CN107426159A - APT monitoring and defence method based on big data analysis - Google Patents
- Publication number: CN107426159A (application CN201710304060.6A)
- Authority: CN (China)
- Prior art keywords: information, collecting zone, data, network, collected
- Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion, and no legal analysis has been performed)
Classifications
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/101: Access control lists [ACL]
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L63/1483: Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
Abstract
The invention discloses an APT monitoring and defence method based on big data analysis, characterised in that it comprises the following steps: network hierarchy division of the collection area, dividing it into a basic information network and important information systems; collecting the data of each collection area, where protocol data including traffic data and database data is collected within the collection area; distinguishing the collected information by feature; clustering the collected information to realise dynamic perception of security events and discover abnormal patterns, so as to produce warning information; and presenting the analysis results. The invention employs session-oriented packet reassembly, legitimacy detection of application network communication sessions, and filtering and blocking of network communication processes, and provides multiple functions such as information-flow detection and alarming, operation-process supervision and auditing, and data restoration and recovery support.
Description
Technical field
The present invention relates to the field of network security monitoring, and in particular to an APT monitoring and defence method based on big data analysis.
Background technology
Against the background of the rapid development of global network informatization, advanced persistent threats (APT), which are covert, penetrating and highly targeted, pose an ever-growing threat to all kinds of high-grade information security systems, and organized APT attacks on specific targets increasingly confront national and enterprise network information systems and data security with severe challenges. For example, in 2008 China's Great Wall network suffered attack and infiltration by network hackers of the U.S. Department of Defense, who implanted backdoors and stole information; Stuxnet in 2010, after years of preparation and dormancy, successfully attacked industrial control systems located inside a physically isolated intranet and delayed Iran's nuclear programme; Night Dragon in 2011 stole extremely sensitive internal documents from several multinational energy giants; and the Flame super-virus in 2012 obtained large amounts of confidential information from countries across the Middle East. It can be seen that APT attacks already pose a grave danger to the security of all kinds of key information infrastructure, and APT defence work is urgent. In APT defence work, attack detection is the premise and foundation of security protection and hardening, and also the most difficult part of APT defence, so detection technology has become a research hotspot in the APT defence field. However, judging from typical cases, APT attacks have extremely strong concealment and targeting, and traditional detection equipment is mostly helpless in the face of them.
The content of the invention
The object of the invention is to overcome the deficiencies of the prior art and provide an APT monitoring and defence method based on big data analysis that realises defence against APT attacks within the monitored area and effectively prevents APT attacks.
The object of the invention is achieved through the following technical solution: an APT monitoring and defence method based on big data analysis, comprising the following steps:
S1: network hierarchy division of the collection area: the collection area is divided into a basic information network and important information systems;
S2: collecting the data of each collection area: protocol data, including traffic data and database data, is collected within the collection area;
S3: distinguishing the collected information by feature;
S4: clustering the collected information, realising dynamic perception of security events and discovering abnormal patterns, so as to produce warning information;
S5: presenting the analysis results.
Further, the network hierarchy division of the collection area specifically divides it into a basic information network and important information systems.
Further, the basic information network is the network of individual users.
Further, the important information systems are the network management centres of the centralized networks of the medical, banking, electric power and property sectors.
Further, collecting the data of each collection area comprises the following steps:
S21: install a collector in the collection area;
S22: collect all host logs in the collection area using host probes;
S23: collect the mail, social-platform traffic data, database operation data, remote control data and network congestion control data within the area using network probes;
S24: detect the device maintenance information of the collection area using the collector, and realise communication between the collection area and the front-end data acquisition platform.
Further, distinguishing the collected information by feature comprises:
establishing a mail feature library and performing feature extraction on the collected mail, with deep analysis in particular of mails whose body contains links and mails with attachments;
establishing a social-platform feature library, performing feature extraction on the collected social-platform information and deep analysis of on-platform content that carries links;
establishing a behaviour feature library from analysis of the internet access behaviour data of individuals inside the attacked organization, to identify possible spear-phishing and spoofing attacks;
establishing an intranet data-flow feature library and performing data-flow whitelist modelling.
Further, clustering the collected information makes the distance between individuals belonging to the same class as small as possible and the distance between individuals of different classes as large as possible.
Further, presenting the analysis results means generating all kinds of forms and analysis reports.
The beneficial effects of the invention are as follows: the invention employs session-oriented packet reassembly and legitimacy detection of application network communication sessions, performs filtering and blocking of network communication processes, and provides multiple functions such as information-flow detection and alarming, operation-process supervision and auditing, and data restoration and recovery support. It has an obvious promoting effect on the overall advancement of domestic forensics product technology.
Brief description of the drawings
Fig. 1 is a flow chart of the method of the invention.
Embodiment
The technical scheme of the invention is described in further detail below with reference to the accompanying drawing, but the protection scope of the invention is not limited to what is described below.
As shown in Fig. 1, the APT monitoring and defence method based on big data analysis comprises the following steps:
S1: network hierarchy division of the collection area: the collection area is divided into a basic information network and important information systems.
The network hierarchy division of the collection area specifically divides it into a basic information network and important information systems.
The basic information network is the network of individual users.
The important information systems are the network management centres of the centralized networks of the medical, banking, electric power and property sectors.
S2: collecting the data of each collection area; protocol data, including traffic data and database data, is collected within the collection area, specifically:
S21: install a collector in the collection area;
S22: collect all host logs in the collection area using host probes;
S23: collect the mail, social-platform traffic data, database operation data, remote control data and network congestion control data within the area using network probes;
S24: detect the device maintenance information of the collection area using the collector, and realise communication between the collection area and the front-end data acquisition platform.
S3: distinguishing the collected information by feature.
Mail and social-networking-site domain knowledge base modelling. Since mail and social networking sites are the two intrusion channels most often used by APT attacks, this scheme focuses on the security monitoring of mail and of social networking sites. On the basis of full reconstruction and analysis of HTTP and mail protocol sessions, feature libraries of popular mail services and mainstream social networking sites are established. Sample collection and signature analysis are performed on bank mail and online-shopping-platform mail among popular mail, and the content of each user mail is matched against these features. Mails whose body contains links and mails carrying attachments undergo deep analysis.
A social-platform feature library is established, feature extraction is performed on the collected social-platform information, and on-platform content carrying links undergoes deep analysis, with feature extraction in particular for the popular domestic social platforms (WeChat and 10 World Jam).
A behaviour feature library is established from analysis of the internet access behaviour data of individuals inside the attacked organization, to identify possible spear-phishing and spoofing attacks.
An intranet data-flow feature library is established and data-flow whitelist modelling is performed.
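The mail feature library, the deep analysis of mails with links or attachments, and the intranet data-flow whitelist of step S3 above, worked through as an added example in Python (this is not code from the patent or its applicant). The brand-to-domain library, the domain names, the sample message, the baseline flows and the risky-extension heuristic are all constructed for illustration.

```python
"""Added example (not the patent's code): mail feature extraction against a
constructed feature library, plus intranet data-flow whitelist modelling.
Domains, hosts, ports and the library entries below are hypothetical."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed mail feature library: brand keyword -> legitimate sender domains.
MAIL_FEATURE_LIBRARY = {
    "examplebank": {"examplebank.test"},
    "shopmart": {"shopmart.test"},
}
# Assumed heuristic: attachment extensions that warrant a closer look.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def analyze_mail(raw: bytes) -> dict:
    """Extract the features the method calls for (sender, links, attachments)
    and match them against the feature library."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, sender_addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower() if "@" in sender_addr else ""
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    link_domains = sorted({(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)})
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]

    findings = []
    # Brand the mail claims to come from, judged from display name and subject.
    claimed = f"{display_name} {subject}".lower()
    brand = next((b for b in MAIL_FEATURE_LIBRARY if b in claimed), None)
    if brand:
        legit = MAIL_FEATURE_LIBRARY[brand]
        if sender_domain not in legit:
            findings.append("sender_spoof")      # impersonation of a known brand
        if any(d not in legit for d in link_domains):
            findings.append("link_mismatch")     # link leads away from the brand
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments):
        findings.append("risky_attachment")
    return {
        "sender_domain": sender_domain,
        "claimed_brand": brand,
        "link_domains": link_domains,
        "attachments": attachments,
        # the method singles out mails with links or attachments for deep analysis
        "needs_deep_analysis": bool(link_domains or attachments),
        "findings": findings,
    }


def build_flow_whitelist(baseline_flows):
    """Learn the set of (src, dst, dport) triples seen during a clean baseline."""
    return {(src, dst, dport) for src, dst, dport in baseline_flows}


def flag_flows(whitelist, flows):
    """Return flows that fall outside the learned whitelist."""
    return [f for f in flows if (f[0], f[1], f[2]) not in whitelist]


# Constructed sample: lookalike bank domain, off-brand link and an .exe attachment.
PHISHING_MAIL = b"""\
From: "ExampleBank Security" <alerts@examp1ebank-login.test>
To: staff@corp.test
Subject: ExampleBank: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please confirm at https://examp1ebank-login.test/verify within 24h.
--b1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed intranet flows (src, dst, dport); baseline is the learning window.
BASELINE_FLOWS = [("10.0.1.10", "10.0.2.5", 445), ("10.0.1.10", "10.0.2.9", 3306)]
NEW_FLOWS = [("10.0.1.10", "10.0.2.5", 445), ("10.0.1.10", "203.0.113.7", 443)]

if __name__ == "__main__":
    print(analyze_mail(PHISHING_MAIL))
    print(flag_flows(build_flow_whitelist(BASELINE_FLOWS), NEW_FLOWS))
```

The whitelist is keyed on the full (source, destination, port) triple rather than on destinations alone, so a known host opening a new egress channel is surfaced even when the destination port is common; in a deployment the baseline window would be drawn from the probe data of S2 rather than hard-coded.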
S4: clustering the collected information, realising dynamic perception of security events and discovering abnormal patterns, so as to produce warning information.
All kinds of evidence are analysed and clustered to realise dynamic perception of all kinds of security events. Event clustering, under unsupervised conditions, divides the data into different classes according to their different features, making the distance between individuals of the same class as small as possible and the distance between individuals of different classes as large as possible. Through clustering, alert events that appear in clumps can be analysed, abnormal patterns discovered, and warning information produced.
S5: presenting the analysis results. According to the needs of the using entity, all kinds of forms and analysis reports are generated. A practical and friendly interface queries the data-warehouse content, and realises session replay and the management and maintenance of each platform, such as backup and deletion.
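The clustering of S4 and the report generation of S5, as an added example in Python (not code from the patent): a small k-means run over constructed alert events, scored on the criterion the text states (small intra-class distance, large inter-class distance), with the minority cluster reported as an abnormal pattern. The feature set, hosts, event values and the 30% minority threshold used to call a cluster abnormal are assumptions.

```python
"""Added example (not the patent's code): unsupervised clustering of alert
events, flagging the minority cluster as an abnormal pattern and rendering a
short report. Events, hosts and feature values are constructed."""
import math
from collections import defaultdict

FEATURE_NAMES = ("hour", "egress_kb", "distinct_dsts", "failed_logins")

# Constructed alert events: (event_id, host, hour, egress_kb, distinct_dsts, failed_logins)
EVENTS = [
    ("e01", "ws-01", 9, 120, 4, 0),
    ("e02", "ws-02", 10, 80, 3, 1),
    ("e03", "ws-03", 11, 150, 5, 0),
    ("e04", "ws-04", 13, 95, 4, 0),
    ("e05", "ws-05", 14, 200, 6, 1),
    ("e06", "ws-06", 15, 60, 3, 0),
    ("e07", "ws-07", 16, 130, 5, 0),
    ("e08", "ws-08", 12, 110, 4, 0),
    ("e09", "ws-03", 2, 6500, 45, 12),   # off-hours bulk egress to many destinations
    ("e10", "ws-03", 3, 7200, 52, 9),
    ("e11", "srv-db", 2, 5800, 40, 15),
]


def normalize(rows):
    """Min-max scale each feature so no single unit dominates the distance."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k=2, max_iter=100):
    """Plain k-means with farthest-point initialisation, so the run is deterministic."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist(p, c) for c in centroids))
        centroids.append(list(far))
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels, centroids


def cluster_alerts(events, k=2, minority_fraction=0.3):
    """Cluster events, measure intra/inter-class distance, and turn small
    clusters into warning information (assumed threshold: minority_fraction)."""
    points = normalize([list(e[2:]) for e in events])
    labels, centroids = kmeans(points, k)
    clusters = defaultdict(list)
    for e, p, l in zip(events, points, labels):
        clusters[l].append((e, p))
    intra = {j: sum(dist(p, centroids[j]) for _, p in m) / len(m) for j, m in clusters.items()}
    inter = min((dist(centroids[a], centroids[b]) for a in range(k) for b in range(a + 1, k)),
                default=0.0)
    warnings = []
    for j, members in clusters.items():
        if len(members) <= minority_fraction * len(events):
            warnings.append({
                "cluster": j,
                "events": [e for e, _ in members],
                "profile": dict(zip(FEATURE_NAMES, [round(c, 2) for c in centroids[j]])),
            })
    return {"labels": labels, "intra_cluster_distance": intra,
            "inter_centroid_distance": inter, "warnings": warnings}


def render_report(result):
    """Step S5: a plain-text analysis report built from the clustering result."""
    lines = [f"clusters: {len(result['intra_cluster_distance'])}, "
             f"warnings: {len(result['warnings'])}"]
    for w in result["warnings"]:
        ids = ", ".join(e[0] for e in w["events"])
        hosts = ", ".join(sorted({e[1] for e in w["events"]}))
        lines.append(f"abnormal pattern in cluster {w['cluster']}: events {ids}; hosts {hosts}")
        lines.append(f"  normalized profile: {w['profile']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(cluster_alerts(EVENTS)))
```

Min-max scaling before clustering matters here: egress volume is measured in thousands while failed logins are single digits, and without scaling the clustering would effectively key on one feature. The minority-cluster rule is one simple way to read "alert events that appear in clumps" as an abnormal pattern; the intra/inter distances returned let an analyst check that the split is well separated before trusting the warning.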
The above is only a preferred embodiment of the invention. It should be understood that the invention is not limited to the forms described herein, which are not to be taken as excluding other embodiments; it may be used in various other combinations, modifications and environments, and may be modified within the scope contemplated herein through the above teachings or through the skill or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the invention all fall within the protection scope of the appended claims.
Claims (8)
1. An APT monitoring and defence method based on big data analysis, characterised in that it comprises the following steps:
S1: network hierarchy division of the collection area: the collection area is divided into a basic information network and important information systems;
S2: collecting the data of each collection area: protocol data, including traffic data and database data, is collected within the collection area;
S3: distinguishing the collected information by feature;
S4: clustering the collected information, realising dynamic perception of security events and discovering abnormal patterns, so as to produce warning information;
S5: presenting the analysis results.
2. The APT monitoring and defence method based on big data analysis according to claim 1, characterised in that the network hierarchy division of the collection area specifically divides it into a basic information network and important information systems.
3. The APT monitoring and defence method based on big data analysis according to claim 2, characterised in that the basic information network is the network of individual users.
4. The APT monitoring and defence method based on big data analysis according to claim 2, characterised in that the important information systems are the network management centres of the centralized networks of the medical, banking, electric power and property sectors.
5. The APT monitoring and defence method based on big data analysis according to claim 1, characterised in that collecting the data of each collection area comprises the following steps:
S21: install a collector in the collection area;
S22: collect all host logs in the collection area using host probes;
S23: collect the mail, social-platform traffic data, database operation data, remote control data and network congestion control data within the area using network probes;
S24: detect the device maintenance information of the collection area using the collector, and realise communication between the collection area and the front-end data acquisition platform.
6. The APT monitoring and defence method based on big data analysis according to claim 1, characterised in that distinguishing the collected information by feature comprises:
establishing a mail feature library and performing feature extraction on the collected mail, with deep analysis in particular of mails whose body contains links and mails with attachments;
establishing a social-platform feature library, performing feature extraction on the collected social-platform information and deep analysis of on-platform content that carries links;
establishing a behaviour feature library from analysis of the internet access behaviour data of individuals inside the attacked organization, to identify possible spear-phishing and spoofing attacks;
establishing an intranet data-flow feature library and performing data-flow whitelist modelling.
7. The APT monitoring and defence method based on big data analysis according to claim 1, characterised in that clustering the collected information makes the distance between individuals belonging to the same class as small as possible and the distance between individuals of different classes as large as possible.
8. The APT monitoring and defence method based on big data analysis according to claim 1, characterised in that presenting the analysis results means generating all kinds of forms and analysis reports.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710304060.6A CN107426159A (en) | 2017-05-03 | 2017-05-03 | APT based on big data analysis monitors defence method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107426159A true CN107426159A (en) | 2017-12-01 |
Family
ID=60425288
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107426159A (en) |
Events
- 2017-05-03: application CN201710304060.6A filed in CN (status: Pending)
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140330841A1 (en) * | 2013-05-01 | 2014-11-06 | Timothy Alan Barrett | Method, system and apparatus for facilitating discovery of items sharing common attributes |
CN104753946A (en) * | 2015-04-01 | 2015-07-01 | 浪潮电子信息产业股份有限公司 | Security analysis framework based on network traffic metadata |
CN104852927A (en) * | 2015-06-01 | 2015-08-19 | 国家电网公司 | Safety comprehensive management system based on multi-source heterogeneous information |
CN105721416A (en) * | 2015-11-16 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | Apt event attack organization homology analysis method and apparatus |
CN105681298A (en) * | 2016-01-13 | 2016-06-15 | 成都安信共创检测技术有限公司 | Data security abnormity monitoring method and system in public information platform |
CN106254317A (en) * | 2016-07-21 | 2016-12-21 | 柳州龙辉科技有限公司 | A kind of data security exception monitoring system |
Non-Patent Citations (1)
Title |
---|
付钰 et al. (Fu Yu et al.): "基于大数据分析的APT攻击检测研究综述" (A survey of APT attack detection research based on big data analysis), 《通信学报》 (Journal on Communications) * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109951419A (en) * | 2017-12-20 | 2019-06-28 | 广东电网有限责任公司电力调度控制中心 | A kind of APT intrusion detection method based on attack chain attack rule digging |
CN108848102A (en) * | 2018-07-02 | 2018-11-20 | 北京网藤科技有限公司 | A kind of APT attack early warning system and its method for early warning |
CN108848102B (en) * | 2018-07-02 | 2021-04-13 | 北京网藤科技有限公司 | APT attack early warning system and early warning method thereof |
CN109088869A (en) * | 2018-08-14 | 2018-12-25 | 北京科东电力控制系统有限责任公司 | APT attack detection method and device |
CN109088869B (en) * | 2018-08-14 | 2021-09-28 | 北京科东电力控制系统有限责任公司 | APT attack detection method and device |
CN111885087A (en) * | 2020-08-05 | 2020-11-03 | 杭州安恒信息技术股份有限公司 | Intranet computer network behavior monitoring method, device and equipment |
CN114301659A (en) * | 2021-12-24 | 2022-04-08 | 中国电信股份有限公司 | Network attack early warning method, system, device and storage medium |
CN114301659B (en) * | 2021-12-24 | 2024-04-05 | 中国电信股份有限公司 | Network attack early warning method, system, equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107426159A (en) | APT based on big data analysis monitors defence method | |
CN105208037B (en) | A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection | |
Kumar et al. | Machine learning classification model for network based intrusion detection system | |
CN101399658B (en) | Safe log analyzing method and system | |
CN103118036A (en) | Cloud end based intelligent security protection system and method | |
CN106790186A (en) | Multi-step attack detection method based on multi-source anomalous event association analysis | |
CN108183888A (en) | A kind of social engineering Network Intrusion path detection method based on random forests algorithm | |
Tchakoucht et al. | Building a fast intrusion detection system for high-speed-networks: Probe and dos attacks detection | |
CN105471882A (en) | Behavior characteristics-based network attack detection method and device | |
CN104660594A (en) | Method for identifying virtual malicious nodes and virtual malicious node network in social networks | |
CN102333313A (en) | Feature code generation method and detection method of mobile botnet | |
CN107172022A (en) | APT threat detection method and system based on intrusion feature | |
CN103905459A (en) | Cloud-based intelligent security defense system and defense method | |
CN108200067A (en) | Big data information network adaptive security guard system based on trust computing | |
CN102130920A (en) | Botnet discovery method and system thereof | |
CN104836805A (en) | Network intrusion detection method based on fuzzy immune theory | |
CN106973051B (en) | Establish the method, apparatus and storage medium of detection Cyberthreat model | |
CN107493258A (en) | A kind of intruding detection system based on network security | |
CN107493259A (en) | A kind of network security control system | |
CN107018143A (en) | The monitoring system of defense for the APT monitoring defence platforms analyzed based on big data | |
Kadam et al. | Various approaches for intrusion detection system: an overview | |
CN116055071A (en) | Industrial control network threat information generation system and method based on hidden network traffic mining | |
CN106897619A (en) | Mobile terminal from malicious software cognitive method and device | |
Wang et al. | Artificial immune intelligence-inspired dynamic real-time computer forensics model | |
Wu et al. | Meta-analysis of network information security and Web data mining techniques |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20171201 |