simultaneously to each impending property of attack sequence assessment and output detections result.

Here the APT attack scenario library implements the functions of event classification and attack scenario setup; the IDS real-time detection system implements the real-time intrusion detection of network packets described in Embodiment 3; and the streaming storage device, the APT attack sequence library and the intelligent analysis platform together implement the rule correlation analysis, APT attack sequence updating and threat assessment functions described in Embodiments 4 and 5.

In the system embodiment provided by the invention, an IDS (intrusion detection system) performs real-time intrusion detection in the real network environment and generates the current network events, and, in combination with the predefined event classification and APT attack scenarios, the system decides whether intelligent analysis of the historical data is required. A retrospective (traceable) event correlation model is established for the preset APT attack scenarios, and with this model the currently detected events and the stored historical events are correlated to determine whether the attacks that have occurred are related. Based on the threat coefficients of the attack steps in the preset attack scenarios and the threat level of the correlated attack sequence obtained by intelligent analysis, individual attacks that appear to have a very low threat level are correlated into a high-threat attack sequence. The invention, building on the real-time detection capability of IDS equipment and a retrospective correlation analysis technique, performs real-time detection and intelligent analysis of real network data and events, can discover APT attacks that match the predefined attack scenarios, and can assess the threat level caused by the attack sequence according to the attacks detected, thereby reporting to the user or administrator, to a certain extent, the APT attack that may exist and the threat level in the current state, and providing a safeguard function for the system.

The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it; any person skilled in the art can easily conceive of changes or substitutions within the technical scope disclosed by the present invention, and all of these should be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope described in the claims.

Claims (6)

1. A detection method for an advanced persistent threat, characterized in that it comprises:
obtaining the attack steps included in each attack scenario of the advanced persistent threat and the correlation rules used to judge whether a preceding or following attack step of each attack step exists, wherein each attack step corresponds to a plurality of different events capable of realising that attack step;
obtaining the detection result of network intrusion and recording the alert events occurring in the network;
if an alert event is an event corresponding to an attack step in a certain attack scenario, triggering the detection process of the advanced persistent threat, comprising:
if the alert event is the event corresponding to the initial attack step in the attack scenario, directly saving the event in the current network as a new attack sequence corresponding to this attack scenario;
if the alert event is not the event corresponding to the initial attack step in the attack scenario, judging according to the recorded correlation rules whether an association exists between the alert event and the events already recorded in the attack sequence corresponding to this attack scenario, and if so, directly adding the alert event to this attack sequence;
processing the attack sequence obtained, and outputting the result obtained as advanced persistent threat information.
2. The method according to claim 1, characterized in that the triggered detection process of the advanced persistent threat further comprises:
if the alert event is not the event corresponding to the initial attack step in this attack scenario, and no association exists between it and the events already recorded in the attack sequence corresponding to this attack scenario either, establishing an association between two attack steps that each have an association with the same attack step among the attack steps already recorded;
judging, according to the newly obtained correlation rule, whether an association exists between the alert event and the events already recorded in the attack sequence corresponding to this attack scenario, and if so, directly adding the alert event to this attack sequence.
3. The method according to claim 2, characterized in that the triggered detection process of the advanced persistent threat further comprises:
if a particular attack step in a certain attack scenario has no correlation rule with its preceding attack step or its following attack step, and the detected alert events include the events corresponding to the preceding attack step and the following attack step in this attack scenario, obtaining the time interval between the occurrence of the alert events corresponding to the preceding attack step and the following attack step;
querying the events in the historical record for events belonging to this particular attack step within this time interval;
if found, updating the attack sequence of this attack scenario.
4. A detection system for an advanced persistent threat, characterized in that it comprises:
an obtaining device, used to obtain the attack steps included in each attack scenario of the advanced persistent threat and the correlation rules used to judge whether a preceding or following attack step of each attack step exists, wherein each attack step corresponds to a plurality of different events capable of realising that attack step;
a recording device, connected to the obtaining device, used to obtain the detection result of network intrusion and record the alert events occurring in the network;
a detection device, connected to the recording device, used to trigger the detection process of the advanced persistent threat when an alert event is the event corresponding to an attack step of a certain attack scenario, comprising:
if the alert event is the event corresponding to the initial attack step in the attack scenario, directly saving the event in the current network as a new attack sequence corresponding to this attack scenario;
if the alert event is not the event corresponding to the initial attack step in the attack scenario, judging according to the recorded correlation rules whether an association exists between the alert event and the events already recorded in the attack sequence corresponding to this attack scenario, and if so, directly adding the alert event to this attack sequence;
an output device, connected to the detection device, used to process the attack sequence obtained and output the result obtained as advanced persistent threat information.
5. The system according to claim 4, characterized in that the system further comprises:
a triggering device, connected to the recording device and the detection device, used, when the alert event is not the event corresponding to the initial attack step of this attack scenario and no association exists between it and the events already recorded in the attack sequence corresponding to this attack scenario either, to establish an association between two attack steps that each have an association with the same attack step among the attack steps already recorded, and then to judge, according to the newly obtained correlation rule, whether an association exists between the alert event and the events already recorded in the attack sequence corresponding to this attack scenario, and if so, to directly add the alert event to this attack sequence.
6. The system according to claim 4 or 5, characterized in that the detection device further comprises:
an acquisition module, used, when a particular attack step of a certain attack scenario has no correlation rule with its preceding attack step or its following attack step, and the detected alert events include the events corresponding to the preceding attack step and the following attack step in this attack scenario, to obtain the time interval between the occurrence of the alert events corresponding to the preceding attack step and the following attack step;
a query module, connected to the acquisition module, used to query the events in the historical record for events belonging to this particular attack step within this time interval;
an update module, connected to the query module, used to update the attack sequence of this attack scenario after the query module finds an event of this particular attack step.
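The correlation procedure of claims 1 and 3 together with the threat assessment performed by the Fig. 3 analysis platform, as an added example in Python that is not the patent's own code; the scenario steps, event types, association rules, threat coefficients, alert stream and history store are all constructed for illustration.

```python
"""Scenario-based correlation of IDS alerts into APT attack sequences, after
claims 1 and 3 of CN103312679A and the Fig. 3 threat assessment. Added example,
not the patent's code: steps, events, rules, coefficients and alerts are constructed."""
from typing import Optional
# One attack scenario: ordered steps, event types realising each step, threat coefficients.
STEPS = ["recon", "exploit", "c2", "exfil"]
EVENTS = {"recon": {"port_scan", "vuln_scan"}, "exploit": {"sql_injection"},
          "c2": {"beacon"}, "exfil": {"large_upload"}}
THREAT = {"recon": 1, "exploit": 3, "c2": 4, "exfil": 5}
# Association rules between adjacent steps, evaluated on (previous alert, new alert).
# "exploit" -> "c2" deliberately has no rule, so claim 3 must recover it from history.
RULES = {
    ("recon", "exploit"): lambda a, b: a["dst"] == b["dst"] and 0 <= b["ts"] - a["ts"] <= 3600,
    ("c2", "exfil"): lambda a, b: a["src"] == b["src"] and 0 <= b["ts"] - a["ts"] <= 86400,
}

def recover_missing(last: dict, new: dict, history: list) -> Optional[dict]:
    """Claim 3: one rule-less step between last and new -> search history inside their interval."""
    i, j = STEPS.index(last["step"]), STEPS.index(new["step"])
    if j - i != 2 or (last["step"], STEPS[i + 1]) in RULES:
        return None
    missing, rule_next = STEPS[i + 1], RULES.get((STEPS[i + 1], new["step"]))
    for h in history:
        if h["event"] in EVENTS[missing] and last["ts"] <= h["ts"] <= new["ts"]:
            cand = {**h, "step": missing}
            if rule_next is None or rule_next(cand, new):  # must still chain forward
                return cand
    return None

def correlate(alerts: list, history: list) -> list:
    """Process alerts in time order; return the attack sequences built (lists of alerts)."""
    sequences = []
    for raw in sorted(alerts, key=lambda a: a["ts"]):
        step = next((s for s, evs in EVENTS.items() if raw["event"] in evs), None)
        if step is None:
            continue  # not an event of any attack step: detection is not triggered
        alert = {**raw, "step": step}
        if step == STEPS[0]:  # initial step: save as a new attack sequence (claim 1)
            sequences.append([alert])
            continue
        for seq in sequences:
            last = seq[-1]
            rule = RULES.get((last["step"], step))
            if rule and rule(last, alert):  # direct association: append (claim 1)
                seq.append(alert)
                break
            found = recover_missing(last, alert, history)
            if found:  # missing step found in history: update the sequence (claim 3)
                seq.extend([found, alert])
                break
    return sequences

def threat_level(seq: list) -> int:
    """Threat assessment: sum of the threat coefficients of the steps in a sequence."""
    return sum(THREAT[a["step"]] for a in seq)

# Constructed IDS alert stream and historical event store (not real data).
ALERTS = [
    {"ts": 1000, "event": "port_scan", "src": "10.0.0.5", "dst": "10.0.1.20"},
    {"ts": 2500, "event": "sql_injection", "src": "10.0.0.5", "dst": "10.0.1.20"},
    {"ts": 3000, "event": "dns_query", "src": "10.0.1.20", "dst": "10.0.0.53"},
    {"ts": 90000, "event": "large_upload", "src": "10.0.1.20", "dst": "203.0.113.9"},
]
HISTORY = [{"ts": 40000, "event": "beacon", "src": "10.0.1.20", "dst": "203.0.113.9"}]
```

Without the history store the exfiltration alert cannot be attached and the sequence stops at the exploit step; with it, the beacon found between the two alerts closes the gap and the sequence scores 13.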

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210068888.3A CN103312679B (en) 2012-03-15 2012-03-15 The detection method of senior constant threat and system

Publications (2)

Publication Number Publication Date
CN103312679A true CN103312679A (en) 2013-09-18
CN103312679B CN103312679B (en) 2016-07-27

Family

ID=49137465

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607388A (en) * 2013-11-18 2014-02-26 浪潮(北京)电子信息产业有限公司 APT threat prediction method and system
CN103746991A (en) * 2014-01-02 2014-04-23 曙光云计算技术有限公司 Security event analysis method and system in cloud computing network
CN103905418A (en) * 2013-11-12 2014-07-02 北京安天电子设备有限公司 APT multi-dimensional detection and defense system and method
CN103957193A (en) * 2014-04-04 2014-07-30 华为技术有限公司 Client terminal, server and event type determining method
CN105376245A (en) * 2015-11-27 2016-03-02 杭州安恒信息技术有限公司 Rule-based detection method of ATP attack behavior
CN105491002A (en) * 2015-06-19 2016-04-13 哈尔滨安天科技股份有限公司 Advanced threat tracing method and system
CN105681286A (en) * 2015-12-31 2016-06-15 中电长城网际系统应用有限公司 Association analysis method and association analysis system
CN105791264A (en) * 2016-01-08 2016-07-20 国家电网公司 Network security pre-warning method
CN106612287A (en) * 2017-01-10 2017-05-03 厦门大学 Method for detecting persistent attack of cloud storage system
CN107251038A (en) * 2014-12-05 2017-10-13 T移动美国公司 Recombinate Threat moulding
CN107277065A (en) * 2017-08-11 2017-10-20 厦门大学 The resource regulating method of the senior constant threat of detection based on intensified learning
CN107483425A (en) * 2017-08-08 2017-12-15 北京盛华安信息技术有限公司 Composite attack detection method based on attack chain
CN107659543A (en) * 2016-07-26 2018-02-02 北京计算机技术及应用研究所 The means of defence of facing cloud platform APT attacks
CN108234426A (en) * 2016-12-21 2018-06-29 中国移动通信集团安徽有限公司 APT attacks alarm method and APT attack alarm devices
CN108616381A (en) * 2018-02-28 2018-10-02 北京奇艺世纪科技有限公司 A kind of event correlation alarm method and device
CN109981587A (en) * 2019-02-27 2019-07-05 南京众智维信息科技有限公司 A kind of network security monitoring traceability system based on APT attack
CN110830518A (en) * 2020-01-08 2020-02-21 浙江乾冠信息安全研究院有限公司 Traceability analysis method and device, electronic equipment and storage medium
US10574675B2 (en) 2014-12-05 2020-02-25 T-Mobile Usa, Inc. Similarity search for discovering multiple vector attacks

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101034974A (en) * 2007-03-29 2007-09-12 北京启明星辰信息技术有限公司 Associative attack analysis and detection method and device based on the time sequence and event sequence
CN101272286A (en) * 2008-05-15 2008-09-24 上海交通大学 Network inbreak event association detecting method
CN101494535A (en) * 2009-03-05 2009-07-29 范九伦 Method for constructing network inbreak scene based on hidden Mrakov model
CN101599855A (en) * 2008-11-10 2009-12-09 南京大学 Related and the attack scene construction method based on the compound attack of attack mode modeling
CN101697545A (en) * 2009-10-29 2010-04-21 成都市华为赛门铁克科技有限公司 Security incident correlation method and device as well as network server

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant