CN105376245B - A kind of detection method of rule-based APT attacks - Google Patents

Info

Publication number: CN105376245B
Authority: CN (China)
Prior art keywords: apt, rule, attack, alarm, detection
Legal status: Active
Application number: CN201510854610.2A
Other languages: Chinese (zh)
Other versions: CN105376245A
Inventors: 李凯, 范渊, 程华才, 史光庭
Current assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Events: application filed by DBAPPSecurity Co Ltd with priority to CN201510854610.2A; publication of CN105376245A; application granted; publication of CN105376245B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The present invention relates to the field of APT detection and aims to provide a rule-based detection method for APT attacks. The method includes the steps of: defining the grammar used to create APT attack scenario rules; creating APT attack scenario rules and building an APT attack scenario knowledge base; having the analysis module call the rule parsing module to parse and load the APT attack scenario rules; having the acquisition module collect full application-layer protocol traffic to obtain traffic data; screening the data; analysing significant alarms; identifying the behaviour; and handling failures to build an APT attack scenario. In an attack such as an APT there are always several exposed points over the whole attack process. Based on this, the present invention performs backtracking correlation on the relevant traffic, replacing the traditional approach of feature matching at a single point in time with correlation analysis over a long time window, so that the attacker's complete attack intent can be identified.

Description

A kind of detection method of rule-based APT attacks
Technical field
The present invention relates to the field of APT (Advanced Persistent Threat) detection, and in particular to a rule-based detection method for APT attacks.
Background technology
An APT attack is a new kind of organized attack and threat with a specific target, strong concealment, great destructive power and long duration. Its main characteristics are:
Strong concealment of a single attack source: to evade traditional detection systems, APT attacks place great emphasis on hiding both dynamic behaviour and static files, for example by using covert channels or encrypted tunnels to keep network behaviour from being detected, or by forging legitimate signatures to keep the malicious code file itself from being recognized. This creates great difficulty for traditional signature-based detection.
Many attack means and a long attack duration: an APT attack is divided into multiple steps, from initial information gathering and obtaining an entry point, through remote control, to the discovery, theft and exfiltration of important data, and often spans several months, a year or even longer. Traditional detection works in real time at a single point in time and can hardly track an attack spanning such a long period effectively; it cannot identify the attacker's true intent, and alarms that occurred earlier but failed to attract the analysts' attention may conceal a premeditated attack intent. Effective detection of APTs can therefore only be achieved by correlating suspicious behaviour over a long period.
Because of these characteristics of APT attacks, the traditional defence mode of real-time detection and real-time blocking can hardly play an effective role. To identify and counter APTs effectively, new detection methods must therefore be adopted.
Invention content
The main object of the present invention is to overcome the deficiencies of the prior art by providing a rule-based detection method for APT attack behaviour and a system for it. To solve the above technical problem, the solution of the present invention is:
A rule-based detection method for APT attacks is provided for analysing and detecting APT behaviour. The method includes the following steps:
Step 1: Define the grammar used to create APT attack scenario rules:
(1) Collect the attributes related to attack behaviour that are used to define rules. Common attack-related attributes include the benchmark alarm type (an alarm type with high detection accuracy or of great importance), the trace-back time range, the associated alarm types, and the IP location information related to the alarm;
(2) Collect the information used by the rule itself, including the rule ID, rule name, rule description and the marker that starts a new rule;
(3) Arrange the information from (1) and (2) as configurable items: define the name of each configuration item and specify its configuration method and range of permitted values;
Step 2: Create APT attack scenario rules and build an APT attack scenario knowledge base:
(4) Summarize the (typical) APT attacks that have occurred and the attack means commonly used by attackers, and define APT attack scenario rules (an APT attack scenario rule is a summary of the methods and steps used in APT attacks, refined from typical APT attack incidents, cases and development trends of the past). The defined APT attack scenario rules include APT attacks based on the web, APT attacks based on e-mail social engineering, and APT attacks based on file transfer and access;
(5) Express the APT attack scenario rules defined in (4) in the grammar arranged in Step 1 and save them in a configuration file for the rule parsing module to read, parse and load later;
Step 3: The analysis module calls the rule parsing module to parse and load the APT attack scenario rules;
Step 4: The acquisition module collects full traffic of the (common) application-layer protocols to obtain traffic data;
Step 5: Data screening:
The detection module (using a variety of detection tools and methods) performs a complete detection over the traffic data collected in Step 4. Data unrelated to attack behaviour is kept in short-term storage and deleted when it expires; risk data (or suspicious data) related to attack behaviour is retained and stored in the platform for a long time;
Step 6:Analyze significant alarm:
The analysis module periodically performs further in-depth analysis on the alarm data and suspicious data already generated. Each alarm is checked in turn against each APT attack scenario rule to determine whether it is a benchmark alarm or an associated alarm of the current rule. If it is a benchmark alarm, a record is initialized and saved in the benchmark alarm information table (a database table); the saved information includes the IP value, the APT scenario rule ID, the alarm type and the current alarm ID, and the method proceeds to Step 7. If it belongs to an associated alarm type of the current APT attack scenario rule, the method proceeds to Step 8;
Step 7: Identify the behaviour: identify the attack-layer semantic relationship between alarms and build the complete attack scenario starting from the benchmark alarm;
When a benchmark alarm is generated, the analysis module triggers a scenario analysis according to the APT attack scenario rule: it traces back through the historical data and correlates the attack alarms and suspicious data of all kinds (associated alarms) that are related to the benchmark alarm. If related data is found, the main information of the associated alarm is saved in the associated alarm information table (a database table); the saved information includes the associated alarm ID, the alarm type, the record ID in the benchmark alarm information table and the associated IP value. At the same time the latest analysed alarm time in the benchmark alarm information table is updated, and the rule is used to judge whether the current correlation results constitute an APT attack. If so, the analysis for this IP and the current rule is finished; the benchmark alarm information table is updated and the state is set to complete, meaning that an APT attack has been constituted. If not, it is judged whether the history trace range has been exceeded; if so, the state is set to "failed to build APT scenario";
Step 8: Query the benchmark alarm information table by IP value and alarm type. If a record is found, add a record to the associated alarm information table; the saved information includes the associated alarm ID, the alarm type, the record ID in the benchmark alarm information table and the associated IP value. At the same time update the latest analysed alarm time in the benchmark alarm information table and judge according to the rule whether the current correlation results constitute an APT attack scenario. If so, the analysis for this IP value and the current rule is finished; the benchmark alarm information table is updated and the state is set to complete, meaning that an APT attack has been constituted. If not, judge whether the history trace range has been exceeded; if so, set the state to "failed to build APT scenario";
Step 9: Handle failures to build an APT attack scenario:
Associated alarm data that did not constitute an APT attack because the trace-back time range was exceeded is handed to analysts, who locate the suspicious behaviour.
In the present invention, in Step 9, analysts must summarize the incidents for which building repeatedly failed and adjust existing rules or create new rules, so as to avoid build failures caused by inaccurate APT attack scenario rules; if the rule configuration information has changed, the method returns to Step 2.
In the present invention, APT attacks whose scenario has been fully built also require manual analysis to verify whether the identified APT attack is accurate. For correctly identified attacks, intervention measures are taken, the attack is defended against and blocked, leakage of important information is avoided, and the scope of the attack is reduced. For misidentified attacks, the earlier rule is deleted and a new rule created in light of the actual risk situation; if the rule configuration information has changed, the method returns to Step 2.
An APT behaviour detection system based on the detection method is provided, comprising an acquisition module, a detection module, an analysis module and a rule parsing module;
The acquisition module collects network traffic; it can collect data directly from a network interface card or receive traffic data sent by other systems;
The detection module is made up of detection sub-modules, including a malicious code detection sub-module, a web shell detection sub-module, a sender spoofing detection sub-module, a mail header spoofing detection sub-module, a mail phishing detection sub-module, a mail malicious link detection sub-module, a mail attachment malicious code detection sub-module, a web feature detection sub-module, an abnormal access detection sub-module, a C&C IP/URL detection sub-module, a trojan callback detection sub-module, an invalid data transmission detection sub-module and a web behaviour analysis sub-module. The malicious code detection sub-module in turn contains sub-modules for virus detection, static detection and dynamic detection;
The analysis module implements the APT behaviour detection function: it identifies benchmark alarm data and associated alarm data among the generated alarm data and attempts to build APT attack scenarios;
The rule parsing module reads the configuration file of APT attack scenario rules and parses each rule (checking whether the grammar of the configuration is wrong, whether the names of the configuration items are legal, and whether the values of the configuration items are within their permitted ranges). Rules that parse correctly are loaded into memory for use by the analysis module; rules with parsing errors are treated as invalid.
Operating principle of the present invention: typical APT attack scenarios are refined, summarized and abstracted into corresponding APT attack rules, and some important key alarms are configured in the rules as benchmark alarms. When the detection module detects a risk, historical data is correlated by IP and risk type in an attempt to build the complete attack path graph.
Compared with the prior art, the beneficial effects of the present invention are:
For an attack like an APT, with its long time span and specific target, there are always several exposed points over the whole attack process. Based on this, the present invention performs backtracking correlation on the relevant traffic, replacing the traditional approach of feature matching at a single point in time with correlation analysis over a long time window, so that the attacker's complete attack intent can be identified.
Description of the drawings
Fig. 1 is a diagram of the main process of APT attack analysis of the present invention.
Fig. 2 is a flow chart of improving APT attack rules in the present invention.
Specific implementation mode
It should first be explained that the APT attack detection method of the present invention is an application of computer technology in the field of information security technology. Implementing the invention may involve several software function modules. The applicant believes that, after carefully reading the application documents and accurately understanding the realization principle and object of the invention, those skilled in the art can fully implement the invention with their programming skills in combination with existing known technology, and there is no possibility of it being incomprehensible or irreproducible. The software function modules mentioned include but are not limited to the acquisition module, the detection module, the rule parsing module and the analysis module; there are many possible concrete implementations, all of which fall within the scope referred to in this application, and the applicant will not enumerate them.
The invention is described in further detail below with reference to the drawings and specific embodiments. The database used in the invention may in practice be a relational database management system (RDBMS) such as MySQL or Oracle, or a distributed computing framework based on NoSQL, for storing network session audit data, alarm data and analysis results.
As shown in Fig. 1 and Fig. 2, a rule-based detection method for APT attacks correlates the alarms of a certain time range to identify APT attacks. The detection method specifically includes the following steps:
Step 1: Define the grammar and semantics used to create APT behaviour rules.
The event elements involved in typical APT attacks are summarized and formed into configurable items, and the value range and configuration method of each configuration item are specified.
1. Collect the attributes related to attack behaviour that are used to define rules. Common attack-related attributes include the following: the benchmark alarm type (an alarm type whose detection results are highly accurate or that is very important); the trace-back time range (i.e., when a new risk occurs, the period over which related risks are traced back; the supported time units are year, month, day and hour); the associated alarm types; the benchmark alarm IP (source IP or target IP, i.e., whether the source IP or the target IP is used to correlate historical alarm information); the associated alarm IP (source IP or target IP); the benchmark alarm ordering requirement (when a rule configures more than one benchmark alarm, whether the alarms are required to occur in the order configured in the rule); the associated alarm ordering requirement (when a rule configures more than one associated alarm, whether the alarm times are required to follow the order configured in the rule); the benchmark alarm source IP location (an intranet IP of the monitored organization or the extranet IP of a remote server); the benchmark alarm destination IP location; the associated alarm source IP location; the associated alarm destination IP location; and whether multiple alarms must be in the same session (when there is more than one benchmark or associated alarm type, whether these alarms are required to occur in the same network connection session).
2. Information used by the rule itself: rule ID, rule name, rule description and the marker that starts a new rule.
3. Arrange the information from steps 1 and 2 as configurable items: define the name of each configuration item and its configuration method and, where a value must be assigned, the range of permitted values.
Step 2: Create APT attack scenario rules and build an APT attack scenario knowledge base.
Summarize the event characteristics involved in typical APT attacks (the several alarm types or suspicious behaviours that may occur in sequence during an APT attack, the attack time range, the IP locations, the alarm types occurring in sequence, and so on) and create the corresponding APT attack rules.
An APT attack scenario rule is a summary of the methods and steps used in APT attacks, refined from typical APT attack incidents, cases and development trends of the past. In a particular application the grammar for creating rules can be extended entirely according to actual needs by adding new configuration items or arranging other grammars and configuration methods for creating rules; the following demonstration may be used as a reference:
For example, the RSA SecurID theft attack that occurred in 2011 followed roughly the process below (note: the information on the attack process below comes from the internet; other typical APT attacks include the Google Aurora attack, the Night Dragon attack and the Stuxnet virus attack):
A. The attacker sent two groups of malicious e-mails to four employees of RSA's parent company EMC, with an attachment named "2011 Recruitment plan.xls";
B. One employee retrieved the mail from the spam folder and opened it, and was hit by a then-latest Adobe Flash 0-day vulnerability (CVE-2011-0609);
C. The employee's computer was implanted with a trojan and began downloading instructions from the botnet's C&C server to execute tasks;
D. The first batch of victims were not "powerful" people; the people associated with them, including IT and non-IT server administrators, were then compromised one after another;
E. RSA discovered that a staging server had been intruded; the attacker withdrew immediately, encrypted and compressed all the data and sent it to a remote host via FTP, then removed the traces of the intrusion;
F. Having obtained the SecurID information, the attacker began to launch further attacks on companies that use SecurID.
From the attack process described above, we can define the following APT attack scenario rule:
E-mail social engineering attack + malicious code attack + web behaviour analysis / trojan callback / C&C IP/URL (initiated by the target IP) = successful e-mail APT attack
Here an e-mail social engineering attack includes the following types: sender spoofing, mail header spoofing, mail phishing and mail malicious links. Malicious code mainly refers to computer code deliberately written or configured to pose a threat or potential threat to a network or system. The most common malicious code includes computer viruses (viruses), Trojan horses (trojans), computer worms (worms), backdoors, logic bombs, spyware and malicious shareware. They usually disguise themselves as ordinary installers, office documents and the like.
Web behaviour analysis is statistical alarming over multiple dimensions: on the basis of a specified dimension, an alarm is raised when the number of web behaviours (which may be ordinary access behaviour or web feature attacks, etc.) occurring within a specified time reaches a predetermined count. For example, if more than 1000 submissions (HTTP POST method) of the same form (such as the username and password of a user login page) are made to a web server within 10 minutes, the web behaviour analysis function, after statistics, considers that this behaviour constitutes a web form brute-force attack. Similarly, if many client IPs carry out a large number of CC attacks on the same web server within a period of time (Challenge Collapsar: the attacker controls certain hosts to keep sending large numbers of packets to the victim server until its resources are exhausted and it crashes), the web behaviour analysis function, after statistical analysis, considers that this behaviour constitutes a web CC attack, and so on. The statistical dimensions of web behaviour analysis can be the number of attack source IPs, ordinary HTTP access behaviour or a certain web attack behaviour, the statistical period, the number of accesses, the type of file accessed, and so on.
A trojan callback is the behaviour of malicious code that, at run time, connects to a certain remote server and uses some method (for example, transmitting non-HTTP protocol data over HTTP port 80) to send important data from the network it resides in to the remote server.
C&C IP/URL: a C&C server is a remote command and control server from which the target machine receives commands, so that the server controls the target machine. This method is commonly used by viruses and trojans to control infected machines.
In the APT attack scenario rule defined above, the part marked in bold in the original, "web behaviour analysis / trojan callback / C&C IP/URL", can be regarded as the benchmark alarm. Whether it is a web behaviour analysis alarm, a trojan callback alarm or a C&C IP/URL alarm, such an alarm is a very critical step in the APT attack process. When an alarm of this type is found, scenario analysis is triggered immediately: historical data is traced back, and historical alarm data is queried by correlating elements such as the IP addresses, ports and alarm type related to the alarm, as are the related alarms that occur afterwards. If the result of the correlation analysis satisfies some APT attack scenario rule, an APT attack is considered to have actually occurred.
In a specific implementation, the rule defined above can be described in the following grammar so that a program can parse it:
$ NEW_APT_RULE # marks the start of a new rule
$ RULE_ID=1 # rule number
$ RULE_NAME=mail social engineering APT attack # rule name
$ RULE_DESCRIPTION=mail social engineering APT attack # detailed description of the rule
$ TRIGGER_RISK=TROJAN_RECONNECT | MALICIOUS_CODE | WEB_BEHAVIOR_ANALYZE # benchmark alarm type: may be a trojan callback, malicious code or web behaviour analysis; multiple alarm types are joined with the connector "|"
$ TRACE_BACK_TIME=1Y # trace-back time of one year; can also be configured as 12M, meaning 12 months
$ TRIGGER_IP=TARGET # use the attacked IP of the current benchmark alarm to correlate historical data; can be configured as SOURCE (attack source IP) or TARGET (attacked IP); configuring both SOURCE and TARGET means historical data is correlated by both the attack source IP and the attacked IP
$ TRIGGER_SOUCRCE_LOC=INNER # source IP location of the benchmark alarm, i.e. whether the attack source IP is an intranet IP (inside the monitored organization) or an extranet IP (remote server); can be configured as INNER or OUTER; if not configured, or if INNER and OUTER are both configured, no distinction is made
$ TRIGGER_SOUCRCE_LOC=OUTER
$ TRIGGER_TARGET_LOC=INNER # attacked IP location of the benchmark alarm; configured the same way as the attack source IP location of the benchmark alarm
$ TRIGGER_TARGET_LOC=OUTER
$ TRIGGER_LINED=false # when a rule configures more than one benchmark-class alarm, whether the alarms are required to occur in the order configured in the rule; may be true or false; defaults to false if not configured
$ RELATED_RISK=MAIL_CHEAT | MALICIOUS_CODE # associated alarm types: may be mail social engineering or malicious code; configured the same way as the trigger alarm type
$ RAELATED_LINED=false # same meaning and configuration method as $ TRIGGER_LINED
$ RELATED_IP=TARGET # configured the same way as $ TRIGGER_IP; TARGET means the attacked IP of the associated alarm is mainly analysed
$ RELATED_SOURCE_LOC=OUTER # attack source IP location of the associated alarm
$ RELATED_TARGET_LOC=INNER # attacked IP location of the associated alarm
If an attack similar to the RSA SecurID theft described above occurs in the user's network environment, then when the attack of step C occurs the analysis program considers that a benchmark alarm has occurred, and then analyses according to the rule whether the behaviour of steps A and B (i.e. associated alarms, alarm events related to some benchmark alarm) can be found by correlation within some earlier period. If so, the analysis is considered to have successfully identified an APT attack, and an alarm is raised.
Because of the diversity of attacked network environments, the methods an APT attack uses to gather information and obtain an entry point in its initial stage are diverse, and so are the means of the final attack and theft of confidential information. Several rules therefore need to be configured; the benchmark and associated alarm types may differ between rules, the benchmark alarm of one rule may be an associated alarm in another, and the benchmark and associated alarms of a rule may each be configured as one or more types.
Typically at least the following kinds of rule are defined: APT attacks based on the web, APT attacks based on e-mail social engineering, and APT attacks based on file transfer and access.
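As an added example (not the patent's own code), the following Python parser reads the rule grammar of the listing above and performs the checks the rule parsing module is described as making: grammar, legal configuration item names and values within range, with any rule that fails a check treated as invalid and not loaded. It assumes that the listing's TRIGGER_SOUCRCE_LOC and RAELATED_LINED are misspellings of TRIGGER_SOURCE_LOC and RELATED_LINED, that a year counts as 365 days and a month as 30 days, and that the six items marked REQUIRED are the minimum for a usable rule.

```python
"""Parser and validator for the rule grammar in the listing above (added example,
not the patent's own code). '$ NEW_APT_RULE' starts a rule, '$ NAME=VALUE' sets one
configuration item, '#' begins a comment. Assumed: the listing's TRIGGER_SOUCRCE_LOC and
RAELATED_LINED are misspellings of TRIGGER_SOURCE_LOC and RELATED_LINED; 1Y=365d, 1M=30d."""
import re
# Legal configuration item names and the kind (value range) of each.
ITEM_KIND = {"RULE_ID": "int", "RULE_NAME": "text", "RULE_DESCRIPTION": "text",
             "TRIGGER_RISK": "risk", "RELATED_RISK": "risk", "TRACE_BACK_TIME": "time",
             "TRIGGER_IP": "ip", "RELATED_IP": "ip",
             "TRIGGER_SOURCE_LOC": "loc", "TRIGGER_TARGET_LOC": "loc",
             "RELATED_SOURCE_LOC": "loc", "RELATED_TARGET_LOC": "loc",
             "TRIGGER_LINED": "bool", "RELATED_LINED": "bool"}
REQUIRED = ("RULE_ID", "TRIGGER_RISK", "RELATED_RISK", "TRACE_BACK_TIME", "TRIGGER_IP", "RELATED_IP")
LOC_VALUES, IP_VALUES = {"INNER", "OUTER"}, {"SOURCE", "TARGET"}
HOURS_PER_UNIT = {"Y": 365 * 24, "M": 30 * 24, "D": 24, "H": 1}   # units: year, month, day, hour
LINE_RE = re.compile(r"^\$\s*([A-Z_]+)\s*(?:=\s*(.*?))?\s*$")
RISK_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
TIME_RE = re.compile(r"^(\d+)([YMDH])$")

def _parse_value(kind, raw, current):
    """Typed value for one item; raises ValueError when outside its range."""
    if kind == "int":
        return int(raw)
    if kind == "bool" and raw in ("true", "false"):
        return raw == "true"
    if kind == "time" and TIME_RE.match(raw):
        count, unit = TIME_RE.match(raw).groups()
        return int(count) * HOURS_PER_UNIT[unit]            # trace range in hours
    if kind in ("risk", "ip", "loc"):
        # '|' joins alternatives; a repeated line adds to the same set.
        tokens = {t.strip() for t in raw.split("|")}
        allowed = {"ip": IP_VALUES, "loc": LOC_VALUES}.get(kind)
        if all(RISK_RE.match(t) if allowed is None else t in allowed for t in tokens):
            return (current or set()) | tokens
    if kind == "text" and raw:
        return raw
    raise ValueError("value %r out of range for a %s item" % (raw, kind))

def _finish(rule, valid, invalid):
    """Apply defaults and required-item checks, then file the rule."""
    if rule is None:
        return
    for name in REQUIRED:
        if name not in rule["items"]:
            rule["errors"].append("missing required item %s" % name)
    for name, kind in ITEM_KIND.items():
        if name not in rule["items"] and kind == "loc":
            rule["items"][name] = set(LOC_VALUES)        # unset location: no distinction
        elif name not in rule["items"] and kind == "bool":
            rule["items"][name] = False                  # *_LINED defaults to false
    (invalid if rule["errors"] else valid).append(rule)

def parse_rules(text):
    """Return (valid, invalid); a rule is {'items': {...}, 'errors': [...]}."""
    valid, invalid, rule = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()              # drop the comment
        if not line:
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) == "NEW_APT_RULE":            # rule delimiter
            _finish(rule, valid, invalid)
            rule = {"items": {}, "errors": []}
            continue
        if rule is None:
            rule = {"items": {}, "errors": ["line %d: item before $ NEW_APT_RULE" % lineno]}
        if not m:
            rule["errors"].append("line %d: syntax error" % lineno)
            continue
        name, raw = m.group(1), m.group(2) or ""
        if name not in ITEM_KIND:
            rule["errors"].append("line %d: unknown configuration item %s" % (lineno, name))
            continue
        try:
            rule["items"][name] = _parse_value(ITEM_KIND[name], raw, rule["items"].get(name))
        except ValueError as exc:
            rule["errors"].append("line %d: %s: %s" % (lineno, name, exc))
    _finish(rule, valid, invalid)
    return valid, invalid

# Constructed sample: the listing's mail rule (item names corrected), then a rule
# that must be rejected for an illegal name, an out-of-range value and missing items.
SAMPLE_RULES = """
$ NEW_APT_RULE
$ RULE_ID=1
$ TRIGGER_RISK=TROJAN_RECONNECT | MALICIOUS_CODE | WEB_BEHAVIOR_ANALYZE
$ TRACE_BACK_TIME=1Y
$ TRIGGER_IP=TARGET
$ TRIGGER_SOURCE_LOC=INNER
$ TRIGGER_SOURCE_LOC=OUTER        # INNER and OUTER together: no distinction
$ TRIGGER_TARGET_LOC=INNER
$ RELATED_RISK=MAIL_CHEAT | MALICIOUS_CODE
$ RELATED_IP=TARGET
$ NEW_APT_RULE
$ RULE_ID=2
$ TRIGGER_RISK=WEB_BEHAVIOR_ANALYZE
$ RELATED_RISK=WEB_FEATURE
$ TRACE_BACK_TIME=12M
$ TRIGGER_SOUCRCE_LOC=INNER       # misspelt item name: illegal
$ TRIGGER_TARGET_LOC=LAN          # value outside INNER / OUTER
"""
```

Calling parse_rules(SAMPLE_RULES) loads rule 1 and reports rule 2 with four errors: the unknown item name, the out-of-range value, and the two missing required IP items.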
Step 3: The analysis module calls the rule parsing module to parse and load the APT attack scenario rules.
Step 4: The traffic acquisition module collects data. It can parse various protocols including HTTP, FTP, SMTP, POP3, IMAP and SMB; acquisition of other protocols can be added as needed, and acquisition can be restricted to certain IPs, IP ranges or port numbers.
Step 5: The detection module detects the traffic data:
1. Different detection tools and methods are used for different protocols:
1) For the mail-related protocols POP3, SMTP and IMAP, the detected risks include sender spoofing, mail header spoofing, mail phishing, mail malicious links and mail attachment malicious code;
2) Malicious code detection is performed on files transferred over FTP and SMB;
3) For HTTP, the detected risks include web features, abnormal access, C&C IP/URL, web shell, trojan callback, invalid data transmission, web behaviour analysis (brute force, automatic scanning, directory probing, CC attacks, etc.) and malicious code;
4) Malicious code detection in items 1, 2 and 3 includes virus database detection, static detection and dynamic behaviour detection. The detected file types are divided into PE files (exe, dll, etc.) and non-PE files (office, pdf, flash, chm, html, etc.);
5) In a specific implementation, other detection tools and methods can be added as needed.
2. For each risk found, the detailed session information is saved in the risk data table, and the key information of the session is saved in the risk summary information table (risk identification ID, protocol type, risk type and level, session request IP and port, session response IP and port). The risk identification ID contains the session time, and the risk data table can be queried by risk ID for the detailed session information, including the source IP request content, destination IP response content, response message, protocol type, and so on.
Step 6: The analysis module analyses alarms.
The analysis module periodically checks whether the risk summary information table contains new risk data. If no new risk has appeared, it waits for a period of time and checks again; if there is new data:
According to the risk category, it judges whether the alarm is the benchmark alarm of the current APT rule. If it is a benchmark alarm, it queries the trigger-class benchmark warning information table by IP and alarm type, initialises a record and saves it in the benchmark warning information table. The saved information includes the IP value, the APT scene rule ID, the alarm type, the current alarm ID, the APT event ID (which identifies one APT attack once the scene has been built successfully), etc. If an existing benchmark alarm record is found in the benchmark warning information table, the newly initialised record reuses the event ID of the existing record (within one APT behaviour, a trigger-class alarm of the same type may occur repeatedly for the same IP). Then Step 7 is entered. If the alarm is of an associated alarm type, Step 8 is entered.
After the current rule has been checked, the next rule is checked in turn. After all rules have been checked, it judges whether new APT rules need to be parsed. If so, Step 3 is entered and the parsing module is called to parse the new rules, after which Step 6 follows; otherwise Step 6 is entered directly to handle the new warning information.
Step 7: Identify behaviour. Identify the attack-layer semantic relations between alarms and build a complete attack scene from isolated alarms.
When a benchmark alarm is generated, the analysis module triggers scene analysis according to the APT attack scene rule and traces back through the historical data, associating all kinds of attack alarms and suspicious data related to the benchmark alarm. If a relevant alarm is found, the main information of the associated alarm is saved in the associated alarm information table; the saved information includes the associated alarm ID, the alarm type, the benchmark warning information table record ID, the benchmark warning information table event ID and the associated IP value. At the same time the most recently analysed alarm time of the corresponding benchmark warning information table record is updated (in the next cycle, subsequent risk data is analysed starting from that time point), and the rule is applied to judge whether the current association results constitute an APT attack. If so, the analysis for this IP and the current rule is finished: the benchmark warning information table is updated and its state is set to complete, indicating that an APT attack has been constituted.
Step 8: The analysis module queries the benchmark warning information table by IP value and alarm type. If a record is found, a record is added to the associated alarm information table (indicating a new risk information node on the attack path related to that benchmark alarm); the saved information includes the associated alarm ID, the alarm type, the benchmark warning information table record ID, the benchmark warning information table event ID and the associated IP value. At the same time the most recently analysed alarm time of the corresponding benchmark warning information table record is updated (in the next cycle, this alarm record is analysed against the subsequent risk data starting from that time point). The rule is then applied to judge whether the current association results constitute an APT attack scene. If so, the analysis for this IP value and the current rule is finished: the benchmark warning information table is updated and its state is set to complete, indicating that an APT attack has been constituted.
Step 9: The analysis module checks benchmark warning information that has exceeded the traceback time range.
1. Handling failure to build an APT attack. Because of the complexity of APT attack methods, in real environments reasons such as packet loss in the acquisition module or missing alarm events often make it impossible to match a complete attack path graph, so that the APT attack scene cannot be built; this is the problem of matching attack scenes against incomplete attack paths. Associated alarm data that has exceeded the traceback time range without constituting an APT attack requires analysts to locate the suspicious behaviour. In addition, inaccurately written behaviour rules, or an attacker using a new attack method, can also cause the build to fail; analysts then need to summarise the events whose build has repeatedly failed and adjust existing rules or write new ones. If the rule configuration information has changed, Step 2 is entered.
2. Checking APT attack scenes that have been built. APT attacks whose scene has been fully built also require the participation of manual analysis: sampling analysis checks whether the identified APT attacks are accurate. For correctly identified attacks, intervention and defence measures are taken to block the attack, prevent leakage of important information and reduce the scope of the attack. For incorrectly identified attacks, the previous rule is deleted and a new rule is created in light of the actual risk situation, and Step 2 is entered.
Finally, it should be noted that the above are only specific embodiments of the present invention. Clearly the invention is not restricted to the above examples and can have many variations. All variations that those skilled in the art can derive or infer directly from the content of the present disclosure are considered to be within the protection scope of the present invention.

Claims (4)

1. A rule-based APT attack detection method, for analysing and detecting APT behaviour, characterised in that the rule-based APT attack detection method includes the following steps:
Step 1: Define the grammar used to create APT attack scene rules:
(1) Arrange the attributes related to the attack, which are used to define rules; common attack-related attributes include the benchmark alarm type, the traceback time range, the associated alarm types and the IP location information related to the alarm;
(2) Arrange the information used by the rule itself, including the rule ID, rule name, rule description and a new-rule start flag;
(3) Arrange the information from (1) and (2) as configurable items, arrange the configuration item names, and stipulate the configuration method and permitted value range of each configuration item;
Step 2: Create APT attack scene rules and build the APT attack scene knowledge base:
(4) According to the APT attacks that have already occurred and the attack methods commonly used by attackers, summarise and define APT attack scene rules; the defined APT attack scene rules include WEB-based APT attacks, APT attacks based on mail social engineering, and APT attacks based on file transfer and access;
(5) Express the APT attack scene rules defined in (4) in the grammar arranged in Step 1 and save them in a configuration file, for the subsequent rule parsing module to read, parse and load;
Step 3: The analysis module calls the rule parsing module to parse and load the APT attack scene rules;
Step 4: The acquisition module acquires the full application-layer protocol traffic and obtains the traffic data;
Step 5: Data screening:
The detection module performs complete detection on the traffic data acquired in Step 4; data unrelated to attacks is stored for a short time and deleted after it expires, while attack-related risk data is retained and stored long-term in the platform;
Step 6: Analyse significant alarms:
The analysis module periodically performs further in-depth analysis of the generated alarm data and suspicious data, detecting and judging each alarm in turn against each APT attack scene rule to determine whether it is the benchmark alarm or an associated alarm of the current APT attack scene rule. If it is a benchmark alarm, a record is initialised and saved in the benchmark warning information table; the saved information includes the IP value, the APT scene rule ID, the alarm type and the current alarm ID; then Step 7 is entered. If it is of an associated alarm type of the current APT attack scene rule, Step 8 is entered;
Step 7: Identify behaviour: identify the attack-layer semantic relations between alarms and build a complete attack scene from the benchmark alarm;
When a benchmark alarm is generated, the analysis module triggers scene analysis according to the APT attack scene rule, traces back through the historical data and associates all kinds of attack alarms and suspicious data related to the benchmark alarm. If relevant data is found, the main information of the associated alarm is saved in the associated alarm information table; the saved information includes the associated alarm ID, the alarm type, the benchmark warning information table record ID and the associated IP value. At the same time the most recently analysed alarm time of the benchmark warning information table is updated, and the APT attack scene rule is applied to judge whether the current association results constitute an APT attack; if so, the analysis for this IP and the current rule is finished, the benchmark warning information table is updated and its state is set to complete, indicating that an APT attack has been constituted; if not, it is judged whether the history traceback range has been exceeded, and if it has, the state is set to APT scene build failure;
Step 8: The benchmark warning information table is queried by IP value and alarm type. If a record is found, a record is added to the associated alarm information table; the saved information includes the associated alarm ID, the alarm type, the benchmark warning information table record ID and the associated IP value. At the same time the most recently analysed alarm time of the benchmark warning information table is updated, and the rule is applied to judge whether the current association results constitute an APT attack scene; if so, the analysis for this IP value and the current rule is finished, the benchmark warning information table is updated and its state is set to complete, indicating that an APT attack has been constituted; if not, it is judged whether the history traceback range has been exceeded, and if it has, the state is set to APT scene build failure;
Step 9: Handling failure to build an APT attack:
Associated alarm data that has exceeded the traceback time range without constituting an APT attack is handed to analysts, who locate the suspicious behaviour.
2. The rule-based APT attack detection method according to claim 1, characterised in that in Step 9, analysts are required to summarise the events whose build has repeatedly failed and adjust existing rules or create new ones, so as to avoid build failures caused by inaccurate APT attack scene rules; if the rule configuration information has changed, Step 2 is entered.
3. The rule-based APT attack detection method according to claim 1, characterised in that APT attacks whose scene has been fully built also require the participation of manual analysis to analyse whether the identified APT attack behaviour is accurate; for correctly identified attacks, intervention and defence measures are further taken to block the attack, prevent leakage of important information and reduce the scope of the attack; for incorrectly identified attacks, the previous rule is deleted and a new rule is created in light of the actual risk situation; if the rule configuration information has changed, Step 2 is entered.
4. An APT behaviour detection system based on the detection method of claim 1, characterised in that it includes an acquisition module, a detection module, an analysis module and a rule parsing module;
The acquisition module is used for network traffic acquisition; it can acquire data directly from the network interface card, and can also directly receive traffic data sent to it by programs of other systems;
The detection module is made up of detection sub-modules, which include a malicious code detection sub-module, a Web shell detection sub-module, a sender fraud detection sub-module, a mail header fraud detection sub-module, a mail phishing detection sub-module, a mail malicious link detection sub-module, an email attachment malicious code detection sub-module, a Web feature detection sub-module, an abnormal access detection sub-module, a C&C IP/URL detection sub-module, a malicious trojan callback detection sub-module, an invalid data transmission detection sub-module and a Web behaviour analysis sub-module; the malicious code detection sub-module includes sub-modules used respectively for virus detection, static detection and dynamic detection;
The analysis module is used to realise the APT behaviour detection function, including identifying benchmark alarm data and associated alarm data among the generated alarm data and attempting to build APT attack scenes;
The rule parsing module is used to read the configuration file of APT attack scene rules and parse each rule; rules that parse correctly are loaded into memory for use by the analysis module, and rules that produce parsing errors are treated as invalid.
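As an added example that is not part of the patent, the following Python sketch implements the benchmark/associated alarm correlation of Steps 6 to 9 of the description and claim 1 over constructed alarm records. The rule dictionary keys, the in-memory tables, the alarm type names and the sample alarms are assumptions made for illustration; the traceback range is interpreted as the same number of seconds before and after the benchmark alarm.

```python
# Added example, not the patent's code: a minimal rule-driven APT scene correlator
# following Steps 6-9 of the description and claim 1. Rule keys, table layout,
# alarm type names and sample alarms are assumptions made for illustration.
from dataclasses import dataclass, field

# Assumed rule grammar carrying the attributes the patent names: benchmark alarm
# type, traceback time range and associated alarm types (type names constructed).
RULES = [{"rule_id": "R1", "benchmark_alarm": "webshell", "traceback_seconds": 3600,
          "associated_alarms": {"cc_ip_url", "trojan_callback"}}]

@dataclass
class Alarm:              # a row of the risk summary table
    alarm_id: int
    ip: str
    alarm_type: str
    ts: int               # session time of occurrence (epoch seconds)

@dataclass
class BenchmarkRecord:    # a row of the benchmark warning information table
    ip: str
    rule_id: str
    alarm_id: int
    event_id: int         # identifies one APT attack across repeated triggers
    ts: int
    found: set = field(default_factory=set)   # associated alarm types seen so far
    state: str = "building"                   # building | complete | failed

class SceneAnalyzer:
    def __init__(self, rules):
        self.rules, self.benchmark, self.associated = rules, [], []
        self._next_event = 1

    def _open_record(self, ip, rule_id):
        for rec in self.benchmark:
            if (rec.ip, rec.rule_id, rec.state) == (ip, rule_id, "building"):
                return rec
        return None

    def _attach(self, rec, rule, alarm):
        # Steps 7/8: store the associated alarm, then judge the scene
        self.associated.append((alarm.alarm_id, alarm.alarm_type, rec.alarm_id, rec.event_id))
        rec.found.add(alarm.alarm_type)
        if rule["associated_alarms"] <= rec.found:
            rec.state = "complete"        # APT attack constituted

    def process(self, alarm, history):
        for rule in self.rules:
            if alarm.alarm_type == rule["benchmark_alarm"]:
                # Step 6: new benchmark record; reuse the event id if this IP already has one
                prev = self._open_record(alarm.ip, rule["rule_id"])
                event_id = prev.event_id if prev else self._next_event
                self._next_event += 0 if prev else 1
                rec = BenchmarkRecord(alarm.ip, rule["rule_id"], alarm.alarm_id, event_id, alarm.ts)
                self.benchmark.append(rec)
                for old in history:       # Step 7: trace back through history
                    if (old.ip == alarm.ip and old.alarm_type in rule["associated_alarms"]
                            and alarm.ts - rule["traceback_seconds"] <= old.ts <= alarm.ts):
                        self._attach(rec, rule, old)
            elif alarm.alarm_type in rule["associated_alarms"]:
                rec = self._open_record(alarm.ip, rule["rule_id"])  # Step 8
                if rec is None:
                    continue
                if alarm.ts - rec.ts > rule["traceback_seconds"]:
                    rec.state = "failed"  # Step 9: outside the traceback range
                else:
                    self._attach(rec, rule, alarm)

def run_demo():
    # Constructed alarms: host A shows a C&C hit, then a webshell, then a callback
    # inside the window; host B's associated alarm arrives after the window.
    alarms = [Alarm(1, "10.0.0.5", "cc_ip_url", 1000), Alarm(2, "10.0.0.5", "webshell", 1600),
              Alarm(3, "10.0.0.5", "trojan_callback", 2800), Alarm(4, "10.0.0.9", "webshell", 2000),
              Alarm(5, "10.0.0.9", "cc_ip_url", 9000)]
    analyzer, history = SceneAnalyzer(RULES), []
    for a in alarms:
        analyzer.process(a, history)
        history.append(a)
    return {rec.ip: rec.state for rec in analyzer.benchmark}
```

Records left in the "building" state are the ones the patent hands to analysts in Step 9; those marked "failed" are the incomplete-path cases it describes.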
CN201510854610.2A 2015-11-27 2015-11-27 A kind of detection method of rule-based APT attacks Active CN105376245B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510854610.2A CN105376245B (en) 2015-11-27 2015-11-27 A kind of detection method of rule-based APT attacks

Publications (2)

Publication Number Publication Date
CN105376245A CN105376245A (en) 2016-03-02
CN105376245B true CN105376245B (en) 2018-10-30

Family

ID=55378050

Country Status (1)

Country Link
CN (1) CN105376245B (en)

Families Citing this family (36)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106022115A (en) * 2016-07-20 2016-10-12 浪潮电子信息产业股份有限公司 Risk program tracing method
CN106341282A (en) * 2016-11-10 2017-01-18 广东电网有限责任公司电力科学研究院 Malicious code behavior analyzer
CN106506507B (en) * 2016-11-16 2020-08-14 新华三技术有限公司 Method and device for generating flow detection rule
CN106789944A (en) * 2016-11-29 2017-05-31 神州网云(北京)信息技术有限公司 Attack main body in attack determines method and device
CN108134761B (en) * 2016-12-01 2021-05-04 中兴通讯股份有限公司 APT detection system and device
CN108234400B (en) * 2016-12-15 2021-01-22 北京金山云网络技术有限公司 Attack behavior determination method and device and situation awareness system
CN108632224B (en) * 2017-03-23 2022-03-15 中兴通讯股份有限公司 APT attack detection method and device
CN106878340B (en) * 2017-04-01 2023-09-01 中国人民解放军61660部队 Comprehensive safety monitoring analysis system based on network flow
CN107483425B (en) * 2017-08-08 2020-12-18 北京盛华安信息技术有限公司 Composite attack detection method based on attack chain
CN107370755B (en) * 2017-08-23 2020-03-03 杭州安恒信息技术股份有限公司 Method for multi-dimensional deep detection of APT (active Power test) attack
CN107454103B (en) * 2017-09-07 2021-02-26 杭州安恒信息技术股份有限公司 Network security event process analysis method and system based on time line
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods
CN109194605B (en) * 2018-07-02 2020-08-25 中国科学院信息工程研究所 Active verification method and system for suspicious threat indexes based on open source information
CN109005175B (en) * 2018-08-07 2020-12-25 腾讯科技(深圳)有限公司 Network protection method, device, server and storage medium
CN109696892A (en) * 2018-12-21 2019-04-30 上海瀚之友信息技术服务有限公司 A kind of Safety Automation System and its control method
CN109902176B (en) * 2019-02-26 2021-07-13 北京微步在线科技有限公司 Data association expansion method and non-transitory computer instruction storage medium
CN110247906A (en) * 2019-06-10 2019-09-17 平安科技(深圳)有限公司 A kind of method for monitoring network and device, equipment, storage medium
CN110324354B (en) * 2019-07-11 2022-02-25 武汉思普崚技术有限公司 Method, device and system for network tracking long chain attack
CN110324353B (en) * 2019-07-11 2022-02-25 武汉思普崚技术有限公司 Method, device and system for network tracking long chain attack
CN110311930B (en) * 2019-08-01 2021-09-28 杭州安恒信息技术股份有限公司 Identification method and device for remote control loop connection behavior and electronic equipment
CN110602042B (en) * 2019-08-07 2022-04-29 中国人民解放军战略支援部队信息工程大学 APT attack behavior analysis and detection method and device based on cascade attack chain model
CN112398793B (en) * 2019-08-16 2021-08-31 北京邮电大学 Social engineering interaction method and device and storage medium
CN110474837A (en) * 2019-08-19 2019-11-19 赛尔网络有限公司 A kind of Junk mail processing method, device, electronic equipment and storage medium
CN110365714B (en) * 2019-08-23 2024-05-31 深圳前海微众银行股份有限公司 Host intrusion detection method, device, equipment and computer storage medium
CN110489611B (en) * 2019-08-23 2022-12-30 杭州安恒信息技术股份有限公司 Intelligent clue analysis method and system
CN110826069B (en) * 2019-11-05 2022-09-30 深信服科技股份有限公司 Virus processing method, device, equipment and storage medium
CN111400075A (en) * 2019-12-31 2020-07-10 南京联成科技发展股份有限公司 Real-time alarm correlation method applied to industrial control system
CN111641951B (en) * 2020-04-30 2023-10-24 中国移动通信集团有限公司 5G network APT attack tracing method and system based on SA architecture
CN112165445B (en) * 2020-08-13 2023-04-07 杭州数梦工场科技有限公司 Method, device, storage medium and computer equipment for detecting network attack
CN111818097B (en) * 2020-09-01 2020-12-22 北京安帝科技有限公司 Traffic monitoring method and device based on behaviors
CN112468347B (en) * 2020-12-14 2022-02-25 中国科学院信息工程研究所 Security management method and device for cloud platform, electronic equipment and storage medium
CN113596037B (en) * 2021-07-31 2023-04-14 广州广电研究院有限公司 APT attack detection method based on event relation directed graph in network full flow
CN114257447A (en) * 2021-12-20 2022-03-29 国汽(北京)智能网联汽车研究院有限公司 Vehicle-mounted network IDPS joint defense linkage system
CN114500038A (en) * 2022-01-24 2022-05-13 深信服科技股份有限公司 Network security detection method and device, electronic equipment and readable storage medium
CN114553580B (en) * 2022-02-28 2024-04-09 国网新疆电力有限公司博尔塔拉供电公司 Network attack detection method and device based on rule generalization and attack reconstruction
CN114826705A (en) * 2022-04-12 2022-07-29 国网湖北省电力有限公司信息通信公司 APT attack determination method and system based on independent component analysis method and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272286A (en) * 2008-05-15 2008-09-24 上海交通大学 Network inbreak event association detecting method
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
CN104811447A (en) * 2015-04-21 2015-07-29 深信服网络科技(深圳)有限公司 Security detection method and system based on attack association
WO2015120752A1 (en) * 2014-02-17 2015-08-20 北京奇虎科技有限公司 Method and device for handling network threats
CN105024976A (en) * 2014-04-24 2015-11-04 中国移动通信集团山西有限公司 Advanced persistent threat attack recognition method and device

Also Published As

Publication number Publication date
CN105376245A (en) 2016-03-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 310051 15-storey Zhongcai Building, Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: Hangzhou Annan information technology Limited by Share Ltd

Address before: 310051 15-storey Zhongcai Building, Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: Dbappsecurity Co.,ltd.

CP01 Change in the name or title of a patent holder