CN107370755A - A method for multi-dimensional, deep detection of APT attacks - Google Patents
Publication number: CN107370755A (application CN201710731477.0A)
Authority: CN (China)
Prior art keywords: attack, detection, apt, attacks, phase
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, all under H04L63/00 network security, H04L63/14 detecting or protecting against malicious traffic):
- H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/1416 Event detection, e.g. attack signature detection
- H04L63/1433 Vulnerability analysis
- H04L63/1441 Countermeasures against malicious traffic; H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The present invention relates to the field of APT attack detection and provides a method for multi-dimensional, deep detection of APT attacks. The method comprises the steps of: collecting traffic for common network application-layer protocol packets and parsing and reassembling them; analysing and detecting the resulting network application behaviour, recording attack behaviour and raising alerts; further optimising the detection strategy and mechanism of each attack point; and correlating the alerts to generate an APT attack chain. The invention performs deep analysis and detection from multiple dimensions of the possible attack points in each stage of the APT attack life cycle; attack clues found in one attack stage are used as a further basis for detection in the other attack stages, and the detection results of the individual stages are further correlated to form attack evidence of higher certainty.
Description
Technical field
The present invention relates to the field of APT attack detection, and in particular to a method for multi-dimensional, deep detection of APT attacks.
Background technology
An APT (Advanced Persistent Threat) attack is a series of covert and persistent attack processes directed at a specific target, organised and carefully planned. APT attacks commonly use malware against system vulnerabilities and use external C&C (command and control) servers to carry out continuous monitoring of, and data theft from, the specific target. Because an APT attack is aimed at a particular target, is launched only after careful planning, and can be driven remotely by human operators to carry out the attack process in a targeted way, the whole process remains latent for a long time and is hard to discover; once the attack succeeds it poses a very large threat to the target.
The life cycle of an APT attack is generally divided into the following attack stages:
1) Initial intrusion: social-engineering attacks by e-mail or spear phishing, delivery of malicious files; planting malicious files on websites to carry out watering-hole attacks, etc.;
2) Establishing a foothold: implanting a remote administration tool (RAT) on the compromised host and creating a network backdoor or tunnel for unauthorised access;
3) Trojan callback: the RAT connects back to the C&C server, updates the attack tools, and the compromised host can be controlled remotely;
4) Privilege escalation: escalating privileges by vulnerability exploitation or password cracking to gain full control of the compromised host;
5) Internal reconnaissance: collecting information such as the network architecture and asset credentials by means such as scanning;
6) Lateral movement: gaining control of further servers and workstations by means of credentials obtained during internal reconnaissance, password brute force, vulnerability exploitation, etc.;
7) Data theft: illicitly sending the stolen data out of the network.
Once the target has been chosen, an APT attack investigates at length the weak links in the target's existing infrastructure and existing defensive measures, plans each attack step carefully, tries to bypass the existing defences, designs malicious files around 0-day vulnerabilities, and tries to hide and stay dormant during the attack process in order to reach the final goal of stealing data.
Traditional defence mechanisms and products mostly perform single-point detection of a few of the attack techniques used in the APT attack life cycle: the attack points and attack aspects they detect are narrow, the detection strategies of the individual attack points cannot interact or self-optimise, latent APT attacks are hard to discover, the APT attack chain cannot be drawn, and a carefully planned APT attack can easily bypass them. It is therefore necessary to carry out deep analysis and detection from multiple dimensions of the possible attack points in each stage of the APT attack life cycle, to let attack clues found in one attack stage serve as a basis for detection in the other stages, and to further correlate the detection results of the individual stages into attack evidence of higher certainty, so as to discover APT attacks more effectively.
The content of the invention
The main object of the present invention is to overcome the deficiencies of the prior art by providing a method that carries out deep analysis and detection from multiple dimensions for each attack stage of the APT attack life cycle. To solve the above technical problem, the solution of the invention is as follows:
A method for multi-dimensional, deep detection of APT attacks is provided, comprising the following steps:
Step A: a traffic collection module collects traffic for common network application-layer protocol packets (HTTP, SMTP, POP3, IMAP, FTP, SMB, DNS, etc.) and parses and reassembles them;
the traffic collection module can capture the network application-layer protocol packets in mirrored (bypass) traffic (using the Libpcap library), and through IP fragment reassembly, TCP stream reassembly and application-layer protocol parsing, parses and reassembles the packets according to the application specification of the common application-layer protocols (HTTP, SMTP, POP3, IMAP, FTP, SMB, DNS, etc.), finally obtaining the specific network application behaviour contained in the packets;
Step B: for the possible attack points in each attack stage of the APT attack life cycle, analyse and detect the network application behaviour obtained in step A, record attack behaviour and raise alerts;
Step C: use the attack alert information produced by the detection of the individual attack points to further optimise the detection strategy and mechanism of each attack point;
Step D: use the attack alert information produced by the detection of the individual attack points to correlate, by attack source IP, attacked IP, the position of each attack point in the APT attack life cycle, and the time of each alert, and generate the APT attack chain.
In the present invention, the analysis and detection in step B of the possible attack points in each attack stage of the APT attack life cycle is performed separately for each stage, and the detection threshold can be adjusted by the credibility coefficient and infection coefficient of the source and destination IP addresses, so as to apply different detection strengths;
the credibility coefficient of an IP address is a value in the range 0 to 100 and can be obtained from the IP credibility information, which is a two-dimensional store keyed by IP address with the IP credibility coefficient as the value;
the infection coefficient of an IP address is a value in the range 0 to 100 and can be obtained from the IP threat-degree information, which is a two-dimensional store keyed by IP address with the IP infection coefficient as the value;
Step B specifically includes the following sub-steps:
Step B1: divide the APT attack life cycle into 7 attack stages: initial intrusion, establishing a foothold, trojan callback, privilege escalation, internal reconnaissance, lateral movement and data theft;
Step B2: for the initial intrusion stage, detect e-mail social-engineering attacks and malicious file delivery;
Step B3: for the foothold stage, detect receipt of malicious files and Webshell implantation;
Step B4: for the trojan callback stage, detect C&C IP/URL access, DGA domain requests and use of Webshells;
Step B5: for the privilege escalation stage, detect vulnerability exploitation and password cracking;
Step B6: for the internal reconnaissance stage, detect intranet port scans and intranet remote attacks via SMB;
Step B7: for the lateral movement stage, detect intranet password brute force and malicious file delivery;
Step B8: for the data theft stage, detect covert-channel transmission, steganographic file transmission and transmission of illicit data over port 80.
In the present invention, step C specifically includes the following sub-steps:
Step C1: aggregate and analyse all attack alert information to find the attack source IPs that repeatedly attempt attacks, detected in different APT attack stages, against different target IPs and with different protocols and attack modes, and use this to generate the IP credibility information;
the IP credibility information is a two-dimensional store keyed by IP address with the IP credibility coefficient as the value; the IP credibility coefficient is a value in the range 0 to 100, and the larger the value, the higher the credibility of the accesses initiated by that IP, i.e. the smaller the relative likelihood that they are attacks;
Step C2: aggregate and analyse all attack alert information to find the IPs that appear in adjacent APT attack stages both as attack initiator and as attack recipient, and use this to generate the IP threat-degree information;
the IP threat-degree information is a two-dimensional store keyed by IP address with the IP infection coefficient as the value; the IP infection coefficient is a value in the range 0 to 100, and the larger the value, the greater the likelihood that the IP has been compromised; further, the likelihood that a source IP accessing that IP is an attacker IP is correspondingly greater, and for accesses initiated by that IP to other IPs, the likelihood that those other IPs are being attacked through lateral movement is also correspondingly greater;
Step C3: synchronise the generated IP credibility information and IP threat-degree information into the detection strategies of the attack points of the 7 attack stages of the APT attack life cycle in step B (the analysis and detection methods of the possible attack points in each stage use the IP credibility coefficient from the IP credibility information and the IP infection coefficient from the IP threat-degree information as detection thresholds, so as to dynamically adjust the detection strength for specific IPs).
In the present invention, in step D the APT attack chain takes IPs as nodes; IP nodes are connected by the names of the attack points of the APT attack life cycle confirmed to have succeeded between them, and the line between two IP nodes can aggregate and display the attack mode, number of attacks, attack start and end time and threat degree, and can be clicked to drill into the details;
according to the stages of the APT attack life cycle, the APT attack chain can automatically draw an IP node path graph from the initial intrusion stage to the data theft stage; if no IP node path graph covering the whole APT attack life cycle is found, the IP node path graph of the longest path can be drawn, so as to quickly locate the node devices most urgently in need of remediation.
Compared with the prior art, the beneficial effects of the invention are as follows:
Compared with traditional defence mechanisms and products, the invention can carry out deep analysis and detection from multiple dimensions of the possible attack points in each stage of the APT attack life cycle; attack clues found in one attack stage are further used as a basis for detection in the other stages, and the detection results of the individual stages are further correlated to form attack evidence of higher certainty. This solves the problems of traditional products that perform single-point detection of a few attack techniques in the APT attack life cycle: the detected attack points and aspects are narrow, the detection strategies of the individual attack points cannot interact or self-optimise, and latent APT attacks are hard to discover.
Brief description of the drawings
Fig. 1 is the detection flow chart of the present invention.
Embodiment
It must first be explained that the present invention relates to the field of APT attack detection, which is an application branch of computer technology within the field of information security technology. Implementation of the invention involves detection of attack points in multiple stages of the APT attack life cycle. In the applicant's view, after reading the application documents carefully and accurately understanding the principle of realisation and the object of the invention, a person skilled in the art can fully implement the invention with their own software programming skills in combination with existing known technology. Everything referred to in the application documents belongs to this category, and the applicant will not enumerate it.
The invention is described in further detail below with reference to the drawings and an embodiment:
A method for multi-dimensional, deep detection of APT attacks divides the APT attack life cycle into attack stages, carries out multi-dimensional deep detection of the attack points of the different stages, uses the attack clues found in one stage as a further basis for detection in the other stages, and further correlates the detection results of the individual stages into an APT attack chain so as to quickly locate the node devices most urgently in need of remediation. Its processing flow is shown in Fig. 1, and the specific steps are as follows:
Step 1: the traffic collection module collects traffic.
The traffic collection module uses the Libpcap library to capture network packets, capturing common application-layer protocols such as HTTP, SMTP, POP3, IMAP, FTP, SMB and DNS by port; for HTTP, for example, the packets on ports 80 and 8080 are captured by default.
To suit different network environments, the capture ports applicable to each application protocol can be added or removed through an interface.
Step 2: protocol parsing and reassembly, generating primitive behaviour information.
The captured TCP packets are reassembled at the application-protocol level and the primitive behaviour information is parsed and restored according to the application-layer protocol specification, recording the source IP, destination IP, destination port, time of occurrence, application protocol and application behaviour content. The application behaviour content differs from protocol to protocol; for HTTP, for example, it includes, according to the HTTP protocol specification, the request method, URI, User-Agent, Host, Cookie, request headers, the file names and contents of uploaded and downloaded files, the POST body, the response code, the response content and timing data.
Step 3: determine whether the source IP and destination IP of the primitive behaviour are in the IP credibility and threat-degree stores.
The IP credibility store holds IP-address-based reputation information; the IP credibility information is computed by the system from the attack history of the attack source IPs in all past attack alert information.
The IP threat-degree store holds IP-address-based threat-degree information; the IP threat-degree information consists of the IPs that, in all past attack alert information, were both attack source and attack target, i.e. the IPs computed as possibly compromised.
If either the source IP or the destination IP of the primitive behaviour is in the IP credibility store or the IP threat-degree store, proceed to step 4; if neither the source IP nor the destination IP is in the IP credibility store or the IP threat-degree store, proceed to step 5.
Step 4: adjust the detection threshold and strategy of each attack point of the APT attack life cycle.
The strictness of the detection strategy of each attack point in the APT attack life cycle can be further adjusted by a detection threshold, which is computed as a weighted combination of the IP credibility and IP threat degree; in this way the detection strength for specific IPs is adjusted dynamically.
Step 5: initial intrusion detection.
The possible attack points of the initial intrusion stage include, by e-mail: mail header spoofing, sender spoofing, mail phishing, malicious links in mail and malicious file delivery; intrusion of a web server by SQL injection, cross-site scripting or command injection and implantation of malicious files; or delivery of malware to FTP or SMB servers to deploy watering-hole attacks.
Mail header spoofing, sender spoofing, mail phishing and malicious links in mail are e-mail social-engineering attacks; their detection can be based on the primitive behaviour of the SMTP, POP3 and IMAP protocols and completed by semantic analysis or by checking whether a URL hosts malware.
Detection of malicious file delivery can be based on the file upload behaviour in the SMTP, FTP, HTTP and SMB application protocols, and completed by anti-virus scanning, static analysis and dynamic sandbox analysis of the extracted file.
Step 6: foothold detection.
The possible attack points of the foothold stage include receiving malware by e-mail, downloading malware from web, FTP or SMB servers, and implanting a Webshell on a web server by SQL injection or cross-site scripting.
Detection of Webshell implantation can be completed by rule (policy) matching; identification of Webshell files can also be based on machine-learning classification methods.
Step 7: trojan callback detection.
The possible attack points of the trojan callback stage include the processes of accessing C&C IPs/URLs and issuing DGA domain requests.
Detection of C&C IPs/URLs can be based on the store of IPs and URLs from historical APT attacks, or on callback IPs and URLs captured during dynamic sandbox analysis of malicious files.
Detection of DGA domain requests refers to the process of identifying, in the DNS traffic, requests to resolve domain names generated by a DGA (domain generation algorithm).
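The patent does not say how DGA names are recognised in the DNS flow, so the following is an added example of one common way to do it, not the patent's own method: a lexical score over the registered label (length, digit and vowel ratios, consonant run, Shannon entropy), then a per-source count of distinct DGA-like names so that one odd lookup does not alert. The thresholds, the DNS records and the absence of public-suffix handling (co.uk and the like) are this example's assumptions.

```python
"""Added example: heuristic DGA detection over DNS query behaviour records."""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

VOWELS = set("aeiou")

# Constructed DNS primitive-behaviour records: (source IP, queried name).
DNS_RECORDS: List[Tuple[str, str]] = [
    ("10.0.1.20", "xjq4kd8hzp2vlw.com"),
    ("10.0.1.20", "kq7zx9mtlrb3dw.net"),
    ("10.0.1.20", "vt0zq9lmxr.info"),
    ("10.0.1.20", "www.google.com"),
    ("10.0.1.50", "www.google.com"),
    ("10.0.1.50", "mail.example.org"),
    ("10.0.1.50", "api.github.com"),
    ("10.0.1.50", "login.microsoftonline.com"),
]


def registered_label(qname: str) -> str:
    """Second-level label; public-suffix lists are ignored here (assumption)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Entropy in bits per character; random-looking labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_non_vowel_run(s: str) -> int:
    """Longest run of characters that are not vowels (digits count as non-vowels)."""
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_score(qname: str) -> int:
    """Number of DGA indicators (0..5) that fire on the registered label."""
    label = registered_label(qname)
    n = len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    checks = [
        n >= 10,                              # long label
        digit_ratio > 0.15,                   # digits mixed into the name
        vowel_ratio < 0.25,                   # unpronounceable
        longest_non_vowel_run(label) >= 4,    # consonant clusters
        shannon_entropy(label) >= 3.0,        # high character entropy
    ]
    return sum(checks)


def is_dga_like(qname: str, threshold: int = 3) -> bool:
    """Assumed cut-off: three or more indicators."""
    return dga_score(qname) >= threshold


def find_dga_sources(records: List[Tuple[str, str]], min_names: int = 2) -> Dict[str, int]:
    """Sources that resolved at least min_names distinct DGA-like labels."""
    names = defaultdict(set)
    for src, qname in records:
        if is_dga_like(qname):
            names[src].add(registered_label(qname))
    return {src: len(s) for src, s in names.items() if len(s) >= min_names}


if __name__ == "__main__":
    for src, qname in DNS_RECORDS:
        print(src, qname, dga_score(qname))
    print(find_dga_sources(DNS_RECORDS))
```

A long brand name such as microsoftonline trips the length and entropy checks but not the others, which is why the cut-off sits at three indicators; a real deployment would also use NXDOMAIN rates and a domain allow-list, which the constructed records do not carry.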
Step 8: privilege escalation detection.
Detection of the attack points of the privilege escalation stage includes detection of vulnerability exploitation or password cracking behaviour.
Step 9: internal reconnaissance detection.
Detection of the attack points of the internal reconnaissance stage includes detection of port scans captured in intranet traffic and of intranet remote attacks via SMB.
Step 10: lateral movement detection.
Detection of the attack points of the lateral movement stage includes detection of password brute force and malicious file delivery captured in intranet traffic.
Step 11: data theft detection.
The attack points of the data theft stage include detection of covert-channel transmission, steganographic file transmission and transmission of illicit data over port 80.
Step 12: determine whether an attack was detected at any attack point.
If, during the attack-point detection of steps 5 to 11, the primitive behaviour is determined to be attack behaviour, proceed to step 13 for further processing; if the primitive behaviour does not meet the detection conditions of any attack point in steps 5 to 11, return to step 1.
Step 13: record the attack behaviour and produce an alert.
The primitive behaviour identified as attack behaviour is marked and a standard log is produced in alert form.
Step 14: store the alert information.
The alert log is written to a relational database.
Step 15: correlate the alert information to generate the attack chain.
The APT attack chain is generated by correlating the attack source IP and attacked IP in the alert information, the position of each attack point in the APT attack life cycle, and the time of each alert. The APT attack chain takes IPs as nodes; IP nodes are connected by the names of the attack points of the APT attack life cycle confirmed to have succeeded between them, and the line between two IP nodes can aggregate and display the attack mode, number of attacks, attack start and end time and threat degree, and can be clicked to drill into the details.
According to the stages of the APT attack life cycle, the APT attack chain can further automatically draw an IP node path graph from the initial intrusion stage to the data theft stage; if no IP node path graph covering the whole APT attack life cycle is found, the IP node path graph of the longest path can be drawn, so as to quickly locate the node devices most urgently in need of remediation.
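The correlation of step 15 (and step D), as an added example that is not the patent's code: alerts are folded into IP-to-IP edges carrying the attack names, count, first and last time and life-cycle stages, then chains are grown along the victim of each edge with strictly increasing stage and non-decreasing time. A chain whose first edge is in the initial intrusion stage and whose last edge is in the data theft stage is reported as covering the full life cycle; otherwise the longest chain is returned. The alert records are constructed, and the rule that a chain continues from the attacked IP of the previous edge is this example's assumption.

```python
"""Added example: correlate alerts into an APT attack chain (IP node path)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

STAGE_NAMES = {1: "initial intrusion", 2: "foothold", 3: "trojan callback",
               4: "privilege escalation", 5: "internal reconnaissance",
               6: "lateral movement", 7: "data theft"}

# Constructed alert records: (attack source IP, attacked IP, stage, attack point, time).
ALERTS: List[Tuple[str, str, int, str, int]] = [
    ("203.0.113.9", "10.0.1.20", 1, "phishing attachment", 100),
    ("203.0.113.9", "10.0.1.20", 2, "webshell implant", 200),
    ("10.0.1.20", "198.51.100.7", 3, "C&C callback", 300),
    ("10.0.1.20", "10.0.1.30", 5, "port scan", 400),
    ("10.0.1.20", "10.0.1.30", 6, "SMB brute force", 500),
    ("10.0.1.30", "198.51.100.7", 7, "covert channel", 600),
    ("10.0.9.9", "10.0.1.60", 5, "port scan", 700),      # unrelated single alert
]


@dataclass
class Edge:
    """Aggregated line between two IP nodes, as displayed on the chain."""
    src: str
    dst: str
    attacks: List[str] = field(default_factory=list)
    count: int = 0
    start: int = 0
    end: int = 0
    stages: Set[int] = field(default_factory=set)


def build_edges(alerts) -> Dict[Tuple[str, str], Edge]:
    """Fold alerts into one edge per (source, target) pair."""
    edges: Dict[Tuple[str, str], Edge] = {}
    for src, dst, stage, attack, ts in alerts:
        e = edges.get((src, dst))
        if e is None:
            e = edges[(src, dst)] = Edge(src, dst, start=ts, end=ts)
        if attack not in e.attacks:
            e.attacks.append(attack)
        e.count += 1
        e.start, e.end = min(e.start, ts), max(e.end, ts)
        e.stages.add(stage)
    return edges


def _extend(chain: List[Edge], edges: Dict[Tuple[str, str], Edge], out: List[List[Edge]]) -> None:
    """Depth-first growth: next edge leaves the last victim, later stage, not earlier in time."""
    last = chain[-1]
    extended = False
    for e in edges.values():
        if e.src == last.dst and min(e.stages) > max(last.stages) and e.start >= last.start:
            extended = True
            _extend(chain + [e], edges, out)
    if not extended:
        out.append(chain)              # keep only maximal chains


def all_chains(edges: Dict[Tuple[str, str], Edge]) -> List[List[Edge]]:
    out: List[List[Edge]] = []
    for e in edges.values():
        _extend([e], edges, out)
    return out


def covers_full_lifecycle(chain: List[Edge]) -> bool:
    return 1 in chain[0].stages and 7 in chain[-1].stages


def best_chain(edges: Dict[Tuple[str, str], Edge]) -> List[Edge]:
    """Prefer a full initial-intrusion-to-data-theft chain, else the longest one."""
    return max(all_chains(edges), key=lambda c: (covers_full_lifecycle(c), len(c), -c[0].start))


def node_path(chain: List[Edge]) -> List[str]:
    return [chain[0].src] + [e.dst for e in chain]


def describe(chain: List[Edge]) -> List[str]:
    """One line per edge with the details the chain view shows on the line."""
    return [f"{e.src} -> {e.dst}: {', '.join(e.attacks)} (x{e.count}, t={e.start}..{e.end}, "
            f"{'/'.join(STAGE_NAMES[s] for s in sorted(e.stages))})" for e in chain]


if __name__ == "__main__":
    chain = best_chain(build_edges(ALERTS))
    print(covers_full_lifecycle(chain), node_path(chain))
    print("\n".join(describe(chain)))
```

The stage-monotonic rule keeps the search finite (at most seven edges per chain) and discards the stage 3 callback branch, which dead-ends at the C&C server, in favour of the branch that reaches the exfiltrating host; dropping the stage 7 alert from the input makes `best_chain` fall back to a two-edge longest path, which is the patent's "longest path" case.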
Step 16: aggregate and analyse the IP credibility and threat degree involved in the alert information.
By aggregating and analysing all attack alert information, the system finds the attack source IPs that persistently attempt attacks, detected in different APT stages, against different target IPs and with different protocols and attack modes, classifies these attack source IPs as potentially low-credibility IPs, and thereby confirms the IP reputation.
By aggregating and analysing all attack alert information, the system finds the IPs that appear in adjacent APT attack stages both as attack initiator and as attack recipient, classifies these IPs as potentially controlled IPs, and thereby confirms the IP threat degree.
Step 17: update the IP threat-degree store.
The IP threat-degree store holds IP-address-based threat-degree information; it is kept persistently in the relational database and is also cached in memory so that the determination in step 3 performs better.
Step 18: update the IP credibility store.
The IP credibility store holds IP-address-based credibility information; it is kept persistently in the relational database and is also cached in memory so that the determination in step 3 performs better.
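The feedback loop of steps 16 to 18, together with the threshold adjustment of steps 3 and 4 (step C of the summary), as one added example that is not the patent's code: credibility and infection coefficients are derived from a constructed alert log, the two stores are rebuilt, and a port-scan check for the internal reconnaissance stage then applies a base threshold to unknown IPs and a weighted, lower threshold to IPs the stores already know. The patent gives no formulas, so the penalty weights, the 0.5/0.5 weighting and the base threshold of 30 distinct ports are this example's assumptions.

```python
"""Added example: IP credibility / infection coefficients from past alerts and
the weighted detection threshold they drive. Scoring formulas are assumptions."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed alert log. stage: 1 initial intrusion ... 7 data theft.
ALERTS: List[Dict[str, object]] = [
    {"src": "203.0.113.9", "dst": "10.0.1.20", "stage": 1, "proto": "SMTP", "attack": "phishing_attachment"},
    {"src": "203.0.113.9", "dst": "10.0.1.20", "stage": 2, "proto": "HTTP", "attack": "webshell_upload"},
    {"src": "10.0.1.20", "dst": "198.51.100.7", "stage": 3, "proto": "HTTP", "attack": "c2_callback"},
    {"src": "10.0.1.20", "dst": "10.0.1.30", "stage": 5, "proto": "TCP", "attack": "port_scan"},
    {"src": "10.0.1.20", "dst": "10.0.1.30", "stage": 6, "proto": "SMB", "attack": "password_bruteforce"},
    {"src": "10.0.1.30", "dst": "198.51.100.7", "stage": 7, "proto": "HTTP", "attack": "covert_channel"},
]


def credibility(alerts, ip: str) -> Optional[int]:
    """0..100, lower = less credible. Penalises breadth (stages, targets,
    protocols) and persistence (alert count), the signals step 16 names."""
    mine = [a for a in alerts if a["src"] == ip]
    if not mine:
        return None                       # never seen as an attack source
    penalty = (15 * len({a["stage"] for a in mine})
               + 10 * len({a["dst"] for a in mine})
               + 5 * len({a["proto"] for a in mine})
               + 2 * len(mine))
    return max(0, 100 - penalty)


def infection(alerts, ip: str) -> Optional[int]:
    """0..100, higher = more likely compromised: attacked in stage k and
    attacking in stage k+1 (adjacent stages) is the signal step 16 uses."""
    dst_stages = {a["stage"] for a in alerts if a["dst"] == ip}
    src_stages = {a["stage"] for a in alerts if a["src"] == ip}
    if not dst_stages or not src_stages:
        return None
    pairs = sum(1 for k in dst_stages if k + 1 in src_stages)
    return min(100, 20 + 40 * pairs)


def build_stores(alerts) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Steps 17/18: rebuild the credibility and threat-degree stores."""
    srcs = {a["src"] for a in alerts}
    dsts = {a["dst"] for a in alerts}
    cred = {ip: credibility(alerts, ip) for ip in srcs}
    threat: Dict[str, int] = {}
    for ip in srcs & dsts:
        score = infection(alerts, ip)
        if score is not None:
            threat[ip] = score
    return cred, threat


def scan_threshold(src: str, dst: str, cred_db, threat_db, base: int = 30) -> int:
    """Steps 3/4: unknown IPs keep the base threshold; known IPs get one
    scaled by a weighted mix of source credibility and infection."""
    known = any(ip in db for ip in (src, dst) for db in (cred_db, threat_db))
    if not known:
        return base
    cred = cred_db.get(src, 100)
    inf = max(threat_db.get(src, 0), threat_db.get(dst, 0))
    factor = 0.5 * cred / 100 + 0.5 * (1 - inf / 100)   # assumed weights
    return max(3, int(round(base * factor)))


def detect_port_scans(behaviors, cred_db, threat_db) -> List[Dict[str, object]]:
    """Internal reconnaissance check: distinct destination ports per
    (src, dst) pair against that pair's threshold."""
    ports = defaultdict(set)
    for src, dst, port in behaviors:
        ports[(src, dst)].add(port)
    hits = []
    for (src, dst), seen in ports.items():
        limit = scan_threshold(src, dst, cred_db, threat_db)
        if len(seen) >= limit:
            hits.append({"src": src, "dst": dst, "ports": len(seen), "threshold": limit})
    return hits


# Constructed primitive behaviours: the same 12-port probe from a host the
# stores already flag (10.0.1.20) and from an unknown host (10.0.2.2).
PORTS = (21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3306, 3389)
BEHAVIORS = ([("10.0.1.20", "10.0.1.40", p) for p in PORTS]
             + [("10.0.2.2", "10.0.1.40", p) for p in PORTS])

if __name__ == "__main__":
    cred, threat = build_stores(ALERTS)
    print(cred, threat)
    print(detect_port_scans(BEHAVIORS, cred, threat))
```

With these weights the host that was attacked in stage 2 and started beaconing in stage 3 gets credibility 14 and infection 60, so its scan threshold drops from 30 to 8 and the 12-port probe alerts, while the identical probe from the unknown host stays below the base threshold; that asymmetry is the "different detection strength" the patent attaches to step 4.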
Thus the APT attack life cycle is divided into attack stages, multi-dimensional deep detection is carried out on the attack points of the different stages, the attack clues found in one stage are further used as a basis for detection in the other stages, and the detection results of the individual stages are further correlated to generate the APT attack chain, realising a system for multi-dimensional, deep detection of APT attacks.
Finally, it should be noted that the above is only a specific embodiment of the invention. Clearly the invention is not limited to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can derive or infer directly from the disclosure of the invention are considered to fall within the scope of protection of the invention.
Claims (4)
1. A method for multi-dimensional, deep detection of APT attacks, characterised in that it comprises the following steps:
Step A: a traffic collection module collects traffic for common network application-layer protocol packets and parses and reassembles them;
the traffic collection module can capture the network application-layer protocol packets in mirrored (bypass) traffic and, through IP fragment reassembly, TCP stream reassembly and application-layer protocol parsing, parses and reassembles the packets according to the application specification of the common application-layer protocols, finally obtaining the specific network application behaviour contained in the packets;
Step B: for the possible attack points in each attack stage of the APT attack life cycle, analyse and detect the network application behaviour obtained in step A, record attack behaviour and raise alerts;
Step C: use the attack alert information produced by the detection of the individual attack points to further optimise the detection strategy and mechanism of each attack point;
Step D: use the attack alert information produced by the detection of the individual attack points to correlate, by attack source IP, attacked IP, the position of each attack point in the APT attack life cycle, and the time of each alert, and generate the APT attack chain.
2. The method for multi-dimensional, deep detection of APT attacks according to claim 1, characterised in that the analysis and detection in step B of the possible attack points in each attack stage of the APT attack life cycle is performed separately for each stage, and the detection threshold can be adjusted by the credibility coefficient and infection coefficient of the source and destination IP addresses, so as to apply different detection strengths;
the credibility coefficient of an IP address is a value in the range 0 to 100 and can be obtained from the IP credibility information, which is a two-dimensional store keyed by IP address with the IP credibility coefficient as the value;
the infection coefficient of an IP address is a value in the range 0 to 100 and can be obtained from the IP threat-degree information, which is a two-dimensional store keyed by IP address with the IP infection coefficient as the value;
Step B specifically includes the following sub-steps:
Step B1: divide the APT attack life cycle into 7 attack stages: initial intrusion, establishing a foothold, trojan callback, privilege escalation, internal reconnaissance, lateral movement and data theft;
Step B2: for the initial intrusion stage, detect e-mail social-engineering attacks and malicious file delivery;
Step B3: for the foothold stage, detect receipt of malicious files and Webshell implantation;
Step B4: for the trojan callback stage, detect C&C IP/URL access, DGA domain requests and use of Webshells;
Step B5: for the privilege escalation stage, detect vulnerability exploitation and password cracking;
Step B6: for the internal reconnaissance stage, detect intranet port scans and intranet remote attacks via SMB;
Step B7: for the lateral movement stage, detect intranet password brute force and malicious file delivery;
Step B8: for the data theft stage, detect covert-channel transmission, steganographic file transmission and transmission of illicit data over port 80.
3. The method for multi-dimensional, deep detection of APT attacks according to claim 1, characterised in that step C specifically includes the following sub-steps:
Step C1: aggregate and analyse all attack alert information to find the attack source IPs that repeatedly attempt attacks, detected in different APT attack stages, against different target IPs and with different protocols and attack modes, and use this to generate the IP credibility information;
the IP credibility information is a two-dimensional store keyed by IP address with the IP credibility coefficient as the value; the IP credibility coefficient is a value in the range 0 to 100, and the larger the value, the higher the credibility of the accesses initiated by that IP, i.e. the smaller the relative likelihood that they are attacks;
Step C2: aggregate and analyse all attack alert information to find the IPs that appear in adjacent APT attack stages both as attack initiator and as attack recipient, and use this to generate the IP threat-degree information;
the IP threat-degree information is a two-dimensional store keyed by IP address with the IP infection coefficient as the value; the IP infection coefficient is a value in the range 0 to 100, and the larger the value, the greater the likelihood that the IP has been compromised; further, the likelihood that a source IP accessing that IP is an attacker IP is correspondingly greater, and for accesses initiated by that IP to other IPs, the likelihood that those other IPs are being attacked through lateral movement is also correspondingly greater;
Step C3: synchronise the generated IP credibility information and IP threat-degree information into the detection strategies of the attack points of the 7 attack stages of the APT attack life cycle in step B.
4. The method for multi-dimensional deep detection of APT attacks according to claim 1, characterized in that in step D, the APT attack chain uses IPs as nodes and connects IPs by the attack-point names of the APT attack life cycle stages confirmed as successful attacks; on the line between IP nodes it can aggregate and display the attack method, number of attacks, attack start and end times, and threat degree, and details can be drilled into by clicking;
the APT attack chain can, according to the several attack stages of the APT attack life cycle, automatically outline the IP node path graph from the initial intrusion stage to the data theft stage; if no IP node path graph covering the full APT attack life cycle is found, the IP node path graph of the longest path is outlined, so as to quickly locate the node devices most urgently in need of remediation.
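The following Python is an added illustration of step C2 (IP threat degree from adjacent-stage alarms) and of the step D attack chain with its longest-path fallback; it is not code from the patent. The stage names, the constructed alerts, the linkage rule (a later alert must be initiated by an endpoint of the earlier one) and the mapping of adjacent-stage pair counts onto 0..100 are all assumptions made here.

```python
from collections import defaultdict

# The seven stages of step B1, in life-cycle order.
STAGES = ["initial_intrusion", "foothold", "trojan_callback", "priv_esc",
          "internal_recon", "lateral_movement", "data_theft"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Constructed sample alerts: (source IP, destination IP, stage, method). No
# priv_esc alert was raised, so no path covers the full life cycle and the
# longest path has to be reported instead (the fallback of claim 4).
ALERTS = [
    ("203.0.113.7", "10.0.0.5", "initial_intrusion", "malicious_mail_attachment"),
    ("203.0.113.7", "10.0.0.5", "foothold", "webshell_upload"),
    ("10.0.0.5", "203.0.113.9", "trojan_callback", "dga_dns_request"),
    ("10.0.0.5", "10.0.0.20", "internal_recon", "port_scan"),
    ("10.0.0.5", "10.0.0.20", "lateral_movement", "smb_password_brute_force"),
    ("10.0.0.20", "203.0.113.9", "data_theft", "covert_channel_port_80"),
    ("198.51.100.4", "10.0.0.30", "initial_intrusion", "phishing_mail"),
]

def threat_degree(alerts):
    """Step C2: an IP is likely infected when it is the attack recipient in one
    stage and the attack initiator in the next. Mapping the count of such
    adjacent-stage pairs onto 0..100 is an assumption (the claim fixes only the
    range and that higher means more likely infected)."""
    received, initiated = defaultdict(set), defaultdict(set)
    for src, dst, stage, _ in alerts:
        initiated[src].add(STAGE_INDEX[stage])
        received[dst].add(STAGE_INDEX[stage])
    return {ip: min(100, round(100 * sum(s + 1 in initiated[ip] for s in received[ip])
                               / (len(STAGES) - 1)))
            for ip in set(received) | set(initiated)}

def longest_path(alerts):
    """Step D: chain alerts with strictly increasing stage index, each initiated by
    an endpoint of the previous one. Returns (covers_full_life_cycle, path)."""
    idx = lambda a: STAGE_INDEX[a[2]]
    order = sorted(range(len(alerts)), key=lambda i: idx(alerts[i]))
    best = {i: (1, None) for i in order}   # alert -> (chain length, predecessor)
    for pos, i in enumerate(order):
        for j in order[:pos]:
            if (idx(alerts[j]) < idx(alerts[i]) and alerts[i][0] in alerts[j][:2]
                    and best[j][0] + 1 > best[i][0]):
                best[i] = (best[j][0] + 1, j)
    end, path = max(best, key=lambda i: best[i][0]), []
    while end is not None:          # walk predecessors back to the first stage
        path.append(alerts[end])
        end = best[end][1]
    path.reverse()
    return len(path) == len(STAGES), path
```

On the constructed alerts the chain spans six of the seven stages, so `longest_path` reports that the full life cycle was not covered and returns the six-alert path from the initial phishing delivery to the port 80 covert-channel exfiltration.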
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710731477.0A CN107370755B (en) | 2017-08-23 | 2017-08-23 | Method for multi-dimensional deep detection of APT attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107370755A true CN107370755A (en) | 2017-11-21 |
CN107370755B CN107370755B (en) | 2020-03-03 |
Family
ID=60311784
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 310051 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province; Applicant after: Hangzhou Annan information technology Limited by Share Ltd; Address before: Zhejiang Zhongcai Building No. 68 Binjiang District road Hangzhou City, Zhejiang Province, the 310051 and 15 layer; Applicant before: Dbappsecurity Co.,ltd. |
| GR01 | Patent grant | |