CN108073809A - APT Heuristic detection methods and system based on abnormal component liaison - Google Patents


Info

Publication number
CN108073809A
Authority
CN
China
Prior art keywords
component
call relation
environment information
abnormal
caching
Prior art date
Application number
CN201711420803.2A
Other languages
Chinese (zh)
Inventor
沈长伟
童志明
何公道
Original Assignee
哈尔滨安天科技股份有限公司
Application filed by 哈尔滨安天科技股份有限公司
Priority to CN201711420803.2A
Publication of CN108073809A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures

Abstract

The present invention proposes an APT heuristic detection method and system based on abnormal component liaison (association). The method includes: monitoring all launched processes in the system; recording the call relations and component environment information of all components, and caching them in a caching knowledge base; for each component newly obtained by the system, recording its call relations and component environment information; matching the call relations and component environment information of the newly obtained component against the caching knowledge base and, based on the matching rules, judging whether the component in the system is abnormal; if so, alerting the user and prompting the risk, otherwise storing the call relations and component environment information of the newly obtained component into the caching knowledge base. The present invention also proposes a corresponding system and storage medium. By means of the invention, componentized, modularized, engineered, highly concealed and complex APT attacks can be detected effectively.

Description

APT Heuristic detection methods and system based on abnormal component liaison

Technical field

The present invention relates to the field of computer network security technology, and in particular to an APT heuristic detection method and system based on abnormal component liaison.

Background technology

An APT attack is an advanced persistent threat. APT attacks are highly concealed, targeted and complex, and more and more of their functions are implemented in a componentized, modular way. A component is an independent unit that can complete a function or part of a function, including but not limited to executable programs and dynamic link libraries. Implementing a function in a modular way requires associated calls between components; component liaison (component association) refers to the relation formed between components in order to achieve a function, including but not limited to dynamic link library loading and process invocation. Such attacks deliver their payload in batches, and the interval between batches of components is long; each component is constructed carefully so that it is not malicious on its own, yet the components may combine to complete the attack behaviour. Traditional APT detection methods detect a single payload and cannot cope with attack means of this complexity.

Summary of the invention

In view of the above problem, the present invention proposes an APT heuristic detection method and system based on abnormal component liaison, which determines from the component association relations whether a component is abnormal, solving the problem that conventional methods cannot detect complex APT attack patterns.

The present invention is implemented by the following method:

An APT heuristic detection method based on abnormal component liaison, including:

monitoring all launched processes in the system;

recording the call relations and component environment information of all components, and caching them in a caching knowledge base;

for each component newly obtained by the system, recording its call relations and component environment information;

matching the call relations and component environment information of the newly obtained component against the caching knowledge base and, based on the matching rules, judging whether the component in the system is abnormal; if so, alerting the user and prompting the risk, otherwise storing the call relations and component environment information of the newly obtained component into the caching knowledge base.

In the method, the component environment information includes at least: the time of the last call, the component acquisition source and the component acquisition mode.

In the method, judging whether a component in the system is abnormal based on the matching rules specifically means: if a component in the system meets any of the following matching rules, the corresponding component is an abnormal component in the system:

a component that has been in the system for a long interval without being called forms an association with another component;

components obtained by different component acquisition modes or from different component acquisition sources form an association;

a component frequently associates with different components newly obtained by the system;

and user-defined matching rules.

The method further includes: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds routine call relations to a whitelist.

An APT heuristic detection system based on abnormal component liaison, including:

a process monitoring module, which monitors all launched processes in the system;

an information acquisition module, which records the call relations and component environment information of all components and caches them in a caching knowledge base, and, for each component newly obtained by the system, records its call relations and component environment information;

a matching module, which matches the call relations and component environment information of the newly obtained component against the caching knowledge base and, based on the matching rules, judges whether the component in the system is abnormal; if so, it alerts the user and prompts the risk, otherwise it stores the call relations and component environment information of the newly obtained component into the caching knowledge base.

In the system, the component environment information includes at least: the time of the last call, the component acquisition source and the component acquisition mode.

In the system, judging whether a component in the system is abnormal based on the matching rules specifically means: if a component in the system meets any of the following matching rules, the corresponding component is an abnormal component in the system:

a component that has been in the system for a long interval without being called forms an association with another component;

components obtained by different component acquisition modes or from different component acquisition sources form an association;

a component frequently associates with different components newly obtained by the system;

and user-defined matching rules.

The system further includes: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds routine call relations to a whitelist.

The present invention also proposes a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the APT heuristic detection methods based on abnormal component liaison described above.

The advantages of the invention are: the traditional single-payload detection mode is changed into an associated-payload detection mode; through fine-grained acquisition of environment information and an intelligent learning algorithm, abnormally associated components are mined in depth; and through a variety of decision strategies plus user-defined decision strategies, detection becomes harder for an attacker to predict, the bar for APT intrusion is raised and the concealment of APT attacks is reduced. The technical scheme of the present invention can effectively detect componentized, modularized, engineered, highly concealed and complex APT attacks. At the same time, the intelligent learning method avoids the frequent virus-database updates of conventional methods.

Description of the drawings

In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings required in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.

Fig. 1 is a flow chart of an embodiment of the APT heuristic detection method based on abnormal component liaison of the present invention;

Fig. 2 is a structural diagram of the APT heuristic detection system based on abnormal component liaison of the present invention.

Specific embodiment

In order to enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention clearer and easier to understand, the technical solutions of the present invention are described in further detail below with reference to the drawings.

The present invention is implemented by the following method:

An APT heuristic detection method based on abnormal component liaison, as shown in Fig. 1, including:

S101: monitoring all launched processes in the system;

S102: recording the call relations and component environment information of all components, and caching them in a caching knowledge base;

S103: for each component newly obtained by the system, recording its call relations and component environment information;

S104: matching the call relations and component environment information of the newly obtained component against the caching knowledge base and, based on the matching rules, judging whether the component in the system is abnormal; if so, alerting the user and prompting the risk, otherwise storing the call relations and component environment information of the newly obtained component into the caching knowledge base.

In the method, the component environment information includes but is not limited to the time of the last call, the component acquisition source and the component acquisition mode; component acquisition sources include, for example, active download, download by an application program, and acquisition from a USB flash drive.

In the method, judging whether a component in the system is abnormal based on the matching rules specifically means: if a component in the system meets any of the following matching rules, the corresponding component is an abnormal component in the system:

a component that has been in the system for a long interval without being called forms an association with another component; such a component may be one of the multiple deliveries of an APT attack: for example, a component entered the system a long time ago and has not generated a call relation with any other component, and then forms a link with a component newly entered into the system, which is suspicious;

components obtained by different component acquisition modes or from different component acquisition sources form an association; such components may belong to an APT attack that is delivered through multiple channels in order to hide itself;

a component frequently associates with different components newly obtained by the system; for example the loader pattern, in which a loader downloads and loads dynamic link libraries;

and user-defined matching rules; user-defined strategies further reduce the concealment of APT attacks and make detection harder for an attacker to predict.

The method further includes: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds routine call relations to a whitelist. Routine call relations in the system are, for example, the components called when the system starts, the components loaded when a browser is opened, and the components loaded by media player software.
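As an added illustration (not the patent's own implementation), the following Python sketch implements the caching knowledge base, the learned whitelist and the four matching rules of steps S101 to S104 over constructed component records; the class and rule names, the thresholds and the sample components are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
DAY = 86400

@dataclass
class Component:
    """Component environment information recorded when a component enters the system."""
    name: str
    acquired_at: float                   # time the component entered the system (seconds)
    source: str                          # acquisition source: "active_download", "app_download", "usb", "system"
    method: str                          # acquisition mode: "browser", "installer", "removable_media", "os"
    last_called: Optional[float] = None  # None = never called by another component

class KnowledgeBase:
    """Caching knowledge base: component records, stored call relations, learned whitelist.
    The thresholds are assumed values; the patent gives no figures."""

    def __init__(self, dormant_after=30 * DAY, recent_within=3600, hub_min_new_callees=2):
        self.components = {}            # name -> Component
        self.calls = defaultdict(set)   # caller -> callees (only relations judged normal are stored)
        self.whitelist = set()          # (caller, callee) pairs learned as routine
        self.user_rules = []            # (rule name, predicate(caller, callee, now)) pairs
        self.dormant_after, self.recent_within = dormant_after, recent_within
        self.hub_min_new_callees = hub_min_new_callees

    def learn_routine(self, pairs) -> None:
        """Stand-in for the patent's intelligent learning: relations seen during routine activity
        (system start, browser launch, media player) are whitelisted."""
        self.whitelist.update(pairs)

    def _is_new(self, c, now):
        return now - c.acquired_at <= self.recent_within

    def _is_dormant(self, c, now):
        return c.last_called is None and now - c.acquired_at >= self.dormant_after

    def _store(self, caller, callee, now):
        self.calls[caller].add(callee)
        self.components[callee].last_called = now

    def check_call(self, caller: str, callee: str, now: float) -> list:
        """Step S104: match a new call relation; returns matched rule names ([] = normal, cached)."""
        a, b = self.components[caller], self.components[callee]
        if (caller, callee) in self.whitelist:
            self._store(caller, callee, now)
            return []
        hits = []
        # Rule 1: a long-resident, never-called component links with a newly obtained one
        if (self._is_dormant(a, now) and self._is_new(b, now)) or \
           (self._is_dormant(b, now) and self._is_new(a, now)):
            hits.append("dormant_links_to_new")
        # Rule 2: components from different acquisition sources or modes associate
        if a.source != b.source or a.method != b.method:
            hits.append("cross_source_association")
        # Rule 3: one component keeps linking to different newly obtained components (loader pattern)
        new_callees = {c for c in self.calls[caller] | {callee} if self._is_new(self.components[c], now)}
        if len(new_callees) >= self.hub_min_new_callees:
            hits.append("frequent_loader")
        # Rule 4: user-defined matching rules
        hits += [name for name, pred in self.user_rules if pred(a, b, now)]
        if not hits:                    # normal relation: store it in the knowledge base
            self._store(caller, callee, now)
        return hits

def run_scenario() -> dict:
    """Constructed sample components (not real telemetry) exercising each rule."""
    now, kb = 100 * DAY, KnowledgeBase()
    kb.components.update({c.name: c for c in [
        Component("init", 0, "system", "os", 99 * DAY),
        Component("boot_helper.dll", 0, "system", "os", 99 * DAY),
        Component("sleeper.dll", 10 * DAY, "usb", "removable_media"),      # resident 90 days, never called
        Component("dropper.exe", now - 600, "usb", "removable_media"),      # arrived 10 minutes ago
        Component("loader.exe", now - 3000, "app_download", "installer"),
        Component("m1.dll", now - 2000, "app_download", "installer"),
        Component("m2.dll", now - 2000, "app_download", "installer")]})
    kb.learn_routine({("init", "boot_helper.dll")})
    kb.user_rules.append(("usb_calls_system", lambda a, b, now: a.source == "usb" and b.source == "system"))
    return {"routine": kb.check_call("init", "boot_helper.dll", now),
            "dormant": kb.check_call("dropper.exe", "sleeper.dll", now),
            "loader": [kb.check_call("loader.exe", m, now) for m in ("m1.dll", "m2.dll")],
            "usb_to_system": kb.check_call("dropper.exe", "boot_helper.dll", now),
            "stored_loader_calls": sorted(kb.calls["loader.exe"])}
```

Relations that trigger a rule are reported but not cached, so a single dropper that keeps loading new modules is judged against its clean history only, as the patent's "otherwise store" branch implies.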

An APT heuristic detection system based on abnormal component liaison, as shown in Fig. 2, including:

a process monitoring module 201, which monitors all launched processes in the system;

an information acquisition module 202, which records the call relations and component environment information of all components and caches them in a caching knowledge base, and, for each component newly obtained by the system, records its call relations and component environment information;

a matching module 203, which matches the call relations and component environment information of the newly obtained component against the caching knowledge base and, based on the matching rules, judges whether the component in the system is abnormal; if so, it alerts the user and prompts the risk, otherwise it stores the call relations and component environment information of the newly obtained component into the caching knowledge base.

In the system, the component environment information includes at least: the time of the last call, the component acquisition source and the component acquisition mode.

In the system, judging whether a component in the system is abnormal based on the matching rules specifically means: if a component in the system meets any of the following matching rules, the corresponding component is an abnormal component in the system:

a component that has been in the system for a long interval without being called forms an association with another component;

components obtained by different component acquisition modes or from different component acquisition sources form an association;

a component frequently associates with different components newly obtained by the system;

and user-defined matching rules.

The system further includes: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds routine call relations to a whitelist.

The present invention also proposes a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the APT heuristic detection methods based on abnormal component liaison described above.

The advantages of the invention are: the traditional single-payload detection mode is changed into an associated-payload detection mode; through fine-grained acquisition of environment information and an intelligent learning method, abnormally associated components are mined in depth; and through a variety of decision strategies plus user-defined decision strategies, detection becomes harder for an attacker to predict, the bar for APT intrusion is raised and the concealment of APT attacks is reduced. The technical scheme of the present invention can effectively detect componentized, modularized, engineered, highly concealed and complex APT attacks. At the same time, the intelligent learning method avoids the frequent virus-database updates of conventional methods.

The embodiments in this specification are described in a progressive manner; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief; for related parts, refer to the explanation of the method embodiment.

Although the present invention has been described by way of embodiments, those skilled in the art will appreciate that there are many variations and modifications of the present invention that do not depart from its spirit, and it is intended that the appended claims cover such variations and modifications without departing from the spirit of the present invention.

Claims (9)

1. An APT heuristic detection method based on abnormal component liaison, characterized by including:
monitoring all launched processes in the system;
recording the call relations and component environment information of all components, and caching them in a caching knowledge base;
for each component newly obtained by the system, recording its call relations and component environment information;
matching the call relations and component environment information of the newly obtained component against the caching knowledge base and, based on the matching rules, judging whether the component in the system is abnormal; if so, alerting the user and prompting the risk, otherwise storing the call relations and component environment information of the newly obtained component into the caching knowledge base.
2. The method of claim 1, characterized in that the component environment information includes at least: the time of the last call, the component acquisition source and the component acquisition mode.
3. The method of claim 2, characterized in that judging whether a component in the system is abnormal based on the matching rules specifically means: if a component in the system meets any of the following matching rules, the corresponding component is an abnormal component in the system:
a component that has been in the system for a long interval without being called forms an association with another component;
components obtained by different component acquisition modes or from different component acquisition sources form an association;
a component frequently associates with different components newly obtained by the system;
and user-defined matching rules.
4. The method of claim 1, characterized by further including: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds routine call relations to a whitelist.
5. An APT heuristic detection system based on abnormal component liaison, characterized by including:
a process monitoring module, which monitors all launched processes in the system;
an information acquisition module, which records the call relations and component environment information of all components and caches them in a caching knowledge base, and, for each component newly obtained by the system, records its call relations and component environment information;
a matching module, which matches the call relations and component environment information of the newly obtained component against the caching knowledge base and, based on the matching rules, judges whether the component in the system is abnormal; if so, it alerts the user and prompts the risk, otherwise it stores the call relations and component environment information of the newly obtained component into the caching knowledge base.
6. The system of claim 5, characterized in that the component environment information includes at least: the time of the last call, the component acquisition source and the component acquisition mode.
7. The system of claim 6, characterized in that judging whether a component in the system is abnormal based on the matching rules specifically means: if a component in the system meets any of the following matching rules, the corresponding component is an abnormal component in the system:
a component that has been in the system for a long interval without being called forms an association with another component;
components obtained by different component acquisition modes or from different component acquisition sources form an association;
a component frequently associates with different components newly obtained by the system;
and user-defined matching rules.
8. The system of claim 5, characterized by further including: the caching knowledge base learns the call relations of associated components by intelligent learning and automatically adds routine call relations to a whitelist.
9. A non-transitory computer-readable storage medium storing a computer program, characterized in that the program, when executed by a processor, implements the APT heuristic detection method based on abnormal component liaison of any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711420803.2A CN108073809A (en) 2017-12-25 2017-12-25 APT Heuristic detection methods and system based on abnormal component liaison


Publications (1)

Publication Number Publication Date
CN108073809A (en) 2018-05-25

Family

ID=62155898


Country Status (1)

Country Link
CN (1) CN108073809A (en)




Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Harbin, Heilongjiang Province (838 Shikun Road)

Applicant after: Harbin Antiy Technology Group Limited by Share Ltd

Address before: 150090 Room 506, No. 162 Hongqi Street, Nangang District, Harbin Development Zone, Heilongjiang Province

Applicant before: Harbin Antiy Technology Co., Ltd.