CN107786531B - APT attack detection method and device - Google Patents


Info

Publication number
CN107786531B
Authority
CN
China
Prior art keywords
address
file
mail
stored
hash value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710155925.7A
Other languages
Chinese (zh)
Other versions
CN107786531A (en)
Inventor
张澍滋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201710155925.7A
Publication of CN107786531A
Application granted
Publication of CN107786531B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention relates to an APT attack detection method, which comprises the following steps: acquiring an outlet IP address of a local area network; comparing the outlet IP address with a prestored IP address in a prestored IP address file; if the outlet IP address is consistent with the prestored IP address in comparison, detecting whether a file appears in the local area network access content; if the file appears in the local area network access content, calculating the hash value of the file; comparing the hash value of the file with a pre-stored hash value in a pre-stored hash value file; and if the hash value of the file is consistent with the comparison of the pre-stored hash values, generating a safety warning and sending the safety warning to the terminal. The method can improve the detection accuracy of the APT attack. In addition, an APT attack detection device is also provided.

Description

APT attack detection method and device
Technical Field
The invention relates to the technical field of computers, in particular to an APT attack detection method and device.
Background
APT (Advanced Persistent Threat) is a new type of attack and threat that is organized, targeted, covert, destructive, and long lasting. When performing an APT attack, the attacker usually either remotely controls an internal server of the enterprise to launch an external DDoS (distributed denial of service) attack, or uploads a malicious file and leaves a backdoor so that the internal network of the enterprise can conveniently be invaded again later.
For the above APT attack, the conventional detection method analyzes whether the collected device logs, system logs, and application logs conform to preset determination rules. However, because the conventional method relies on log determination rules, when the volume of log information is very large the information that is usable for determining an APT attack is easily extracted by mistake, so the false alarm rate of APT attack detection is high and its accuracy is low.
Disclosure of Invention
In view of the foregoing, it is necessary to provide an APT attack detection method and apparatus for improving detection accuracy.
An APT attack detection method, the method comprising:
acquiring an outlet IP address of a local area network;
comparing the outlet IP address with a prestored IP address in a prestored IP address file;
if the outlet IP address is consistent with the prestored IP address in comparison, detecting whether a file appears in the local area network access content;
if the file appears in the local area network access content, calculating the hash value of the file;
comparing the hash value of the file with a pre-stored hash value in a pre-stored hash value file;
and if the hash value of the file is consistent with the comparison of the pre-stored hash values, generating a safety warning and sending the safety warning to the terminal.
In one embodiment, whether a new IP address and/or a new hash value appear in a prestored website is detected; and if the pre-stored website has a new IP address and/or a new hash value, adding the new IP address and/or the new hash value into a pre-stored IP address file and/or a pre-stored hash value file.
In one embodiment, after the generating a security warning and sending the security warning to a terminal if the hash value of the file matches the pre-stored hash value, the method further includes: acquiring a first source IP address for providing the file; and adding the first source IP address to the pre-stored IP address file.
In one embodiment, the method further comprises: detecting whether the mail appears in the local area network access content; if the local area network access content has the mail, acquiring a mail source address and a mail destination address of the mail; comparing the mail source address/mail destination address of the mail with the pre-stored mail address; and if the mail source address/the mail destination address of the mail is consistent with the pre-stored mail address in comparison, generating a safety warning and sending the safety warning to the terminal.
In one embodiment, after the generating and sending a security warning to the terminal if the mail source address/mail destination address of the mail matches the pre-stored mail address, the method further includes: acquiring a second source IP address corresponding to the mail source address; and adding the second IP source address into the prestored IP address file.
An APT attack detection apparatus, the apparatus comprising:
the outlet IP address acquisition module is used for acquiring an outlet IP address of the local area network;
the IP address comparison module is used for comparing the outlet IP address with a prestored IP address;
the file detection module is used for detecting whether a file appears in the local area network access content if the export IP address is consistent with the prestored IP address;
the file hash value calculation module is used for calculating the hash value of the file if the file appears in the local area network access content;
the hash value comparison module is used for comparing the hash value of the file with a prestored hash value in a prestored hash value file;
and the safety warning generation module is used for generating a safety warning and sending the safety warning to the terminal if the hash value of the file is consistent with the comparison of the pre-stored hash values.
In one embodiment, the apparatus further comprises: the first pre-stored file updating module is used for detecting whether a pre-stored website has a new IP address and/or a new hash value, and if the pre-stored website has the new IP address and/or the new hash value, the new IP address and/or the new hash value are/is added into a pre-stored IP address file and/or a pre-stored hash value file.
In one embodiment, the apparatus further comprises: and the second pre-stored file updating module is used for acquiring a first source IP address for providing the file and adding the first source IP address to the pre-stored IP address file.
In one embodiment, the apparatus further comprises: the mail detection module is used for detecting whether a mail appears in the local area network access content; the mail address acquisition module is used for acquiring a mail source address and a mail destination address of a mail if the mail appears in the local area network access content; the mail address comparison module is used for comparing the mail source address/the mail destination address of the mail with the pre-stored mail address; and the safety warning sending module is also used for generating a safety warning and sending the safety warning to the terminal if the mail source address/mail destination address of the mail is consistent with the pre-stored mail address in comparison.
In one embodiment, the apparatus further includes: and the third pre-stored file updating module is used for acquiring a second source IP address corresponding to the mailbox source address and adding the second source IP address to the pre-stored IP address file.
According to the APT attack detection method and device, the exit IP address of the local area network is obtained, the exit IP address is compared with the prestored IP address in the prestored IP address file, if the exit IP address is consistent with the prestored IP address in comparison, whether the file appears in the access content of the local area network is detected, if the file appears in the access content of the local area network, the hash value of the file is calculated, the hash value of the file is compared with the prestored hash value in the prestored hash value file, and if the hash value of the file is consistent with the prestored hash value in comparison, a safety warning is generated and sent to the terminal. The method comprises the steps of comparing an outlet IP address of an enterprise local area network with a pre-collected IP address to determine that the server of the enterprise local area network is subjected to the APT attack, comparing a hash value of a file appearing in the access content of the local area network with a pre-collected hash value to detect the specific action position and the attack type of the APT attack, and determining that the pre-collected IP address and the hash value are a malicious IP address and a malicious hash value which are confirmed by the public and are subjected to the APT attack to the outside, so that the accuracy of the detected APT attack is high.
Drawings
FIG. 1 is a diagram of an application environment of the APT attack detection method in one embodiment;
FIG. 2 is an internal block diagram of a server in one embodiment;
FIG. 3 is a flow diagram of a method for APT attack detection in one embodiment;
FIG. 4 is a flow diagram of the mail-based APT attack detection method of FIG. 3 in one embodiment;
FIG. 5 is a flowchart of an APT attack detection method in another embodiment;
FIG. 6 is a block diagram showing the structure of an APT attack detection apparatus according to an embodiment;
FIG. 7 is a block diagram showing the structure of an APT attack detection apparatus according to another embodiment;
FIG. 8 is a block diagram of an APT attack detection apparatus according to still another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The APT attack detection method provided by the embodiment of the invention can be applied to the environment shown in figure 1. Referring to fig. 1, the server 102 may send the generated security alarm to the terminal 104, or may receive a processing result returned after the terminal 104 performs corresponding processing according to the security alarm. Specifically, the server 102 communicates with the terminal 104 through a network, the server 102 acquires an exit IP address of a local area network, compares the exit IP address with a prestored IP address, if the exit IP address is consistent with the prestored IP address, detects whether a file appears in the local area network access content, if the file appears in the local area network access content, calculates a hash value of the file, compares the hash value of the file with a prestored hash value in a prestored hash value file, if the hash value of the file is consistent with the prestored hash value, generates a safety warning and sends the safety warning to the terminal 104, and the terminal 104 returns a processing result to the server 102 and the like after performing corresponding processing according to the safety warning. The terminal includes, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, portable wearable devices, and the like.
In an embodiment, as shown in fig. 2, a server is further provided, where the server includes a processor, a nonvolatile storage medium, an internal memory, and a network connection port, which are connected by a system bus, where the nonvolatile storage medium stores an operating system and computer-executable instructions, and the computer-executable instructions are used to implement an APT attack detection method applicable to a terminal provided in the embodiment of the present application. The processor is used for improving the calculation and control capacity and supporting the operation of the whole server. The internal memory is used to provide an environment for the operating system and the execution of computer-executable instructions in the non-volatile storage medium. The network interface is used for network communication with the terminal. Those skilled in the art will appreciate that the architecture shown in fig. 2 is a block diagram of only a portion of the architecture associated with the subject application, and does not constitute a limitation on the servers to which the subject application applies, and in particular that a server may include more or fewer components than shown, or combine certain components, or have a different arrangement of components.
In one embodiment, as shown in fig. 3, there is provided an APT attack detection method, which is described as applied to a server as in fig. 2, and includes:
step 302, obtain the exit IP address of the local area network.
The exit IP address of the local area network is the IP address with which the local area network where the current server is located communicates externally; one local area network corresponds to one exit IP. There are three ways to obtain the exit IP address of the LAN: through a third-party website or tool, by logging in directly to the broadband router, or by executing a mail sending command in a command execution window, such as "telnetsmtp.
Step 304, comparing the exit IP address with the pre-stored IP address.
In this embodiment, the pre-stored IP address file is a file obtained in advance from an IP address blacklist published on the global APT attack information sharing website and stored locally, where the IP address blacklist may be stored on the web page in file form or may be displayed directly on the web page; the pre-stored IP addresses are the IP addresses in the IP address blacklist, namely the malicious IP addresses that have initiated APT attacks.
And step 306, if the outlet IP address is consistent with the pre-stored IP address in comparison, detecting whether a file appears in the local area network access content.
If the exit IP address of the local area network where the current server is located is the same as a pre-stored IP address, then, since the enterprise itself does not actively launch APT attacks on the outside, this indicates that a server of the enterprise local area network has been used as a springboard for an APT attack. An APT attack is generally implemented by uploading a malicious file and leaving a backdoor; therefore, after it is determined that an APT attack has occurred on a server of the enterprise LAN, it is necessary to detect on which server and on which file transmission the APT attack specifically acts, and so whether a file appears in the access content of the LAN is detected.
Specifically, detecting whether a file appears in the local area network access content may be done by detecting whether a file header character string or a file extension name appears in the local area network access content. The file header is a piece of data located at the beginning of the file that carries out a certain task; for example, the header of a GIF file is 47494638 (hexadecimal). A file extension, also called the suffix name of a file, is a mechanism used by an operating system to mark the type of a file; typically, an extension is a string of characters following the primary file name, separated by a separator, as in "123.doc", where "123" is the primary file name and "doc" is the file extension.
Step 308, if the file appears in the local area network access content, calculating the hash value of the file.
A hash value is a binary value of fixed length to which a binary value of arbitrary length is mapped by a hash algorithm; the hash value of a file is the fixed-length binary value to which the content of the file is mapped by the hash algorithm.
In this embodiment, the uniqueness of the hash value is used as an identifier for distinguishing files; for example, two files with the same content have the same hash value even if their file names differ.
And step 310, comparing the hash value of the file with a pre-stored hash value in a pre-stored hash value file.
In this embodiment, similarly, the pre-stored hash value file is a file obtained in advance from a hash value blacklist published on the global APT attack information sharing website and stored locally, where the hash value blacklist may be stored on the web page in file form or may be displayed directly on the web page; the pre-stored hash values are the hash values in the hash value blacklist, namely the hash values of malicious files that have launched APT attacks.
And step 312, if the hash value of the file is consistent with the comparison of the pre-stored hash values, generating a safety warning and sending the safety warning to the terminal.
If the hash value of the file in the local area network access content is the same as the hash value of the pre-stored malicious file, the fact that the server of the local area network is attacked by the APT based on the file is shown. After detecting the APT attack, generating a safety warning aiming at the APT attack, wherein the safety warning comprises an attack type, an attack level, attack detection time and the like, and sending the safety warning to a terminal where operation and maintenance personnel are located so that the operation and maintenance personnel can process the APT attack in time (such as deleting a malicious file and an export IP of a local area network in a prestored IP address file).
In this embodiment, the exit IP address of the enterprise LAN is first compared with the pre-collected IP addresses to determine that a server of the enterprise LAN has been subjected to an APT attack (for example, an attacker remotely controlling an internal server of the enterprise to launch a distributed denial of service attack on the outside), and then the hash value of a file appearing in the access content of the LAN is compared with the pre-collected hash values to detect the specific action position and attack type of the APT attack. Because the pre-collected IP addresses and hash values are malicious IP addresses and malicious hash values that have been publicly confirmed to have launched APT attacks on the outside, the accuracy of the detected APT attack is high.
In one embodiment, after step 312, the method further comprises: detecting whether a new IP address and/or a new hash value appears on a pre-stored website; and if a new IP address and/or a new hash value appears on the pre-stored website, adding the new IP address and/or the new hash value to the pre-stored IP address file and/or the pre-stored hash value file.
The pre-stored website is a pre-collected global APT attack information sharing website; if, for example, the website releases APT attack information at 2 pm every day, the detection of new IP addresses and/or new hash values is performed at 2 pm every day, so that the data in the pre-stored IP address file and/or the pre-stored hash value file is updated in real time.
In the embodiment, the accuracy rate of detecting the APT attack is further improved by updating the pre-stored IP address and/or the pre-stored hash value in the pre-stored IP address file and/or the pre-stored hash value file in real time.
In one embodiment, after step 312, further comprising: acquiring a first source IP address of a provided file; the first source IP address is added to a pre-stored IP address file. Wherein the first source IP address is an IP address of a sender of the detected malicious file. In the embodiment, the IP address of the sender which is confirmed to be the malicious file is added into the prestored IP address file, so that the number of the prestored IP addresses is increased for detecting the server-based APT attack, and the accuracy of detecting the APT attack is further improved.
In one embodiment, as shown in fig. 4, after step 312, the method further includes:
step 402, detecting whether mail appears in the local area network access content.
Detecting whether mail appears in the access content of the local area network may be done by detecting whether a mail transmission protocol (such as SMTP, the simple mail transfer protocol, or POP3, post office protocol version 3) appears among the data transmission protocols used by the local area network; if the simple mail transfer protocol or post office protocol version 3 appears, mail transmission is taking place in the local area network. Alternatively, it may be detected whether the suffix of a mailbox address appears in the local area network access content; if such a suffix appears, mail transmission is taking place in the local area network.
Step 404, if the mail appears in the local area network access content, the mail source address and the mail destination address of the mail are obtained.
The mail source address is the mailbox address of the mail sender; accordingly, the mail destination address is a mailbox address of the mail recipient. According to the simple mail transmission protocol and the post office protocol version 3, the mail source address and the mail destination address of the mail transmitted in the local area network can be obtained.
In step 406, the mail source address/mail destination address of the mail is compared with the pre-stored mail address.
In this embodiment, similarly, the pre-stored mail address file is a file obtained in advance from a mail address blacklist published on the global APT attack information sharing website and stored locally, where the mail address blacklist may be stored on the web page in file form or may be displayed directly on the web page; the pre-stored mail addresses are the mail addresses in the mail address blacklist, namely the mail addresses that have initiated APT attacks.
And step 408, if the mail source address/mail destination address of the mail is the same as the pre-stored mail address, generating a safety warning and sending the safety warning to the terminal.
If the mail source address is the same as the pre-stored mail address or the mail destination address is the same as the pre-stored mail address, it indicates that the local area network is attacked by the APT based on the mail, and at this time, a security warning needs to be generated and sent to the operation and maintenance personnel terminal, so that the operation and maintenance personnel can timely process the APT attack (such as deleting the malicious mail and the export IP of the local area network in the pre-stored IP address file).
In the embodiment, after the server of the enterprise local area network is determined to be subjected to the APT attack, the mail source address and/or the mail destination address of the mail appearing in the access content of the local area network are/is compared with the pre-stored mail address, so that the APT attack based on the mail is detected, and meanwhile, the accuracy of the detected APT attack is high because the pre-stored mail address is a malicious mail address confirmed by the public and subjected to the APT attack to the outside.
In one embodiment, after step 408, the method further comprises: acquiring a second source IP address corresponding to the mail source address; and adding the second source IP address to the pre-stored IP address file. The second source IP address is the IP address of the sender of the mail. In this embodiment, the IP address of the sender confirmed to have sent the malicious mail is added to the pre-stored IP address file, so that the number of pre-stored IP addresses available for detecting the server-based APT attack is increased, and the accuracy of detecting the APT attack is further improved.
In one embodiment, after step 408, the method further comprises: detecting whether a new mail address appears on the pre-stored website, and if a new mail address appears on the pre-stored website, adding the new mail address to a pre-stored mail address file.
In one embodiment, as shown in fig. 5, another APT attack detection method is provided, including:
step 502, obtain the exit IP address of the LAN.
In this embodiment, the exit IP address of the external communication of the lan is obtained through a third-party website (e.g., www.ip138.com).
And step 504, comparing the outlet IP address with a prestored IP address in a prestored IP address file.
The pre-stored IP address file comprises a plurality of pre-stored IP addresses, and the acquired outlet IP addresses are compared with the pre-stored IP addresses one by one.
Step 506, if the comparison between the export IP address and the pre-stored IP address is consistent, whether a file appears in the local area network access content is detected.
If the outlet IP address of the local area network where the current server is located is consistent with one prestored IP address in the prestored IP address file in comparison, whether file transmission is carried out in the access content of the local area network is detected by monitoring the communication flow of the local area network so as to detect the file-based APT attack.
Step 508, if the file appears in the local area network access content, calculating the hash value of the file.
In this embodiment, whether a file header character string appears in the local area network access content is detected, and if the file header character string appears in the local area network access content, the file is extracted, and the hash value of the file is calculated according to the file content.
Step 510, comparing the hash value of the file with a pre-stored hash value in a pre-stored hash value file.
The pre-stored hash value file comprises a plurality of pre-stored hash values, and the hash values of the file are compared with the pre-stored hash values one by one.
And step 512, if the hash value of the file is consistent with the pre-stored hash value, generating a safety warning and sending the safety warning to the terminal.
If the hash value of the file is consistent with a pre-stored hash value comparison in the pre-stored hash value file, detecting the APT attack based on the file, generating a safety warning for the APT attack at the moment, wherein the safety warning comprises an attack type, an attack level, attack detection time and the like, and sending the safety warning to a terminal where IT operation and maintenance personnel are located, so that the operation and maintenance personnel correspondingly process the detected APT attack, such as deleting the file.
In addition, after the file-based APT attack is detected, a first source IP address for providing the file is obtained, and the first source IP address is added to the pre-stored IP address file, so that the file provider can be detected to carry out intrusion attack on the server, and the accuracy rate of detecting the server-based APT attack is improved.
Step 514, detect if mail is present in the local area network access content.
Whether mail transmission is carried out in the access content of the local area network is detected by monitoring the communication flow of the local area network so as to detect the APT attack based on the mail.
Step 516, if the mail appears in the local area network access content, the mail source address and the mail destination address of the mail are obtained.
In this embodiment, according to the simple mail transfer protocol and the post office protocol version 3, a mail source address and a mail destination address for mail transfer in the local area network are acquired.
Step 518, comparing the mail source address/mail destination address of the mail with the pre-stored mail address.
In this embodiment, the pre-stored mail address file includes a plurality of mail addresses, and the mail source address and/or the mail destination address are/is compared with the pre-stored mail addresses one by one.
And step 520, if the mail source address/mail destination address of the mail is consistent with the pre-stored mail address in comparison, generating a safety warning and sending the safety warning to the terminal.
If the mail source address is consistent with one prestored mail address in the prestored mail address file or the mail destination address is consistent with one prestored mail address in the prestored mail address file, the APT attack based on the mail is detected, at the moment, a safety warning is generated aiming at the APT attack, wherein the safety warning comprises the attack type, the attack level, the attack detection time and the like, and the safety warning is sent to a terminal where operation and maintenance personnel are located, so that the operation and maintenance personnel correspondingly process the detected APT attack, such as deleting the mail.
In addition, after the APT attack based on the mail is detected, a second source IP address corresponding to the mail source address is obtained, and the second source IP address is added into a prestored IP address file, so that the intrusion attack of the mail sender to the server is detected, and the accuracy of detecting the APT attack based on the mail is improved.
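The two detection branches described above, the file branch (hash comparison, then the file provider's IP added to the pre-stored IP address file) and the mail branch of steps 514 to 520 (address comparison, then the sender's IP added), can be sketched as a small detector. This is an added illustration, not code from the patent or its assignee. The `Detector` class, the choice of SHA-256 as the hash function (the patent names no algorithm), the in-memory sets standing in for the three pre-stored files, and the indicator values (documentation IP ranges and the reserved `.invalid` domain) are all assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parseaddr
from typing import Optional

# Constructed stand-ins for the patent's pre-stored IP address file, hash
# value file and mail address file. Every value is a placeholder drawn from
# documentation ranges / the reserved .invalid TLD, not a real indicator.
PRESTORED_IPS = {"203.0.113.7"}
PRESTORED_HASHES = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}
PRESTORED_MAILS = {"attacker@example.invalid"}


@dataclass
class SafetyWarning:
    """The warning the method sends to the operations terminal."""
    attack_type: str
    attack_level: str
    detection_time: str
    detail: str


@dataclass
class Detector:
    # Mutable copies of the pre-stored files; a match adds source IPs to `ips`.
    ips: set = field(default_factory=lambda: set(PRESTORED_IPS))
    hashes: set = field(default_factory=lambda: set(PRESTORED_HASHES))
    mails: set = field(default_factory=lambda: set(PRESTORED_MAILS))
    sent_warnings: list = field(default_factory=list)  # stands in for the terminal

    def _warn(self, attack_type: str, level: str, detail: str) -> SafetyWarning:
        w = SafetyWarning(attack_type, level,
                          datetime.now(timezone.utc).isoformat(), detail)
        self.sent_warnings.append(w)
        return w

    def egress_matches(self, egress_ip: str) -> bool:
        """Compare the LAN's egress IP with the pre-stored IP addresses.
        Canonicalising through ipaddress avoids textual mismatches."""
        try:
            return str(ipaddress.ip_address(egress_ip.strip())) in self.ips
        except ValueError:
            return False

    def check_file(self, egress_ip: str, file_bytes: bytes,
                   source_ip: str) -> Optional[SafetyWarning]:
        """File branch: only when the egress IP matched, hash the file seen in
        the LAN access content and compare it with the pre-stored hashes. On a
        match the first source IP (the file provider) is added to the IP list."""
        if not self.egress_matches(egress_ip):
            return None
        digest = hashlib.sha256(file_bytes).hexdigest()  # SHA-256 is an assumption
        if digest not in self.hashes:
            return None
        self.ips.add(source_ip)
        return self._warn("file-based APT attack", "high",
                          f"sha256={digest} provided by {source_ip}")

    def check_mail(self, mail_from: str, rcpt_to: str,
                   sender_ip: str) -> Optional[SafetyWarning]:
        """Mail branch (steps 514-520): compare source and destination address
        with the pre-stored mail addresses; on a match the second source IP
        (the sender's) is added to the IP list."""
        src = parseaddr(mail_from)[1].lower()  # strip display names, ignore case
        dst = parseaddr(rcpt_to)[1].lower()
        if src not in self.mails and dst not in self.mails:
            return None
        self.ips.add(sender_ip)
        return self._warn("mail-based APT attack", "high",
                          f"mail {src} -> {dst} from {sender_ip}")


if __name__ == "__main__":
    d = Detector()
    print(d.check_file("203.0.113.7", b"constructed-malicious-sample", "198.51.100.9"))
    print(d.check_mail("Eve <Attacker@Example.invalid>", "bob@corp.example", "198.51.100.11"))
    print(sorted(d.ips))
```

Because every match feeds the source IP back into `ips`, later egress comparisons pick up traffic to the same provider even when a new file or mailbox is used; that is the feedback loop the two "In addition" paragraphs describe. Lower-casing mail addresses is a comparison choice of this example, not something the patent specifies.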
Step 522, detect whether a new IP address and/or a new hash value and/or a new mail address appears on the pre-stored website.
In this embodiment, when the pre-stored website publishes new information on APT attacks, it is detected whether a new IP address and/or a new hash value and/or a new mail address appears on the pre-stored website, so as to expand the pre-stored IP address file and/or hash value file and/or mail address file.
Step 524, if a new IP address and/or a new hash value and/or a new mail address appears on the pre-stored website, add the new IP address and/or new hash value and/or new mail address to the pre-stored IP address file and/or pre-stored hash value file and/or pre-stored mail address file.
The pre-stored IP address file and/or hash value file and/or mail address file are thus expanded by adding the new IP addresses and/or new hash values and/or new mail addresses published by the pre-stored website to them.
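Steps 522 and 524 describe merging new indicators from the pre-stored website into the three local files. The following is an added example of that merge step; it is not code from the patent or its assignee. It assumes a plain-text feed with one indicator per line and `#` comments, a single JSON document as the on-disk format of the three pre-stored files, and regular expressions for telling hex digests from mail addresses (the patent names neither a feed format nor a hash algorithm, so MD5, SHA-1 and SHA-256 lengths are all accepted). The feed content is constructed.

```python
import ipaddress
import json
import os
import re
import tempfile
from typing import Dict, Iterable, Optional, Set, Tuple

# Hex digests of MD5, SHA-1 or SHA-256 length (accepting all three is an assumption).
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
MAIL_ADDR = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

Store = Dict[str, Set[str]]   # keys: "ip", "hash", "mail"

# Constructed feed standing in for what the "pre-stored website" publishes.
CONSTRUCTED_FEED = """\
# indicators published on <placeholder pre-stored website>
203.0.113.7
203.0.113.7                 # repeated entry, must not be counted twice
2001:db8::1
0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF  # upper-case hash
Attacker@Example.invalid
not-an-indicator            # malformed line, rejected
"""


def empty_store() -> Store:
    return {"ip": set(), "hash": set(), "mail": set()}


def classify(indicator: str) -> Optional[Tuple[str, str]]:
    """Return (kind, normalized value) or None for unrecognized input.
    IPs are canonicalised by the ipaddress module (2001:0db8::1 and
    2001:db8::1 collapse to one entry); hashes and mail addresses are
    lower-cased so the comparison step is case-insensitive."""
    s = indicator.strip()
    if not s:
        return None
    try:
        return "ip", str(ipaddress.ip_address(s))
    except ValueError:
        pass
    low = s.lower()
    if HEX_HASH.match(low):
        return "hash", low
    if MAIL_ADDR.match(low):
        return "mail", low
    return None


def merge_feed(lines: Iterable[str], store: Store) -> Dict[str, int]:
    """Steps 522/524: add only indicators not already present; report counts."""
    counts = {"ip": 0, "hash": 0, "mail": 0, "rejected": 0}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        parsed = classify(line)
        if parsed is None:
            counts["rejected"] += 1
            continue
        kind, value = parsed
        if value not in store[kind]:
            store[kind].add(value)
            counts[kind] += 1
    return counts


def save_store(store: Store, path: str) -> None:
    """Persist the three pre-stored files as one JSON document (assumed format)."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump({k: sorted(v) for k, v in store.items()}, fh, indent=1)
    os.replace(tmp, path)   # atomic replace: a concurrent reader never sees a partial file


def load_store(path: str) -> Store:
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return {k: set(data.get(k, [])) for k in ("ip", "hash", "mail")}


def roundtrip_ok(store: Store) -> bool:
    """Write the store to a temporary file and read it back; True if identical."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "prestored.json")
        save_store(store, p)
        return load_store(p) == store


if __name__ == "__main__":
    store = empty_store()
    print(merge_feed(CONSTRUCTED_FEED.splitlines(), store))
    print(merge_feed(CONSTRUCTED_FEED.splitlines(), store))   # second run adds nothing
    print(roundtrip_ok(store))
```

Validating and normalising each indicator before it enters the pre-stored files matters because the comparison steps are exact matches: an upper-case digest or an uncompressed IPv6 address that slipped in unnormalised would never match the value computed from live traffic, and a malformed line would silently become dead weight in the file.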
In this embodiment, the egress IP address of the enterprise LAN is compared with the IP addresses collected in advance, and a match indicates that an APT attack has occurred on a server of the enterprise LAN (for example, an attack in which an internal server of the enterprise is remotely controlled to launch a distributed denial of service attack against the outside). The hash value of a file appearing in the local area network access content is compared with the hash values collected in advance to detect that the APT attack type is a file-based APT attack, and a mail address appearing in the local area network access content is compared with the mail addresses collected in advance to detect that the APT attack type is a mail-based APT attack. The IP addresses, hash values and mail addresses collected in advance are publicly confirmed malicious IP addresses, hash values and mail addresses used to carry out APT attacks from outside, so the accuracy of the detected APT attacks is high. Meanwhile, new IP addresses and/or new hash values and/or new mail addresses appearing on the pre-stored website are added to the local pre-stored files, so the data in the pre-stored files is expanded and the accuracy of APT detection is further improved.
In one embodiment, as shown in fig. 6, there is provided an APT attack detection apparatus including:
an egress IP address obtaining module 602, configured to obtain an egress IP address of the local area network;
an IP address comparison module 604, configured to compare the egress IP address with a pre-stored IP address;
a file detection module 606, configured to detect whether a file appears in the local area network access content if the egress IP address matches the pre-stored IP address;
a file hash value calculation module 608, configured to calculate the hash value of the file if a file appears in the local area network access content;
a hash value comparison module 610, configured to compare the hash value of the file with a pre-stored hash value in a pre-stored hash value file; and
a safety warning generation module 612, configured to generate a safety warning and send it to the terminal if the hash value of the file matches the pre-stored hash value.
In one embodiment, the APT attack detection apparatus further includes a first pre-stored file updating module, configured to detect whether a new IP address and/or a new hash value appears on the pre-stored website and, if so, to add the new IP address and/or new hash value to the pre-stored IP address file and/or pre-stored hash value file.
In one embodiment, the APT attack detection apparatus further includes a second pre-stored file updating module, configured to acquire the first source IP address from which the file was provided, and a first pre-stored IP address file updating module, configured to add the first source IP address to the pre-stored IP address file.
In one embodiment, as shown in fig. 7, the APT attack detection apparatus further includes:
a mail detection module 702, configured to detect whether mail appears in the local area network access content;
a mail address obtaining module 704, configured to obtain the mail source address and mail destination address of the mail if mail appears in the local area network access content; and
a mail address comparison module 706, configured to compare the mail source address/mail destination address of the mail with a pre-stored mail address.
The safety warning generation module 612 is further configured to generate a safety warning and send it to the terminal if the mail source address/mail destination address of the mail matches the pre-stored mail address.
In one embodiment, the APT attack detection apparatus further includes a third pre-stored file updating module, configured to acquire a second source IP address corresponding to the mail source address and add the second source IP address to the pre-stored IP address file.
In one embodiment, the APT attack detection apparatus further includes a fourth pre-stored file updating module, configured to detect whether a new mail address appears on the pre-stored website and, if so, to add the new mail address to the pre-stored mail address file.
In one embodiment, as shown in fig. 8, another APT attack detection apparatus is provided, including:
an egress IP address obtaining module 602, configured to obtain an egress IP address of the local area network;
an IP address comparison module 604, configured to compare the egress IP address with a pre-stored IP address;
a file detection module 606, configured to detect whether a file appears in the local area network access content if the egress IP address matches the pre-stored IP address;
a file hash value calculation module 608, configured to calculate the hash value of the file if a file appears in the local area network access content;
a hash value comparison module 610, configured to compare the hash value of the file with a pre-stored hash value in a pre-stored hash value file;
a safety warning generation module 612, configured to generate a safety warning and send it to the terminal if the hash value of the file matches the pre-stored hash value;
a mail detection module 702, configured to detect whether mail appears in the local area network access content;
a mail address obtaining module 704, configured to obtain the mail source address and mail destination address of the mail if mail appears in the local area network access content;
a mail address comparison module 706, configured to compare the mail source address/mail destination address of the mail with a pre-stored mail address, the safety warning generation module 612 being further configured to generate a safety warning and send it to the terminal if the mail source address/mail destination address of the mail matches the pre-stored mail address; and
a pre-stored file updating module 802, configured to obtain the first source IP address from which the file was provided and add it to the pre-stored IP address file; to acquire a second source IP address corresponding to the mail source address and add it to the pre-stored IP address file; and to detect whether a new IP address and/or a new hash value and/or a new mail address appears on the pre-stored website and, if so, to add the new IP address and/or new hash value and/or new mail address to the pre-stored IP address file and/or pre-stored hash value file and/or pre-stored mail address file.
It should be noted that "first", "second", "third", and "fourth" in the embodiments of the present invention are used for distinction only, and are not used as limitations on size, dependency, sequence, and the like.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. An APT attack detection method, the method comprising:
acquiring an outlet IP address of a local area network;
comparing the outlet IP address with a prestored IP address in a prestored IP address file;
if the outlet IP address is consistent with the prestored IP address in comparison, detecting whether a file appears in the local area network access content;
if the file appears in the local area network access content, calculating the hash value of the file;
comparing the hash value of the file with a pre-stored hash value in a pre-stored hash value file;
and if the hash value of the file is consistent with the comparison of the pre-stored hash values, generating a safety warning and sending the safety warning to the terminal.
2. The method of claim 1, further comprising:
detecting whether a new IP address and/or a new hash value appear in a prestored website;
and if the pre-stored website has a new IP address and/or a new hash value, adding the new IP address and/or the new hash value into a pre-stored IP address file and/or a pre-stored hash value file.
3. The method according to claim 1, wherein, after the generating a safety warning and sending the safety warning to the terminal if the hash value of the file is consistent with the pre-stored hash value in comparison, the method further comprises:
acquiring a first source IP address for providing the file;
and adding the first source IP address to the pre-stored IP address file.
4. The method of claim 1, further comprising:
detecting whether the mail appears in the local area network access content;
if the local area network access content has the mail, acquiring a mail source address and a mail destination address of the mail;
comparing the mail source address/mail destination address of the mail with a pre-stored mail address;
and if the mail source address/the mail destination address of the mail is consistent with the pre-stored mail address in comparison, generating a safety warning and sending the safety warning to the terminal.
5. The method according to claim 4, wherein, after the generating a safety warning and sending the safety warning to the terminal if the mail source address/mail destination address of the mail is consistent with the pre-stored mail address in comparison, the method further comprises:
acquiring a second source IP address corresponding to the mail source address;
and adding the second source IP address into the prestored IP address file.
6. An APT attack detection apparatus, the apparatus comprising:
the outlet IP address acquisition module is used for acquiring an outlet IP address of the local area network;
the IP address comparison module is used for comparing the outlet IP address with a prestored IP address;
the file detection module is used for detecting whether a file appears in the local area network access content if the outlet IP address is consistent with the prestored IP address in comparison;
the file hash value calculation module is used for calculating the hash value of the file if the file appears in the local area network access content;
the hash value comparison module is used for comparing the hash value of the file with a prestored hash value in a prestored hash value file;
and the safety warning generation module is used for generating a safety warning and sending the safety warning to the terminal if the hash value of the file is consistent with the comparison of the pre-stored hash values.
7. The apparatus of claim 6, further comprising:
the first pre-stored file updating module is used for detecting whether a pre-stored website has a new IP address and/or a new hash value, and if the pre-stored website has the new IP address and/or the new hash value, the new IP address and/or the new hash value are/is added into a pre-stored IP address file and/or a pre-stored hash value file.
8. The apparatus of claim 6, further comprising:
and the second pre-stored file updating module is used for acquiring a first source IP address for providing the file and adding the first source IP address to the pre-stored IP address file.
9. The apparatus of claim 6, further comprising:
the mail detection module is used for detecting whether a mail appears in the local area network access content;
the mail address acquisition module is used for acquiring a mail source address and a mail destination address of a mail if the mail appears in the local area network access content;
the mail address comparison module is used for comparing the mail source address/the mail destination address of the mail with a pre-stored mail address;
and the safety warning generation module is also used for generating a safety warning and sending the safety warning to the terminal if the mail source address/mail destination address of the mail is consistent with the pre-stored mail address in comparison.
10. The apparatus of claim 9, further comprising:
and the third pre-stored file updating module is used for acquiring a second source IP address corresponding to the mail source address and adding the second source IP address to the pre-stored IP address file.
CN201710155925.7A 2017-03-14 2017-03-14 APT attack detection method and device Active CN107786531B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710155925.7A CN107786531B (en) 2017-03-14 2017-03-14 APT attack detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710155925.7A CN107786531B (en) 2017-03-14 2017-03-14 APT attack detection method and device

Publications (2)

Publication Number Publication Date
CN107786531A CN107786531A (en) 2018-03-09
CN107786531B true CN107786531B (en) 2020-02-18

Family

ID=61437526

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710155925.7A Active CN107786531B (en) 2017-03-14 2017-03-14 APT attack detection method and device

Country Status (1)

Country Link
CN (1) CN107786531B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110233831A (en) * 2019-05-21 2019-09-13 深圳壹账通智能科技有限公司 The detection method and device of malicious registration
CN110519301A (en) * 2019-09-25 2019-11-29 新华三信息安全技术有限公司 A kind of attack detection method and device
CN112039836A (en) * 2020-06-30 2020-12-04 浙江远望信息股份有限公司 Method, system and equipment for monitoring and identifying illegal network outlet

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101360019A (en) * 2008-09-18 2009-02-04 华为技术有限公司 Detection method, system and apparatus of zombie network
CN101651579A (en) * 2009-09-15 2010-02-17 成都市华为赛门铁克科技有限公司 Method and gateway device for identifying Botnet
CN101741862A (en) * 2010-01-22 2010-06-16 西安交通大学 System and method for detecting IRC bot network based on data packet sequence characteristics
CN105119938A (en) * 2015-09-14 2015-12-02 电子科技大学 Method for defending against innerport recall trojan
CN105430001A (en) * 2015-12-18 2016-03-23 北京奇虎科技有限公司 Detecting method, terminal device, server and system of APT (Advanced Persistent Threat) attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9392017B2 (en) * 2010-04-22 2016-07-12 The Trustees Of Columbia University In The City Of New York Methods, systems, and media for inhibiting attacks on embedded devices

Also Published As

Publication number Publication date
CN107786531A (en) 2018-03-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant