CN105376245B - A rule-based APT attack detection method - Google Patents
A rule-based APT attack detection method
Publication number: CN105376245B (application CN201510854610.2A)
Authority: CN (China)
Prior art keywords: apt, rule, attack, alarm, detection
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The present invention relates to the field of APT detection and provides a rule-based APT attack detection method. The method comprises the steps of: defining the grammar used to create APT attack scenario rules; creating APT attack scenario rules and building an APT attack scenario knowledge base; having the analysis module call the rule parsing module to parse and load the APT attack scenario rules; having the acquisition module collect the full traffic of application-layer protocols to obtain traffic data; screening the data; analysing significant alarms; identifying behaviour; and handling the failure to construct an APT attack. An attack such as an APT always has several points of exposure over the course of the whole attack. On that basis the present invention performs back-tracing correlation over the related traffic, replacing the traditional approach of signature matching at a single point in time with correlation analysis over data from a long time window, so that the attacker's complete attack intention can be identified.
Description
Technical field
The present invention relates to the field of APT (Advanced Persistent Threat) detection, and in particular to a rule-based APT attack detection method.
Background technology
An APT attack is a new kind of attack and threat that is organised, has a specific target, is highly concealed, highly destructive and long-lasting. Its main characteristics are:

Strong concealment of the individual attack source: to evade traditional detection systems, an APT pays close attention to the concealment of both its dynamic behaviour and its static files, for example hiding network behaviour in covert or encrypted channels, or forging legitimate signatures so that the malicious code file itself is not identified. This makes traditional signature-based detection very difficult.

Many attack techniques and a long attack duration: an APT attack is divided into multiple steps, from initial information gathering, obtaining an entry point and establishing remote control through to the discovery, theft and exfiltration of important data, and it often spans several months, a year or even longer. Traditional detection operates in real time on a single point in time; it cannot track an attack of such span effectively or identify the attacker's true intention, and alarms that occurred earlier but failed to draw the analysts' attention may conceal a carefully planned attack intention. Effective APT detection is therefore only possible by correlating suspicious behaviour over a long period.

Because of these characteristics of APT attacks, the traditional defence model built on real-time detection and real-time blocking is hard to apply effectively. New detection methods are therefore needed to identify and counter APT effectively.
Invention content
The main object of the present invention is to overcome the shortcomings of the prior art by providing a rule-based APT attack behaviour detection method and system. To solve the above technical problem, the solution of the present invention is as follows.

A rule-based APT attack detection method is provided for analysing and detecting APT behaviour. The rule-based APT attack detection method comprises the following steps:

Step 1: Define the grammar used to create APT attack scenario rules:
(1) Collect the attack-related attributes used to define rules. Common attack-related attributes include the benchmark alarm type (an alarm type with high detection accuracy or high importance), the trace-back time range, the associated alarm types and the IP location information of the alarms;
(2) Collect the information used by the rule itself, including the rule ID, rule name, rule description and new-rule start marker;
(3) Organise the information from (1) and (2) as configurable items: assign a name to each configuration item and specify its configuration method and permitted value range;
Step 2: Create APT attack scenario rules and build the APT attack scenario knowledge base:
(4) Generalise and summarise (typical) APT attacks that have already occurred and the attack techniques attackers commonly use, and define APT attack scenario rules (an APT attack scenario rule is a summary of the methods and steps used by APT attacks, distilled from typical past APT attack events, cases and development trends). The defined APT attack scenario rules cover web-based APT attacks, APT attacks based on mail social engineering, and APT attacks based on file transfer and access;
(5) Express the APT attack scenario rules defined in (4) in the grammar arranged in step 1 and save them in a configuration file for the rule parsing module to read, parse and load;

Step 3: The analysis module calls the rule parsing module to parse and load the APT attack scenario rules;

Step 4: The acquisition module collects the full traffic of (common) application-layer protocols to obtain traffic data;

Step 5: Data screening:
The detection module (using a variety of detection tools and methods) performs complete detection on the traffic data collected in step 4. Data unrelated to attacks is kept in short-term storage and deleted on expiry; risk data (or suspicious data) related to attacks is retained in long-term storage on the platform;
Step 6: Analyse significant alarms:
The analysis module periodically performs further in-depth analysis on the alarm data and suspicious data that have been generated. Each piece of alarm information is checked against each APT attack scenario rule in turn to decide whether it is a benchmark alarm or an associated alarm of the current APT attack scenario rule. If it is a benchmark alarm, a record is initialised and saved in the benchmark alarm information table (a database table); the saved information includes the IP value, APT scenario rule ID, alarm type and current alarm ID, and the method proceeds to step 7. If it is an associated alarm type of the current APT attack scenario rule, the method proceeds to step 8;

Step 7: Identify behaviour: identify the attack-level semantic relationships between alarms and build the complete attack scenario from the benchmark alarm;
When a benchmark alarm is generated, the analysis module triggers scenario analysis according to the APT attack scenario rule: it traces back through historical data and correlates the attack alarms and suspicious data of all kinds (associated alarms) that are related to the benchmark alarm. If related data is found, the main information of the associated alarm is saved in the associated alarm information table (a database table); the saved information includes the associated alarm ID, alarm type, benchmark alarm information table record ID and associated IP value. At the same time the most recent analysed alarm time in the benchmark alarm information table is updated, and the APT attack scenario rule is used to judge whether the current association result already constitutes an APT attack. If so, the analysis for that IP and the current rule is finished, and the benchmark alarm information table is updated with the state set to "complete", meaning an APT attack has been constituted. If not, it is judged whether the history trace-back range has been exceeded; if it has, the state is set to "APT scenario construction failed";
Step 8: Query the benchmark alarm information table by IP value and alarm type. If a record is found, add a record to the associated alarm information table; the saved information includes the associated alarm ID, alarm type, benchmark alarm information table record ID and associated IP value. At the same time update the most recent analysed alarm time in the benchmark alarm information table and judge, according to the rule, whether the current association result already constitutes an APT attack scenario. If so, the analysis for that IP value and the current rule is finished, and the benchmark alarm information table is updated with the state set to "complete", meaning an APT attack has been constituted. If not, judge whether the history trace-back range has been exceeded; if it has, set the state to "APT scenario construction failed";

Step 9: Handle the failure to construct an APT attack:
Associated alarm data that has exceeded the trace-back time range without constituting an APT attack is handed to analysts to locate suspicious behaviour.

In the present invention, in step 9 analysts need to summarise the events that have repeatedly failed to be constructed and adjust existing rules or create new ones, so as to avoid construction failures caused by inaccurate APT attack scenario rules; if the rule configuration information has changed, the method returns to step 2.

In the present invention, APT attacks that have been fully constructed also require manual analysis. Analysts check whether the identified APT attack is accurate. For correctly identified attacks, further intervention is taken: the attack is defended against and blocked, leakage of important information is prevented and the scope of the attack is reduced. For misidentified attacks, the old rule is deleted and a new rule created in the light of the actual risk situation; if the rule configuration information has changed, the method returns to step 2.
An APT behaviour detection system based on the detection method is provided, comprising an acquisition module, a detection module, an analysis module and a rule parsing module.

The acquisition module is the program that collects network traffic; it can collect data directly from the network card or receive traffic data sent by other systems.

The detection module consists of detection sub-modules, namely a malicious code detection sub-module, a web shell detection sub-module, a sender spoofing detection sub-module, a mail header spoofing detection sub-module, a mail phishing detection sub-module, a mail malicious link detection sub-module, a mail attachment malicious code detection sub-module, a web signature detection sub-module, an abnormal access detection sub-module, a C&C IP/URL detection sub-module, a malicious trojan call-back detection sub-module, an invalid data transmission detection sub-module and a web behaviour analysis sub-module. The malicious code detection sub-module in turn comprises sub-modules for virus detection, static detection and dynamic detection.

The analysis module implements the APT behaviour detection function: it identifies benchmark alarm data and associated alarm data among the generated alarm data and attempts to construct APT attack scenarios.

The rule parsing module reads the configuration file of APT attack scenario rules and parses each rule (checking whether the grammar is wrong, whether the configuration item names are legal and whether the configuration item values lie within their value ranges). Rules that parse correctly are loaded into memory for the analysis module; rules with parse errors are treated as invalid.
Operating principle of the present invention: typical APT attack scenarios are distilled and summarised into corresponding APT attack rules, in which certain important key alarms are designated as benchmark alarms. When the detection module detects a risk, historical data is correlated by IP and risk type in an attempt to build a complete attack path graph.

Compared with the prior art, the beneficial effect of the present invention is as follows. For an attack such as an APT, whose time span is long and whose target is specific, there are always several points of exposure over the course of the whole attack. On that basis the present invention performs back-tracing correlation over the related traffic, replacing the traditional approach of signature matching at a single point in time with correlation analysis over data from a long time window, so as to identify the attacker's complete attack intention.
Description of the drawings
Fig. 1 is the main flow chart of APT attack analysis in the present invention.
Fig. 2 is the flow chart for improving APT attack rules in the present invention.
Specific implementation mode
It should first be noted that the APT attack detection method of the present invention is an application of computer technology in the field of information security. Implementing the present invention may involve several software function modules. The applicant believes that, after carefully reading the application documents and accurately understanding the implementation principle and object of the invention, a person skilled in the art can fully implement the present invention with the programming skills they possess in combination with existing known technology, and there is no possibility of the invention being incomprehensible or irreproducible. The aforementioned software function modules include, but are not limited to, the acquisition module, detection module, rule parsing module and analysis module; there are many ways to implement them, all of which fall within the scope referred to in this application, and the applicant does not enumerate them.

The present invention is described in further detail below with reference to the accompanying drawings and a specific embodiment. In a specific implementation, the database used by the present invention may be a relational database management system (RDBMS) such as MySQL or Oracle, or a NoSQL-based distributed computing framework, to store network session audit data, alarm data and analysis results.
As shown in Fig. 1 and Fig. 2, a rule-based APT attack detection method performs correlation analysis on alarms within a certain time range to identify APT attacks. The detection method comprises the following steps:

Step 1: Define the grammar and semantics used by the APT behaviour rules.
The event elements involved in typical APT attacks are generalised into configurable items, and the value range and configuration method of each configuration item are specified.

1. Collect the attack-related attributes used to define rules. Common attack-related attributes include: the benchmark alarm type (an alarm type with high detection accuracy or high importance); the trace-back time range (when a new risk occurs, the period over which related risks are traced back, in units of years, months, days or hours); the associated alarm types; the benchmark alarm IP (source IP or target IP, i.e. whether the source IP or the target IP is used to correlate historical alarm information); the associated alarm IP (source IP or target IP); the benchmark alarm ordering requirement (when a rule configures more than one benchmark alarm, whether the alarms must occur in the order configured in the rule); the associated alarm ordering requirement (when a rule configures more than one associated alarm, whether the alarm times must follow the order configured in the rule); the benchmark alarm source IP location (an intranet IP of the monitored organisation or an internet IP of a remote server); the benchmark alarm destination IP location; the associated alarm source IP location; the associated alarm destination IP location; and whether multiple alarms must be in the same session (when there is more than one benchmark or associated alarm type, whether these alarms must occur within the same network-connection session).

2. Information used by the rule itself: rule ID, rule name, rule description and new-rule start marker.

3. Organise the information from items 1 and 2 as configurable items: assign a name to each configuration item, specify its configuration method and, where it takes a value, its permitted value range.
Step 2: Create APT attack scenario rules and build the APT attack scenario knowledge base.

Generalise the event characteristics involved in typical APT attacks (several alarm types or suspicious behaviours that may occur in succession during one APT attack, the attack time range, IP locations, the alarm types in their order of occurrence, and so on) and create the corresponding APT attack rules.

An APT attack scenario rule is a summary of the methods and steps used by APT attacks, distilled from typical past APT attack events, cases and development trends. In a particular application the grammar for creating rules may be extended as required by adding new configuration items or arranging other grammars and configuration methods. The following demonstration can be used as a reference.

For example, the RSA SecurID theft attack of 2011 proceeded roughly as follows (note: the attack process information below comes from the internet; other typical APT attacks include the Google Aurora attack, the Night Dragon attack and the Stuxnet worm attack):
A. The attackers sent two batches of malicious e-mails to four employees of RSA's parent company EMC, with an attachment named "2011 Recruitment plan.xls";
B. One employee retrieved the e-mail from the junk mail folder and was hit by what was then the latest Adobe Flash zero-day vulnerability (CVE-2011-0609);
C. The employee's computer was implanted with a trojan and began downloading instructions from the botnet's C&C server to carry out tasks;
D. The first batch of victims were not "powerful" people, but the people subsequently associated with them, including IT and non-IT server administrators, were compromised one after another;
E. When RSA discovered that a staging server had been compromised, the attackers withdrew immediately, encrypted and compressed all the data, sent it to a remote host by FTP and then removed the traces of the intrusion;
F. Having obtained the SecurID information, the attackers began to mount further attacks on companies that use SecurID.

From the attack process described above we can define an APT attack scenario rule of this form:
mail social-engineering attack + malicious code attack + web behaviour analysis / trojan call-back / C&C IP/URL (initiated by the target IP) = successful mail APT attack

Here, mail social-engineering attack covers the following types: sender spoofing, mail header spoofing, mail phishing and mail malicious links. Malicious code mainly refers to computer code deliberately written or configured to pose a threat or potential threat to a network or system. The most common malicious code comprises computer viruses (viruses), Trojan horses (trojans), computer worms (worms), backdoors, logic bombs, spyware and malicious shareware; they are usually disguised as ordinary installers, office documents and the like.

Web behaviour analysis is a statistical alarm over multiple dimensions: on a specified dimension, an alarm is raised when the number of web behaviours (which may be ordinary accesses or web signature attacks) within a specified time reaches a predetermined count. For example, if more than 1000 submissions (HTTP POST) of the same form (say the username and password on a login page) are made to a web server within 10 minutes, the web behaviour analysis function, after counting them, regards this behaviour as a web form brute-force attack. Similarly, when multiple client IPs carry out a large CC attack on the same web server over a period of time (Challenge Collapsar: the attacker controls a number of hosts to send packets to the victim server without pause until its resources are exhausted and it crashes), the web behaviour analysis function, after statistical analysis, regards this behaviour as a web CC attack, and so on. The statistical dimensions of web behaviour analysis can include the number of attack source IPs, ordinary HTTP access behaviour or a particular web attack, the counting period, the number of accesses, the type of file accessed, and so on.
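The two statistical alarms just described (a form brute-force alarm after more than 1000 POSTs to one form within 10 minutes, and a CC alarm when many client IPs flood one server) can be produced with sliding-window counters over the access stream. The following Python code is an added example, not code from the patent; the access records are constructed, and the CC thresholds (2000 requests in 60 seconds from at least 20 distinct sources) and the alarm names WEB_FORM_BRUTE_FORCE and WEB_CC_ATTACK are assumptions, since the page gives figures only for the form case.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_records():
    """Constructed HTTP access records (time, client_ip, server_ip, method, path), not real
    traffic: one client submits a login form 1200 times in eight minutes, then 50 clients
    send 3000 requests to another server within 30 seconds."""
    t0 = datetime(2015, 11, 1, 10, 0)
    records = [(t0 + timedelta(seconds=0.4 * i), "10.0.0.15", "10.1.1.20", "POST", "/login")
               for i in range(1200)]
    t1 = t0 + timedelta(minutes=30)
    records += [(t1 + timedelta(seconds=0.01 * i), f"203.0.113.{i % 50}", "10.1.1.21", "GET", "/")
                for i in range(3000)]
    return records


def analyze_web_behavior(records, form_window=timedelta(minutes=10), form_threshold=1000,
                         cc_window=timedelta(seconds=60), cc_threshold=2000, cc_min_sources=20):
    """Sliding-window counters on two statistical dimensions. The form case uses the page's
    figure of 1000 POSTs in 10 minutes; the CC thresholds are assumptions."""
    form_hits = defaultdict(deque)     # (server, path) -> POST times inside form_window
    server_hits = defaultdict(deque)   # server -> (time, client) pairs inside cc_window
    alarms, fired = [], set()          # each (kind, server, path) alarm is raised once

    def raise_once(time, kind, server, path):
        if (kind, server, path) not in fired:
            fired.add((kind, server, path))
            alarms.append((time, kind, server, path))

    for time, client, server, method, path in sorted(records):
        if method == "POST":
            q = form_hits[(server, path)]
            q.append(time)
            while time - q[0] > form_window:       # drop submissions that left the window
                q.popleft()
            if len(q) >= form_threshold:
                raise_once(time, "WEB_FORM_BRUTE_FORCE", server, path)
        q = server_hits[server]
        q.append((time, client))
        while time - q[0][0] > cc_window:
            q.popleft()
        # A CC attack needs both volume and many distinct source IPs (the page's "multiple client IPs").
        if len(q) >= cc_threshold and len({c for _, c in q}) >= cc_min_sources:
            raise_once(time, "WEB_CC_ATTACK", server, None)
    return alarms
```

Each alarm carries the time it fired and the dimension that fired it; in the design on this page such an alarm would be written to the risk summary information table as a WEB_BEHAVIOR_ANALYZE risk so that the analysis module can use it as a benchmark alarm.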
Trojan call-back (reconnect) refers to malicious code which, at run time, connects to a remote server and uses some method (for example, transmitting non-HTTP data over HTTP port 80) to send important data from its network to the remote server.

C&C IP/URL: a C&C server is a remote command-and-control server from which a target machine receives commands, so that the server controls the target machine. This method is commonly used by viruses and trojans to control infected machines.

In the APT attack scenario rule defined above, the part marked in bold in the original, "web behaviour analysis / trojan call-back / C&C IP/URL", can be regarded as the benchmark alarm. Whether it is a web behaviour analysis alarm, a trojan call-back alarm or a C&C IP/URL alarm, such an alarm is a very critical step in the APT attack process. When an alarm of this type is found, scenario analysis is triggered immediately: historical data is traced back, historical alarm data is queried by the IP address, port, alarm type and other elements related to the alarm that has occurred, and related alarm data that occurs afterwards is also correlated. If the result of the correlation analysis satisfies some APT attack scenario rule, an APT attack is considered to have actually occurred.
In a specific implementation, the rule defined above can be described in the following grammar so that it is easy for a program to parse (each line is an item of the form $NAME=VALUE; text after "#" is a comment):

$NEW_APT_RULE                         # marks the start of a new rule
$RULE_ID=1                            # rule number
$RULE_NAME=mail social-engineering APT attack          # rule name
$RULE_DESCRIPTION=mail social-engineering APT attack   # detailed description of the rule
$TRIGGER_RISK=TROJAN_RECONNECT|MALICIOUS_CODE|WEB_BEHAVIOR_ANALYZE
    # benchmark alarm type: trojan call-back, malicious code or web behaviour analysis;
    # several alarm types are joined with the "|" operator
$TRACE_BACK_TIME=1Y                   # trace-back time of one year; 12M would mean 12 months
$TRIGGER_IP=TARGET
    # correlate historical data on the attacked IP of the current benchmark alarm; SOURCE
    # selects the attack source IP, and configuring both SOURCE and TARGET correlates the
    # historical data of both the attack source IP and the attacked IP
$TRIGGER_SOURCE_LOC=INNER
$TRIGGER_SOURCE_LOC=OUTER
    # location of the benchmark alarm's source IP: INNER (intranet of the monitored
    # organisation) or OUTER (remote server); if not configured, or if INNER and OUTER are
    # both configured, no distinction is made
$TRIGGER_TARGET_LOC=INNER
$TRIGGER_TARGET_LOC=OUTER
    # location of the benchmark alarm's attacked IP, configured like the source IP location
$TRIGGER_LINED=false
    # when a rule configures more than one benchmark alarm type, whether they must occur in
    # the order configured in the rule; true or false, default false when not configured
$RELATED_RISK=MAIL_CHEAT|MALICIOUS_CODE
    # associated alarm types: mail social engineering or malicious code, configured in the
    # same way as the benchmark alarm types
$RELATED_LINED=false                  # same meaning and configuration as $TRIGGER_LINED
$RELATED_IP=TARGET
    # configured like $TRIGGER_IP; TARGET means the attacked IP of the associated alarm is
    # the one analysed
$RELATED_SOURCE_LOC=OUTER             # location of the associated alarm's attack source IP
$RELATED_TARGET_LOC=INNER             # location of the associated alarm's attacked IP
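The rule parsing module (Step 3, and the module description above) has to check the grammar of each item, that the item name is legal and that its value lies within the permitted range, and treat any rule that fails as invalid. The following Python parser for the grammar just listed is an added example, not the patent's own code. It takes the item names from the listing, with the two evident misspellings in the original (TRIGGER_SOUCRCE_LOC, RAELATED_LINED) written as TRIGGER_SOURCE_LOC and RELATED_LINED, accepts "$" with or without a following space, treats text after "#" as a comment and unions a location item repeated on two lines (INNER and OUTER), as the page describes. The set of alarm type names, the 365-day year and 30-day month, and the list of required items are assumptions, and the rule text is constructed.

```python
import re
from datetime import timedelta

ALARM_TYPES = {"TROJAN_RECONNECT", "MALICIOUS_CODE", "WEB_BEHAVIOR_ANALYZE", "MAIL_CHEAT"}  # assumption
LOCATIONS = {"INNER", "OUTER"}
SCHEMA = {"RULE_ID": ("int", None), "RULE_NAME": ("text", None), "RULE_DESCRIPTION": ("text", None),
          "TRACE_BACK_TIME": ("duration", None), "TRIGGER_LINED": ("bool", None), "RELATED_LINED": ("bool", None)}
for _role in ("TRIGGER", "RELATED"):      # item name -> (value kind, permitted values)
    SCHEMA[_role + "_RISK"] = ("set", ALARM_TYPES)
    SCHEMA[_role + "_IP"] = ("set", {"SOURCE", "TARGET"})
    SCHEMA[_role + "_SOURCE_LOC"] = SCHEMA[_role + "_TARGET_LOC"] = ("set", LOCATIONS)
REQUIRED = {"RULE_ID", "TRIGGER_RISK", "RELATED_RISK", "TRACE_BACK_TIME"}   # assumption
LOC_KEYS = [k for k in SCHEMA if k.endswith("_LOC")]
ITEM_RE = re.compile(r"^\$\s*([A-Z_]+)\s*(?:=\s*(.*?))?\s*$")   # $NAME=VALUE; "$ NAME" tolerated
START_RE = re.compile(r"^\$\s*NEW_APT_RULE$")
DAYS_PER_UNIT = {"Y": 365, "M": 30, "D": 1}   # assumption: 365-day years, 30-day months


def parse_duration(text):
    """Trace-back range '1Y', '12M', '30D' or '6H' -> timedelta."""
    m = re.fullmatch(r"(\d+)([YMDH])", text.upper())
    if not m:
        raise ValueError(f"bad trace-back time {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(hours=n) if unit == "H" else timedelta(days=n * DAYS_PER_UNIT[unit])


def parse_value(key, raw):
    """Convert one item's value and check it against the item's value range."""
    kind, allowed = SCHEMA[key]
    if kind in ("int", "text"):
        return int(raw) if kind == "int" else raw
    if kind == "duration":
        return parse_duration(raw)
    if kind == "bool":
        if raw.lower() not in ("true", "false"):
            raise ValueError(f"{key}: expected true or false, got {raw!r}")
        return raw.lower() == "true"
    values = {v.strip() for v in raw.split("|")}      # "A|B" lists several values
    if not values <= allowed:
        raise ValueError(f"{key}: illegal value(s) {sorted(values - allowed)}")
    return values


def parse_block(lines):
    """Parse one rule's items; any grammar, name or value error invalidates the whole rule."""
    rule = {}
    for lineno, line in lines:
        m = ITEM_RE.match(line)
        if not m or m.group(1) not in SCHEMA:
            raise ValueError(f"line {lineno}: unknown or malformed item {line!r}")
        key, raw = m.group(1), m.group(2) or ""
        try:
            value = parse_value(key, raw)
        except ValueError as err:
            raise ValueError(f"line {lineno}: {err}") from None
        # INNER and OUTER given on two lines are unioned; any other repeated item is overwritten.
        rule[key] = rule[key] | value if key in LOC_KEYS and key in rule else value
    missing = REQUIRED - rule.keys()
    if missing:
        raise ValueError(f"rule {rule.get('RULE_ID', '?')}: missing {sorted(missing)}")
    for key in LOC_KEYS:                      # location not configured: no distinction
        rule.setdefault(key, set(LOCATIONS))
    rule.setdefault("TRIGGER_LINED", False)   # ordering requirements default to false
    rule.setdefault("RELATED_LINED", False)
    return rule


def load_rules(text):
    """Return (valid rules, error messages); rules that fail to parse are skipped as invalid."""
    rules, errors, blocks = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # "#" starts a comment; blank lines are ignored
        if not line:
            continue
        if START_RE.match(line):
            blocks.append([])
        elif blocks:                          # items before the first marker are ignored
            blocks[-1].append((lineno, line))
    for block in blocks:
        try:
            rules.append(parse_block(block))
        except ValueError as err:
            errors.append(str(err))
    return rules, errors


# Constructed rule file: the page's mail rule (abridged), then a rule with an out-of-range value.
RULE_TEXT = """
$NEW_APT_RULE                      # start of a new rule
$RULE_ID=1
$RULE_NAME=mail social-engineering APT attack
$TRIGGER_RISK=TROJAN_RECONNECT|MALICIOUS_CODE|WEB_BEHAVIOR_ANALYZE
$TRACE_BACK_TIME=1Y
$TRIGGER_IP=TARGET
$TRIGGER_SOURCE_LOC=INNER
$TRIGGER_SOURCE_LOC=OUTER          # both locations: no distinction
$RELATED_RISK=MAIL_CHEAT|MALICIOUS_CODE
$RELATED_IP=TARGET
$NE W_APT_RULE
$RULE_ID=2
$TRIGGER_RISK=NOT_A_KNOWN_ALARM    # outside the value range: the whole rule is invalid
"""
```

Calling load_rules(RULE_TEXT) yields the first rule with parsed values (the trace-back range as a timedelta, the alarm types as sets, unconfigured locations widened to both INNER and OUTER) and one error message naming the line and the illegal value; the second rule is dropped rather than loaded with a bad item, which is the behaviour the rule parsing module description requires.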
If an attack like the RSA SecurID theft described above occurs in the user's network, then when the attack of step C takes place the analysis program considers that a benchmark alarm has occurred and starts the analysis according to the rule. If it can correlate behaviour that occurred within some earlier period and matches steps A and B (i.e. associated alarms: alarm events related to some benchmark alarm), the analysis is considered to have successfully identified an APT attack, and an alarm is raised.

Because attacked network environments vary, the methods by which an APT gathers information and obtains an entry point in its initial stage vary, and so do the means by which it finally carries out the attack and steals confidential information. Multiple rules therefore have to be configured; the benchmark and associated alarm types may differ between rules, a benchmark alarm in one rule may be an associated alarm in another, and the benchmark and associated alarms of a rule may each be configured as one or several types.

Typically at least the following kinds of rule are defined: web-based APT attacks, APT attacks based on mail social engineering, and APT attacks based on file transfer and access.
Step 3: The analysis module calls the rule parsing module to parse and load the APT attack scenario rules.

Step 4: The traffic acquisition module collects data. It can parse protocols including HTTP, FTP, SMTP, POP3, IMAP and SMB; acquisition of other protocols can be added as needed, and acquisition can optionally be restricted to certain IPs, IP ranges or port numbers.

Step 5: The detection module inspects the traffic data:
1. Different detection tools and methods are used for different protocols:
1) For the mail protocols POP3, SMTP and IMAP, the detected risks include sender spoofing, mail header spoofing, mail phishing, mail malicious links and malicious code in mail attachments;
2) Files transferred over FTP and SMB undergo malicious code detection;
3) For HTTP, the detected risks include web signature attacks, abnormal access, C&C IP/URL, web shells, malicious trojan call-back, invalid data transmission, web behaviour analysis (brute force, automated scanning, directory probing, CC attacks, etc.) and malicious code;
4) Malicious code detection in items 1), 2) and 3) comprises virus-database detection, static detection and dynamic behaviour detection. The file types inspected are divided into PE files (exe, dll, etc.) and non-PE files (office, pdf, flash, chm, html, etc.);
5) In a specific implementation, other detection tools and methods can be added as needed.
2. For each risk found, the detailed session information is saved in the risk data table, and the key information of the session is saved in the risk summary information table (risk identifier ID, protocol type, risk type and level, session request IP and port, session response IP and port). The risk identifier ID includes the time at which the session occurred, and the risk data table can be queried by risk ID to obtain the detailed session information, including the source IP request content, destination IP response content, response message, protocol type and so on.
Step 6: The analysis module analyses alarms.
The analysis module periodically checks the risk summary information table for new risk data. If there is none, it waits for a while and checks again. If there is:
It judges from the risk type whether the record is a benchmark alarm of the current APT rule. If it is, it queries the trigger-class benchmark alarm information table by IP and alarm type, initialises a record and saves it in the benchmark alarm information table; the saved information includes the IP value, APT scenario rule ID, alarm type, current alarm ID, APT event ID (which identifies one APT attack once the scenario has been constructed successfully) and so on. If an existing benchmark alarm record is found in the benchmark alarm information table, the APT event ID of the new record reuses the event ID of the existing record (during one APT behaviour, a trigger-class alarm of the same type may occur several times for the same IP). It then proceeds to step 7. If the record is an associated alarm type, it proceeds to step 8.
After checking the current rule, the next rule is checked. When all rules have been checked, it judges whether new APT rules need to be parsed. If so, it proceeds to step 3 and calls the parsing module to parse the new rules, then returns to step 6; otherwise it goes straight to step 6 to handle the new alarm information.
Step 7: Identify behaviour. Identify the attack-layer semantic relationship between alarms and build a complete attack scene from isolated alarms.
When a benchmark alarm is generated, the analysis module triggers scene analysis according to the APT attack scene rule and traces back the historical data to associate all kinds of attack alarms and suspicious data related to the benchmark alarm. If a related alarm is found, the main information of the associated alarm is saved in the associated alarm information table; the saved information includes the associated alarm ID, the alarm type, the benchmark alarm information table record ID, the benchmark alarm information table event ID and the associated IP value. At the same time the analysed latest alarm time of the corresponding benchmark alarm information table record is updated (the next cycle analyses the subsequent risk data starting from that time point). Then judge, according to the rule, whether the current association result constitutes an APT attack; if so, the analysis for this IP and the current rule is finished, the benchmark alarm information table is updated and its state is set to complete, indicating that an APT attack has been constituted.
Step 8: The analysis module queries the benchmark alarm information table by IP value and alarm type. If a record is found, a record is added to the associated alarm information table (indicating that there is a new risk information node on the attack path related to that benchmark alarm); the saved information includes the associated alarm ID, the alarm type, the benchmark alarm information table record ID, the benchmark alarm information table event ID and the associated IP value. At the same time the analysed latest alarm time of the corresponding benchmark alarm information table record is updated (in the next cycle, that benchmark alarm record is analysed against the subsequent risk data starting from this time point). Then judge, according to the rule, whether the current association result constitutes an APT attack scene; if so, the analysis for this IP value and the current rule is finished, the benchmark alarm information table is updated and its state is set to complete, indicating that an APT attack has been constituted.
Step 9: The analysis module checks the benchmark alarm information that has exceeded the trace-back time range.
1. Handling of failure to build an APT attack. Because of the complexity of APT attack means, in a real environment reasons such as packet loss in the acquisition module or missing alarm events often make it impossible to match a complete attack path graph, so that building the APT attack scene fails; this is the problem of matching attack scenes from an incomplete attack path. Associated alarm data that has exceeded the trace-back time range without constituting an APT attack needs analysts to locate the suspicious behaviour. In addition, inaccurately written behaviour rules, or an attacker using a new attack method, also cause build failures; analysts then need to summarise the events that repeatedly fail to build and adjust existing rules or create new ones. If the rule configuration information has changed, enter step 2.
2. Review of APT attack scenes that have been built to completion. APT attacks that have been built to completion also need manual analysis: sample the identified APT attacks and check whether they are accurate. For correctly identified attack behaviour, take further intervention and defence measures to block the attack, avoid leaking important information and reduce the attacked range. For wrongly identified attacks, considering the actual risk situation, delete the previous rule and create a new one, then enter step 2.
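The benchmark alarm table, associated alarm table and trace-back window of steps 6 to 9 in working form, as an added example that is not the patent's own code. The rule fields, the table layouts, the reuse of the event ID for a repeated benchmark alarm, the completion criterion (every associated alarm type of the rule seen for the same IP inside the window) and the failure criterion (window measured from the benchmark alarm exceeded) are assumptions made for this demonstration; the alarms are constructed sample data.

```python
# Benchmark/associated alarm correlation with a trace-back window (steps 6 to 9).
# Added example: table layouts, field names and the completion/failure criteria
# are assumptions made for this demonstration, not the patent's own code.
from dataclasses import dataclass, field

@dataclass
class SceneRule:
    rule_id: str
    benchmark_type: str          # trigger-class alarm that opens a scene
    associated_types: list       # alarm types that must also be seen for the IP
    traceback_seconds: int       # history window measured from the benchmark alarm

@dataclass
class Alarm:
    alarm_id: int
    ts: int                      # seconds; the sample data uses small integers
    ip: str
    alarm_type: str

@dataclass
class BenchmarkRecord:           # one row of the benchmark alarm information table
    record_id: int
    rule_id: str
    ip: str
    event_id: int                # shared by repeated benchmark alarms of one IP
    benchmark_ts: int
    last_analysed_ts: int
    state: str = "open"          # open | complete | failed
    seen_types: set = field(default_factory=set)

class Correlator:
    def __init__(self, rules):
        self.rules = {r.rule_id: r for r in rules}
        self.benchmark_table = []     # benchmark alarm information table
        self.associated_table = []    # associated alarm information table
        self.history = []             # retained risk data (step 5)
        self._next_record, self._next_event = 1, 1

    def process(self, alarm):         # step 6: classify against every rule
        self.history.append(alarm)
        for rule in self.rules.values():
            if alarm.alarm_type == rule.benchmark_type:
                self._on_benchmark(alarm, rule)
            elif alarm.alarm_type in rule.associated_types:
                self._on_associated(alarm, rule)

    def _open_record(self, rule_id, ip):
        for rec in self.benchmark_table:
            if rec.rule_id == rule_id and rec.ip == ip and rec.state == "open":
                return rec

    def _on_benchmark(self, alarm, rule):   # step 7: open a scene, trace back
        existing = self._open_record(rule.rule_id, alarm.ip)
        event_id = existing.event_id if existing else self._next_event  # reuse on repeat
        self._next_event += 0 if existing else 1
        rec = BenchmarkRecord(self._next_record, rule.rule_id, alarm.ip, event_id, alarm.ts, alarm.ts)
        self._next_record += 1
        self.benchmark_table.append(rec)
        for old in self.history:            # earlier alarms inside the window
            if (old.ip == alarm.ip and old.alarm_type in rule.associated_types
                    and alarm.ts - rule.traceback_seconds <= old.ts <= alarm.ts):
                self._associate(rec, old, rule)

    def _on_associated(self, alarm, rule):  # step 8: attach to an open scene
        rec = self._open_record(rule.rule_id, alarm.ip)
        if rec is None:
            return                          # no benchmark yet; stays in history
        if alarm.ts - rec.benchmark_ts > rule.traceback_seconds:
            rec.state = "failed"            # window exceeded before completion
            return
        self._associate(rec, alarm, rule)

    def _associate(self, rec, alarm, rule):
        self.associated_table.append({
            "associated_alarm_id": alarm.alarm_id, "alarm_type": alarm.alarm_type,
            "benchmark_record_id": rec.record_id, "event_id": rec.event_id, "ip": alarm.ip})
        rec.seen_types.add(alarm.alarm_type)
        rec.last_analysed_ts = max(rec.last_analysed_ts, alarm.ts)
        # Assumed criterion: the scene is complete once every associated type is seen.
        if rec.seen_types >= set(rule.associated_types):
            rec.state = "complete"

    def expire(self, now):                  # step 9: age out scenes that never completed
        for rec in self.benchmark_table:
            if rec.state == "open" and now - rec.benchmark_ts > self.rules[rec.rule_id].traceback_seconds:
                rec.state = "failed"
        return [r for r in self.benchmark_table if r.state == "failed"]

def run_demo():
    """Constructed sample alarms (not real data) showing both outcomes."""
    rule = SceneRule("R-MAIL-01", "mail_phishing", ["attachment_malcode", "cc_callback"], 3600)
    c = Correlator([rule])
    for a in [Alarm(1, 100, "10.0.0.5", "attachment_malcode"),  # before any benchmark
              Alarm(2, 200, "10.0.0.5", "mail_phishing"),       # benchmark; traces back #1
              Alarm(3, 300, "10.0.0.9", "cc_callback"),         # other host; no scene yet
              Alarm(4, 400, "10.0.0.5", "cc_callback"),         # completes 10.0.0.5
              Alarm(5, 500, "10.0.0.9", "mail_phishing")]:      # benchmark; traces back #3
        c.process(a)
    c.expire(now=5000)   # 10.0.0.9 never saw attachment_malcode: build failed
    return c
```

Alarm 1 is the point the description makes about backtracking: it arrives before any benchmark alarm, is only retained as risk data, and is attached to a scene when the phishing alarm for the same host appears. A single-time-point match would never link the two. The second host shows the failure path of step 9: its scene stays open until the window elapses and is then handed to an analyst as a build failure rather than silently dropped.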
Finally it should be noted that the above are only specific embodiments of the present invention. Clearly the invention is not restricted to the above examples and may have many variations. All variants that a person skilled in the art can directly derive or associate from the present disclosure are considered within the protection scope of the present invention.
Claims (4)
1. A detection method of rule-based APT attacks, for analysing and detecting APT behaviour, characterised in that the detection method of rule-based APT attacks includes the following steps:
Step 1: Define the grammar used to create APT attack scene rules:
(1) arrange the attack-related attributes used to define a rule; the common attack-related attributes include the benchmark alarm type, the trace-back time range, the associated alarm types and the IP location information related to the alarm;
(2) arrange the information the rule itself uses, including the rule ID, rule name, rule description and the new-rule start flag;
(3) arrange the information of (1) and (2) as configurable items, arrange the configuration item names, and stipulate the configuration method and allowed value range of each configuration item;
Step 2: Create APT attack scene rules and build the APT attack scene knowledge base:
(4) according to APT attacks that have already occurred and the attack means commonly used by attackers, summarise and define APT attack scene rules; the defined APT attack scene rules include WEB-based APT attacks, mail social engineering based APT attacks, and file transfer and access based APT attacks;
(5) express the APT attack scene rules defined in (4) in the grammar arranged in step 1 and save them in a configuration file for the subsequent rule parsing module to read, parse and load;
Step 3: The analysis module calls the rule parsing module to parse and load the APT attack scene rules;
Step 4: The acquisition module acquires the full application-layer protocol traffic and obtains traffic data;
Step 5: Data screening:
The detection module performs complete detection on the traffic data acquired in step 4; data unrelated to attacks is stored for a short time and deleted after it expires; attack-related risk data is retained and stored long term in the platform;
Step 6: Analyse significant alarms:
The analysis module periodically performs further in-depth analysis on the alarm data and suspicious data already generated. Each piece of alarm information is checked in turn against each APT attack scene rule to determine whether it is the benchmark alarm or an associated alarm of the current APT attack scene rule. If it belongs to the benchmark alarm, a record is initialised and saved in the benchmark alarm information table; the saved information includes the IP value, the APT scene rule ID, the alarm type and the current alarm ID; enter step 7. If it belongs to an associated alarm type of the current APT attack scene rule, enter step 8;
Step 7: Identify behaviour: identify the attack-layer semantic relationship between alarms and build a complete attack scene from the benchmark alarm;
When a benchmark alarm is generated, the analysis module triggers scene analysis according to the APT attack scene rule, traces back the historical data and associates all kinds of attack alarms and suspicious data related to the benchmark alarm. If related data is found, the main information of the associated alarm is saved in the associated alarm information table; the saved information includes the associated alarm ID, the alarm type, the benchmark alarm information table record ID and the associated IP value, and the analysed latest alarm time of the benchmark alarm information table is updated. Then judge according to the APT attack scene rule whether the current association result constitutes an APT attack; if so, the analysis for this IP and the current rule is finished, the benchmark alarm information table is updated and its state is set to complete, indicating that an APT attack has been constituted; if not, judge whether the history trace-back range has been exceeded, and if it has, set the state to APT scene build failed;
Step 8: Query the benchmark alarm information table by IP value and alarm type. If a record is found, add a record to the associated alarm information table; the saved information includes the associated alarm ID, the alarm type, the benchmark alarm information table record ID and the associated IP value, and the analysed latest alarm time of the benchmark alarm information table is updated. Then judge according to the rule whether the current association result constitutes an APT attack scene; if so, the analysis for this IP value and the current rule is finished, the benchmark alarm information table is updated and its state is set to complete, indicating that an APT attack has been constituted; if not, judge whether the history trace-back range has been exceeded, and if it has, set the state to APT scene build failed;
Step 9: Handle failure to build an APT attack:
For associated alarm data that has exceeded the trace-back time range without constituting an APT attack, analysts locate the suspicious behaviour.
2. The detection method of rule-based APT attacks according to claim 1, characterised in that in step 9 analysts need to summarise the events that repeatedly fail to build and adjust existing rules or create new rules, so as to avoid build failures caused by inaccurate APT attack scene rules; if the rule configuration information has changed, enter step 2.
3. The detection method of rule-based APT attacks according to claim 1, characterised in that, for APT attacks that have been built to completion, manual analysis is also needed to check whether the identified APT attack behaviour is accurate; for correctly identified attack behaviour, further intervention and defence measures are taken to block the attack, avoid leaking important information and reduce the attacked range; for wrongly identified attack behaviour, considering the actual risk situation, the previous rule is deleted and a new rule created; if the rule configuration information has changed, enter step 2.
4. An APT behaviour detection system based on the detection method of claim 1, characterised in that it includes an acquisition module, a detection module, an analysis module and a rule parsing module;
the acquisition module is used for network traffic acquisition and can acquire data directly from the network interface card or directly receive traffic data sent over by other systems;
the detection module is made up of detection sub-modules, which include a malicious code detection sub-module, a Web shell detection sub-module, a sender fraud detection sub-module, a mail header fraud detection sub-module, a mail phishing detection sub-module, a mail malicious link detection sub-module, an email attachment malicious code detection sub-module, a Web feature detection sub-module, an abnormal access detection sub-module, a C&C IP/URL detection sub-module, a malicious trojan callback detection sub-module, an invalid data transmission detection sub-module and a Web behaviour analysis sub-module; the malicious code detection sub-module includes sub-modules for virus detection, static detection and dynamic detection respectively;
the analysis module is used to implement the APT behaviour detection function, identifying benchmark alarm data and associated alarm data from the generated alarm data and attempting to build APT attack scenes;
the rule parsing module is used to read the configuration file of APT attack scene rules and parse each rule; correctly parsed rules are loaded into memory for the analysis module to use, and rules with parsing errors are treated as invalid rules.
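A rule file parser covering step 1 of claim 1 (configuration item names with an allowed value range for each) and the rule parsing module of claim 4 (correctly parsed rules are loaded, rules with errors are treated as invalid), as an added example that is not the patent's own code. The key names, the "[rule]" new-rule start marker, the "#" comment syntax, the allowed alarm type set and the window range are assumptions made for this demonstration; the sample file is constructed.

```python
# Parser and validator for a constructed rule grammar (step 1 of claim 1 and the
# rule parsing module of claim 4). Added example: the key names, the "[rule]"
# start marker, the "#" comment syntax and the allowed value ranges are
# assumptions for this demonstration, not the grammar the patent uses.
from dataclasses import dataclass

ALLOWED_ALARM_TYPES = {"mail_phishing", "attachment_malcode", "cc_callback",
                       "webshell", "abnormal_access"}
REQUIRED = {"rule_id", "rule_name", "benchmark_alarm", "associated_alarms",
            "trace_back_seconds"}
OPTIONAL = {"description"}
WINDOW_RANGE = (60, 30 * 86400)        # seconds; assumed allowed range

@dataclass
class Rule:                            # attributes of claim 1, step 1, items (1) and (2)
    rule_id: str
    rule_name: str
    benchmark_alarm: str
    associated_alarms: list
    trace_back_seconds: int
    description: str = ""

def split_blocks(text):
    """Split the file on the '[rule]' start marker.
    Returns (blocks, errors); each block is (start_line, {key: value})."""
    blocks, errors, items = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment (assumed)
        if not line:
            continue
        if line == "[rule]":
            items = {}
            blocks.append((lineno, items))
        elif items is None:
            errors.append((lineno, "item outside any [rule] block"))
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            items[key] = value
        else:
            errors.append((lineno, "expected key = value"))
    return blocks, errors

def validate(items):
    """Check every configuration item against its allowed values; raise on error."""
    missing = REQUIRED - set(items)
    if missing:
        raise ValueError(f"missing items {sorted(missing)}")
    unknown = set(items) - REQUIRED - OPTIONAL
    if unknown:
        raise ValueError(f"unknown items {sorted(unknown)}")
    if items["benchmark_alarm"] not in ALLOWED_ALARM_TYPES:
        raise ValueError(f"benchmark_alarm {items['benchmark_alarm']!r} not allowed")
    assoc = [a.strip() for a in items["associated_alarms"].split(",") if a.strip()]
    bad = [a for a in assoc if a not in ALLOWED_ALARM_TYPES]
    if not assoc or bad:
        raise ValueError(f"associated_alarms invalid: {bad or 'empty'}")
    if not items["trace_back_seconds"].isdigit():
        raise ValueError("trace_back_seconds must be a positive integer")
    window = int(items["trace_back_seconds"])
    if not WINDOW_RANGE[0] <= window <= WINDOW_RANGE[1]:
        raise ValueError(f"trace_back_seconds outside {WINDOW_RANGE}")
    return Rule(items["rule_id"], items["rule_name"], items["benchmark_alarm"],
                assoc, window, items.get("description", ""))

def load_rules(text):
    """Return (loaded, invalid): valid Rule objects and (line, reason) rejections."""
    blocks, errors = split_blocks(text)
    loaded, invalid, seen = [], list(errors), set()
    for start, items in blocks:
        try:
            rule = validate(items)
            if rule.rule_id in seen:
                raise ValueError(f"duplicate rule_id {rule.rule_id!r}")
            seen.add(rule.rule_id)
            loaded.append(rule)
        except ValueError as exc:
            invalid.append((start, str(exc)))   # parse error: rule treated as invalid
    return loaded, invalid

SAMPLE_CONFIG = """\
# constructed sample rule file (not the patent's format)
[rule]
rule_id = R-MAIL-01
rule_name = mail social engineering
description = phishing mail, malicious attachment, then C&C callback
benchmark_alarm = mail_phishing
associated_alarms = attachment_malcode, cc_callback
trace_back_seconds = 3600

[rule]
rule_id = R-WEB-01
rule_name = web intrusion
benchmark_alarm = webshell
associated_alarms = abnormal_access
trace_back_seconds = 86400

[rule]   # invalid: benchmark alarm type is not in the allowed set
rule_id = R-BAD-01
rule_name = broken
benchmark_alarm = kitchen_sink
associated_alarms = cc_callback
trace_back_seconds = soon
"""
```

Each rejection carries the line where the block starts and the first failed check, which is what the analyst adjusting rules in step 9 needs; a bad block never stops the other rules from loading, matching the claim that a rule with a parsing error is simply treated as invalid rather than aborting the load.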
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510854610.2A CN105376245B (en) | 2015-11-27 | 2015-11-27 | A kind of detection method of rule-based APT attacks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510854610.2A CN105376245B (en) | 2015-11-27 | 2015-11-27 | A kind of detection method of rule-based APT attacks |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105376245A CN105376245A (en) | 2016-03-02 |
CN105376245B true CN105376245B (en) | 2018-10-30 |
Family
ID=55378050
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510854610.2A Active CN105376245B (en) | 2015-11-27 | 2015-11-27 | A kind of detection method of rule-based APT attacks |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105376245B (en) |
Families Citing this family (36)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106022115A (en) * | 2016-07-20 | 2016-10-12 | 浪潮电子信息产业股份有限公司 | Risk program tracing method |
CN106341282A (en) * | 2016-11-10 | 2017-01-18 | 广东电网有限责任公司电力科学研究院 | Malicious code behavior analyzer |
CN106506507B (en) * | 2016-11-16 | 2020-08-14 | 新华三技术有限公司 | Method and device for generating flow detection rule |
CN106789944A (en) * | 2016-11-29 | 2017-05-31 | 神州网云(北京)信息技术有限公司 | Attack main body in attack determines method and device |
CN108134761B (en) * | 2016-12-01 | 2021-05-04 | 中兴通讯股份有限公司 | APT detection system and device |
CN108234400B (en) * | 2016-12-15 | 2021-01-22 | 北京金山云网络技术有限公司 | Attack behavior determination method and device and situation awareness system |
CN108632224B (en) * | 2017-03-23 | 2022-03-15 | 中兴通讯股份有限公司 | APT attack detection method and device |
CN106878340B (en) * | 2017-04-01 | 2023-09-01 | 中国人民解放军61660部队 | Comprehensive safety monitoring analysis system based on network flow |
CN107483425B (en) * | 2017-08-08 | 2020-12-18 | 北京盛华安信息技术有限公司 | Composite attack detection method based on attack chain |
CN107370755B (en) * | 2017-08-23 | 2020-03-03 | 杭州安恒信息技术股份有限公司 | Method for multi-dimensional deep detection of APT (active Power test) attack |
CN107454103B (en) * | 2017-09-07 | 2021-02-26 | 杭州安恒信息技术股份有限公司 | Network security event process analysis method and system based on time line |
CN110022288A (en) * | 2018-01-10 | 2019-07-16 | 贵州电网有限责任公司遵义供电局 | A kind of APT threat recognition methods |
CN109194605B (en) * | 2018-07-02 | 2020-08-25 | 中国科学院信息工程研究所 | Active verification method and system for suspicious threat indexes based on open source information |
CN109005175B (en) * | 2018-08-07 | 2020-12-25 | 腾讯科技(深圳)有限公司 | Network protection method, device, server and storage medium |
CN109696892A (en) * | 2018-12-21 | 2019-04-30 | 上海瀚之友信息技术服务有限公司 | A kind of Safety Automation System and its control method |
CN109902176B (en) * | 2019-02-26 | 2021-07-13 | 北京微步在线科技有限公司 | Data association expansion method and non-transitory computer instruction storage medium |
CN110247906A (en) * | 2019-06-10 | 2019-09-17 | 平安科技(深圳)有限公司 | A kind of method for monitoring network and device, equipment, storage medium |
CN110324354B (en) * | 2019-07-11 | 2022-02-25 | 武汉思普崚技术有限公司 | Method, device and system for network tracking long chain attack |
CN110324353B (en) * | 2019-07-11 | 2022-02-25 | 武汉思普崚技术有限公司 | Method, device and system for network tracking long chain attack |
CN110311930B (en) * | 2019-08-01 | 2021-09-28 | 杭州安恒信息技术股份有限公司 | Identification method and device for remote control loop connection behavior and electronic equipment |
CN110602042B (en) * | 2019-08-07 | 2022-04-29 | 中国人民解放军战略支援部队信息工程大学 | APT attack behavior analysis and detection method and device based on cascade attack chain model |
CN112398793B (en) * | 2019-08-16 | 2021-08-31 | 北京邮电大学 | Social engineering interaction method and device and storage medium |
CN110474837A (en) * | 2019-08-19 | 2019-11-19 | 赛尔网络有限公司 | A kind of Junk mail processing method, device, electronic equipment and storage medium |
CN110365714B (en) * | 2019-08-23 | 2024-05-31 | 深圳前海微众银行股份有限公司 | Host intrusion detection method, device, equipment and computer storage medium |
CN110489611B (en) * | 2019-08-23 | 2022-12-30 | 杭州安恒信息技术股份有限公司 | Intelligent clue analysis method and system |
CN110826069B (en) * | 2019-11-05 | 2022-09-30 | 深信服科技股份有限公司 | Virus processing method, device, equipment and storage medium |
CN111400075A (en) * | 2019-12-31 | 2020-07-10 | 南京联成科技发展股份有限公司 | Real-time alarm correlation method applied to industrial control system |
CN111641951B (en) * | 2020-04-30 | 2023-10-24 | 中国移动通信集团有限公司 | 5G network APT attack tracing method and system based on SA architecture |
CN112165445B (en) * | 2020-08-13 | 2023-04-07 | 杭州数梦工场科技有限公司 | Method, device, storage medium and computer equipment for detecting network attack |
CN111818097B (en) * | 2020-09-01 | 2020-12-22 | 北京安帝科技有限公司 | Traffic monitoring method and device based on behaviors |
CN112468347B (en) * | 2020-12-14 | 2022-02-25 | 中国科学院信息工程研究所 | Security management method and device for cloud platform, electronic equipment and storage medium |
CN113596037B (en) * | 2021-07-31 | 2023-04-14 | 广州广电研究院有限公司 | APT attack detection method based on event relation directed graph in network full flow |
CN114257447A (en) * | 2021-12-20 | 2022-03-29 | 国汽(北京)智能网联汽车研究院有限公司 | Vehicle-mounted network IDPS joint defense linkage system |
CN114500038A (en) * | 2022-01-24 | 2022-05-13 | 深信服科技股份有限公司 | Network security detection method and device, electronic equipment and readable storage medium |
CN114553580B (en) * | 2022-02-28 | 2024-04-09 | 国网新疆电力有限公司博尔塔拉供电公司 | Network attack detection method and device based on rule generalization and attack reconstruction |
CN114826705A (en) * | 2022-04-12 | 2022-07-29 | 国网湖北省电力有限公司信息通信公司 | APT attack determination method and system based on independent component analysis method and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101272286A (en) * | 2008-05-15 | 2008-09-24 | 上海交通大学 | Network inbreak event association detecting method |
CN103312679A (en) * | 2012-03-15 | 2013-09-18 | 北京启明星辰信息技术股份有限公司 | APT (advanced persistent threat) detection method and system |
CN104811447A (en) * | 2015-04-21 | 2015-07-29 | 深信服网络科技(深圳)有限公司 | Security detection method and system based on attack association |
WO2015120752A1 (en) * | 2014-02-17 | 2015-08-20 | 北京奇虎科技有限公司 | Method and device for handling network threats |
CN105024976A (en) * | 2014-04-24 | 2015-11-04 | 中国移动通信集团山西有限公司 | Advanced persistent threat attack recognition method and device |
- 2015-11-27: CN CN201510854610.2A (CN105376245B), status Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101272286A (en) * | 2008-05-15 | 2008-09-24 | 上海交通大学 | Network inbreak event association detecting method |
CN103312679A (en) * | 2012-03-15 | 2013-09-18 | 北京启明星辰信息技术股份有限公司 | APT (advanced persistent threat) detection method and system |
WO2015120752A1 (en) * | 2014-02-17 | 2015-08-20 | 北京奇虎科技有限公司 | Method and device for handling network threats |
CN105024976A (en) * | 2014-04-24 | 2015-11-04 | 中国移动通信集团山西有限公司 | Advanced persistent threat attack recognition method and device |
CN104811447A (en) * | 2015-04-21 | 2015-07-29 | 深信服网络科技(深圳)有限公司 | Security detection method and system based on attack association |
Also Published As
Publication number | Publication date |
---|---|
CN105376245A (en) | 2016-03-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105376245B (en) | A kind of detection method of rule-based APT attacks | |
Skopik et al. | Under false flag: using technical artifacts for cyber attack attribution | |
Martins et al. | Towards a systematic threat modeling approach for cyber-physical systems | |
Goseva-Popstojanova et al. | Characterization and classification of malicious Web traffic | |
CN111651757A (en) | Attack behavior monitoring method, device, equipment and storage medium | |
CN107634967A (en) | A kind of the CSRFToken systems of defense and method of CSRF attacks | |
CN103581185A (en) | Cloud searching and killing method, device and system for resisting anti-antivirus test | |
Bollinger et al. | Crafting the InfoSec playbook: security monitoring and incident response master plan | |
Lincke et al. | Designing system security with UML misuse deployment diagrams | |
CN113886829B (en) | Method and device for detecting defect host, electronic equipment and storage medium | |
CN111859374A (en) | Method, device and system for detecting social engineering attack event | |
CN104683378A (en) | Computing and debugging system for novel cloud computing service platform adopting new technology | |
Zamiri-Gourabi et al. | Gas what? i can see your gaspots. studying the fingerprintability of ics honeypots in the wild | |
CN112398857B (en) | Firewall testing method, device, computer equipment and storage medium | |
Davis et al. | A framework for programming and budgeting for cybersecurity | |
Yermalovich et al. | Formalization of attack prediction problem | |
Su et al. | Crowdsourcing platform for collaboration management in vulnerability verification | |
Pasandideh et al. | Improving attack trees analysis using Petri net modeling of cyber-attacks | |
Kumar et al. | A Review on Recent Advances & Future Trends of Security in Honeypot. | |
Kim et al. | Involvers’ behavior-based modeling in cyber targeted attack | |
Xu et al. | Identification of ICS Security Risks toward the Analysis of Packet Interaction Characteristics Using State Sequence Matching Based on SF‐FSM | |
Ussath et al. | Automatic multi-step signature derivation from taint graphs | |
CN104683379A (en) | A new system for computing and debugging facing enterprise service platform with new technique of novel cloud computing | |
Rushing et al. | Collaborative penetration-testing and analysis toolkit (cpat) | |
Razzaq et al. | Multi-layered defense against web application attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP01 | Change in the name or title of a patent holder |
Address after: 310051 15-storey Zhongcai Building, Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province Patentee after: Hangzhou Annan information technology Limited by Share Ltd Address before: 310051 15-storey Zhongcai Building, Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province Patentee before: Dbappsecurity Co.,ltd. |