CN107370755A - Method for multi-dimensional, in-depth detection of APT attacks - Google Patents

Method for multi-dimensional, in-depth detection of APT attacks

Info

Publication number: CN107370755A
Application number: CN201710731477.0A
Authority: CN (China)
Prior art keywords: attack, detection, apt, attacks, phase
Legal status: Granted, active (status as listed by Google Patents)
Other languages: Chinese (zh)
Other versions: CN107370755B (en)
Inventors: 李凯, 范渊
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Events: application filed by DBAPPSecurity Co Ltd; priority to CN201710731477.0A; publication of CN107370755A; application granted; publication of CN107370755B; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The present invention relates to the field of APT attack detection and aims to provide a method for multi-dimensional, in-depth detection of APT attacks. The method comprises the steps of: collecting traffic for common network application-layer protocol packets and parsing and reconstructing them; analysing and detecting the captured network application behaviour, recording attack behaviour and raising alerts; further optimising the detection policies and mechanisms of each attack point; and correlating the results to generate APT attack chains. For the possible attack points in each stage of the APT attack life cycle, the invention performs in-depth analysis and detection from multiple dimensions; attack clues found in one attack stage are further used as the detection basis for the other stages, and the detection results of each stage are further correlated to form attack evidence with higher certainty.

Description

Method for multi-dimensional, in-depth detection of APT attacks
Technical field
The present invention relates to the field of APT attack detection, and in particular to a method for multi-dimensional, in-depth detection of APT attacks.
Background technology
An APT (Advanced Persistent Threat) attack is a series of covert and persistent attack processes directed at a specific target, organised and meticulously planned. APT attacks commonly use malware against system vulnerabilities and use external C&C servers to keep the specific target under continuous surveillance and to steal its data. Because an APT attack is built around a particular target, unfolds only after careful planning, and can be carried out in a more targeted manner by remote control combined with human skill, the whole process stays dormant for a long time and is hard to notice; once such an attack succeeds it can pose a very serious threat to the target.
The life cycle of an APT attack is generally divided into the following attack stages:
1) Initial intrusion: social-engineering attacks by e-mail or spear phishing, and delivery of malicious files; implanting malicious files on websites to carry out watering-hole attacks, and so on;
2) Establishing a foothold: implanting a remote administration tool (RAT) on the compromised host and creating a network backdoor or tunnel for unauthorised access;
3) Trojan callback: the RAT calls back to the C&C server, updates its attack tools, and the compromised host can be controlled remotely;
4) Privilege escalation: escalating privileges through vulnerability exploitation or password cracking to gain full control of the compromised host;
5) Internal reconnaissance: collecting information such as the network architecture and asset credentials by means such as scanning;
6) Lateral movement: using credentials obtained by internal reconnaissance, password brute-forcing, vulnerability exploitation or other means to gain control of further servers and workstations;
7) Data theft: the stolen data is illegitimately sent out of the network.
Once the target has been chosen, an APT attack involves extensive reconnaissance of the weak points in the target's existing infrastructure and existing defensive measures, careful planning of each attack step, attempts to bypass the existing defences, malicious files built on 0-day vulnerabilities, and attempts to hide and stay dormant throughout the attack in order to reach the final goal of stealing data.
Traditional defence mechanisms and products mostly perform single-point detection of a few attack techniques in the APT attack life cycle. The attack points and attack aspects they detect are narrow, the detection policies of the individual attack points cannot interact or self-optimise, they are poorly suited to discovering dormant APT attacks, they cannot sketch the APT attack chain, and they are easily bypassed by a well-planned APT attack. What is needed is in-depth analysis and detection, from multiple dimensions, of the possible attack points in each stage of the APT attack life cycle, in which attack clues found in one attack stage can further serve as the detection basis for other attack stages and the detection results of each stage can be further correlated to form attack evidence with higher certainty, so that APT attacks are discovered more effectively.
Summary of the invention
The main object of the present invention is to overcome the deficiencies of the prior art by providing a method that performs in-depth analysis and detection, from multiple dimensions, of each attack stage in the APT attack life cycle. To solve the above technical problem, the solution of the invention is as follows:
A method for multi-dimensional, in-depth detection of APT attacks is provided, comprising the following steps:
Step A: a traffic collection module collects traffic for common network application-layer protocol packets (HTTP, SMTP, POP3, IMAP, FTP, SMB, DNS, etc.) and parses and reconstructs them;
The traffic collection module can capture the network application-layer protocol packets in bypass (mirrored) traffic (using the libpcap library), and, through IP fragment reassembly, TCP stream reassembly and application-layer protocol parsing, parses and reconstructs the packets according to the application specifications of the common network application-layer protocols (HTTP, SMTP, POP3, IMAP, FTP, SMB, DNS, etc.), finally obtaining the specific network application behaviour contained in those packets;
Step B: for the possible attack points in each attack stage of the APT attack life cycle, analyse and detect the network application behaviour obtained in step A, record attack behaviour and raise alerts;
Step C: use the attack alert information produced by detection at the individual attack points to further optimise the detection policies and mechanisms of each attack point;
Step D: use the attack alert information produced by detection at the individual attack points, together with the attacking source IP, the attacked IP, the position of each attack point within the APT attack life cycle and the time of each alert, to correlate and generate APT attack chains.
In the present invention, the analysis and detection in step B of the possible attack points in each stage of the APT attack life cycle can adjust the detection threshold by means of the reliability coefficient and the infection coefficient of the source and destination IP addresses, so as to achieve different detection intensities;
The reliability coefficient of an IP address is a value in the range 0 to 100 and can be obtained from the IP reputation information; the IP reputation information is a two-dimensional store keyed by IP address whose values are the IP reliability coefficients;
The infection coefficient of an IP address is a value in the range 0 to 100 and can be obtained from the IP threat-degree information; the IP threat-degree information is a two-dimensional store keyed by IP address whose values are the IP infection coefficients;
Step B specifically includes the following sub-steps:
Step B1: the APT attack life cycle is divided into 7 attack stages: initial intrusion, establishing a foothold, trojan callback, privilege escalation, internal reconnaissance, lateral movement and data theft;
Step B2: for the initial intrusion stage, detect e-mail social-engineering attacks and malicious file delivery;
Step B3: for the foothold stage, detect receipt of malicious files and Webshell implantation;
Step B4: for the trojan callback stage, detect access to C&C IPs/URLs, DGA domain requests and use of Webshells;
Step B5: for the privilege escalation stage, detect vulnerability exploitation and password cracking;
Step B6: for the internal reconnaissance stage, detect intranet port scanning and remote SMB overflow attacks within the intranet;
Step B7: for the lateral movement stage, detect intranet password brute-forcing and malicious file delivery;
Step B8: for the data theft stage, detect covert-channel transmission, transmission of steganographic files and transmission of illegitimate data over port 80.
In the present invention, step C specifically includes the following sub-steps:
Step C1: by aggregate analysis of all attack alert information, identify the attacking source IPs that continually attempt attacks in different APT attack stages, against different target IPs, using different protocols and attack methods, and generate IP reputation information from them;
The IP reputation information is a two-dimensional store keyed by IP address whose values are the IP reliability coefficients; the IP reliability coefficient is a value in the range 0 to 100, and the larger the value, the more trustworthy the accesses initiated by that IP, i.e. the less likely they are to be attack behaviour;
Step C2: by aggregate analysis of all attack alert information, identify the IPs that, in adjacent APT attack stages, appear both as attack initiator and as attack recipient, and generate IP threat-degree information from them;
The IP threat-degree information is a two-dimensional store keyed by IP address whose values are the IP infection coefficients; the IP infection coefficient is a value in the range 0 to 100, and the larger the value, the more likely that IP is infected; furthermore, the more likely it is that the source IPs accessing that IP are attacker IPs, and the more likely it is that the accesses initiated by that IP to other IPs are lateral-movement attacks on those IPs;
Step C3: the generated IP reputation information and IP threat-degree information are synchronised into the detection policies of the attack points of the 7 attack stages of the APT attack life cycle in step B (the analysis and detection methods for the possible attack points of each stage use the IP reliability coefficient from the IP reputation information and the IP infection coefficient from the IP threat-degree information as detection thresholds, so as to dynamically adjust the detection intensity applied to specific IPs).
In the present invention, in step D the APT attack chain uses IPs as nodes and connects the IPs by the names of the attack points of the confirmed successful APT attack life cycle; the line between two IP nodes can aggregate and display the attack method, number of attacks, attack start and end time and threat degree, and can be clicked to drill into the details;
Following the several attack stages of the APT attack life cycle, the APT attack chain can automatically sketch an IP node path diagram running from the initial intrusion stage to the data theft stage; if no IP node path diagram covering the full APT attack life cycle is found, it sketches the IP node path diagram of the longest path, so that the node devices most urgently in need of remediation can be located quickly.
Compared with the prior art, the beneficial effects of the invention are as follows:
Compared with traditional defence mechanisms and products, the invention can perform in-depth analysis and detection, from multiple dimensions, of the possible attack points in each stage of the APT attack life cycle; attack clues found in one attack stage are further used as the detection basis for the other stages, and the detection results of each stage are further correlated to form attack evidence with higher certainty. This solves the problems of traditional products that perform single-point detection of a few attack techniques in the APT attack life cycle: the detected attack points and attack aspects are narrow, the detection policies of the individual attack points cannot interact or self-optimise, and dormant APT attacks are hard to discover.
Brief description of the drawings
Fig. 1 is the detection flow chart of the present invention.
Embodiments
It should first be noted that the present invention relates to the field of APT attack detection, which is an application branch of computer technology within information security technology. Implementing the invention involves detecting the attack points of multiple stages of the APT attack life cycle. The applicant believes that, after reading the application documents and accurately understanding the realisation principle and object of the invention, a person skilled in the art can, in combination with existing known technology, fully implement the invention using their software programming skills. Everything referred to in the application documents belongs to this category, and the applicant will not enumerate it.
The invention is described in further detail below with reference to the drawings and embodiments:
A method for multi-dimensional, in-depth detection of APT attacks divides the APT attack life cycle into attack stages, performs multi-dimensional, in-depth detection of the attack points of the different attack stages, uses the attack clues found in one attack stage as the detection basis for the other stages, and correlates the detection results of each stage to generate an APT attack chain, so that the node devices most urgently in need of remediation can be located quickly. Its processing flow is shown in Fig. 1, and the specific steps are as follows:
Step 1: The traffic collection module collects traffic.
The traffic collection module captures network packets using the libpcap library and captures the common application-layer protocols HTTP, SMTP, POP3, IMAP, FTP, SMB, DNS, etc. according to port; for example, HTTP defaults to capturing packets on ports 80 and 8080.
To adapt to different network scenarios, the capture ports applicable to each application protocol can be added or removed through an interface.
Step 2: Protocol parsing and reconstruction, generating primitive behaviour information.
The captured TCP packets are reassembled at the application-layer protocol level and parsed according to the application-layer protocol specification to reconstruct primitive behaviour information, recording the source IP, destination IP, destination port, time of occurrence, application protocol and application behaviour content. The application behaviour content differs by application protocol; for HTTP, according to the HTTP protocol specification, it includes the request method, URI, User-Agent, Host, Cookie, request headers, the file names and files uploaded or downloaded, the POST body, the response code, the response content and latency information.
Step 3: Determine whether the source IP or destination IP of the primitive behaviour is in the IP reputation store or the IP threat-degree store.
The IP reputation store holds IP-address-based reputation information, which the system calculates from the attack record of the attacking source IPs in all past attack alert information.
The IP threat-degree store holds IP-address-based threat-degree information: the IPs that, in all past attack alert information, were both an attack source and an attack target, which the system computes as possibly infected IPs.
If either the source IP or the destination IP of the primitive behaviour is in the IP reputation store or the IP threat-degree store, processing continues at step 4; if neither the source IP nor the destination IP is in the IP reputation store or the IP threat-degree store, processing continues at step 5.
Step 4: Adjust the detection thresholds and policies of each attack point of the APT attack life cycle.
The strictness of each attack-point detection policy in the APT attack life cycle can be further adjusted through a detection threshold, which is obtained by a weighted calculation over the IP reputation and the IP threat degree, thereby dynamically adjusting the detection intensity applied to specific IPs.
Step 5: Initial intrusion detection.
The possible attack points of the initial intrusion stage include, by e-mail, mail header spoofing, sender spoofing, e-mail phishing, malicious links in e-mail and malicious file delivery; intrusion into a web server via SQL injection, cross-site scripting or command injection in order to implant malicious files; and delivery of malware to FTP or SMB servers to set up a watering-hole attack.
Mail header spoofing, sender spoofing, e-mail phishing and malicious links in e-mail are e-mail social-engineering attacks; their detection can be based on the primitive behaviour of the SMTP, POP3 and IMAP protocols, using semantic analysis or checking whether a URL hosts a trojan.
Detection of malicious file delivery can be based on file-upload behaviour in the SMTP, FTP, HTTP and SMB application protocols, with the extracted file examined by antivirus scanning, static analysis and dynamic sandbox analysis.
Step 6: Foothold detection.
The possible attack points of the foothold stage include receiving malware by e-mail, downloading malware from web, FTP or SMB servers, and implanting a Webshell into a web server through SQL injection or cross-site scripting.
Detection of Webshell implantation can be done by policy (rule) matching; Webshell files can also be identified by machine-learning classification methods.
Step 7: Trojan callback detection.
The possible attack points of the trojan callback stage include access to C&C IPs/URLs and the DGA domain request process.
Detection of C&C IPs/URLs can be based on the IP and URL databases from historical APT attacks, or on the callback IPs or URLs captured during dynamic sandbox analysis of malicious files.
Detection of DGA domain requests means identifying, in DNS traffic, requests to resolve domain names generated by a domain generation algorithm (DGA).
Step 8: Privilege escalation detection.
Detection of the attack points of the privilege escalation stage covers vulnerability exploitation and password cracking behaviour.
Step 9: Internal reconnaissance detection.
Detection of the attack points of the internal reconnaissance stage covers port scanning captured in intranet traffic and remote SMB overflow attacks within the intranet.
Step 10: Lateral movement detection.
Detection of the attack points of the lateral movement stage covers password brute-forcing captured in intranet traffic and malicious file delivery.
Step 11: Data theft detection.
The attack points of the data theft stage include covert-channel transmission, transmission of steganographic files and transmission of illegitimate data over port 80;
Step 12: Determine whether the attack behaviour of any attack point has occurred.
If, in the attack-point detection of steps 5 to 11, the primitive behaviour is judged to be attack behaviour, proceed to step 13 for further processing; if the primitive behaviour satisfies none of the detection conditions of the attack points in steps 5 to 11, return to step 1 for further processing.
Step 13: Record the attack behaviour and raise an alert.
Primitive behaviour identified as attack behaviour is marked, and a standard log is produced in alert form.
Step 14: Store the alert information.
The alert log is written to a relational database.
Step 15: Correlate the alert information to generate the attack chain.
Using the attacking source IP and attacked IP in the alert information, the stage position of each attack point within the APT attack life cycle, and the time of each alert, correlate the alerts to generate the APT attack chain. The APT attack chain uses IPs as nodes and connects the IPs by the names of the attack points of the confirmed successful APT attack life cycle; the line between two IP nodes can aggregate and display the attack method, number of attacks, attack start and end time and threat degree, and can be clicked to drill into the details.
Following the several stages of the APT attack life cycle, the APT attack chain can further sketch automatically an IP node path diagram running from the initial intrusion stage to the data theft stage; if no IP node path diagram covering the full APT attack life cycle is found, it sketches the IP node path diagram of the longest path, so that the node devices most urgently in need of remediation can be located quickly.
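An added worked example of step 15 (and of step D above), written for this page rather than taken from the patent: the alerts, addresses and attack names are constructed. The code collapses alerts into IP-to-IP edges carrying the attack point names, count and start/end times shown on the line between two nodes, then searches for a node path with strictly increasing life-cycle stage and non-decreasing time, preferring a path from the initial intrusion stage to the data theft stage and otherwise returning the longest path found. The stage names and the strict-monotonicity rule are this example's choices.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven stages of the life cycle, indexed 1..7 as in step B1.
STAGES = ("initial_intrusion", "foothold", "trojan_callback", "privilege_escalation",
          "internal_reconnaissance", "lateral_movement", "data_theft")


@dataclass(frozen=True)
class Alert:
    ts: int        # alert time, seconds
    src_ip: str    # attacking source IP
    dst_ip: str    # attacked IP
    stage: int     # position in the APT life cycle, 1..7
    attack: str    # attack point name


# Constructed alerts for one intrusion (not from the patent). The stage-3 alert
# is the compromised host calling back to the attacker's C&C address, so the
# attacker IP appears as both source and destination of edges.
ALERTS: List[Alert] = [
    Alert(100,  "203.0.113.9", "10.0.0.20",   1, "phishing_mail"),
    Alert(160,  "203.0.113.9", "10.0.0.21",   1, "malicious_file_delivery"),
    Alert(400,  "10.0.0.20",   "203.0.113.9", 3, "c2_callback"),
    Alert(900,  "203.0.113.9", "10.0.0.20",   4, "exploit"),
    Alert(1200, "10.0.0.20",   "10.0.0.30",   5, "port_scan"),
    Alert(1500, "10.0.0.20",   "10.0.0.31",   6, "password_bruteforce"),
    Alert(1800, "10.0.0.31",   "10.0.0.40",   7, "covert_channel"),
]

Edge = Tuple[str, str, int]   # (src_ip, dst_ip, stage)


def build_edges(alerts) -> Dict[Edge, dict]:
    """Collapse alerts into IP->IP edges per stage, keeping the attack point
    names, the number of attacks and the first/last alert time for the line
    drawn between two nodes."""
    edges: Dict[Edge, dict] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        e = edges.setdefault((a.src_ip, a.dst_ip, a.stage),
                             {"attacks": set(), "count": 0, "start": a.ts, "end": a.ts})
        e["attacks"].add(a.attack)
        e["count"] += 1
        e["end"] = a.ts
    return edges


def _rank(path: List[Edge]):
    """Prefer a path from stage 1 to stage 7; among the rest, the longest."""
    if not path:
        return (0, 0)
    full = path[0][2] == 1 and path[-1][2] == len(STAGES)
    return (int(full), len(path))


def attack_chain(edges) -> List[Edge]:
    """Depth-first search for the IP node path whose stages strictly increase
    and whose times do not decrease. Because the stage must increase at every
    hop the depth is bounded by 7, so a node may legitimately be revisited
    (attacker -> victim -> attacker -> victim) without any cycle."""
    out = defaultdict(list)
    for (src, dst, stage), e in edges.items():
        out[src].append((dst, stage, e["start"]))
    best: List[Edge] = []

    def walk(node, stage, t, path):
        nonlocal best
        if _rank(path) > _rank(best):
            best = path
        for dst, s, start in out[node]:
            if s > stage and start >= t:
                walk(dst, s, start, path + [(node, dst, s)])

    for src in list(out):
        walk(src, 0, 0, [])
    return best


def chain_nodes(path: List[Edge]) -> List[str]:
    """IP nodes of the path in order, the attacker's address first."""
    return [path[0][0]] + [dst for _, dst, _ in path] if path else []


def render_chain(path: List[Edge], edges) -> str:
    """Text form of the node path with the per-line summary from step 15."""
    parts = []
    for src, dst, stage in path:
        e = edges[(src, dst, stage)]
        label = f"{STAGES[stage - 1]}: {','.join(sorted(e['attacks']))} x{e['count']} @{e['start']}-{e['end']}"
        parts.append(f"{src} -[{label}]-> ")
    return "".join(parts) + (path[-1][1] if path else "")


if __name__ == "__main__":
    edges = build_edges(ALERTS)
    path = attack_chain(edges)
    print("full life cycle" if _rank(path)[0] else "longest partial path")
    print(render_chain(path, edges))
```

On the constructed data the search returns the five-hop path 203.0.113.9 -> 10.0.0.20 -> 203.0.113.9 -> 10.0.0.20 -> 10.0.0.31 -> 10.0.0.40 covering stages 1, 3, 4, 6 and 7; dropping the stage-7 alert makes it fall back to a four-hop partial path, which is the case the text describes as "longest path".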
Step 16: Aggregate analysis of the IP reputation and threat degree involved in the alert information.
By aggregate analysis of all attack alert information, the system identifies the attacking source IPs that continually attempt attacks in different APT stages, against different target IPs, using different protocols and attack methods, classifies these source IPs as potential low-reputation IPs, and thereby confirms the IP reputation.
By aggregate analysis of all attack alert information, the system identifies the IPs that, in adjacent APT attack stages, appear both as attack initiator and as attack recipient, classifies these IPs as potentially controlled IPs, and thereby confirms the IP threat degree.
Step 17: Update the IP threat-degree store.
The IP threat-degree store holds IP-address-based threat-degree information; it is persisted in a relational database and also cached in memory so that the check in step 3 performs better.
Step 18: Update the IP reputation store.
The IP reputation store holds IP-address-based reputation information; it is persisted in a relational database and also cached in memory so that the check in step 3 performs better.
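Steps 3, 4, 16, 17 and 18 (and sub-steps C1 to C3 in the summary) together form the feedback loop between alerts and detection thresholds. The following Python is an added worked example, not the patent's code: it derives reliability and infection coefficients from a constructed alert history and then uses them to scale the threshold of a lateral-movement brute-force detector, so that a known attacker or a likely-infected host trips the detector on fewer failed logins than an unknown host. The scoring weights, the weighting formula and the base threshold are this example's assumptions; the patent specifies only that a weighted calculation is used and that both coefficients lie between 0 and 100. Addresses and records are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven stages of step B1, indexed 1..7.
STAGES = ("initial_intrusion", "foothold", "trojan_callback", "privilege_escalation",
          "internal_reconnaissance", "lateral_movement", "data_theft")


@dataclass(frozen=True)
class Alert:
    ts: int        # alert time, seconds
    src_ip: str    # attacking source IP
    dst_ip: str    # attacked IP
    stage: int     # position in the APT life cycle, 1..7
    protocol: str
    attack: str    # attack point name


# Constructed alert history (not taken from the patent).
ALERTS: List[Alert] = [
    Alert(100,  "203.0.113.9", "10.0.0.20", 1, "SMTP", "phishing_mail"),
    Alert(160,  "203.0.113.9", "10.0.0.21", 1, "HTTP", "malicious_file_delivery"),
    Alert(400,  "203.0.113.9", "10.0.0.22", 2, "HTTP", "webshell_implant"),
    Alert(900,  "203.0.113.9", "10.0.0.20", 4, "HTTP", "exploit"),
    Alert(1200, "10.0.0.20",   "10.0.0.30", 5, "SMB",  "port_scan"),
    Alert(1500, "10.0.0.20",   "10.0.0.31", 6, "SMB",  "password_bruteforce"),
    Alert(1800, "10.0.0.31",   "10.0.0.40", 7, "HTTP", "covert_channel"),
]


def reputation_scores(alerts) -> Dict[str, int]:
    """Step C1 / first paragraph of step 16: a source IP that keeps attacking
    across different stages, targets, protocols and techniques gets a low
    reliability coefficient (0..100, higher = more trustworthy). The penalty
    weights are this example's assumption."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src_ip].append(a)
    scores = {}
    for ip, al in by_src.items():
        penalty = (15 * len({a.stage for a in al}) + 10 * len({a.dst_ip for a in al})
                   + 5 * len({a.protocol for a in al}) + 5 * len({a.attack for a in al})
                   + 2 * len(al))
        scores[ip] = max(0, 100 - penalty)
    return scores


def infected_scores(alerts) -> Dict[str, int]:
    """Step C2 / second paragraph of step 16: an IP that is the victim of a
    stage-k alert and later the source of a stage-(k+1) alert is probably
    controlled. 40 points per such adjacent-stage pair is an assumption."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    pairs = defaultdict(int)
    for i, victim in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.src_ip == victim.dst_ip and later.stage == victim.stage + 1:
                pairs[victim.dst_ip] += 1
    return {ip: min(100, 40 * n) for ip, n in pairs.items()}


def adjusted_threshold(base: int, src_ip: str, dst_ip: str,
                       reputation: Dict[str, int], infected: Dict[str, int]) -> int:
    """Steps 3 and 4: if either IP has an entry in the reputation or threat
    store, scale the detector's base threshold by a weighted factor; IPs with
    no entry keep the base threshold. The 0.6/0.4 weighting is an assumption."""
    if not ({src_ip, dst_ip} & (set(reputation) | set(infected))):
        return base
    rep = reputation.get(src_ip, 100) / 100                       # 1.0 = fully trusted
    clean = 1 - max(infected.get(src_ip, 0), infected.get(dst_ip, 0)) / 100
    return max(1, int(round(base * (0.6 * rep + 0.4 * clean))))


def brute_force_hits(failed_logins, reputation, infected, base=20, window=60
                     ) -> List[Tuple[str, str, int, int]]:
    """Step 10 detector: failed logins per (src, dst) in a sliding window,
    compared against the IP-adjusted threshold. Returns (src, dst, count, limit)."""
    by_pair = defaultdict(list)
    for ts, src, dst in failed_logins:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        times.sort()
        limit = adjusted_threshold(base, src, dst, reputation, infected)
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= window) >= limit:
                hits.append((src, dst, len(times), limit))
                break
    return hits


# Constructed failed-login records (ts, src, dst): ten attempts per pair in 30 s.
FAILED_LOGINS = ([(2000 + 3 * i, "203.0.113.9", "10.0.0.50") for i in range(10)]
                 + [(2000 + 3 * i, "10.0.0.99", "10.0.0.98") for i in range(10)])


def run_example():
    rep = reputation_scores(ALERTS)
    inf = infected_scores(ALERTS)
    return rep, inf, brute_force_hits(FAILED_LOGINS, rep, inf)


if __name__ == "__main__":
    rep, inf, hits = run_example()
    print(rep, inf, hits)
```

With these weights the external attacker's reliability coefficient falls to 0, the two hosts that were attacked and then attacked onward receive an infection coefficient of 40, and the brute-force threshold for traffic from the attacker drops from 20 to 8 failed logins while an unknown pair keeps the base threshold; only the attacker's ten attempts are reported.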
With this, the APT attack life cycle is divided by attack stage, the attack points of the different attack stages are detected in depth from multiple dimensions, the attack clues found in one attack stage are further used as the detection basis for the other stages, and the detection results of each stage are further correlated to generate an APT attack chain, realising a system for multi-dimensional, in-depth detection of APT attacks.
Finally, it should be noted that the above are only specific embodiments of the present invention. Obviously the invention is not limited to the above embodiments and many variations are possible. All variations that a person of ordinary skill in the art can derive or infer directly from the disclosure of the present invention are considered to fall within the protection scope of the invention.

Claims (4)

1. A method for multi-dimensional, in-depth detection of APT attacks, characterised in that it comprises the following steps:
Step A: a traffic collection module collects traffic for common network application-layer protocol packets and parses and reconstructs them;
the traffic collection module can capture the network application-layer protocol packets in bypass (mirrored) traffic, and, through IP fragment reassembly, TCP stream reassembly and application-layer protocol parsing, parses and reconstructs the packets according to the application specifications of the common network application-layer protocols, finally obtaining the specific network application behaviour contained in those packets;
Step B: for the possible attack points in each attack stage of the APT attack life cycle, analyse and detect the network application behaviour obtained in step A, record attack behaviour and raise alerts;
Step C: use the attack alert information produced by detection at the individual attack points to further optimise the detection policies and mechanisms of each attack point;
Step D: use the attack alert information produced by detection at the individual attack points, together with the attacking source IP, the attacked IP, the position of each attack point within the APT attack life cycle and the time of each alert, to correlate and generate APT attack chains.
2. The method for multi-dimensional, in-depth detection of APT attacks according to claim 1, characterised in that the analysis and detection in step B of the possible attack points in each stage of the APT attack life cycle can adjust the detection threshold by means of the reliability coefficient and the infection coefficient of the source and destination IP addresses, so as to achieve different detection intensities;
the reliability coefficient of an IP address is a value in the range 0 to 100 and can be obtained from the IP reputation information; the IP reputation information is a two-dimensional store keyed by IP address whose values are the IP reliability coefficients;
the infection coefficient of an IP address is a value in the range 0 to 100 and can be obtained from the IP threat-degree information; the IP threat-degree information is a two-dimensional store keyed by IP address whose values are the IP infection coefficients;
step B specifically includes the following sub-steps:
Step B1: the APT attack life cycle is divided into 7 attack stages: initial intrusion, establishing a foothold, trojan callback, privilege escalation, internal reconnaissance, lateral movement and data theft;
Step B2: for the initial intrusion stage, detect e-mail social-engineering attacks and malicious file delivery;
Step B3: for the foothold stage, detect receipt of malicious files and Webshell implantation;
Step B4: for the trojan callback stage, detect access to C&C IPs/URLs, DGA domain requests and use of Webshells;
Step B5: for the privilege escalation stage, detect vulnerability exploitation and password cracking;
Step B6: for the internal reconnaissance stage, detect intranet port scanning and remote SMB overflow attacks within the intranet;
Step B7: for the lateral movement stage, detect intranet password brute-forcing and malicious file delivery;
Step B8: for the data theft stage, detect covert-channel transmission, transmission of steganographic files and transmission of illegitimate data over port 80.
3. The method for multi-dimensional deep detection of APT attacks according to claim 1, characterized in that step C specifically includes the following sub-steps:
Step C1: by statistical analysis of all attack alert information, detect the attack source IPs that routinely attempt attacks in different APT attack stages, against different target IPs, and using different protocols and attack patterns, and generate the IP credibility information from them;
The IP credibility information is a two-dimensional information base keyed on IP address with the IP reliability coefficient as its value; the IP reliability coefficient is represented by a numerical value in the range 0 to 100, and the larger the value, the higher the credibility of the accesses initiated by that IP, i.e. the relatively smaller the possibility that they are attacks;
Step C2: by statistical analysis of all attack alert information, detect the IPs that, in adjacent APT attack stages, act both as attack initiator and as attack recipient, and generate the IP threat degree information from them;
The IP threat degree information is a two-dimensional information base keyed on IP address with the IP infection coefficient as its value; the IP infection coefficient is represented by a numerical value in the range 0 to 100, and the larger the value, the higher the possibility that the IP is infected; further, the possibility that a source IP accessing that IP is an attacker IP is correspondingly higher, and the possibility that accesses initiated by that IP towards other IPs attack those IPs through lateral movement is also correspondingly higher;
Step C3: the generated IP credibility information and IP threat degree information are synchronized into the detection policies of step B for the attack points of the seven attack stages of the APT attack life cycle.
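As an added illustration of claims 2 and 3 (example code written for this page, not the patent's implementation), the following Python derives the two reputation tables of step C from a constructed alert stream and feeds them into the stage-specific detection thresholds of step B. The scoring rules (20 points per distinct attack combination, 50 points per adjacent-stage recipient-then-initiator pair, the weakest-signal scale factor), the base thresholds, the field names and the sample IPs are all assumptions made for this example; the patent only specifies that both coefficients lie in 0 to 100 and that they adjust the thresholds.

```python
from collections import defaultdict
from dataclasses import dataclass

# The seven life-cycle stages of step B1, in attack order (index = stage position).
STAGES = ["initial_intrusion", "foothold", "trojan_callback", "privilege_escalation",
          "internal_recon", "lateral_movement", "data_theft"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Constructed base thresholds (events per window before an alert fires) for the
# detection items of steps B2..B8; the numbers are illustrative, not the patent's.
BASE_THRESHOLD = {
    "initial_intrusion": 3, "foothold": 2, "trojan_callback": 5,
    "privilege_escalation": 5, "internal_recon": 50, "lateral_movement": 10,
    "data_theft": 5,
}


@dataclass(frozen=True)
class Alert:
    """One attack alert as consumed by step C (field names are assumptions)."""
    stage: str
    src_ip: str
    dst_ip: str
    protocol: str
    pattern: str


def credibility_coefficients(alerts):
    """Step C1: IP credibility information, keyed by IP, value 0..100.

    Constructed scoring: each distinct (stage, target, protocol, pattern)
    combination in which an IP appears as attacker costs 20 points, so an IP
    that routinely attacks many targets in many ways drops towards 0.  IPs
    never seen attacking are absent and default to 100 (fully credible).
    """
    combos = defaultdict(set)
    for a in alerts:
        combos[a.src_ip].add((a.stage, a.dst_ip, a.protocol, a.pattern))
    return {ip: max(0, 100 - 20 * len(c)) for ip, c in combos.items()}


def infection_coefficients(alerts):
    """Step C2: IP threat degree information, keyed by IP, value 0..100.

    An IP that is the recipient of an attack in stage i and the initiator of
    an attack in the adjacent stage i+1 is probably compromised.
    Constructed scoring: 50 points per such adjacent-stage pair, capped at 100.
    IPs without such a pair are absent and default to 0.
    """
    as_dst, as_src = defaultdict(set), defaultdict(set)
    for a in alerts:
        as_dst[a.dst_ip].add(STAGE_INDEX[a.stage])
        as_src[a.src_ip].add(STAGE_INDEX[a.stage])
    result = {}
    for ip in set(as_dst) | set(as_src):
        pairs = sum(1 for i in as_dst[ip] if i + 1 in as_src[ip])
        if pairs:
            result[ip] = min(100, 50 * pairs)
    return result


def adjusted_threshold(stage, src_ip, dst_ip, credibility, infection):
    """Claim 2 / step C3: scale the stage's base threshold by the reputations.

    The threshold shrinks (detection becomes stricter) when the source is a
    known attacker or when either endpoint is probably infected: an infected
    source is likely spreading laterally, an infected destination is likely
    under attack.  The scale factor is the weakest of the three signals
    (an assumption of this example); the result never drops below 1.
    """
    factor = min(credibility.get(src_ip, 100),
                 100 - infection.get(src_ip, 0),
                 100 - infection.get(dst_ip, 0)) / 100
    return max(1, round(BASE_THRESHOLD[stage] * factor))


# Constructed alert stream following one intrusion through the life cycle.
ALERTS = [
    Alert("initial_intrusion", "203.0.113.7", "10.0.0.5", "smtp", "malicious_attachment"),
    Alert("initial_intrusion", "203.0.113.7", "10.0.0.6", "http", "malicious_file_delivery"),
    Alert("foothold", "203.0.113.7", "10.0.0.5", "http", "webshell_implant"),
    Alert("trojan_callback", "10.0.0.5", "198.51.100.9", "dns", "dga_request"),
    Alert("internal_recon", "10.0.0.5", "10.0.0.20", "tcp", "port_scan"),
    Alert("lateral_movement", "10.0.0.5", "10.0.0.20", "smb", "password_bruteforce"),
    Alert("data_theft", "10.0.0.20", "198.51.100.9", "http", "covert_channel_port80"),
]

if __name__ == "__main__":
    cred, inf = credibility_coefficients(ALERTS), infection_coefficients(ALERTS)
    print("credibility:", cred)
    print("infection:", inf)
    print("lateral_movement threshold 10.0.0.5 -> 10.0.0.20:",
          adjusted_threshold("lateral_movement", "10.0.0.5", "10.0.0.20", cred, inf))
    print("lateral_movement threshold for two unknown hosts:",
          adjusted_threshold("lateral_movement", "10.0.0.99", "10.0.0.98", cred, inf))
```

With the constructed stream, 10.0.0.5 is attacked in the initial intrusion and foothold stages and then itself initiates the trojan call-back, so it receives an infection coefficient of 50; the brute-force threshold for its traffic towards 10.0.0.20 falls from 10 to 4, while the same detector keeps its base threshold of 10 for two hosts with no history.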
4. The method for multi-dimensional deep detection of APT attacks according to claim 1, characterized in that in step D the APT attack chain takes IPs as nodes and connects the IPs by the attack point names of the confirmed successful attacks of the APT attack life cycle; on the line between two IP nodes, the attack patterns, the number of attacks, the attack start and end times and the threat degree can be aggregated and displayed, and the details can be drilled into by clicking;
The APT attack chain can, according to the attack stages of the APT attack life cycle, automatically trace an IP node path graph from the initial intrusion stage to the data theft stage; if no IP node path graph covering the entire APT attack life cycle is found, the IP node path graph with the longest path is traced instead, so that the node devices most urgently in need of remediation can be located quickly.
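As an added illustration of claim 4 (example code written for this page, not the patent's implementation), the following Python aggregates confirmed attacks into edges between IP nodes, each carrying the summary the claim displays on the line, and then traces the IP node path from initial intrusion to data theft, falling back to the longest path when no full life-cycle path exists. The record fields, the rule that stage order must strictly increase along a path, the tie-break by earliest stage sequence and the sample data are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# The seven life-cycle stages of step B1, in attack order.
STAGES = ["initial_intrusion", "foothold", "trojan_callback", "privilege_escalation",
          "internal_recon", "lateral_movement", "data_theft"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}


@dataclass(frozen=True)
class ConfirmedAttack:
    """A confirmed successful attack between two IPs (constructed record)."""
    stage: str
    src_ip: str
    dst_ip: str
    pattern: str
    count: int
    first_seen: str   # ISO-8601 timestamps, constructed
    last_seen: str
    threat: int       # threat degree 0..100 of the attacked node


def build_edges(attacks):
    """Collapse confirmed attacks into one edge per (src, dst, stage) carrying
    the summary shown on the line: attack patterns, number of attacks,
    start/end time and threat degree."""
    edges = {}
    for a in attacks:
        e = edges.setdefault((a.src_ip, a.dst_ip, a.stage), {
            "patterns": set(), "count": 0,
            "start": a.first_seen, "end": a.last_seen, "threat": 0})
        e["patterns"].add(a.pattern)
        e["count"] += a.count
        e["start"] = min(e["start"], a.first_seen)
        e["end"] = max(e["end"], a.last_seen)
        e["threat"] = max(e["threat"], a.threat)
    return edges


def all_paths(edges):
    """Enumerate maximal IP node paths in which each edge starts where the
    previous one ended and the stage index strictly increases (assumed rule;
    it also makes the walk acyclic, so a plain DFS terminates)."""
    out_edges = defaultdict(list)
    for (src, dst, stage) in edges:
        out_edges[src].append((STAGE_INDEX[stage], dst))
    paths = []

    def walk(node, last_stage, path):
        extended = False
        for stage_idx, dst in sorted(out_edges[node]):
            if stage_idx > last_stage:
                extended = True
                walk(dst, stage_idx, path + [(node, STAGES[stage_idx], dst)])
        if path and not extended:
            paths.append(path)

    for start in list(out_edges):
        walk(start, -1, [])
    return paths


def attack_chain_path(attacks):
    """Claim 4: return (path, covers_full_lifecycle).

    Prefer a path that runs from initial_intrusion to data_theft; if none
    exists, return the longest path found so the most urgent node devices
    can still be located.  Ties are broken by the earliest stage sequence
    (an assumption, for determinism).  Each path element is (src, stage, dst).
    """
    paths = all_paths(build_edges(attacks))
    if not paths:
        return [], False

    def covers(p):
        return p[0][1] == STAGES[0] and p[-1][1] == STAGES[-1]

    def stage_seq(p):
        return tuple(STAGE_INDEX[s] for _, s, _ in p)

    best = min(paths, key=lambda p: (not covers(p), -len(p), stage_seq(p)))
    return best, covers(best)


# Constructed confirmed attacks for one intrusion (same hosts as a typical chain).
ATTACKS = [
    ConfirmedAttack("initial_intrusion", "203.0.113.7", "10.0.0.5", "malicious_attachment", 2, "2017-08-01T09:00", "2017-08-01T09:05", 40),
    ConfirmedAttack("foothold", "203.0.113.7", "10.0.0.5", "webshell_implant", 1, "2017-08-01T09:30", "2017-08-01T09:30", 60),
    ConfirmedAttack("trojan_callback", "10.0.0.5", "198.51.100.9", "dga_request", 120, "2017-08-01T10:00", "2017-08-03T10:00", 60),
    ConfirmedAttack("internal_recon", "10.0.0.5", "10.0.0.20", "port_scan", 800, "2017-08-02T01:00", "2017-08-02T01:20", 70),
    ConfirmedAttack("lateral_movement", "10.0.0.5", "10.0.0.20", "password_bruteforce", 300, "2017-08-02T02:00", "2017-08-02T02:30", 70),
    ConfirmedAttack("data_theft", "10.0.0.20", "198.51.100.9", "covert_channel_port80", 15, "2017-08-03T03:00", "2017-08-03T04:00", 90),
]

if __name__ == "__main__":
    path, full = attack_chain_path(ATTACKS)
    print("full life cycle:", full)
    for src, stage, dst in path:
        print(f"  {src} -[{stage}]-> {dst}")
    path, full = attack_chain_path(ATTACKS[:-1])   # without the data theft edge
    print("full life cycle:", full, "longest:", [s for _, s, _ in path])
```

With all six records the traced path is 203.0.113.7 to 10.0.0.5 to 10.0.0.20 to 198.51.100.9 through the initial intrusion, internal reconnaissance and data theft stages; dropping the data theft edge leaves no full-life-cycle path, so the longest path (initial intrusion followed by trojan call-back) is returned instead and flagged as incomplete.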
CN201710731477.0A 2017-08-23 2017-08-23 Method for multi-dimensional deep detection of APT (advanced persistent threat) attack Active CN107370755B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710731477.0A CN107370755B (en) 2017-08-23 2017-08-23 Method for multi-dimensional deep detection of APT (advanced persistent threat) attack

Publications (2)

Publication Number Publication Date
CN107370755A true CN107370755A (en) 2017-11-21
CN107370755B CN107370755B (en) 2020-03-03

Family

ID=60311784

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710731477.0A Active CN107370755B (en) 2017-08-23 2017-08-23 Method for multi-dimensional deep detection of APT (advanced persistent threat) attack

Country Status (1)

Country Link
CN (1) CN107370755B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103354548A (en) * 2013-06-28 2013-10-16 华为数字技术(苏州)有限公司 Method, device and system for detecting highly persistent threat attack
US20140115706A1 (en) * 2012-10-19 2014-04-24 ZanttZ,Inc. Network infrastructure obfuscation
CN103905418A (en) * 2013-11-12 2014-07-02 北京安天电子设备有限公司 APT multi-dimensional detection and defense system and method
CN105024976A (en) * 2014-04-24 2015-11-04 中国移动通信集团山西有限公司 Advanced persistent threat attack recognition method and device
CN105376245A (en) * 2015-11-27 2016-03-02 杭州安恒信息技术有限公司 Rule-based detection method of ATP attack behavior

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107888607A (en) * 2017-11-28 2018-04-06 新华三技术有限公司 A kind of Cyberthreat detection method, device and network management device
CN107888607B (en) * 2017-11-28 2020-11-06 新华三技术有限公司 Network threat detection method and device and network management equipment
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods
CN108040075A (en) * 2018-01-31 2018-05-15 海南上德科技有限公司 A kind of APT attack detection systems
CN108040075B (en) * 2018-01-31 2020-09-01 海南上德科技有限公司 APT attack detection system
CN108833437A (en) * 2018-07-05 2018-11-16 成都康乔电子有限责任公司 One kind being based on flow fingerprint and the matched APT detection method of communication feature
CN109284317A (en) * 2018-10-26 2019-01-29 山东中孚安全技术有限公司 A kind of extraction of steal information clue and Segment evaluation method based on timing digraph
CN109446810A (en) * 2018-10-31 2019-03-08 杭州安恒信息技术股份有限公司 Malicious file defence method, device and the electronic equipment rewritten based on request
CN109309591A (en) * 2018-10-31 2019-02-05 掌阅科技股份有限公司 Data on flows statistical method, electronic equipment and storage medium
CN109309591B (en) * 2018-10-31 2021-10-22 掌阅科技股份有限公司 Traffic data statistical method, electronic device and storage medium
CN109446810B (en) * 2018-10-31 2021-05-25 杭州安恒信息技术股份有限公司 Malicious file defense method and device based on request rewriting and electronic equipment
CN109067815A (en) * 2018-11-06 2018-12-21 深信服科技股份有限公司 Attack Source Tracing method, system, user equipment and storage medium
CN109660515A (en) * 2018-11-15 2019-04-19 中国科学院信息工程研究所 Attack chain detection method and device
CN109660515B (en) * 2018-11-15 2020-05-12 中国科学院信息工程研究所 Attack chain detection method and device
CN109347882B (en) * 2018-11-30 2021-12-21 深信服科技股份有限公司 Webpage Trojan horse monitoring method, device, equipment and storage medium
CN109347882A (en) * 2018-11-30 2019-02-15 深信服科技股份有限公司 Webpage Trojan horse monitoring method, device, equipment and storage medium
CN109660539A (en) * 2018-12-20 2019-04-19 北京神州绿盟信息安全科技股份有限公司 It falls device identification method, device, electronic equipment and storage medium
CN109660539B (en) * 2018-12-20 2020-12-25 北京神州绿盟信息安全科技股份有限公司 Method and device for identifying defect-losing equipment, electronic equipment and storage medium
CN109922069A (en) * 2019-03-13 2019-06-21 中国科学技术大学 The multidimensional association analysis method and system that advanced duration threatens
CN112152962B (en) * 2019-06-26 2022-10-28 北京观成科技有限公司 Threat detection method and system
CN112152962A (en) * 2019-06-26 2020-12-29 北京观成科技有限公司 Threat detection method and system
CN110602042A (en) * 2019-08-07 2019-12-20 中国人民解放军战略支援部队信息工程大学 APT attack behavior analysis and detection method and device based on cascade attack chain model
CN111723378A (en) * 2020-06-17 2020-09-29 浙江网新恒天软件有限公司 Website directory blasting method based on website map
CN111723378B (en) * 2020-06-17 2023-03-10 浙江网新恒天软件有限公司 Website directory blasting method based on website map
CN113596037A (en) * 2021-07-31 2021-11-02 南京云利来软件科技有限公司 APT attack detection method based on event relation directed graph in network full flow
CN113596037B (en) * 2021-07-31 2023-04-14 广州广电研究院有限公司 APT attack detection method based on event relation directed graph in network full flow
CN113746832A (en) * 2021-09-02 2021-12-03 华中科技大学 Multi-method mixed distributed APT malicious flow detection defense system and method
CN113746832B (en) * 2021-09-02 2022-04-29 华中科技大学 Multi-method mixed distributed APT malicious flow detection defense system and method
CN113839950A (en) * 2021-09-27 2021-12-24 厦门天锐科技股份有限公司 Mail approval method and system based on terminal mail SMTP protocol
CN113839950B (en) * 2021-09-27 2023-06-27 厦门天锐科技股份有限公司 Mail approval method and system based on terminal mail SMTP protocol
CN116032527A (en) * 2022-11-08 2023-04-28 广东广信通信服务有限公司 Cloud computing-based data security vulnerability sensing system and method

Also Published As

Publication number Publication date
CN107370755B (en) 2020-03-03

Similar Documents

Publication Publication Date Title
CN107370755A (en) A kind of method of the profound detection APT attacks of various dimensions
Saad et al. Countering selfish mining in blockchains
CN101610264B (en) Firewall system, safety service platform and firewall system management method
US8516575B2 (en) Systems, methods, and media for enforcing a security policy in a network including a plurality of components
US8826400B2 (en) System for automated prevention of fraud
CN106790313A (en) Intrusion prevention method and device
CN103229185B (en) System and method for the local protection for Malware
CN111245793A (en) Method and device for analyzing abnormity of network data
CN107634967B (en) CSRFtoken defense system and method for CSRF attack
CN107872456A (en) Network intrusion prevention method, apparatus, system and computer-readable recording medium
CN102685081B (en) A kind of web-page requests security processing and system
CN107888607A (en) A kind of Cyberthreat detection method, device and network management device
CN106657025A (en) Network attack behavior detection method and device
CN105471912B (en) Monitor the safety defense method and system of network
CN104620225B (en) Method and system for server security checking
CN112567707A (en) Enhanced techniques for generating and deploying dynamic false user accounts
CN106650436A (en) Safety detecting method and device based on local area network
CN105915532A (en) Method and device for recognizing fallen host
CN101978376A (en) Method and system for protection against information stealing software
Damghani et al. Classification of attacks on IoT
US20210051176A1 (en) Systems and methods for protection from phishing attacks
CN108259514A (en) Leak detection method, device, computer equipment and storage medium
CN110266673A (en) Security strategy optimized treatment method and device based on big data
CN105871775B (en) A kind of safety protecting method and DPMA Protection Model
CN108040036A (en) A kind of industry cloud Webshell safety protecting methods

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310051 No. 188 Lianhui Street, Xixing Street, Binjiang District, Hangzhou City, Zhejiang Province

Applicant after: Hangzhou Annan information technology Limited by Share Ltd

Address before: 15th floor, Zhongcai Building, No. 68 Binjiang District Road, Hangzhou City, Zhejiang Province, 310051

Applicant before: Dbappsecurity Co.,ltd.

GR01 Patent grant