CN103986706A - Security structure design method dealing with APT attacks - Google Patents

Security structure design method dealing with APT attacks

Info

Publication number: CN103986706A
Application number: CN201410203133.9A
Authority: CN (China)
Prior art keywords: attack, modeling, leak, monitoring, unknown
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 丛戎, 何志平, 刘璧怡
Current assignee: Inspur Electronic Information Industry Co Ltd
Original assignee: Inspur Electronic Information Industry Co Ltd
Application filed by Inspur Electronic Information Industry Co Ltd
Priority date: 2014-05-14
Filing date: 2014-05-14
Publication date: 2014-08-13

Abstract

The invention provides a security architecture design method for countering APT attacks. The implementation process comprises: modeling and analysing the relation between vulnerabilities and threats; modeling the vulnerability defence model; directly monitoring the terminal attributes and network attributes of the attack target, discovering the existence of unknown threats by indirectly associating the service attributes and social attributes of the attack target, and analysing the terminal, network, service and social attributes of the attacker so as to discover the meaning of the threat; discovering the attack purpose of the threat through high-low position collaborative monitoring; and establishing a threat defence model on the basis of anomaly discovery. Compared with the prior art, the method uses high-low position collaborative monitoring technology to monitor and discover APT attacks at three levels, their sources, paths and terminals, so that APT attacks are found in time and APT attack disasters are effectively avoided; it is highly practical.

Description

A security architecture design method for countering APT attacks
Technical field
The present invention relates to the field of network security technology, and specifically to a security architecture design method for countering APT attacks.
Background technology
Network security, and Internet security in particular, faces an unprecedented challenge. It comes mainly from a new kind of organised attack and threat that has a specific target and an extremely long duration, known internationally as the APT (Advanced Persistent Threat) attack and generally called an "advanced persistent threat" in China. A threat is a latent potential for damage to a particular system, an organisation and its assets; it reflects the process in which an attacker, according to its mission requirements, continuously imposes attacks of various forms on the attack target over a long period. At the macro level, the various aspects that make up a security threat form a closed ring structure centred on the attacker. As time and other conditions change, the proportion and degree of influence of these security threats within the closed ring structure change dynamically. Accordingly, the deployment of countermeasures and the design of the security architecture must adapt to this closed ring structure and adjust elastically to changes in time, clustering and other conditions.
Beginning with "Operation Aurora" in January 2010, APT attacks against large enterprises and national key projects have occurred one after another in countries around the world, as shown in Figure 1. Google first announced that the attack by hackers had stolen a large number of files relating to intellectual property; more than twenty other technology companies subsequently found that they had suffered similar attacks and that their intellectual property faced serious threats. This network attack was named "Operation Aurora". "Operation Aurora" was only the beginning of APT attacks, and it had clear attack objects and targets. In June of the same year, Stuxnet, the first APT attack found to target an industrial control system on a physically isolated intranet, successfully delayed Iran's nuclear programme by interfering with the program that controls centrifuge speed on core research and development equipment. Stuxnet is extremely well concealed: according to the New York Times of 1 June 2012, Stuxnet originated in the "Olympic Games" plan started by US President George W. Bush around 2006, and it lay dormant on the network for years, being found by defenders only after it had done great damage. Through long-term hiding and infiltration, Stuxnet struck the targets of a hostile country precisely and secured huge political gains for those behind it. In February 2011 McAfee discovered an attack against global energy giants and named it "Night Dragon". Its targets were multinational oil companies, and the attack succeeded in stealing gigabytes of extremely sensitive internal documents. Besides the large number of stolen documents, the latency of "Night Dragon" deserves equal attention: it actually began as early as 2007, and no malware detection tool found its existence in the meantime. In September 2011 the Duqu virus was found for the first time; its targets were organisations related to the industrial control field, such as component manufacturers, with the aim of collecting their intelligence data and asset information. Duqu is closely related to Stuxnet: by obtaining the internal confidential information of particular organisations, it prepared for later attacks on industrial control equipment. In May 2012 Kaspersky found a super-virus with stronger concealment, greater harmfulness and a more complex attack mechanism, referred to as Flame. Flame's attacks focused on the Middle East and stole a large amount of confidential information from countries in that region. Analysis of a partial sample of the Flame virus showed that it already existed in 2008 and had remained hidden for five years.
In June 2013 Edward Snowden disclosed the "PRISM" programme, which started in 2007 during the George W. Bush administration: the British and American intelligence agencies had long carried out data mining on nine Internet giants, analysing individuals' contacts and actions from audio, images, e-mail, documents and connection information. Through ten categories of monitoring, they monitored and wiretapped ordinary people's telephone call records and monitored their network activity. While the "PRISM" programme was running, the British Government Communications Headquarters was able to access the PRISM system as early as June 2010, and in 2012 it used the programme's data to write 197 reports. The "PRISM" programme seriously violated citizens' right to privacy; every move of Internet users worldwide is under the long-term surveillance of "PRISM", and this new round of APT attacks seriously threatens human democracy and freedom.
A comprehensive analysis of the typical APT attack cases above shows that APT attacks have the following characteristics:
1) The attack objects are increasingly clear and definite and the attack range is increasingly focused; the attack field has expanded from simple computer networks to industrial control systems, and attacks increasingly target large enterprises, national infrastructure and key equipment.
2) The attack forms are increasingly complex. The Flame virus, for example, has the features of a worm, a back door, a trojan, a botnet and social engineering; its program code reaches 650,000 lines, one hundred times that of ordinary spyware.
3) They are extremely well concealed and last for a long time. Before an APT attack breaks out it evades detection by defence devices very well, its incubation period is getting longer and longer, and it collects a large amount of confidential information. Given this concealment, a large number of other undiscovered threats may exist, seriously threatening national security and civil rights.
On this basis, a security architecture design method for countering APT attacks is now provided that is not confined to strict protection alone but also includes disaster avoidance, damage reduction and counter-attack.
Summary of the invention
The technical task of the present invention is to remedy the deficiencies of the prior art by providing a security architecture design method for countering APT attacks that effectively eliminates threats to national security and civil rights.
The technical scheme of the present invention is realised as follows. The implementation process of this security architecture design method for countering APT attacks is:
One, model and analyse the relation between vulnerabilities and threats;
Two, model the vulnerability defence model, which covers the following three cases:
modeling with no update and no weak link;
modeling with update and no weak link;
modeling with update and weak link;
Three, directly monitor the terminal attributes and network attributes of the attack target, discover the existence of unknown threats by indirectly associating the service attributes and social attributes of the attack target, and analyse the terminal, network, service and social attributes of the attacker, thereby discovering the meaning of the threat;
Four, discover the attack purpose of the threat through high-low position collaborative monitoring, where high-position detection means monitoring technology based on network attributes and low-position detection means monitoring technology based on terminal attributes;
Five, establish the threat defence model on the basis of anomaly discovery.
In step one, the modeling and analysis process is:
Set the known-vulnerability set: , where the number of known vulnerabilities is ;
Set the unknown-vulnerability set: , where the number of unknown vulnerabilities is ;
Set the attack function: , whose arguments are respectively the numbers of known and unknown vulnerabilities used by the attack; the total number is denoted: ;
Set the event analysis function: , where is the capability weight;
Set the vulnerability analysis function: , where is the capability weight;
The unknown-vulnerability set UM is weakly linked to the known-vulnerability set KN, that is, the unknown-vulnerability set is connected to the known-vulnerability set through the functions of steps 4) and 5); at the same time the transition probability is set as: ;
Set the known-vulnerability growth rate: , where is an empirical value, the growth rate of known vulnerabilities;
Set the unknown-vulnerability growth rate: , where is an empirical value, the growth rate of unknown vulnerabilities;
Set the update condition: an update is performed when holds, and after the update . Here is the update condition; when it is met, an update is performed. The update condition is determined by the defender, and its value is inversely proportional to the defence cost. is the time since the last update, denotes the total, and is the influence weight of the attack;
The risk is calculated as: ; where and are the weights of the risk caused by known vulnerabilities and unknown vulnerabilities respectively, and the potential risk of unknown vulnerabilities is greater than the risk caused by known vulnerabilities.
In step two, the modeling process with no update and no weak link is:
where denotes time; this expresses the rule by which risk changes over time when there is no update to patch vulnerabilities and no weak link;
The modeling process with update and no weak link is:
In this model, time consists of an unlimited number of discrete integer points, where denotes the number of known vulnerabilities at the moment before the current moment;
The modeling process with update and weak link is:
The threats discovered by high-low position collaborative monitoring in step four are programs that call sensitive APIs, and these API calls include:
Requesting a remote server: HttpClient_execute;
Opening a URL link: URL_openConnection;
Obtaining the device IMEI and phone number: TelephonyManager_getDeviceId;
Querying communication records: ContentResolver_query;
Opening the camera, Wi-Fi and recording device: Camera_open;
Dynamically loading a module: System_loadLibrary;
Executing a command at runtime: Runtime_exec.
The detailed process of step five is:
1) First calculate the terminal blind-area discovery strategy of dimension:
where is the network blind-area discovery strategy of dimension, is the service blind-area discovery strategy of dimension, is the social blind-area discovery strategy of dimension, and is the attack-purpose discovery technique of dimension; set , , , , ;
2) Let high-position monitoring be , where is the intensity of high-position monitoring, and let low-position monitoring be , where is the intensity of low-position monitoring; the detection intensities are computed as:
, have ;
, have ;
, have ;
where is the attack dimension, is the counter technology, is active defence, and the weight is the comparison of the defender's and attacker's capabilities;
3) Derive the threat defence model based on anomaly discovery:
The beneficial effect of the present invention compared with the prior art is:
The security architecture design method for countering APT attacks of the present invention uses high-low position collaborative monitoring technology to monitor and discover APT attacks from three aspects, their source, path and terminal, so that APT attacks are found in time, APT attack disasters are effectively avoided, the losses of large enterprises or national key projects are reduced, and network maintenance staff can formulate counter-measures promptly; it is practical and easy to promote.
Description of the drawings
Figure 1 is the behaviour relation diagram between the security vulnerabilities and the defence system of the present invention.
Figure 2 is the schematic diagram of the security architecture of the present invention.
Figure 3 is the schematic diagram of capturing the communication features of the Bgserv virus.
Embodiment
The security architecture design method for countering APT attacks of the present invention is described in detail below with reference to the drawings.
As shown in Figure 1, a security architecture design method for countering APT attacks is now provided, whose implementation process is:
One, model and analyse the relation between vulnerabilities and threats.
Threat defence can be divided into three aspects: threat defence based on technical fragility, threat defence based on practical risk, and threat defence based on attack motivation. A threat based on technical fragility refers to the risk caused by security vulnerabilities, such as system vulnerabilities, flaws in firewall filtering rules, and the size of the virus sample library or defects in the detection rules of security protection software; a threat based on practical risk refers to the risk caused by carelessness in actual use, such as weak passwords; a threat based on attack motivation refers to the risk caused by the social value of the system itself, which can be measured by the benefit of attacking the system.
The security vulnerabilities to be defended against are a long-term objective reality, and repairing them is an endless process. The relation shown in Figure 1 currently exists in almost all defence systems.
Known vulnerabilities can be understood as 0day vulnerabilities, that is, vulnerabilities discovered by a security enthusiast or white hat and announced on a relevant forum or website, or potential security deficiencies; they also include vulnerabilities in the management domain. An unknown vulnerability refers to one that has not yet been found by the defender but is being exploited by the attacker or is serving as a supporting resource in an attack. The long-term existence of unknown vulnerabilities also explains, from another technical angle, the long-term persistent characteristic of APT.
A so-called weak link is the process by which unknown vulnerabilities are transferred to known ones. The process is divided into long-term transfer, short-term transfer and occasional transfer, of which long-term and short-term transfer are mainly determined by the attack target. When an unknown vulnerability is used for a large-scale destructive attack, so that the defender's attention is quickly drawn and the unknown vulnerability is found and repaired in a short time, the transfer is called short-term transfer; conversely, when the attacker uses an unknown vulnerability for a covert attack such as espionage, which is not easily noticed by the defender, the discovery of the unknown vulnerability is called long-term transfer; occasional transfer refers to a vulnerability found by chance by a defender or security enthusiast; the transfer process it discovers is strongly discrete and random, but it objectively exists and can be called occasional transfer.
Although APT has multi-dimensional characteristics, vulnerability exploitation remains the core of the attack. Therefore, before modeling and analysing the advanced threat defence model, it is first necessary to model and analyse the relation between vulnerabilities and threats. The specific steps are:
Set the known-vulnerability set: , where the number of known vulnerabilities is ;
Set the unknown-vulnerability set: , where the number of unknown vulnerabilities is ;
Set the attack function: , whose arguments are respectively the numbers of known and unknown vulnerabilities used by the attack; the total number is denoted: ;
Set the event analysis function: , where is the capability weight;
Set the vulnerability analysis function: , where is the capability weight;
The unknown-vulnerability set UM is weakly linked to the known-vulnerability set KN, that is, the unknown-vulnerability set is connected to the known-vulnerability set through the functions of steps 4) and 5); at the same time the transition probability is set as: ;
Set the known-vulnerability growth rate: , where is an empirical value, the growth rate of known vulnerabilities;
Set the unknown-vulnerability growth rate: , where is an empirical value, the growth rate of unknown vulnerabilities;
Set the update condition: an update is performed when holds, and after the update . Here is the update condition; when it is met, an update is performed. The update condition is determined by the defender, and its value is inversely proportional to the defence cost. is the time since the last update, denotes the total, and is the influence weight of the attack;
The risk is calculated as: ; where and are the weights of the risk caused by known vulnerabilities and unknown vulnerabilities respectively, and the potential risk of unknown vulnerabilities is greater than the risk caused by known vulnerabilities.
Two, model the vulnerability defence model.
The modeling of this defence model covers the following three cases: modeling with no update and no weak link; modeling with update and no weak link; and modeling with update and weak link. Here,
the modeling process with no update and no weak link is:
where denotes time; this expresses the rule by which risk changes over time when there is no update to patch vulnerabilities and no weak link.
The modeling process with update and no weak link is:
This expresses the changing pattern of risk when there are updates that patch vulnerabilities but no weak link. In this model, time is assumed to consist of an unlimited number of discrete integer points, where denotes the number of known vulnerabilities at the moment before the current moment. The meaning of an update is that the number of known vulnerabilities is 0 after each update, but as time goes on the number of vulnerabilities grows again, in a repeating cycle.
The modeling process with update and weak link is:
This expresses the changing pattern of risk when both updates and weak links exist.
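As an added illustration of the three modeling cases above (written for this page, not code from the patent): a small discrete-time simulation of known and unknown vulnerability counts and the resulting risk. The patent's formulas are not reproduced on this page, so every functional form below is an assumption chosen for illustration: linear growth of the known and unknown counts at constant rates, a weak link that moves a fixed fraction of unknown vulnerabilities into the known set each step, an update that resets the known count to zero at a fixed period (as the text describes), and a risk that is a weighted sum in which the unknown weight exceeds the known weight (as the text states). All function names, parameter names and numeric values are hypothetical.

```python
# Added example: toy discrete-time simulation of the vulnerability defence model.
# Every functional form here is an assumption made for illustration; the patent's
# own equations are not reproduced on this page.

def simulate(ticks, known_rate=1.0, unknown_rate=0.5, transfer_prob=0.0,
             update_period=None, known_weight=1.0, unknown_weight=3.0):
    """Simulate known (K) and unknown (U) vulnerability counts over discrete time.

    known_rate / unknown_rate   : assumed constant growth per tick (the "empirical"
                                  growth rates of the text; values chosen here)
    transfer_prob               : weak-link transition probability, i.e. the fraction
                                  of unknown vulnerabilities that become known each
                                  tick (0 means "no weak link")
    update_period               : an update resets K to 0 every this many ticks
                                  (None means "no update")
    known_weight/unknown_weight : risk weights; unknown_weight > known_weight, as
                                  the text requires
    Returns a list of (t, K, U, risk) tuples.
    """
    if unknown_weight <= known_weight:
        raise ValueError("unknown_weight must exceed known_weight")
    K = U = 0.0
    history = []
    for t in range(1, ticks + 1):
        K += known_rate
        U += unknown_rate
        if transfer_prob:
            moved = transfer_prob * U      # weak link: unknown -> known
            U -= moved
            K += moved
        if update_period and t % update_period == 0:
            K = 0.0                        # update patches all known vulnerabilities
        history.append((t, K, U, known_weight * K + unknown_weight * U))
    return history


def average_risk(history):
    """Mean risk over the simulated horizon."""
    return sum(r for _, _, _, r in history) / len(history)


def compare_scenarios(ticks=10, update_period=5, transfer_prob=0.2):
    """The three cases named in the text, side by side, over the same horizon."""
    scenarios = {
        "no update, no weak link": simulate(ticks),
        "update, no weak link":    simulate(ticks, update_period=update_period),
        "update and weak link":    simulate(ticks, update_period=update_period,
                                            transfer_prob=transfer_prob),
    }
    return {name: {"avg_risk": average_risk(h),
                   "final_known": h[-1][1],
                   "final_unknown": h[-1][2]}
            for name, h in scenarios.items()}


if __name__ == "__main__":
    for name, stats in compare_scenarios().items():
        print(f"{name:26s} avg risk {stats['avg_risk']:6.2f}  "
              f"final K {stats['final_known']:5.2f}  "
              f"final U {stats['final_unknown']:5.2f}")
```

Running the comparison shows the ordering the text argues for: periodic updates lower the average risk by repeatedly zeroing the known count, and a weak link lowers it further because it drains the unknown set, whose weight is the larger one, even though it raises the known count between updates.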
Three, directly monitor the terminal attributes and network attributes of the attack target, discover the existence of unknown threats by indirectly associating the service attributes and social attributes of the attack target, and analyse the terminal, network, service and social attributes of the attacker, thereby discovering the meaning of the threat.
The above steps belong to anomaly discovery. Anomaly discovery means finding existing anomalies in real time and in multiple dimensions, understanding unknown threats, analysing the attacker's purpose, and providing the information necessary to formulate targeted counter-measures. Anomaly discovery is the prerequisite of all defence strategies and protection work; merely using the approach of reaching a certain security level to measure the ability to resist security threats is incomplete.
Four, discover the attack purpose of the threat through high-low position collaborative monitoring, where high-position detection means monitoring technology based on network attributes and low-position detection means monitoring technology based on terminal attributes.
The threats discovered by high-low position collaborative monitoring in this step four are programs that call sensitive APIs, and these API calls include:
Requesting a remote server: HttpClient_execute;
Opening a URL link: URL_openConnection;
Obtaining the device IMEI and phone number: TelephonyManager_getDeviceId;
Querying communication records: ContentResolver_query;
Opening the camera, Wi-Fi and recording device: Camera_open;
Dynamically loading a module: System_loadLibrary;
Executing a command at runtime: Runtime_exec.
Testing shows that 85.714% of 49 known virus families contain the suspicious APIs above. The system monitors each activity of a malicious program in real time, and in the table the critical activities are represented in numerical order. For example, the call order of the Bgserv virus shown in Figure 3 corresponds to sequence number 6 in this table.
Table 1 shows the information captured from the communication features of the Bgserv virus: the program's requests to send data to several IP addresses can be captured, and rows 9 and 12 show two URL links accessed by the Bgserv virus. Abnormal communication features can be noticed from this information; by uploading the set of abnormal features to high-position monitoring, the specifics of the abnormal IP addresses and links can be analysed further and the resources controlled by the attacker can be located.
Because the public resources available to an attacker are limited and may be reused, monitoring accesses to the abnormal communication addresses at the high position can also reveal other unknown viruses developed by the same attack team.
Using the strategy of high-low position monitoring with association analysis of the behavioural features of the same virus family, the attacker's intent can be discovered step by step, the victim group can be identified, potential threats can be found, and counter-measures can be formulated.
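As an added illustration of the high-low position collaborative monitoring described in this step (written for this page; it is neither the patent's code nor the Bgserv data of Table 1): low-position monitoring flags the sensitive API calls listed above in a terminal trace, high-position monitoring indexes the remote endpoints each sample contacts, and the two are joined so that a sample that reuses infrastructure already seen in a confirmed-malicious sample is surfaced as a same-family candidate, which is the reuse argument of the previous paragraph. All traces, endpoints and sample names are constructed (documentation IP ranges and reserved example domains); the thresholds, verdict labels and function names are assumptions.

```python
# Added example: joining low-position (terminal/API) and high-position (network)
# monitoring. All sample data below is constructed for illustration.
from collections import defaultdict

# Sensitive APIs named in the patent, keyed as written there.
SENSITIVE_APIS = {
    "HttpClient_execute": "request remote server",
    "URL_openConnection": "open URL link",
    "TelephonyManager_getDeviceId": "read device IMEI / phone number",
    "ContentResolver_query": "query communication records",
    "Camera_open": "open camera / Wi-Fi / recording device",
    "System_loadLibrary": "dynamically load module",
    "Runtime_exec": "execute command at runtime",
}

# Constructed terminal traces (low position): ordered API calls per sample.
API_TRACES = {
    "sample_A": ["Activity_onCreate", "TelephonyManager_getDeviceId",
                 "ContentResolver_query", "HttpClient_execute"],
    "sample_B": ["Activity_onCreate", "URL_openConnection"],   # a plain news reader
    "sample_C": ["Activity_onCreate", "System_loadLibrary",
                 "Runtime_exec", "HttpClient_execute"],
}

# Constructed network events (high position): (sample, remote endpoint).
NET_EVENTS = [
    ("sample_A", "203.0.113.10"),
    ("sample_A", "http://c2.example/upload"),
    ("sample_B", "http://news.example/feed"),
    ("sample_C", "203.0.113.10"),          # reuses the server seen for sample_A
    ("sample_C", "198.51.100.7"),
]

KNOWN_MALICIOUS = {"sample_A"}   # analyst-confirmed (constructed label)


def sensitive_sequence(trace):
    """Low position: the ordered sensitive API calls, i.e. the critical-activity order."""
    return [api for api in trace if api in SENSITIVE_APIS]


def endpoint_index(net_events):
    """High position: remote endpoint -> set of samples that contacted it."""
    index = defaultdict(set)
    for sample, endpoint in net_events:
        index[endpoint].add(sample)
    return index


def abnormal_endpoints(net_events, known_malicious):
    """Endpoints contacted by confirmed-malicious samples: the high-position watchlist."""
    return {ep for sample, ep in net_events if sample in known_malicious}


def assess(api_traces, net_events, known_malicious, min_sensitive=2):
    """Join both positions and assign each sample a verdict."""
    index = endpoint_index(net_events)
    watchlist = abnormal_endpoints(net_events, known_malicious)
    results = {}
    for sample, trace in api_traces.items():
        seq = sensitive_sequence(trace)
        contacted = {ep for ep, samples in index.items() if sample in samples}
        shared = set() if sample in known_malicious else contacted & watchlist
        if sample in known_malicious:
            verdict = "known-malicious"
        elif shared and seq:
            verdict = "same-family-candidate"   # reused infrastructure + sensitive behaviour
        elif len(seq) >= min_sensitive:
            verdict = "review"                  # sensitive behaviour alone: analyst review
        else:
            verdict = "clean"
        results[sample] = {"sensitive_sequence": seq,
                           "shared_endpoints": sorted(shared),
                           "verdict": verdict}
    return results


if __name__ == "__main__":
    for sample, r in assess(API_TRACES, NET_EVENTS, KNOWN_MALICIOUS).items():
        print(sample, r["verdict"], r["sensitive_sequence"], r["shared_endpoints"])
```

A single sensitive call (the news reader's `URL_openConnection`) is not enough on its own, which keeps the low position from flagging every networked application; the high position only adds weight when an endpoint is already tied to a confirmed sample, so the same-family verdict rests on both attributes together rather than on either alone.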
Five, establish the threat defence model on the basis of anomaly discovery.
The detailed process of this step five is:
1) First calculate the terminal blind-area discovery strategy of dimension:
where is the network blind-area discovery strategy of dimension, is the service blind-area discovery strategy of dimension, is the social blind-area discovery strategy of dimension, and is the attack-purpose discovery technique of dimension; set , , , , ;
2) Let high-position monitoring be , where is the intensity of high-position monitoring, and let low-position monitoring be , where is the intensity of low-position monitoring; the detection intensities are computed as:
, have ;
, have ;
, have ;
where is the attack dimension, is the counter technology (such as fog computing), is active defence, and the weight is the comparison of the defender's and attacker's capabilities.
3) Derive the threat defence model based on anomaly discovery:
The threat defence model based on anomaly discovery uses high-low position monitoring technology to monitor and discover from the three aspects of a malicious program, its "source", "path" and "terminal"; the overall framework is shown in Figure 2.
The above are only embodiments of the present invention; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (5)

1. A security architecture design method for countering APT attacks, characterised in that its implementation process is:
One, model and analyse the relation between vulnerabilities and threats;
Two, model the vulnerability defence model, which covers the following three cases:
modeling with no update and no weak link;
modeling with update and no weak link;
modeling with update and weak link;
Three, directly monitor the terminal attributes and network attributes of the attack target, discover the existence of unknown threats by indirectly associating the service attributes and social attributes of the attack target, and analyse the terminal, network, service and social attributes of the attacker, thereby discovering the meaning of the threat;
Four, discover the attack purpose of the threat through high-low position collaborative monitoring, where high-position detection means monitoring technology based on network attributes and low-position detection means monitoring technology based on terminal attributes;
Five, establish the threat defence model on the basis of anomaly discovery.
2. The security architecture design method for countering APT attacks according to claim 1, characterised in that in step one the modeling and analysis process is:
Set the known-vulnerability set: , where the number of known vulnerabilities is ;
Set the unknown-vulnerability set: , where the number of unknown vulnerabilities is ;
Set the attack function: , whose arguments are respectively the numbers of known and unknown vulnerabilities used by the attack; the total number is denoted: ;
Set the event analysis function: , where is the capability weight;
Set the vulnerability analysis function: , where is the capability weight;
The unknown-vulnerability set UM is weakly linked to the known-vulnerability set KN, that is, the unknown-vulnerability set is connected to the known-vulnerability set through the functions of steps 4) and 5); at the same time the transition probability is set as: ;
Set the known-vulnerability growth rate: , where is an empirical value, the growth rate of known vulnerabilities;
Set the unknown-vulnerability growth rate: , where is an empirical value, the growth rate of unknown vulnerabilities;
Set the update condition: an update is performed when holds, and after the update ; where is the update condition; is the time since the last update, denotes the total, and is the influence weight of the attack;
The risk is calculated as: ; where and are the weights of the risk caused by known vulnerabilities and unknown vulnerabilities respectively, and the potential risk of unknown vulnerabilities is greater than the risk caused by known vulnerabilities.
3. The security architecture design method for countering APT attacks according to claim 2, characterised in that in step two the modeling process with no update and no weak link is:
where denotes time; this expresses the rule by which risk changes over time when there is no update to patch vulnerabilities and no weak link;
the modeling process with update and no weak link is:
in this model, time consists of an unlimited number of discrete integer points, where denotes the number of known vulnerabilities at the moment before the current moment;
the modeling process with update and weak link is:
4. The security architecture design method for countering APT attacks according to any one of claims 1 to 3, characterised in that the threats discovered by high-low position collaborative monitoring in step four are programs that call sensitive APIs, and these API calls include:
Requesting a remote server: HttpClient_execute;
Opening a URL link: URL_openConnection;
Obtaining the device IMEI and phone number: TelephonyManager_getDeviceId;
Querying communication records: ContentResolver_query;
Opening the camera, Wi-Fi and recording device: Camera_open;
Dynamically loading a module: System_loadLibrary;
Executing a command at runtime: Runtime_exec.
5. The security architecture design method for countering APT attacks according to claim 4, characterised in that the detailed process of step five is:
1) First calculate the terminal blind-area discovery strategy of dimension:
where is the network blind-area discovery strategy of dimension, is the service blind-area discovery strategy of dimension, is the social blind-area discovery strategy of dimension, and is the attack-purpose discovery technique of dimension; set , , , , ;
2) Let high-position monitoring be , where is the intensity of high-position monitoring, and let low-position monitoring be , where is the intensity of low-position monitoring; the detection intensities are computed as:
, have ;
, have ;
, have ;
where is the attack dimension, is the counter technology, is active defence, and the weight is the comparison of the defender's and attacker's capabilities;
3) Derive the threat defence model based on anomaly discovery:

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410203133.9A CN103986706A (en) 2014-05-14 2014-05-14 Security structure design method dealing with APT attacks


Publications (1)

Publication Number Publication Date
CN103986706A true CN103986706A (en) 2014-08-13

Family

ID=51278531


Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107659543A (en) * 2016-07-26 2018-02-02 北京计算机技术及应用研究所 The means of defence of facing cloud platform APT attacks
CN107659543B (en) * 2016-07-26 2020-12-01 北京计算机技术及应用研究所 Protection method for APT (android packet) attack of cloud platform
CN108234419A (en) * 2016-12-21 2018-06-29 江苏神州信源系统工程有限公司 A kind of network attack monitoring method and device based on big data
CN107018143A (en) * 2017-05-03 2017-08-04 成都国腾实业集团有限公司 The monitoring system of defense for the APT monitoring defence platforms analyzed based on big data
CN107248975A (en) * 2017-05-03 2017-10-13 成都国腾实业集团有限公司 System of defense is monitored based on the APT that big data is analyzed
CN107248976A (en) * 2017-05-03 2017-10-13 成都国腾实业集团有限公司 The APT monitoring defence platforms analyzed based on big data
CN109558736A (en) * 2018-11-22 2019-04-02 浙江国利网安科技有限公司 A kind of unknown threat construction method of industry and threaten generation system
CN109558736B (en) * 2018-11-22 2022-12-09 浙江国利网安科技有限公司 Industrial unknown threat construction method and threat generation system for enriching industrial control system attack samples
CN112351017A (en) * 2020-10-28 2021-02-09 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium
CN112351017B (en) * 2020-10-28 2022-08-26 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium
CN112491917A (en) * 2020-12-08 2021-03-12 物鼎安全科技(武汉)有限公司 Unknown vulnerability identification method and device for Internet of things equipment
CN112491917B (en) * 2020-12-08 2021-05-28 物鼎安全科技(武汉)有限公司 Unknown vulnerability identification method and device for Internet of things equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Lin Longcheng et al.: "New Threats Facing Traditional Network Security Defense: APT Attacks", Information Security and Technology *
Zhai Lidong et al.: "APT Threat Detection and Protection in Converged Cyberspace", Netinfo Security *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107659543A (en) * 2016-07-26 2018-02-02 北京计算机技术及应用研究所 Protection method for APT attacks on cloud platforms
CN107659543B (en) * 2016-07-26 2020-12-01 北京计算机技术及应用研究所 Protection method for APT attacks on cloud platforms
CN108234419A (en) * 2016-12-21 2018-06-29 江苏神州信源系统工程有限公司 Network attack monitoring method and device based on big data
CN107018143A (en) * 2017-05-03 2017-08-04 成都国腾实业集团有限公司 Monitoring and defense system for an APT monitoring and defense platform based on big data analysis
CN107248975A (en) * 2017-05-03 2017-10-13 成都国腾实业集团有限公司 APT monitoring and defense system based on big data analysis
CN107248976A (en) * 2017-05-03 2017-10-13 成都国腾实业集团有限公司 APT monitoring and defense platform based on big data analysis
CN109558736A (en) * 2018-11-22 2019-04-02 浙江国利网安科技有限公司 Industrial unknown threat construction method and threat generation system
CN109558736B (en) * 2018-11-22 2022-12-09 浙江国利网安科技有限公司 Industrial unknown threat construction method and threat generation system for enriching industrial control system attack samples
CN112351017A (en) * 2020-10-28 2021-02-09 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium
CN112351017B (en) * 2020-10-28 2022-08-26 北京奇虎科技有限公司 Transverse penetration protection method, device, equipment and storage medium
CN112491917A (en) * 2020-12-08 2021-03-12 物鼎安全科技(武汉)有限公司 Unknown vulnerability identification method and device for Internet of things equipment
CN112491917B (en) * 2020-12-08 2021-05-28 物鼎安全科技(武汉)有限公司 Unknown vulnerability identification method and device for Internet of things equipment

Similar Documents

Publication Publication Date Title
CN103986706A (en) Security structure design method dealing with APT attacks
Bryant et al. A novel kill-chain framework for remote security log analysis with SIEM software
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
Ruefle et al. Computer security incident response team development and evolution
Tien et al. KubAnomaly: Anomaly detection for the Docker orchestration platform with neural network approaches
CN111490970A (en) Tracing analysis method for network attack
Cristea Current security threats in the national and international context
CN106341426A (en) Method for defending against APT attacks and security controller
CN106302404A (en) Method and system for collecting network traceability information
CN116566674A (en) Automated penetration test method, system, electronic equipment and storage medium
Al-Kadhimi et al. Fingerprint for mobile-sensor apt detection framework (FORMAP) based on tactics techniques and procedures (TTP) and Mitre
Dimitrov et al. Analysis of the functionalities of a shared ICS security operations center
Miloslavskaya et al. Taxonomy for unsecure big data processing in security operations centers
Williams et al. Small business-a cyber resilience vulnerability
CN112487419A (en) Computer network information security event processing method
Lau et al. Securing supervisory control and data acquisition control systems
Vishnu et al. Identifying key strategies for reconnaissance in cybersecurity
Shihan et al. Internal and External Factors to Adopt a Cyber Security Strategy in Iraqi Organisations
Wickline The Capabilities of Antivirus Software to Detect and Prevent Emerging Cyberthreats
Hassan et al. Extraction of malware iocs and ttps mapping with coas
Sobol et al. Modeling the State of Information Security of a Smart Campus
Mahdi et al. Role of YARA Tool in Intrusion Detection Systems (IDS)
Çakmakçı et al. APT Detection: an Incremental Correlation Approach
Zhuravka et al. Some Questions of Cybersecurity in Ukrainian Modern Conditions
Mohd et al. CSIRT Management Workflow: Practical Guide for Critical Infrastructure Organizations

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20140813)